COSO Framework - Enterprise Risk
Management (ERM) Exam Questions
and Answers 100% Pass
Enterprise Risk Management - Integrating with Strategy and Performance (COSO ERM framework) -
ANSWER ✔✔-is a framework that complements, and incorporates some concepts of, the COSO internal
control framework.
The COSO ERM framework provides - ANSWER ✔✔-a basis for coordinating and integrating all of an
organization's risk management activities.
Effective integration: - ANSWER ✔✔-1. Improves decision making and 2. Enhances performance.
ERM - ANSWER ✔✔-- is based on the premise that every organization exists to provide value for its stakeholders.
- is defined as 'The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.'
Governance - ANSWER ✔✔-sets the organization's tone and establishes responsibilities for ERM.
Culture - ANSWER ✔✔-- consists of "The attitudes, behaviors, and understanding about risk, both
positive and negative, that influence the decisions of management and personnel and reflect the mission,
vision, and core values of the organization."
Created by ©EmilyCharlene 2025. All rights reserved.
- relates to the desired behaviors, values, and overall understanding about risk held by personnel within
the organization.
Mission - ANSWER ✔✔-is the organization's core purpose.
Vision - ANSWER ✔✔-is the organization's aspirations for what it intends to achieve over time.
Core values - ANSWER ✔✔-are the organization's essential beliefs about what is acceptable or
unacceptable.
Capabilities - ANSWER ✔✔-are the skills needed to carry out the entity's mission and vision.
Practices - ANSWER ✔✔-are the collective methods used to manage risk.
Integrating strategy setting and performance - ANSWER ✔✔-- Risk must be considered in setting
strategy, business objectives, performance targets, and tolerance.
- The organization considers the effect of strategy on its risk profile and portfolio view.
Strategy - ANSWER ✔✔-- communicates how the organization will
(a) achieve its mission and vision and
(b) apply its core values.
- must support the organization's mission, vision, and core values.
Business objectives - ANSWER ✔✔-are the steps taken to achieve the strategy.
Tolerance - ANSWER ✔✔-- is the range of acceptable variation in performance results.
- the equivalent term in the COSO internal control framework is "risk tolerance"
Risk profile - ANSWER ✔✔-- is a composite view of the types, severity, and interdependencies of risks
related to a specific strategy or business objective and their effect on performance.
- may be created at any level (e.g., entity, division, operating unit, or function) or aspect (e.g., product,
service, or geography) of the organization.
Portfolio view - ANSWER ✔✔-- is similar to a risk profile.
- The difference is that it is a composite view of the risks related to entity-wide strategy and business
objectives and their effects on entity performance.
Managing risk - Risk - ANSWER ✔✔-is "[t]he possibility that events will occur and affect the achievement
of strategy and business objectives."
Managing risk - Opportunity - ANSWER ✔✔-is any action or potential action that creates or alters goals
or approaches for the creation, preservation, or realization of value.
Managing risk - Reasonable expectation - ANSWER ✔✔-- provided through effective ERM practices
- cannot provide absolute assurance that the risk assumed is appropriate
Managing risk - Risk Inventory - ANSWER ✔✔-consists of all identified risks that affect strategy and
business objectives.
Managing risk - Risk Capacity - ANSWER ✔✔-is the maximum amount of risk the organization can
assume.
Managing risk - Risk appetite - ANSWER ✔✔-consists of the amount and types of risk the organization is
willing to accept in pursuit of value.
Managing risk - Inherent risk - ANSWER ✔✔-is the risk in the absence of management actions to alter its
severity.
Managing risk - Actual residual risk - ANSWER ✔✔-remains after management actions to alter its
severity.