Risk Assessment for Mid-Sized Organisations: COSO Tools for a Tailored Approach, 2nd Edition
Offers guidance and practical tools designed to demystify risk identification at the enterprise or entity level and to help the user develop a tailored approach to the organisation's risk management requirements. This edition contains COSO thought leadership and an overview of risk assessment approaches and techniques that have emerged as the most useful and sustainable for decision making.

If you are purchasing a product in one of the following formats, please check the system requirements below:

Online Professional Library
The AICPA Online Professional Library will operate in a variety of configurations, but only the configuration described below is supported by our technicians:

  • Windows 7+ (Latest Microsoft Edge, Internet Explorer, Firefox or Chrome)


Minimum system requirements are:

  • Internet access
  • Adobe ID
  • Adobe® Digital Editions (ADE) is a free program that lets you read eBooks on a PC, Mac, and any supported smartphone or tablet. You MUST download and login to ADE in order to view an AICPA eBook. AICPA eBooks are best viewed when using ADE 3 for PC and ADE 4 for Mac.
  • For mobile access to eBooks, download the free Bluefire Reader app for Apple (iOS) and Android phones and tablets.


  • eBooks are intended for a single user only.
  • An eBook is a downloadable file that will be accessible immediately after completing your purchase. Access to the download link expires 180 days from the purchase date so you must download the file before this time elapses.
  • This product is refundable within 10 days of your purchase date.

Read the AICPA eBook Tutorial and see our FAQ for more information.


  • Adobe® Acrobat® Reader 8 or higher
Product details

Companies often struggle with the concept of enterprise risk management. The heart of ERM is the risk assessment process that has evolved from the COSO framework. This resource offers practical examples and explanations that lay out a clearly defined framework for approaching enterprise risk management from start to finish. It identifies risk at the entity level in small and medium size enterprises, and allows you to develop a tailored approach to an organization’s risk management requirements.

The publication features tightly written strategies and helpful diagrams that translate COSO guidelines into tactical plans and it includes a free download containing:

  • A set of Excel worksheets that show how following the ERM tactics will impact quantitative financial measurements
  • A PowerPoint presentation for training staff that are involved in the ERM process

Together this approach will allow you to create a solid structure for a risk management process that helps you avoid the internal and external risks that damaged so many organizations in the recent past. You will be able to:

  • Create a common language to define, identify, evaluate, and manage risk
  • Establish and agree on risk tolerances and risk appetite
  • Identify risk management expectations, current gaps, and risk owners
  • Leverage cross-functional expertise to manage risk to within acceptable levels
CGMA designation holders qualify for discounted pricing on this product. In order to receive your special pricing, you must be registered and signed in. View the complete list of development products available on CGMA.org.

Chapter 4: Risk Management

Risk management response concepts are simple when you understand that you are limited to only four options:

  1. Internal controls
  2. Risk avoidance strategies
  3. Risk transfer (risk sharing) strategies
  4. Risk acceptance

Note that our experience indicates that, when conducting risk assessment workshops and asking participants, as they evaluate a given risk area, to consider how it is managed, the number one response provided by participants is that the risk area is managed using internal controls. Because internal controls can be evaluated and tested in terms of design and operating effectiveness, the concept of control maturity can be incorporated into the risk assessment workshop using a control maturity model (CMM) (see the section on Control Maturity in this chapter).

In selecting risk management responses, a company defaults to risk acceptance when all other risk management strategies are exhausted or no other risk management strategy is employed. Enterprise risk management guides a company to ensure that risk acceptance aligns with management’s risk tolerance, risk appetite or both.

Key Insight: When facilitating the entity-wide risk assessment and asking participants to assess a given risk area, make sure to elicit whether they think controls are ‘well defined’ (see the control maturity scale in this chapter) or ‘soft’ (see repeatable in the control maturity scale) or ‘more informal’ (see immature in the CMM discussed later).

Internal controls that contain ‘defined’ or more ‘mature’ attributes can be more easily measured for design and operating effectiveness either through audit or self-assessment and hence provide positive assurance to stakeholders whether residual risk is within management’s acceptance levels.

After you establish participants’ views on formal or informal controls, ask them which risk management strategies they believe the company employs. Often there can be a lack of clarity regarding the level within the organisation at which individual risks will be managed—that is, whether individual risks are to be ‘mitigated’ by the corporate shared service centres or left to business units to manage. Using CMMs will help draw out the collective wisdom of the organisation and get managers to agree on which functions are primarily responsible for managing risk and how shared services can best support the business units in achieving their goals. This will help break down silos and embed risk management into the business culture.


Scott McKay, CPA, CPE, CIA, CCSA


American Institute of CPAs

The American Institute of CPAs (AICPA) is the world’s largest member association representing the CPA profession, with more than 418,000 members in 143 countries, and a history of serving the public interest since 1887. AICPA members represent many areas of practice, including business and industry, public practice, government, education and consulting.

The AICPA sets ethical standards for the profession and U.S. auditing standards for private companies, nonprofit organizations, and federal, state and local governments. It develops and grades the Uniform CPA Examination, and offers specialized credentials for qualified professionals who concentrate on personal financial planning; forensic accounting; business valuation; and information management and technology assurance. With The Chartered Institute of Management Accountants (CIMA), it offers the Chartered Global Management Accountant (CGMA) designation, which sets the global benchmark for quality and recognition in management accounting.

The AICPA and CIMA also make up the Association of International Certified Professional Accountants (the Association), which represents public and management accounting globally, advocating on behalf of the public interest and advancing the quality, competency and employability of CPAs, CGMAs and other accounting and finance professionals worldwide.

The AICPA maintains offices in New York, Washington, DC, Durham, NC, and Ewing, NJ.
