
COSO updates its Enterprise Risk Management (ERM) framework to address modern data sources

March 27, 2025

Contributors: Thomson Reuters

Alternative data sources present businesses with powerful opportunities. However, they also introduce risks. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) addresses this challenge in its 2024 report, Alternative Data: The COSO Perspective. This report offers valuable guidance on how businesses can integrate nontraditional data sources into their enterprise risk management (ERM) frameworks.

What’s alternative data?

Companies increasingly rely on social media analytics, satellite imagery, web scraping, transactional data, smart sensor feeds, and environmental, social and governance (ESG) indicators to drive strategic decision-making. Such alternative data sources may provide fresh insights into market trends and consumer behavior.

These unconventional sources can enhance forecasting and risk assessment. But they also introduce challenges, such as data integrity, privacy concerns and regulatory compliance. Without a structured approach to managing these risks, alternative data can create more uncertainty than clarity. To fully capitalize on alternative data, companies must embed it within their risk management practices. (See “COSO’s ERM framework” below.)

COSO emphasizes that businesses must ensure alternative data aligns with their strategic objectives, such as improving customer engagement, optimizing supply chains and strengthening investment strategies. If alternative data doesn’t contribute to well-defined business outcomes, the risk may not be worth it.

How can business leaders put the guidance into action?

COSO recommends the following five steps to successfully integrate alternative data into your organization’s ERM framework:

1. Perform a data audit. Begin by identifying all sources of alternative data currently used or under consideration. To get a complete picture of your organization’s data landscape, evaluate these questions:

  • How is alternative data collected, and who provides it?
  • Does the data introduce potential privacy or security risks?
  • Is the data relevant to the company’s strategic objectives?

Not all alternative data is created equal. Three key areas where quality issues commonly arise are 1) source reliability, 2) accuracy and bias, and 3) timeliness. Vet third-party data providers carefully to ensure they’re credible, transparent and compliant with industry standards.

2. Strengthen governance practices. Assigning oversight responsibility to a chief data officer or a data governance committee helps ensure accountability. Businesses without proper governance practices risk drawing inaccurate conclusions, facing regulatory penalties or damaging their reputations.

Also stay informed about rapidly evolving data privacy laws and document data collection and usage practices thoroughly. This includes creating internal codes of ethics for responsible data use, especially when using AI-driven analytics.

3. Invest in technology and security. Protect alternative data and reduce risk exposure with technology and security measures, including:

  • Transparent, explainable and unbiased AI-driven analytics and machine learning algorithms,
  • Data encryption, and
  • Role-based access control that allows only authorized personnel to handle sensitive data.

Cybersecurity infrastructure — such as robust firewalls, intrusion detection systems and endpoint security solutions — is also essential to protect sensitive data. Partner with reputable data providers to maintain compliance with industry standards, and conduct due diligence before engaging with new vendors to ensure compliance with security best practices and regulatory standards.

4. Train employees on best practices. Even with advanced security measures, data risks often arise due to human error, lack of awareness or poor decision-making. Conduct regular data literacy training sessions to prevent misuse of alternative data and maximize its strategic value.

Education programs foster a data-driven culture where employees recognize the importance of risk assessment and informed decision-making. Consider such topics as interpreting AI-generated insights responsibly, preventing data bias, understanding regulatory implications and implementing cybersecurity best practices. Interactive workshops that simulate real-world data scenarios can engage participants and promote cross-departmental collaboration.

5. Monitor and adapt. As technology advances, alternative data opportunities and risks will evolve, requiring businesses to update their ERM practices continuously. By regularly assessing the impact of alternative data on business decisions, staying updated on regulatory changes and refining risk management strategies, businesses can properly balance innovation and compliance.

Think of alternative data as a valuable asset

A structured risk management approach helps ensure your organization uses alternative data ethically, responsibly and strategically. As the technology and regulatory landscapes evolve, agile leaders can stay ahead of compliance requirements and governance best practices. Your accountant can provide valuable guidance on how to integrate alternative data into your ERM strategy and position your company for long-term success.

Sidebar: COSO’s ERM framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in July 1985. It’s a joint initiative of the American Institute of Certified Public Accountants, Financial Executives International, Institute of Internal Auditors, American Accounting Association and Institute of Management Accountants.

COSO’s original goal was to combat fraudulent financial reporting, but its scope has expanded. Today, COSO’s Enterprise Risk Management — Integrated Framework is the cornerstone of modern risk management practices. COSO continuously updates its guidance to address emerging risks.

Implementing an enterprise risk management (ERM) framework helps managers anticipate risks and recognize that change creates opportunities, not simply the potential for crises. Internal control is just one small part of ERM. ERM may also encompass strategy setting, governance, stakeholder communications and performance measurement. These principles apply at all business levels, across all functions and to organizations of any size.
