How ERM Became a Product

James Bone
12 min read · Oct 15, 2020


Theorizing, Rhetorical Appeal, Mythologizing, Normative Networks & Educating

In 2014, the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, commissioned a study by the Australian School of Business at the University of New South Wales in Sydney, Australia, to interview members of its board, consultants and other advisers who had been instrumental in formalizing the Enterprise Risk Management Integrated Framework, and to document the institutional work COSO undertook to create ERM. Drawing on excerpts from that study, this article explains how COSO transformed ERM into a product to “inoculate it [COSO] from competition within the finance and accounting industries” and to dominate consulting in ERM practice.

Quote from COSO Board member: “It was a master stroke to double up on the same model look. It (COSO ERM-IF and Internal Controls- IF) has been successful for COSO, and people especially in the US, had bought into it.”

The researchers, Christie Hayne and Clinton Free, undertook the study to “examine the emergence and diffusion of the dominant ‘standard’ in the field, the 2004 Enterprise Risk Management Integrated Framework (ERM-IF)”, as evidence of a new form of institutional work involving five concepts, “theorizing, rhetorical appeals, mythologizing, constructive narrative networks and educating”, carried out through a diaspora of associated entities (COSO) that provided a key platform for advocating and promoting ERM.

A variety of management fads have emerged and faded into obscurity over the last 20-plus years, which is a testament to the longevity of COSO, formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative to study the causal factors that lead to fraudulent financial reporting. COSO is jointly made up of five major professional associations: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA).

The authors of the study wanted to examine how COSO convinced “buyers” to invest considerable resources in an innovation with “uncertain benefits” in the absence of any law or mandate requiring its use.

The researchers adopted a qualitative research design, interviewing 15 individuals who were directly involved in COSO’s Board and Project Advisory Council at the time the ERM-IF was developed. The interviewees were members of hybridized professional groups (HPG) designed to drive the promotion of ERM-IF and to create a platform for selling it. The HPG was tasked with the first of the five concepts, theorizing: comprised of accountants, auditors, academics, researchers and consultants with risk experience, it was charged with theorizing, that is, creating, the ERM-IF.

The researchers chose institutional theory as a basis for classifying COSO’s ERM-IF and for examining the institutional work of the HPG in promoting it. On the basis of this classification, the researchers described ERM-IF as “an innovation in accounting such as activity-based costing, the balanced score card, or risk-based auditing, which have generally been circumscribed to particular areas of management accounting, auditing or financial accounting.” This is not, however, how COSO’s ERM-IF is described publicly. COSO adopted the “language of risk” in its Internal Control-IF without defining the practice of risk management. In the summary of these findings we will explain why grounding ERM in institutional theory is also problematic.

One of the key surprises in the study was the wide acceptance of COSO’s ERM-IF and its commercial penetration. There is no legal mandate for COSO’s ERM-IF, yet it has found general acceptance beyond the 80 risk standards that exist around the globe. The goal of the researchers was to explain how COSO’s institutional work led to such wide acceptance.

Methodology used in the study

Fifteen in-depth, semi-structured interviews were conducted with 13 people from the United States and Canada between May 2010 and September 2012. Three of the interviews were conducted in person and the remaining 12 over the phone; each lasted approximately 60 minutes. All but one of the interviews were recorded to ensure accuracy, and five interviewees chose to remain anonymous. The names and organizations of the interviewees are listed in a chart in the study. Participants were recruited on the basis of their identification as key players who held authorship, guidance or oversight roles. A few participants were recommended to fill certain gaps or to challenge or confirm unexpected insights. Many of the participants had prior or current relationships with COSO; those who did not were deemed to have relevant industry or domain expertise. Table 1 in the study is particularly interesting.

The study of institutional work focused on how actors interact with, and influence, institutions. Three types of institutional work were identified: 1) disrupting; 2) creating; and 3) maintaining institutions. For example, “disrupting” involved undermining assumptions and beliefs. “Creating” involved theorizing, that is, creating abstract or generalized characterizations and causal relationships. And “maintaining” involved mythologizing, that is, creating and sustaining myths about an institution’s history.

Findings from the study — Competition for regulatory guidance became fierce

I. COSO Board members struggled to classify the organization in precise terms.

“COSO is kind of an odd organization, not just in terms of being a virtual organization but, you know, what is it? It’s not really a standard setter and yet it is kind of a standard setter. It’s not a company; it’s not a for-profit organization. And so I think, when COSO comes out with guidance, it carries a pretty unique credibility because you can’t attribute their actions to a profit motive per se.”

Note: COSO is a black box, according to Consultant #3 — “COSO is disarmingly mundane and leaves unspecified the identity of the organizations and imparts an almost faceless proceduralism to COSO’s activities.”

However, the researchers noted, “this innocuous acronym is not without effects as COSO allows profit seeking organizations to have effects through a non-profit. Indeed, though non-mandated, COSO’s standards have effectively seeded an entire economic ecology (spanning different professions and functions) that has underpinned the generation of billions of professional service fees.”

II. COSO played a disruptor role but had to respond to disruptors to its Internal Control-Integrated Framework

In the early 1990s, enhancements to internal controls became central to global business stakeholders. The Cadbury Report, commissioned by the Cadbury Commission in the UK, was published in 1992, closely followed by the COSO Internal Controls Integrated Framework, also in 1992, and the King Report on Corporate Governance in 1994 by the King Committee on Corporate Governance in South Africa. Canada followed with the Criteria of Control framework by the Canadian Institute of Chartered Accountants in 1995, and the London Stock Exchange in the UK published Internal Control: Guidance on the Combined Code (commonly known as the “Turnbull Report”) in 1999. Interestingly, the Turnbull Report in 1999 preceded COSO’s ERM-IF with guidance that extended beyond financial and internal controls to include risk management concepts.

COSO benefited from the implementation of the Sarbanes-Oxley Act of 2002, which resulted in widespread adoption of the Internal Controls-IF. SOX section 404, which mandates an internal control assessment and required organizations to enhance their internal controls, propelled the COSO IC-IF into position as the leading guidance. Even so, competitors were quick to point out that the COSO IC-IF was inadequate for addressing increasingly complex and diverse risks, and they publicly challenged the efficacy of focusing only on internal controls. In response, COSO had to develop an ERM framework to remain relevant among global competitors. But what would become of its core competency, the Internal Control-IF?

COSO had branded the IC-IF and did not want to lose its foundational standing. “There were some people who were looking ahead and saying ‘Okay, what’s the next step?’ We [COSO] have this internal control framework out here and now companies are using it, auditors are looking at internal controls. . .. What’s the next step in the evolution of things? What are outside parties interested in? They are interested in how you’re controlling things, but what’s at the core of that control framework? First, it’s identifying risk and then implementing controls to mitigate and control those risks. . .. So in a way, the COSO internal control framework was a rudimentary risk management framework,” according to one interviewee.

Officially, COSO ERM-IF does not replace the IC-IF, but COSO did pivot dramatically to a focus on ERM and the consulting opportunities that emerged with it. “COSO defended its institutional space by using their IC-IF as a springboard to create the ERM-IF with similar style/language and lower costs/risks of adoption. The logics of internal control were disrupted without formal intervention, and this paved the way for a new framework to emerge.” PricewaterhouseCoopers was hired by COSO to lead the transition, was then positioned as the international benchmark, and took the lead in consulting on ERM under the auspices of SOX and the reimagined ERM-IF. COSO returned to the hybridized professional groups (HPG) to begin cementing its leadership position.

The HPG, also known as the Project Advisory Council, was overseen by the COSO Board. “Reflecting on the ‘clout’ of the combined groups, (Interview 9) suggested that ‘it was their insight and their foresight in terms of being able to see the need [for the ERM-IF]’.”

COSO may have seen the need for ERM, but Sarbanes-Oxley created the opportunity. Timing is everything! “Moreover, the ‘independence’ of this expertise was widely believed by respondents to lend substantial credibility to the organization.” According to one reviewer, “COSO has carved out a unique kind of niche and credibility as being an independent body that has come out with the framework that ended up being very heavily influential. It’s seen as an organization that brings top experts and thinkers together to develop frameworks and there’s a lot of credibility that COSO brings to the table as an objective, independent organization that has had success and done good things in the past.”

COSO has been effective at cementing its position by engaging diverse communities in surveys, thought leadership articles, and revisions to its internal controls and ERM frameworks to keep pace with the proliferation of new regulation that started in 1999. Gramm-Leach-Bliley, the USA PATRIOT Act, the Bank Secrecy Act and Sarbanes-Oxley created unending demand. The rush to comply with the crush of regulation required external auditors to serve as supplemental staff for internal audit for many years, with audit and risk professionals moving between public accounting and internal audit organizations.

Ironically, COSO ERM-IF was ascending at the same time that a raft of fraud and business scandals exploded on the scene, many of which involved COSO’s clients. “Indeed, COSO’s ERM-IF (2004, p. v) is explicitly motivated in part by the observation that ‘the period of the framework’s development was marked by a series of high-profile business scandals and failures where investors, company personnel, and other stakeholders suffered tremendous loss’. These failures combined with catastrophic terrorist attacks (such as 9/11) and natural disasters generated substantial uncertainty. Numerous scholars have pointed to the way that this uncertainty and ‘politics of fear’ substantially fueled demand for effective innovations and tools to support decision making and be seen to be effectively managing.” Counterintuitively, business failure created new business opportunity for ERM.

COSO ERM-IF’s rudimentary risk framework made it easy to talk about risks and provided management with a standard against which to assess their own risk framework. It [ERM-IF] was simple to explain and was viewed as an extension of internal controls, but none of the interviewees were asked how effective ERM-IF was at mitigating risks. Perhaps that wasn’t the point, because even at the peak of adoption the ERM framework is still generating billions in consulting fees. COSO’s network of 654,000+ members across its five associations is massive and self-reinforcing, helping to ingrain the ERM framework across a diverse industry base. That is a lot of clout on the supply side of selling an institutional solution, with advisers across diverse disciplines promoting the COSO ERM-IF.

One interviewee stated, “I was invited to speak in Tokyo and I remember talking to the Minister of Economy . . . he said, ‘But you also have to understand that many Japanese businesses are already New York Stock Exchange traded and so whatever they hear is happening in the US, they want to do it’. He said, ‘Many others are New York Stock Exchange wannabes. So they’re not on the New York Stock Exchange yet, but they want to figure out what the best practices are in the US and then get ready and say that they’re already doing those practices . . . so that division is going to implement enterprise risk management or some COSO framework to make it look more relevant.’”

Yet, even with all this success, not everyone within COSO’s own ranks was on board with its ERM-IF. “Some accounting firms were fairly responsive to it [COSO’s ERM-IF] and kind of did similar to us [PwC], kind of developed methodologies and things to go deliver services around it. There was also some who felt that they could build a better mousetrap or already had a better mousetrap.” “There are a lot of mouths to feed and we were out hawking for work like everyone else. And COSO was a name that people knew … Sure most of the big players refined this to develop their own proprietorial tools, but the COSO model opened the door if you like.”

“Recently, the COSO Board has re-engaged in promoting COSO’s ERM-IF by publishing extensions, clarifications and implementation guidance in order to continue to educate existing and potential adopters. These reports also serve an important function of continuing to valorize success stories and best practices, while demonizing inadequate adoptions, failed implementations, and the inexorable growth of risk more generally. These ‘thought papers’ are identified in Table 5.”

ERM-IF has become a cash cow for COSO’s members and their consultants and academic advisers. More recently, however, several members of COSO have suffered significant missteps in Germany and the UK, with questions being raised about the relevance of financial reporting when external auditors appear to be conflicted or, at worst, active participants in fraud. A rash of bankruptcies in the U.S. caused by the Covid-19 pandemic and heavy debt loads has also started to reveal COSO’s Achilles Heel.

COSO’s Achilles Heel

> COSO’s own study has revealed many of its weaknesses. COSO’s ERM-IF is a risk framework in name only and is instead an innovation in management accounting, at best, reliant on user-compliance with some but not all of its enterprise risk guidance.

> COSO uses “mythologizing” to promote the benefits of ERM-IF but provides no road map for achieving its outcomes.

> COSO’s presumed “independence” is a fiction that was created as a platform to promote its product. “The COSO Board, Project Advisory Council and PwC authorship team held key roles in the promotional efforts and this promotion work was reinforced by the sponsoring organizations, other professional firms and various consulting groups.”

> COSO’s ERM-IF is founded on institutional theory and institutional work. Institutional theory is defined as the processes by which structures, including schemes, rules, norms, and routines, become established as authoritative guidelines for social behavior; it is drawn from social and organizational behavior, not from risk management principles.

> According to Scott (2008), institutional theory is “a widely accepted theoretical posture that emphasizes rational myths, isomorphism, and legitimacy.”[2] Researchers building on this perspective emphasize that a key insight of institutional theory is imitation: rather than necessarily optimizing their decisions, practices, and structures, organizations look to their peers for cues to appropriate behavior.[3][1]

> The study was designed to evaluate how COSO “diffused” institutional work broadly to become a leader in ERM consulting but failed to examine the effectiveness of its own framework in achieving its promised outcomes for its clients.

It is kind of like saying the operation was a success but the patient died!

Summary observations

> The codification of internal controls has been an important milestone in audit practice, but it has led to a focus on minutiae at the expense of clear guidance on the design of controls that mitigate risks effectively. “Compliance” is not a risk solution; it is merely the endpoint of control activities, not an understanding of the causes of risk that lead to failure.

> In the marketplace of ideas, COSO has a right to compete with other standard setters. The fact that COSO has been more successful at “diffusing” its framework than others may be less an indictment of COSO than a reflection of the sad state of risk management.

> Industry regulators and a broad community of audit, risk and information security professionals need a truly independent body that is not conflicted in its guidance. The Basel Capital Accord is an imperfect example of a global risk standard conceived to harmonize risk practice and address systemic financial risks in banking. The lessons learned battling systemic risks in financial markets have bolstered most banks against these risks, albeit with an impartial body of central bankers.

> Good risk management has never been more important, and a convergence of developments in technology (machine learning) with a cohort of sophisticated risk professionals with robust analytical skills will eventually lead to better risk practice. With that said, risk professionals deserve an independent global community dedicated to training, skills development and best practice, one that does not compete with its own community in the pursuit of assuring organizational excellence.

Read the study for yourself and draw your own conclusion.

[1] https://en.wikipedia.org/wiki/Institutional_theory
