
The Midwife of Risk Management

How a new-style professional group turned an amorphous concept into a must-have business process in only five years


The risk management framework developed and promoted by the Committee of Sponsoring Organizations (COSO) became the gold standard within a mere five years and popularized risk management as a vital business process. Its quick adoption was partly due to the structure of COSO, a “hybridized professional group” that incorporates the views of multiple professions, consultants, and academics, says Christie Hayne, a PhD student at Smith School of Business. In a study conducted with Clinton Free (University of New South Wales), Hayne showed how COSO positioned the framework as “integral to value creation” and used its wide network to win out against competing frameworks. COSO’s success may be a model for how management ideas are diffused in the years ahead.

Most new management ideas are like shooting stars, appearing out of nowhere and lighting up the sky before flaming out. Does anyone remember Theory X and Theory Y? But some concepts seem to win wide acceptance and become embedded in business consciousness. Risk management is a case in point. 

Growing out of the disorienting 1990s, risk management was a natural response to rapidly changing information technology upending business models, new forms of competition, emerging markets, deregulation, and crises du jour. The usual collection of consultants and academics advanced their own models on how to manage these risks but only one framework, developed by the innocuous-sounding Committee of Sponsoring Organizations (COSO), became the gold standard within a mere five years and popularized risk management as a must-follow business process. 

“The arrival of COSO’s enterprise risk management framework represents a major inflection point in the history of risk management throughout the world,” says Christie Hayne, a PhD student at Smith School of Business. “Enterprise Risk Management (ERM) increasingly defines the language of governance and senior management responsibility.”

Surveys have shown that out of a forest of some 80 risk management models, COSO’s version, while not markedly different from the others, is the overwhelming choice for designing and implementing ERM processes. 

Wanting to know how the COSO framework won out over the others, Hayne, working with Clinton Free of University of New South Wales, interviewed executives and consultants within and outside COSO and studied theories of how ideas are diffused. 

Business ideas tend to be advanced by management gurus, standardized by professional groups, and popularized by industry publishers. But COSO managed all three stages itself. Hayne says this is partly due to COSO’s structure as a “hybridized professional group,” a big tent that incorporates the views of multiple professions, consultants, and academics. COSO astutely exploited this network to both standardize and promote its ERM framework.

“The idea of a hybridized professional group isn’t something we can really look back on for examples,” says Hayne, “but I think it will be the way of the future.”

COSO's Hybrid Structure

Formed in 1985, COSO is a not-for-profit organization that develops governance-based frameworks and offers the latest thinking on internal controls. It was created by five major professional associations in the U.S.: American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Internal Auditors, and Association of Accountants and Financial Professionals in Business. Its membership includes professional accountants and auditors, organizational leaders and consultants, and professors who teach and research, drawn from around the world.

COSO initially made its mark with its internal control framework, which became popular in 2002 when the Sarbanes–Oxley Act was enacted in response to a series of accounting scandals in the U.S.

From the late 1990s, Hayne says, COSO could foresee a demand for “a credible set of practices to help organizations manage, monitor, and plan for risk extending beyond a narrow focus on internal controls.”

In 1999, COSO set out to create that framework by engaging the Big Four accounting firm PricewaterhouseCoopers (PwC) to lead, in a volunteer capacity, the development process. COSO also formed a Project Advisory Council to provide guidance, composed of nine consultants, university professors, and industry executives from across the U.S.

The Council’s composition was key, says Hayne. “Consultants offered an understanding of organizational challenges with risk management and the type of guidance likely to resonate in the corporate community. University professors offered familiarity with the emerging academic research in the field. And members from industry were able to speak to risk management challenges and needs, the stakes, and preferences of corporations.” 


The enterprise risk management framework that COSO released in 2004 was a delicate balancing act between offering direct guidance and allowing for adaptation in a wide range of organizational settings. Its “cube” framework defines eight processes to manage, monitor, and plan for risk across an entire organization. 

“The framework was claimed to be universally applicable,” Hayne says. “Individual firms from any industry or geography could tailor the framework to their needs. This ambiguity meant that organizations could easily adopt some of the framework’s prescriptions without getting lost in full implementation.”

COSO’s unique governance structure and links with key consultants, academics, and practitioners during the framework’s development phase also gave it an edge in reaching a wide audience of potential early adopters. COSO developed how-to guides and articles and its representatives hit the speaking circuit to talk up the framework. And having led its development, PwC helped to promote the framework to its vast client base by developing aligned corporate tools. 

Positioning the Cube

COSO was careful to position the ERM framework as “integral to value creation,” says Hayne. “The persuasive rhetoric underpinning the framework suggests that failure to implement a comprehensive risk management framework is both dangerous and futile. Risk is consistently positioned as a critical business problem, and investing resources into implementing COSO’s ERM is presented as a viable and sound solution.”

COSO clearly had the right product at the right time. Businesses were starting to take risk seriously but were looking for a comprehensive package and a common language to understand and speak about risk. “In 2004 organizations were finally aware and ready,” Hayne says. “Some of the frameworks released in the early 90s, I think organizations weren’t ready for them. They didn’t know what risk was and that it could be measured.”

Since then, COSO has kept its framework front and centre by publishing extensions and offering implementation guidance in order to continue to educate potential adopters.

To Hayne, COSO’s experience provides a lesson for other professional groups. “What characterizes COSO as an especially sound example of a hybridized professional group is that not only are members from various professional entities, but the substance of their day-to-day employment also varies widely. They are teaching, researching, consulting, auditing, setting standards, and working in industry. The activity of this group was central in explaining how COSO’s ERM became the preeminent framework for managing risk.”

Alan Morantz