Corporate Compliance Insights
How COSO Destroyed Risk Management

by James Bone
September 1, 2015
in Risk

“The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

The National Commission was sponsored jointly by five major professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). Wholly independent of each of the sponsoring organizations, the Commission included representatives from industry, public accounting, investment firms, and the New York Stock Exchange.

COSO’s goal is to provide thought leadership dealing with three interrelated subjects: enterprise risk management (ERM), internal control, and fraud deterrence.”

This excerpt has been taken directly from the COSO Internal Control – Integrated Framework, dated December 2011.

COSO has been adopted by regulators, industry and financial services as the “gold standard” along with its counterpart, ISO 31000, as a leading framework for designing, implementing and evaluating the effectiveness of internal control.  In 2004, COSO expanded its mandate to include Enterprise Risk Management – Integrated Framework and in its words, “In response to a need for principles-based guidance to help entities design and implement effective enterprise-wide approaches to risk management.”

COSO’s Enterprise Risk Management – Integrated Framework lists its keys to success as:

  1. Support from the top is a necessity
  2. Build ERM using incremental steps
  3. Focus initially on a small number of top risks
  4. Leverage existing resources
  5. Build on existing risk management activities
  6. Embed ERM into the business fabric of the organization
  7. Provide ongoing ERM updates and continuing education for directors and senior management

COSO further suggests the initial steps and objectives for embracing ERM:

  1. Seek Board and senior management leadership, involvement and oversight
  2. Select a strong leader to drive the ERM initiative
  3. Conduct the initial enterprise-wide risk assessment and develop an action plan
  4. Establish a management risk committee or working group
  5. Inventory the existing risk management practices
  6. Develop your initial risk reporting
  7. Develop the next phase of action plans and ongoing communications

COSO goes on to offer an example of a strategic risk profile using risk criteria such as likelihood, impact, velocity, readiness and priority to assess each strategic risk.

COSO moved beyond its role of suggesting a framework to giving advice on the role of who should be the Chief Risk Officer. “This person does not need to be a ‘CRO’ (Chief Risk Officer). Often, it is best to initially use existing resources, for example the Chief Audit Executive or Chief Financial Officer, for this role to get ERM started. This leader will not necessarily be the person to head ERM long term, but the person to get the initiative started and to take responsibility for moving the organization’s ERM activities to the next level.”

So what is the problem?

COSO has lost sight of its original mandate. It has drifted from a narrow focus on developing an internal controls framework, one designed to understand the causal factors that can lead to fraudulent financial reporting, to a broader and rather vague enterprise risk framework with little substance.

In the original framing of COSO’s internal controls framework, risk assessments are included as a means to evaluate the effectiveness of the controls designed to ensure financial reporting and disclosures.  COSO’s focus on risk-based assessments of internal controls and periodic monitoring of the effectiveness of financial internal controls is appropriate; however, this is also the place, intentionally or unintentionally, where the corruption of risk management began.  The first problem is a perennial one in business that is classically called “scope creep.”

Internal control design and monitoring is a critical safeguard for reducing or addressing the occurrence of fraudulent financial reporting.  Had the framers devoted research to the development of robust internal control design for the enterprise instead of the broad and wide-ranging outline of a framework of internal controls, the intent and application might have proven more effective.  COSO’s guidance is so generic and broad that even public accounting firms often fail to live up to the basic requirements advocated in its guidance.  The media is replete with examples of large, well-established firms who failed to properly disclose financial impropriety after successfully passing internal control attestations by management and their internal and external auditing teams.  Public accounting firms use the “reasonable assurance” defense to counter this argument, but there is more going on here.

COSO was not intended to become the de facto risk management framework that it has become known today.  In the early days of COSO, the nascent risk management community did not offer an effective alternative.  There were many examples of Wall Street firms attempting to develop position papers on risk management that never seemed to take hold or evolve into a framework that was adopted broadly.  This was, in part, because the attempts were focused on financial services risks, thereby limiting the appeal as an operating standard outside of the industry. Risk management, as we now understand it, is much bigger, more diverse and infinitely more complicated than a set of internal controls over financial reporting.

Charting a new path

COSO’s failure is due primarily to its narrow focus on internal controls as a risk management tool.  Internal controls should have been considered one leg of a four-legged approach to a comprehensive risk management framework.  Fundamentally, internal controls should be considered one of the foundational components of enterprise risk management.  What is missing in COSO, and broadly across risk management, are the other tools needed to execute ERM.  Risk management must include mechanisms to measure and quantify real risks.  The rise of quantitative analysts is the recognition that risk management is measurable and not simply assessed through the qualitative assessments advocated in COSO.

Secondly, the fraction of risks that are less understood or harder to measure is called uncertainty.  There are methods and tools to assess uncertainty which include probability analysis using a Monte Carlo simulation and/or regression analysis as a means to understand the distribution of risks that fall in the long tail of the bell curve.
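To make the Monte Carlo point concrete, here is a small simulation written for this edit (it is not from the article, from COSO, or from any named framework). It assumes a common quantitative-risk model: the number of loss events per year follows a Poisson distribution and the size of each loss follows a lognormal distribution, so that the simulated annual loss has the long tail the paragraph refers to. The parameters (two events per year, a median loss of 50,000, a dispersion of 1.2) are constructed sample values, not figures from the article.

```python
import math
import random
import statistics


def sample_poisson(rng, events_per_year):
    """Draw one Poisson-distributed event count (Knuth's method, fine for small rates)."""
    limit = math.exp(-events_per_year)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_annual_loss(events_per_year, median_loss, sigma, trials=10000, seed=42):
    """Simulate total annual loss across many trial years.

    Each trial year: draw how many loss events occur (Poisson), then draw the size
    of each event from a lognormal distribution with the given median and spread
    (sigma). The per-trial totals form the empirical annual-loss distribution.
    A fixed seed keeps the run reproducible.
    """
    rng = random.Random(seed)
    mu = math.log(median_loss)  # lognormal median == exp(mu)
    annual_losses = []
    for _ in range(trials):
        n_events = sample_poisson(rng, events_per_year)
        total = sum(rng.lognormvariate(mu, sigma) for _ in range(n_events))
        annual_losses.append(total)
    return annual_losses


def summarize(losses):
    """Return the mean plus tail percentiles; the gap between mean and p99 is the long tail."""
    ordered = sorted(losses)

    def percentile(q):
        index = min(len(ordered) - 1, int(q * len(ordered)))
        return ordered[index]

    return {
        "mean": statistics.fmean(ordered),
        "median": percentile(0.50),
        "p95": percentile(0.95),
        "p99": percentile(0.99),
        "max": ordered[-1],
    }


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose loss exceeds the threshold (one point on a loss-exceedance curve)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    # Constructed sample parameters: 2 events/year, median loss 50,000, sigma 1.2.
    losses = simulate_annual_loss(events_per_year=2.0, median_loss=50_000, sigma=1.2)
    stats = summarize(losses)
    for name, value in stats.items():
        print(f"{name:>6}: {value:>14,.0f}")
    print(f"P(annual loss > 500,000) = {exceedance_probability(losses, 500_000):.3f}")
```

The output a practitioner cares about is not the mean but the distance between the mean and the 95th/99th percentiles: that distance is the uncertainty a qualitative likelihood-times-impact score cannot express, and the exceedance probability at a chosen threshold is what a board can compare against its risk appetite.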

Lastly, the area that is least understood is the concept of human decision making under uncertain conditions, which could serve as fertile ground for discussions with senior management and the Board of Trustees as a tool for oversight and monitoring.  These four components of ERM must replace COSO and become a true unifying construct for managing the complexity and diversity of risks we now face.  Internal controls, quantitative risk analysis, probability analysis and decision support tools are the four legs of ERM.

These concepts are not new.  In fact, big thinkers such as Frank Knight, Herbert Simon and Dan Kahneman researched and advocated for these ideas and approaches at the turn of the 20th century.  However, the accounting and risk management community has largely ignored this rich body of research; that is, until more recently.  Knight, Simon and Kahneman recognized that making decisions under uncertain conditions is the largest contributor to risk an organization faces.  Their research directs us to take a multidisciplinary approach, not some mechanical internal controls process that does not truly inform the Board or senior management about the complexity of risks faced by today’s organization.

COSO’s contributions should not be ignored or minimized, but recognized for coalescing focus and attention on enterprise risk management. Now it is time for risk management practitioners to take the lead in developing innovations in ERM using a multidisciplinary approach to building an effective framework that is as dynamic as the risks it must manage.


Tags: COSO
James Bone

James Bone’s career has spanned 29 years of management, financial services and regulatory compliance risk experience with Frito-Lay, Inc., Abbot Labs, Merrill Lynch, and Fidelity Investments. James founded Global Compliance Associates, LLC and TheGRCBlueBook in 2009 to consult with global professional services firms, private equity investors, and risk and compliance professionals seeking insights in governance, risk and compliance (“GRC”) leading practices and best in class vendors. James is a frequent speaker at industry conferences and contributing writer for Compliance Week and Corporate Compliance Insights and serves as faculty presenter and independent consultant for several global consulting firms specializing in governance, risk and compliance, IT compliance and the GRC vendor market. James created TheGRCBlueBook.com to provide risk and compliance professionals with transparency into the GRC vendor marketplace by creating a forum for writing reviews on GRC products and sharing success stories on the risk practices that are most effective. James is currently attending Harvard Extension School for a Master of Arts in Management with an emphasis in accounting and finance. James received an honorary PhD in Letters from Drury University in Springfield, Missouri and is a member of the Breech Business School Hall of Fame as well as the Missouri Sports Hall of Fame. Having graduated from the Boston University Graduate School of Education, James received his M.Ed. in Management and Organizational Design in 1997 and a Bachelor of Arts in Business Administration from Drury University in 1980.  
