More to Risk Management Than COSO ERM


The authors of “ERM: Opportunities for Improvement” (Sept. 09, page 28) only discuss/reference the COSO ERM Framework.


The body of risk management knowledge includes many other sources, including lectures and books from recognized thought leaders, such as Robert Shiller, Nassim Taleb and others; at least 15 professional risk-related organizations such as the Casualty Actuarial Society, the Federation of European Risk Management Associations, the Global Association of Risk Professionals, and the Institute of Internal Auditors; and at least 15 other risk-related frameworks, including ISO 31000 and AS/NZS (Australian/New Zealand standard) 4360:2004. The authors suggest a COSO-driven risk management process without any regard for this body of knowledge. Why?


These are some of the problems with the COSO ERM Framework:


  • It is 125 pages long as compared to 28 and 24 pages, respectively, for AS/NZS 4360:2004 and ISO 31000—too cumbersome for the average professional.
  • It uses lengthy paragraphs instead of easy-to-read bullets with far fewer words.
  • The ERM definition in the COSO framework is 62 words—missing commas with run-on sentences. It should be bulleted, at a minimum. Compare its verbose definition with that from ISO 31000: “All activities in an organization involve risks that must be managed. The risk management process aids decision making by taking account of uncertainty and the possibility of future events or circumstances (intended or unintended) and their effects on agreed objectives.” The definition in AS/NZS 4360:2004 is similarly easy to follow.
  • It contains in excess of 100 principles of an effective ERM system.
  • The upside of risk is not well-considered in the COSO framework, but it is considered in the other frameworks.
  • The application ERM book contains numerous examples that are unintegrated into one flowing case.


In the past several years we have witnessed an implosion of companies and wasted significant expenditures on excessive Sarbanes-Oxley implementation efforts and made little progress in implementing ERM in the United States. It is difficult to comprehend why an entire body of risk management knowledge has been ignored. In the end analysis, a company’s stakeholders pay the price for an inability of the various risk professions to “drive in unison” what is best for a company. Just as in many professions there is one voice that speaks for the profession, so do we need to have this for the risk profession.


We need a vast improvement in learning and sharing among the different risk organizations. It is time that COSO dropped its armor and began to network with the rest of the risk management community and vice versa. There are many individuals within an organization—both CPAs and non-CPAs—that are involved in the risk management process. Implementation of risk management practices in the United States should follow one of the two frameworks suggested above, while the COSO ERM Framework, unless rewritten, can perhaps still be used as a reference guide. Incidentally, ISO 31000 will be released in final form shortly after the new year.


Arnold H. Schanfield, CPA, CIA, CFE

Fort Lee, N.J.



Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


News quiz: Retirement planning, tax practice, and fraud risk

Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.