More to Risk Management Than COSO ERM


The authors of “ERM: Opportunities for Improvement” (Sept. 09, page 28) only discuss/reference the COSO ERM Framework.


The body of risk management knowledge includes many other sources, including lectures and books from recognized thought leaders, such as Robert Shiller, Nassim Taleb and others; at least 15 professional risk-related organizations such as the Casualty Actuarial Society, the Federation of European Risk Management Associations, the Global Association of Risk Professionals, and the Institute of Internal Auditors; and at least 15 other risk-related frameworks, including ISO 31000 and AS/NZS (Australian/New Zealand standard) 4360:2004. The authors suggest a COSO-driven risk management process without any regard for this body of knowledge. Why?


These are some of the problems with the COSO ERM Framework:


  • It is 125 pages long as compared to 28 and 24 pages, respectively, for AS/NZS 4360:2004 and ISO 31000—too cumbersome for the average professional.
  • It uses lengthy paragraphs instead of easy-to-read bullets with far fewer words.
  • The ERM definition in the COSO framework is 62 words long, with missing commas and run-on sentences. It should be bulleted, at a minimum. Compare its verbose definition with that from ISO 31000: “All activities in an organization involve risks that must be managed. The risk management process aids decision making by taking account of uncertainty and the possibility of future events or circumstances (intended or unintended) and their effects on agreed objectives.” The definition in AS/NZS 4360:2004 is similarly easy to follow.
  • It contains in excess of 100 principles of an effective ERM system.
  • The upside of risk is not well-considered in the COSO framework, but it is considered in the other frameworks.
  • The ERM application book contains numerous examples that are not integrated into one flowing case.


In the past several years we have witnessed an implosion of companies, wasted significant expenditures on excessive Sarbanes-Oxley implementation efforts, and made little progress in implementing ERM in the United States. It is difficult to comprehend why an entire body of risk management knowledge has been ignored. In the final analysis, a company’s stakeholders pay the price for the inability of the various risk professions to “drive in unison” what is best for a company. Just as in many professions there is one voice that speaks for the profession, so we need to have this for the risk profession.


We need a vast improvement in learning and sharing among the different risk organizations. It is time that COSO dropped its armor and began to network with the rest of the risk management community, and vice versa. There are many individuals within an organization—both CPAs and non-CPAs—who are involved in the risk management process. Implementation of risk management practices in the United States should follow one of the two frameworks suggested above, while the COSO ERM Framework, unless rewritten, can perhaps still be used as a reference guide. Incidentally, ISO 31000 will be released in final form shortly after the new year.


Arnold H. Schanfield, CPA, CIA, CFE

Fort Lee, N.J.
