More to Risk Management Than COSO ERM


The authors of “ERM: Opportunities for Improvement” (Sept. 09, page 28) only discuss/reference the COSO ERM Framework.


The body of risk management knowledge includes many other sources, including lectures and books from recognized thought leaders, such as Robert Shiller, Nassim Taleb and others; at least 15 professional risk-related organizations such as the Casualty Actuarial Society, the Federation of European Risk Management Associations, the Global Association of Risk Professionals, and the Institute of Internal Auditors; and at least 15 other risk-related frameworks, including ISO 31000 and AS/NZS (Australian/New Zealand standard) 4360:2004. The authors suggest a COSO-driven risk management process without any regard for this body of knowledge. Why?


These are some of the problems with the COSO ERM Framework:


  • It is 125 pages long as compared to 28 and 24 pages, respectively, for AS/NZS 4360:2004 and ISO 31000—too cumbersome for the average professional.
  • It uses lengthy paragraphs instead of easy-to-read bullets with far fewer words.
  • The ERM definition in the COSO framework is 62 words—missing commas with run-on sentences. It should be bulleted, at a minimum. Compare its verbose definition with that from ISO 31000: “All activities in an organization involve risks that must be managed. The risk management process aids decision making by taking account of uncertainty and the possibility of future events or circumstances (intended or unintended) and their effects on agreed objectives.” The definition in AS/NZS 4360:2004 is similarly easy to follow.
  • It contains in excess of 100 principles of an effective ERM system.
  • The upside of risk is not well-considered in the COSO framework, but it is considered in the other frameworks.
  • The application ERM book contains numerous examples that are unintegrated into one flowing case.


In the past several years we have witnessed an implosion of companies, wasted significant expenditures on excessive Sarbanes-Oxley implementation efforts, and made little progress in implementing ERM in the United States. It is difficult to comprehend why an entire body of risk management knowledge has been ignored. In the end analysis, a company’s stakeholders pay the price for an inability of the various risk professions to “drive in unison” what is best for a company. Just as in many professions there is one voice that speaks for the profession, so do we need to have this for the risk profession.


We need a vast improvement in learning and sharing among the different risk organizations. It is time that COSO dropped its armor and began to network with the rest of the risk management community and vice versa. There are many individuals within an organization—both CPAs and non-CPAs—who are involved in the risk management process. Implementation of risk management practices in the United States should follow one of the two frameworks suggested above, while the COSO ERM Framework, unless rewritten, can perhaps still be used as a reference guide. Incidentally, ISO 31000 will be released in final form shortly after the new year.


Arnold H. Schanfield, CPA, CIA, CFE

Fort Lee, N.J.
