Hybridized professional groups and institutional work: COSO and the rise of enterprise risk management

https://doi.org/10.1016/j.aos.2014.05.002Get rights and content

Abstract

The rise of risk management represents one of the major organizational shifts of the past decade. This article examines the emergence and diffusion of the dominant standard in the field, the Enterprise Risk Management – Integrated Framework, first published by the Committee of Sponsoring Organizations in 2004. Drawing on a range of interviews with key stakeholders and an analysis of secondary materials, we find evidence of numerous forms of institutional work including theorizing, rhetorical appeals, mythologizing, constructing normative networks and educating. The diaspora of associated entities provided a key platform for advocating and promoting the ERM technology and provided a stable and influential network of support. Our analysis suggests that, as a large, multi-faceted hybridized professional group, COSO was able to bridge conventional diffusion categories of disruption, creation and maintenance. We argue that the notion of institutional work offers a useful lens for examining the diffusion of innovations in accounting research.

Introduction

Risk management is an idea that can be said to have arrived (Arena et al., 2010, Mikes, 2008, Power, 2007, Power, 2013, Spira and Page, 2003). As a practice, risk management and its associated accoutrements of risk frameworks, executive positions, committees and information systems, have been increasingly embraced by organizations across the globe. These changes represent a fundamental shift in ways of talking about, and dealing with, risk (Power, 2013). This paper examines a central development in the emergence of risk management, the rise of arguably the most widely invoked risk management framework in the world, the Committee of Sponsoring Organization’s Enterprise Risk Management – Integrated Framework (ERM-IF) published in 2004. Expanding on its earlier guidance on internal control, this model has become widely embedded into the risk management mainstream (see COSO, 2010b, Fraser et al., 2008, Power, 2007, Power, 2009), prompting Power (2007, p. 849) to describe the framework as “a world-level template for best practice.”

The advent of “new” management innovations has long been a focus of research in management including accounting (e.g., Bol and Moers, 2010, Busco and Quattrone, 2009, Chua and Taylor, 2008, Davila et al., 2009, Jones and Dugdale, 2002, Lapsley and Wright, 2004, Malmi, 1999, Qu and Cooper, 2011, Sharma et al., 2010; see also a recent special issue on management innovations in European Management Review, Spring 2013). Research on the topic has been theorized from a variety of different perspectives including diffusion theory (e.g., Rogers, 1995), actor network theory (e.g., Qu & Cooper, 2011), fads and fashions theory (e.g., Abrahamson, 1991), and organizational evolution perspectives (e.g., Scott, 2003). Recent research has focused attention on the relatively under-explored so-called “supply side” (Zahir ul Hassan & Vosselman, 2010) of the diffusion process, addressing the intriguing puzzle of how ‘sellers’ of innovations convince ‘buyers’ to invest considerable resources in innovations with uncertain benefits in the absence of a law or mandate requiring their use.

Drawing insights from the emerging literature on institutional work (e.g., Hwang and Colyvas, 2011, Lawrence and Suddaby, 2006, Lawrence et al., 2011, Perkmann and Spicer, 2008, Suddaby and Viale, 2011), this study specifically aims to examine the emergence and institutionalization of COSO’s ERM-IF. Adopting a qualitative research design, we interviewed a range of individuals directly involved in COSO’s Board and Project Advisory Council at the time the ERM-IF framework was devised, as well as the principal authors of the framework. We also interviewed individuals outside of the COSO groups (e.g., consultants, executives) that we felt would offer valuable insights into the process of diffusion. In total, we conducted 15 interviews with individuals important to COSO and the ERM-IF. We also consulted a large body of secondary materials to provide further evidence and substantiate findings.

This article makes two key contributions. First, it presents an account of the mechanisms and processes that gave rise to the formation of COSO’s ERM model, which has become the dominant risk management model in North America and beyond. We detail how COSO engaged in a comprehensive project of institutional work comprised of political, cultural and technical activities (Lawrence and Suddaby, 2006, Perkmann and Spicer, 2008). Drawing upon taxonomies developed in the area of institutional work, we illustrate the varied and overlapping forms of agency that enabled COSO’s ERM-IF to successfully institutionalize. Recent research in the area of institutional work augments and extends institutional theory, a perspective which has wide currency in accounting research. While others have focused on particular categories of institutional work (e.g., Goretzki, Strauss, & Weber, 2013), we adopt a holistic approach to illustrate the wide ambit of work required to successfully diffuse a new managerial technology. We demonstrate that COSO’s institutional work was marked by non-sequential, often serendipitous, actions that acted to overlap and reinforce each other. To the best of our knowledge, this article is the first to fully elaborate the notion of institutional work in accounting research.

Second, we present a more fully articulated conception of the actors involved in the supply side of a management innovation. Specifically, we draw attention to the notion of hybridized professional groups, reflecting the way that COSO was able to draw importantly from the social and cultural capital, networks and resources of its members in disseminating the emerging model. Miller, Kurunmaki, and O’Leary (2008) argue that existing literature has largely neglected the hybrid practices, processes and expertises that make possible lateral information flows and coordination across the boundaries of organizations, firms, and groups of experts or professionals. While others have argued for a marked division of labor in theorizing and diffusing new technologies (for example, Scarbrough (2002) argues that professional groups tend to fulfill theorization roles in the shaping of a management fashion while consultants fulfill the diffusion side), we demonstrate that a more distributed but cohesive group of actors – comprised of accountants, auditors, academics, researchers and consultants – was able to perform multiple roles and effectively support both the development and preservation of the concept.

This article is structured as follows. In the next section, we briefly review literature on the diffusion of new management innovations. This precedes an overview of COSO’s ERM-IF and a discussion of the theoretical framework of the paper, focusing on the notion of institutional work. After outlining our research method, we then follow the construction and diffusion of COSO’s ERM-IF as the preeminent enterprise risk management framework in the world, focusing in particular on the institutional work performed by COSO. The final sections of the paper discuss the implications of our findings, summarize the contribution of our research, and conclude with directions for future research.

Section snippets

The diffusion of “new” management innovations

Many researchers have observed that management innovations – including ISO standards (Corbett & Kirsch, 2001), product development management control systems (Davila et al., 2009), activity-based costing (Malmi, 1999), total quality management (Sharma et al., 2010), performance-based incentives (Bol & Moers, 2010) and the balanced scorecard (Busco and Quattrone, 2009, Qu and Cooper, 2011) – have swept across a broad range of industrial sectors in the past two decades (Abrahamson and Fairchild,

Method

In light of the emerging state of the field and the phenomena under examination, field research comprising semi-structured interviews is appropriate for this study (Edmondson & McManus, 2007). Table 2 below comprises a list of all interview participants. Specifically, we conducted 15 in-depth semi-structured interviews with 13 individuals from various locations in Canada and the United States between May 2010 and September 2012.

COSO as a disruptor

In the early 1990s, internal control grew to become an important business issue and a key concern for a variety of business stakeholders. This growing interest is reflected in the publication of the Financial Aspects of Corporate Governance (commonly known as “The Cadbury Report”) by the Cadbury Committee in the UK in 1992, the Internal Control – Integrated Framework (IC-IF) by COSO in 1992, the King Report on Corporate Governance by the King Committee on Corporate Governance in South Africa in

COSO as a creator

Based on the recommendations from the consulting team in 2000 to create a risk framework, COSO’s Board engaged Big-4 accounting firm PricewaterhouseCoopers (PwC) to lead and author the framework.12 As one consultant in the field reflected:

In effect, what PwC was

COSO as a maintainer

By 2004 then, COSO had created a fully articulated framework, and was equipped with a solid reputation as a “thought leader”

Discussion

Our data highlights the critical roles played by COSO in the emergence and institutionalization of their ERM-IF. Commencing with disruption, the devolution of internal control led to an interest in risk; the inadequacies and failures of internal control systems created a space for the acceptance of risk logics. Within these new logics, a key element of the institutional work performed by actors within COSO was the way that the existing IC-IF model was problematized as insufficient to deal with

Conclusion

The arrival of COSO’s ERM-IF represents a major inflection point in the history of risk management throughout the world; ERM increasingly defines the language of governance and senior management responsibility. Since its release in 2004, COSO’s ERM-IF has had a significant impact on business practice. In a survey that asked respondents if they read specific publications related to risk and if so, to what extent did they read them, COSO’s ERM-IF was read by 74% of respondents and was also rated

Acknowledgements

We would like to thank Steven Salterio, Pamela Murphy, Paul Andon and Bertrand Malsch for their helpful comments and suggestions. We would also like to thank participants at the 2013 Alternative Accounts Conference as well as workshops at the Queen’s School of Business and the University of New South Wales. Financial support provided by the CPA-Queen’s Centre for Governance is gratefully acknowledged.

References (123)

  • I. Lapsley et al.

    The diffusion of management accounting innovations in the public sector: A research agenda

    Management Accounting Research

    (2004)
  • T. Malmi

    Activity-based costing diffusion across organizations: An exploratory empirical analysis of Finnish firms

    Accounting, Organizations and Society

    (1999)
  • A. Mikes

    Risk management and calculative cultures

    Management Accounting Research

    (2009)
  • P. Miller et al.

    Accounting, hybrids and the management of risk

    Accounting, Organizations and Society

    (2008)
  • M.E. Oliverio

    Internal control – Integrated framework: Who is responsible?

    Critical Perspectives on Accounting

    (2001)
  • M. Power

    The risk management of nothing

    Accounting, Organizations and Society

    (2009)
  • M. Power

    The apparatus of fraud risk

    Accounting, Organizations and Society

    (2013)
  • T. Aabo et al.

    The rise and evolution of the chief risk officer: Enterprise risk management

    Journal of Applied Corporate Finance

    (2005)
  • E. Abrahamson

    Managerial fads and fashions: The diffusion and rejection of innovations

    The Academy of Management Review

    (1991)
  • E. Abrahamson et al.

    Management fashion: Lifecycles, triggers, and collective learning processes

    Administrative Science Quarterly

    (1999)
  • E. Abrahamson et al.

    Knowledge industries and idea entrepreneurs: New dimensions of innovative products, services, and organizations

  • AICPA Board of Directors

    Meeting the financial reporting needs of the future: A public commitment from the public accounting profession

    Journal of Accountancy

    (1993)
  • D. Altheide

    Notes towards a politics of fear

    Journal for Crime, Conflict and the Media

    (2003)
  • Anonymous

    How strong is your safety net?

    Financial Executive

    (1997)
  • Anonymous

    News digest

    Journal of Accountancy

    (2004)
  • M. Beasley et al.

    Information conveyed in hiring announcements of senior executives overseeing enterprise-wide risk management processes

    Journal of Accounting, Auditing & Finance

    (2008)
  • J. Benders et al.

    What’s in a fashion? Interpretative viability and management fashions

    Organization

    (2001)
  • P.L. Bernstein

    The new religion of risk management

    Harvard Business Review

    (1996)
  • T. Bjornenak et al.

    Unbundling management accounting innovations

    Management Accounting Research

    (1999)
  • F. Blacker et al.

    Institutional reform and the reorganization of family support services

    Organization Studies

    (2006)
  • S. Bort et al.

    Fashion in organization theory: An empirical analysis of the diffusion of theoretical concepts

    Organization Studies

    (2011)
  • Bridge, M., & Moss, I. (2003). COSO back in the limelight: Good practice for any organization, critical for SEC...
  • Busco, C., & Quattrone, P. (2009). How management practices diffuse: The balanced scorecard as a rhetorical machine....
  • C. Chapman

    Bringing ERM into focus

    The Internal Auditor

    (2003)
  • P.B. Chenok

    Fifteen years of meeting the challenges

    Journal of Accountancy

    (1995)
  • T. Clark

    The fashion of management fashion: A surge too far?

    Organization

    (2004)
  • T. Clark et al.

    Telling tales: Management gurus’ narratives and the construction of managerial identity

    Journal of Management Studies

    (1998)
  • C.J. Corbett et al.

    International diffusion of ISO 14000 certification

    Production and Operations Management

    (2001)
  • COSO (n.d.). About us. Committee of Sponsoring Organizations of the Treadway Commission....
  • COSO

    Internal control – Integrated framework

    (1994)
  • COSO

    Enterprise risk management – Integrated framework

    (2004)
  • COSO (2010a). Board risk oversight – A progress report: Where boards of directors currently stand in executing their...
  • COSO (2010b). COSO’s 2010 report on ERM: Current state of enterprise risk oversight and market perceptions of COSO’s...
  • COSO (2012). Enhancing board oversight: Avoiding judgment traps and biases by Steven M. Glover & Douglas F. Prawitt....
  • COSO (2013). Demystifying sustainability risk: Integrating the triple bottom line into an enterprise risk management...
  • G. Currie et al.

    Institutional work to maintain professional power: Recreating the model of medical professionalism

    Organization Studies

    (2012)
  • M. Dacin et al.

    Institutional theory and institutional change: Introduction to the special research forum

    The Academy of Management Journal

    (2002)
  • M. Delmas et al.

    The diffusion of voluntary international management standards: Responsible care, ISO 9000, and ISO 14001 in the chemical industry

    Policy Studies Journal

    (2008)
  • G. Delmestri

    Streams of inconsistent institutional influences: Middle managers as carriers of multiple identities

    Human Relations

    (2006)
  • A. Dennis

    The downside of good times

    Journal of Accountancy

    (2000)
  • Cited by (108)

    • Recoupling work beyond COSO: A longitudinal case study of Enterprise-wide Risk Management

      2022, Accounting, Organizations and Society
      Citation Excerpt :

      More research could provide clues as to the emergence of the risk management occupation at the field level and the role of field-level professions such as internal auditors and controllers in shaping “good practices” pertaining to ERM along with their interests. Preliminary evidence from existing literature (Hayne & Free, 2014; Spira & Page, 2003) and from Morpheus suggests that risk management was sponsored by internal auditors and controllers to reinvent control systems that came to be seen as outdated. However, our case suggests that the field quickly moved toward a sharp distinction between the functions of risk management, internal control, and internal auditing.

    View all citing articles on Scopus
    1

    Tel.: +1 613 533 6926; fax: +1 613 533 6589.

    View full text