Hybridized professional groups and institutional work: COSO and the rise of enterprise risk management
Introduction
Risk management is an idea that can be said to have arrived (Arena et al., 2010, Mikes, 2008, Power, 2007, Power, 2013, Spira and Page, 2003). As a practice, risk management and its associated accoutrements of risk frameworks, executive positions, committees and information systems, have been increasingly embraced by organizations across the globe. These changes represent a fundamental shift in ways of talking about, and dealing with, risk (Power, 2013). This paper examines a central development in the emergence of risk management, the rise of arguably the most widely invoked risk management framework in the world, the Committee of Sponsoring Organization’s Enterprise Risk Management – Integrated Framework (ERM-IF) published in 2004. Expanding on its earlier guidance on internal control, this model has become widely embedded into the risk management mainstream (see COSO, 2010b, Fraser et al., 2008, Power, 2007, Power, 2009), prompting Power (2007, p. 849) to describe the framework as “a world-level template for best practice.”
The advent of “new” management innovations has long been a focus of research in management including accounting (e.g., Bol and Moers, 2010, Busco and Quattrone, 2009, Chua and Taylor, 2008, Davila et al., 2009, Jones and Dugdale, 2002, Lapsley and Wright, 2004, Malmi, 1999, Qu and Cooper, 2011, Sharma et al., 2010; see also a recent special issue on management innovations in European Management Review, Spring 2013). Research on the topic has been theorized from a variety of different perspectives including diffusion theory (e.g., Rogers, 1995), actor network theory (e.g., Qu & Cooper, 2011), fads and fashions theory (e.g., Abrahamson, 1991), and organizational evolution perspectives (e.g., Scott, 2003). Recent research has focused attention on the relatively under-explored so-called “supply side” (Zahir ul Hassan & Vosselman, 2010) of the diffusion process, addressing the intriguing puzzle of how ‘sellers’ of innovations convince ‘buyers’ to invest considerable resources in innovations with uncertain benefits in the absence of a law or mandate requiring their use.
Drawing insights from the emerging literature on institutional work (e.g., Hwang and Colyvas, 2011, Lawrence and Suddaby, 2006, Lawrence et al., 2011, Perkmann and Spicer, 2008, Suddaby and Viale, 2011), this study specifically aims to examine the emergence and institutionalization of COSO’s ERM-IF. Adopting a qualitative research design, we interviewed a range of individuals directly involved in COSO’s Board and Project Advisory Council at the time the ERM-IF framework was devised, as well as the principal authors of the framework. We also interviewed individuals outside of the COSO groups (e.g., consultants, executives) that we felt would offer valuable insights into the process of diffusion. In total, we conducted 15 interviews with individuals important to COSO and the ERM-IF. We also consulted a large body of secondary materials to provide further evidence and substantiate findings.
This article makes two key contributions. First, it presents an account of the mechanisms and processes that gave rise to the formation of COSO’s ERM model, which has become the dominant risk management model in North America and beyond. We detail how COSO engaged in a comprehensive project of institutional work comprised of political, cultural and technical activities (Lawrence and Suddaby, 2006, Perkmann and Spicer, 2008). Drawing upon taxonomies developed in the area of institutional work, we illustrate the varied and overlapping forms of agency that enabled COSO’s ERM-IF to successfully institutionalize. Recent research in the area of institutional work augments and extends institutional theory, a perspective which has wide currency in accounting research. While others have focused on particular categories of institutional work (e.g., Goretzki, Strauss, & Weber, 2013), we adopt a holistic approach to illustrate the wide ambit of work required to successfully diffuse a new managerial technology. We demonstrate that COSO’s institutional work was marked by non-sequential, often serendipitous, actions that acted to overlap and reinforce each other. To the best of our knowledge, this article is the first to fully elaborate the notion of institutional work in accounting research.
Second, we present a more fully articulated conception of the actors involved in the supply side of a management innovation. Specifically, we draw attention to the notion of hybridized professional groups, reflecting the way that COSO was able to draw importantly from the social and cultural capital, networks and resources of its members in disseminating the emerging model. Miller, Kurunmaki, and O’Leary (2008) argue that existing literature has largely neglected the hybrid practices, processes and expertises that make possible lateral information flows and coordination across the boundaries of organizations, firms, and groups of experts or professionals. While others have argued for a marked division of labor in theorizing and diffusing new technologies (for example, Scarbrough (2002) argues that professional groups tend to fulfill theorization roles in the shaping of a management fashion while consultants fulfill the diffusion side), we demonstrate that a more distributed but cohesive group of actors – comprised of accountants, auditors, academics, researchers and consultants – was able to perform multiple roles and effectively support both the development and preservation of the concept.
This article is structured as follows. In the next section, we briefly review literature on the diffusion of new management innovations. This precedes an overview of COSO’s ERM-IF and a discussion of the theoretical framework of the paper, focusing on the notion of institutional work. After outlining our research method, we then follow the construction and diffusion of COSO’s ERM-IF as the preeminent enterprise risk management framework in the world, focusing in particular on the institutional work performed by COSO. The final sections of the paper discuss the implications of our findings, summarize the contribution of our research, and conclude with directions for future research.
The diffusion of “new” management innovations
Many researchers have observed that management innovations – including ISO standards (Corbett & Kirsch, 2001), product development management control systems (Davila et al., 2009), activity-based costing (Malmi, 1999), total quality management (Sharma et al., 2010), performance-based incentives (Bol & Moers, 2010) and the balanced scorecard (Busco and Quattrone, 2009, Qu and Cooper, 2011) – have swept across a broad range of industrial sectors in the past two decades (Abrahamson and Fairchild,
Method
In light of the emerging state of the field and the phenomena under examination, field research comprising semi-structured interviews is appropriate for this study (Edmondson & McManus, 2007). Table 2 below comprises a list of all interview participants. Specifically, we conducted 15 in-depth semi-structured interviews with 13 individuals from various locations in Canada and the United States between May 2010 and September 2012.
COSO as a disruptor
In the early 1990s, internal control grew to become an important business issue and a key concern for a variety of business stakeholders. This growing interest is reflected in the publication of the Financial Aspects of Corporate Governance (commonly known as “The Cadbury Report”) by the Cadbury Committee in the UK in 1992, the Internal Control – Integrated Framework (IC-IF) by COSO in 1992, the King Report on Corporate Governance by the King Committee on Corporate Governance in South Africa in
COSO as a creator
Based on the recommendations from the consulting team in 2000 to create a risk framework, COSO’s Board engaged Big-4 accounting firm PricewaterhouseCoopers (PwC) to lead and author the framework. As one consultant in the field reflected:
In effect, what PwC was
COSO as a maintainer
By 2004 then, COSO had created a fully articulated framework, and was equipped with a solid reputation as a “thought leader”
Discussion
Our data highlights the critical roles played by COSO in the emergence and institutionalization of their ERM-IF. Commencing with disruption, the devolution of internal control led to an interest in risk; the inadequacies and failures of internal control systems created a space for the acceptance of risk logics. Within these new logics, a key element of the institutional work performed by actors within COSO was the way that the existing IC-IF model was problematized as insufficient to deal with
Conclusion
The arrival of COSO’s ERM-IF represents a major inflection point in the history of risk management throughout the world; ERM increasingly defines the language of governance and senior management responsibility. Since its release in 2004, COSO’s ERM-IF has had a significant impact on business practice. In a survey that asked respondents if they read specific publications related to risk and if so, to what extent did they read them, COSO’s ERM-IF was read by 74% of respondents and was also rated
Acknowledgements
We would like to thank Steven Salterio, Pamela Murphy, Paul Andon and Bertrand Malsch for their helpful comments and suggestions. We would also like to thank participants at the 2013 Alternative Accounts Conference as well as workshops at the Queen’s School of Business and the University of New South Wales. Financial support provided by the CPA-Queen’s Centre for Governance is gratefully acknowledged.
References
- et al. Actor-networks and the diffusion of management accounting innovations: A comparative study. Management Accounting Research (2008)
- et al. The organizational dynamics of enterprise risk management. Accounting, Organizations and Society (2010)
- et al. Bundling and diffusion of management accounting innovations – The case of the balanced scorecard in Sweden. Management Accounting Research (2005)
- et al. The dynamics of incentive contracting: The role of learning in the diffusion process. Accounting, Organizations and Society (2010)
- et al. Designing management control in hybrid organizations: The role of path creation and morphogenesis. Accounting, Organizations and Society (2008)
- et al. ISO 26000 and supply chains – On the diffusion of the social responsibility standard. International Journal of Production Economics (2008)
- et al. The rise and rise of IFRS: An examination of IFRS diffusion. Journal of Accounting and Public Policy (2008)
- et al. Accounting, professions and regulation: Locating the sites of professionalization. Accounting, Organizations and Society (2006)
- et al. Reasons for management control systems adoption: Insights from product development systems choice by early-stage entrepreneurial companies. Accounting, Organizations and Society (2009)
- et al. An institutional perspective on the changes in management accountants’ professional role. Management Accounting Research (2013)
- The diffusion of management accounting innovations in the public sector: A research agenda. Management Accounting Research
- Activity-based costing diffusion across organizations: An exploratory empirical analysis of Finnish firms. Accounting, Organizations and Society
- Risk management and calculative cultures. Management Accounting Research
- Accounting, hybrids and the management of risk. Accounting, Organizations and Society
- Internal control – Integrated framework: Who is responsible? Critical Perspectives on Accounting
- The risk management of nothing. Accounting, Organizations and Society
- The apparatus of fraud risk. Accounting, Organizations and Society
- The rise and evolution of the chief risk officer: Enterprise risk management. Journal of Applied Corporate Finance
- Managerial fads and fashions: The diffusion and rejection of innovations. The Academy of Management Review
- Management fashion: Lifecycles, triggers, and collective learning processes. Administrative Science Quarterly
- Knowledge industries and idea entrepreneurs: New dimensions of innovative products, services, and organizations
- Meeting the financial reporting needs of the future: A public commitment from the public accounting profession. Journal of Accountancy
- Notes towards a politics of fear. Journal for Crime, Conflict and the Media
- How strong is your safety net? Financial Executive
- News digest. Journal of Accountancy
- Information conveyed in hiring announcements of senior executives overseeing enterprise-wide risk management processes. Journal of Accounting, Auditing & Finance
- What’s in a fashion? Interpretative viability and management fashions. Organization
- The new religion of risk management. Harvard Business Review
- Unbundling management accounting innovations. Management Accounting Research
- Institutional reform and the reorganization of family support services. Organization Studies
- Fashion in organization theory: An empirical analysis of the diffusion of theoretical concepts. Organization Studies
- Bringing ERM into focus. The Internal Auditor
- Fifteen years of meeting the challenges. Journal of Accountancy
- The fashion of management fashion: A surge too far? Organization
- Telling tales: Management gurus’ narratives and the construction of managerial identity. Journal of Management Studies
- International diffusion of ISO 14000 certification. Production and Operations Management
- Internal control – Integrated framework
- Enterprise risk management – Integrated framework
- Institutional work to maintain professional power: Recreating the model of medical professionalism. Organization Studies
- Institutional theory and institutional change: Introduction to the special research forum. The Academy of Management Journal
- The diffusion of voluntary international management standards: Responsible care, ISO 9000, and ISO 14001 in the chemical industry. Policy Studies Journal
- Streams of inconsistent institutional influences: Middle managers as carriers of multiple identities. Human Relations
- The downside of good times. Journal of Accountancy