Hybridized professional groups and institutional work COSO and the rise of enterprise

Description
The rise of risk management represents one of the major organizational shifts of the past
decade. This article examines the emergence and diffusion of the dominant standard in
the field, the Enterprise Risk Management – Integrated Framework, first published by the
Committee of Sponsoring Organizations in 2004. Drawing on a range of interviews with
key stakeholders and an analysis of secondary materials, we find evidence of numerous
forms of institutional work including theorizing, rhetorical appeals, mythologizing, constructing
normative networks and educating. The diaspora of associated entities provided
a key platform for advocating and promoting the ERM technology and provided a stable
and influential network of support. Our analysis suggests that, as a large, multi-faceted
hybridized professional group, COSO was able to bridge conventional diffusion categories
of disruption, creation and maintenance. We argue that the notion of institutional work
offers a useful lens for examining the diffusion of innovations in accounting research.

Hybridized professional groups and institutional work: COSO
and the rise of enterprise risk management
Christie Hayne a,1, Clinton Free b,*
a School of Business, Goodes Hall, Queen’s University, Kingston, ON K7L 3N6, Canada
b Australian School of Business, University of New South Wales, Sydney 2052, Australia
0361-3682/© 2014 Elsevier Ltd. All rights reserved.
Accounting, Organizations and Society 39 (2014) 309–330
http://dx.doi.org/10.1016/j.aos.2014.05.002
Journal homepage: www.elsevier.com/locate/aos
* Corresponding author. Tel.: +612 9385 9705; fax: +612 9385 5925.
E-mail addresses: [email protected] (C. Hayne), c.free@unsw.edu.au (C. Free).
1 Tel.: +1 613 533 6926; fax: +1 613 533 6589.
Introduction
Risk management is an idea that can be said to have arrived (Arena, Arnaboldi, & Azzone, 2010; Mikes, 2008; Power, 2007, 2013; Spira & Page, 2003). As a practice, risk management and its associated accoutrements of risk frameworks, executive positions, committees and information systems, have been increasingly embraced by organizations across the globe. These changes represent a fundamental shift in ways of talking about, and dealing with, risk (Power, 2013). This paper examines a central development in the emergence of risk management, the rise of arguably the most widely invoked risk management framework in the world, the Committee of Sponsoring Organization’s Enterprise Risk Management – Integrated Framework (ERM-IF) published in 2004. Expanding on its earlier guidance on internal control, this model has become widely embedded into the risk management mainstream (see COSO, 2010b; Fraser, Schoening-Thiessen, & Simkins, 2008; Power, 2007, 2009), prompting Power (2007, p. 849) to describe the framework as “a world-level template for best practice.”
The advent of “new” management innovations has long been a focus of research in management including accounting (e.g., Bol & Moers, 2010; Busco & Quattrone, 2009; Chua & Taylor, 2008; Davila, Foster, & Li, 2009; Jones & Dugdale, 2002; Lapsley & Wright, 2004; Malmi, 1999; Qu & Cooper, 2011; Sharma, Lawrence, & Lowe, 2010; see also a recent special issue on management innovations in European Management Review, Spring 2013). Research on the topic has been theorized from a variety of different perspectives including diffusion theory (e.g., Rogers, 1995), actor network theory (e.g., Qu & Cooper, 2011), fads and fashions theory (e.g., Abrahamson, 1991), and organizational evolution perspectives (e.g., Scott, 2003). Recent research has focused attention on the relatively under-explored so-called “supply side” (Zahir ul Hassan & Vosselman, 2010) of the diffusion process, addressing the intriguing puzzle of how ‘sellers’ of innovations convince ‘buyers’ to invest considerable resources in innovations with uncertain benefits in the absence of a law or mandate requiring their use.
Drawing insights from the emerging literature on institutional work (e.g., Hwang & Colyvas, 2011; Lawrence & Suddaby, 2006; Lawrence, Suddaby, & Leca, 2011; Perkmann & Spicer, 2008; Suddaby & Viale, 2011), this study specifically aims to examine the emergence and institutionalization of COSO’s ERM-IF. Adopting a qualitative research design, we interviewed a range of individuals directly involved in COSO’s Board and Project Advisory Council at the time the ERM-IF framework was devised, as well as the principal authors of the framework. We also interviewed individuals outside of the COSO groups (e.g., consultants, executives) that we felt would offer valuable insights into the process of diffusion. In total, we conducted 15 interviews with individuals important to COSO and the ERM-IF. We also consulted a large body of secondary materials to provide further evidence and substantiate findings.
This article makes two key contributions. First, it presents an account of the mechanisms and processes that gave rise to the formation of COSO’s ERM model, which has become the dominant risk management model in North America and beyond. We detail how COSO engaged in a comprehensive project of institutional work comprised of political, cultural and technical activities (Lawrence & Suddaby, 2006; Perkmann & Spicer, 2008). Drawing upon taxonomies developed in the area of institutional work, we illustrate the varied and overlapping forms of agency that enabled COSO’s ERM-IF to successfully institutionalize. Recent research in the area of institutional work augments and extends institutional theory, a perspective which has wide currency in accounting research. While others have focused on particular categories of institutional work (e.g., Goretzki, Strauss, & Weber, 2013), we adopt a holistic approach to illustrate the wide ambit of work required to successfully diffuse a new managerial technology. We demonstrate that COSO’s institutional work was marked by non-sequential, often serendipitous, actions that acted to overlap and reinforce each other. To the best of our knowledge, this article is the first to fully elaborate the notion of institutional work in accounting research.
Second, we present a more fully articulated conception of the actors involved in the supply side of a management innovation. Specifically, we draw attention to the notion of hybridized professional groups, reflecting the way that COSO was able to draw importantly from the social and cultural capital, networks and resources of its members in disseminating the emerging model. Miller, Kurunmaki, and O’Leary (2008) argue that existing literature has largely neglected the hybrid practices, processes and expertises that make possible lateral information flows and coordination across the boundaries of organizations, firms, and groups of experts or professionals. While others have argued for a marked division of labor in theorizing and diffusing new technologies (for example, Scarbrough (2002) argues that professional groups tend to fulfill theorization roles in the shaping of a management fashion while consultants fulfill the diffusion side), we demonstrate that a more distributed but cohesive group of actors – comprised of accountants, auditors, academics, researchers and consultants – was able to perform multiple roles and effectively support both the development and preservation of the concept.
This article is structured as follows. In the next section, we briefly review literature on the diffusion of new management innovations. This precedes an overview of COSO’s ERM-IF and a discussion of the theoretical framework of the paper, focusing on the notion of institutional work. After outlining our research method, we then follow the construction and diffusion of COSO’s ERM-IF as the preeminent enterprise risk management framework in the world, focusing in particular on the institutional work performed by COSO. The final sections of the paper discuss the implications of our findings, summarize the contribution of our research, and conclude with directions for future research.
The diffusion of “new” management innovations
Many researchers have observed that management innovations – including ISO standards (Corbett & Kirsch, 2001), product development management control systems (Davila et al., 2009), activity-based costing (Malmi, 1999), total quality management (Sharma et al., 2010), performance-based incentives (Bol & Moers, 2010) and the balanced scorecard (Busco & Quattrone, 2009; Qu & Cooper, 2011) – have swept across a broad range of industrial sectors in the past two decades (Abrahamson & Fairchild, 1999; Alcouffe, Berland, & Levant, 2008; Bort & Kieser, 2011; Jackson, 2001). In broad terms, diffusion refers to the process by which an innovation is communicated through certain channels over time among the members of a social system (Rogers, 1995). The general topic of innovation has inspired vast amounts of research, theorizing and speculation in recent decades (as early as 1978, Kelly and Kranzberg reviewed more than 4000 items in the literature on technological innovation alone).
A wide range of studies have examined the factors that support the demand for management innovations. The phenomenon of management ‘fads’ and ‘fashions’ has inspired a large body of research, prompting some commentators to question whether management fashions research itself has become the next academic fad (Clark, 2004). The social and organizational functions of management innovations are generally related to reducing uncertainty, insecurity, ambiguity and imperfection (Mazza & Alvarez, 2000) and providing managers with an image of innovativeness (Kieser, 1997) or even heroism (Clark & Salaman, 1998). Somewhat paradoxically, this is often achieved through the use of concepts that are of high linguistic ambiguity (Benders & Van Veen, 2001).
More recent work has focused on the so-called “supply-side” of innovation by examining the processes through which a network of different actors including consultants (Qu & Cooper, 2011), business school academics and management gurus (Huczynski, 1993; Jones & Dugdale, 2002), CFOs (Naranjo-Gil, Maas, & Hartmann, 2009), publishers, managers and other intermediaries promote business ideas. Jones and Dugdale (2002) highlight the key role of consultants (rather than academics or professional associations) in the construction of activity-based costing and associated ideas (e.g., activity-based management and activity-based budgeting) that served to create an “ABC bandwagon”. They describe a complex diffusion process that was the result of a complicated entanglement of actors (primarily consultants but also academics and professional associations) and intermediaries (e.g., documents, journals, computer software), in addition to inscriptions, events and circumstances. Qu and Cooper (2011) examine the role of textual and graphical inscriptions more closely and demonstrate that these inscriptions serve as important consultant-client negotiation devices. Researchers elsewhere have added another dimension to diffusion research by investigating the way that management control innovations have been bundled with other proven technologies to further enhance diffusion (e.g., Ax & Bjornenak, 2005; Bjornenak & Olson, 1999; Modell, 2009).
A recurring theme in recent diffusion research has been a focus on the spread of standards that explicitly formulate general rules defining and regulating activity (Mendel, 2002). In broad terms, standards can be generated as a result of formal regulatory processes (such as legislative safety requirements), de facto processes (such as product specifications gaining predominant market share) or through a voluntary consensus process (Mendel, 2002). An emerging stream of research has focused on the diffusion of a range of voluntary managerial standards, which lack an official mandate, including standards issued by the International Organization for Standardization (ISO) such as ISO 26000 (Castka & Balzarova, 2008), ISO 9000 (Guler, Guillén, & Macpherson, 2002), ISO 14001 (King, Lenox, & Terlaak, 2005), the environmental standard Responsible Care (Delmas & Montiel, 2008), the responsible investment index FTSE4Good (Slager, Gond, & Moon, 2012) and AACSB educational certification standards (Durand & McGuire, 2005).
Research in the area has focused attention on the role of distributed agency as well as the impact of regulatory context. Durand and McGuire (2005) demonstrate that standard making organizations expand their remit in response to both selection pressure and the desire to maintain their legitimacy. They emphasize the contribution of intermediaries, such as NGOs and consultants, in institutionalizing standards. Similarly, Slager et al. (2012) emphasize the distributed, continuous agency of a wide range of actors in the emergence of the FTSE4Good index, including “new actors who aid in the translating of the standard’s requirements for actors seeking to adopt it” (p. 784). Drawing greater attention to regulatory context, Chua and Taylor (2008) conjecture that the diffusion of international financial reporting standards (IFRS) was promoted via its sponsorship from powerful interest groups and regulators largely because of the broad international character (rather than a uniquely ‘American’ feel), and also because of the plasticity of the principles which allow for local customization and translation (compared to rigid rules).
In summary, work to date provides ample evidence of the coordinated efforts of key parties in a market or area in the diffusion of innovations in management. Research is less clear, however, about the way that voluntary managerial standards such as COSO’s ERM-IF are constructed and maintained. Although the regulatory power of such standards is widely acknowledged, little attention has been given to the purposive activities that underlie the process of standard making and promoting. The regulatory power of standards does not, of course, appear out of nowhere, but derives importantly from the institutional work undertaken by various actors. However, as Slager et al. (2012, p. 765) conclude, “the activities within the standard making organizations are usually not considered as these organizations tend to be treated as a ‘black box.’” Since the mid-1990s, risk management has entered private and public sector management thinking to become an organizing concept as never before (Power, 2004, 2007), with attendant standards and blueprints of best practice. The next section overviews the leading standard in this field, COSO’s ERM-IF.
COSO’s Enterprise Risk Management – Integrated Framework
Formed in 1985, the Committee of Sponsoring Organizations (COSO) is a not-for-profit organization with a mission of providing thought leadership by developing governance-based frameworks and guidance.² Active in the three related areas of fraud deterrence, internal control and risk management, COSO’s ERM-IF model is one of its best known outputs. In contrast to highly quantitative risk metrics based approaches, COSO (2004, p. 2) defines enterprise risk management (ERM) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” ERM is thus presented as a standard and a comprehensive and holistic way for organizations to manage risks across the entire organization (Mikes, 2009; Pagach & Warr, 2010). As well as being widely implemented in practice, COSO’s ERM-IF has become a growing focus for a wide range of researchers and practitioners (e.g., Beasley, Pagach, & Warr, 2008; Desender, 2007; Fraser et al., 2008; Mikes, 2009; Pagach & Warr, 2010; Power, 2007, 2009; Power, Scheytt, Soin, & Sahlin, 2009).³
² The website for COSO can be found at www.coso.org
³ For a collection of recent work from academics and practitioners at the ERM Initiative see http://poole.ncsu.edu/erm.
Fig. 1 depicts COSO’s stylized ERM-IF cube, the major graphic associated with the tool. The cube was intentionally designed so that the three visible surfaces depict three important considerations to be made in ERM. The most prominent face consists of eight ideal-typical ERM processes organizations can employ to manage risk. Internal environment addresses the organization’s attitude toward risk; how an organization and its people view and address risk via ‘risk appetite’, values and management philosophy. Objective setting suggests that an organization must have goals and objectives in order to evaluate what risks might challenge successful goal attainment. Event identification refers to a comprehensive review of internal and external events that could either help (opportunities) or hinder (risks) goal attainment. Within risk assessment, identified risks are assessed for their likelihood of occurrence and potential for impact so that organizations can prioritize important risks. Risk response describes the process whereby management must decide whether to accept, avoid, minimize or share the risk based on the organization’s pre-determined risk appetite. Control activities ensure that the risk response steps are implemented effectively via various internal controls, policies and procedures. Continuous information and communication ensures that all parties associated with the risk management receive timely and relevant information. And, in keeping with the cybernetic systems logic, the monitoring component requires the entire process be constantly monitored and improved as necessary. The other dimensions of the cube speak to the breadth and wide application of this “new” management innovation.⁴ In this way, the cube design is intended to convey the flexibility and scalability of COSO’s prescriptions for risk management.
As it emerged, it became apparent that risk management was a canvas with a host of aspiring artists. Within the broad area of financial management, management accountants, internal auditors, external auditors, management consultants as well as a new and increasingly visible body of risk managers (see Aabo, Fraser, & Simkins, 2005; Hall, Mikes, & Millo, 2013) all sought to stake a claim as the concept opened up opportunities for applied use. In effect, this made risk management different from other innovations in accounting such as activity-based costing, the balanced scorecard or risk-based auditing, which have generally been circumscribed to particular areas of management accounting, auditing or financial accounting. In this sense, COSO’s ERM-IF is an innovation that is remarkable in its breadth (contested by a range of sub-disciplines) and commercial penetration (applied throughout the world). While there is no legal mandate for its use, it nevertheless has attracted normative force. While Olson and Wu (2008) claim that there are over 80 risk management standards across the globe,⁵ research has consistently identified COSO ERM-IF as the best known (Fraser et al., 2008) and most widely diffused risk management standard (COSO, 2010b). The institutional work that has facilitated this rise is thus an important object of scholarly attention.
Fig. 1. COSO’s enterprise risk management cube (reproduced from COSO, 2004, p. 7).
⁴ The top face of the cube lists four possible categories of objectives (i.e., strategic, operations, reporting and compliance) that can (but need not all) be included in implementing risk management. The third face identifies the potential units of an organization (i.e., subsidiary, business unit, division, and entity-level) that can (but need not all) be recipients of risk management implementation. A specific component can influence any number of other components, and further, adopters/implementers might move back and forth between some components before considering others (COSO, 2004).
⁵ Indeed, several international risk management standards pre-date the COSO framework including CAN/CSA-Q850-97 Risk Management: Guideline for Decision-Makers issued by the Canadian Standards Association in 1997 (62 pages); BS 6079-3:2000 Project Management: Guide to the Management of Business-related Project Risk issued by the British Standards Institution in 2000 (22 pages); JIS Q2001: 2001(E) Guidelines for Development and Importance of Risk Management Systems issued by the Japanese Standards Association in 2001 (20 pages); IEEE Standard 1540-2001 Standard for Software Life Cycle Processes – Risk Management issued by the American Institute of Electrical and Electronics Engineers in 2001 (24 pages); and AS/NZS 4360:2004 Risk Management issued jointly by Standards Australia/Standards New Zealand in 2004 (24 pages). Based on a wide ranging analysis of several standards, Raz and Hillson (2005) conclude that there is “wide consensus regarding the main steps and activities of a generic risk management process” (p. 65) and that “where there are apparent differences in process, these are largely attributable to variations in terminology” (p. 64).
From entrepreneurs to collectives: The emergence of institutional work
After prolonged criticism that traditional neo-institutional research has been remiss in addressing field-level change (Dacin, Goodstein, & Scott, 2002), ideas of change and agency were first introduced into the area of institutional theory in the form of institutional entrepreneurship (DiMaggio, 1988; Greenwood & Suddaby, 2006; Oliver, 1991). In place of the limited role of agency found in neo-institutional theory, institutional entrepreneurship conceives of actors as active influencers of institutional logics rather than passive bystanders. Maguire, Hardy, and Lawrence (2004) describe institutional entrepreneurs as actors that “leverage resources to create new institutions or to transform existing ones” (p. 657). They show that actors use a variety of strategies (e.g., compromise, manipulation) to pursue their own interests against the rigidity and resistance of institutions (see also Oliver, 1991). For some, however, accounts of institutional entrepreneurship have tended to be hagiographic and represent a bridge too far in asserting the heroic influence of individual agents (Delmestri, 2006; Lawrence, Suddaby, & Leca, 2009; Suddaby, 2010). As Lawrence et al. (2011, pp. 52–53) put it: “Missing from such grand accounts of institutions and agency are the myriad, day-to-day equivocal instances of agency that, although aimed at affecting the institutional order, represent a complex mélange of forms of agency – successful or not, simultaneously radical and conservative, strategic and emotional, full of compromises, and rife with unintended consequences.”
Research in the area of institutional work seeks to address this concern by recognizing that in many instances collectives of actors create, maintain, disrupt, challenge, adjust and transform institutions. The notion was first introduced by Lawrence and Suddaby (2006). They describe institutional work as the “purposive action of individuals and organizations aimed at creating, maintaining and disrupting institutions” (Lawrence & Suddaby, 2006, p. 215). Thus, the focus of institutional work is to examine how actors interact with, and influence, institutions. Lawrence and Suddaby identify three types of institutional work: work that (i) disrupts, (ii) creates and (iii) maintains institutions. Table 1 summarizes the types of work associated with each of these activities.
As illustrated in Table 1, multiple actors and varied forms of institutional work are necessary to institutionalize a management idea (Lawrence & Suddaby, 2006; Perkmann & Spicer, 2008). These categories of work can be mutually reinforcing and lead to a total reconfiguration of an institution. These various forms of institutional work – jockeying for political power, defining the normative structures, and cognitive appeals – underscore that the creation of an institution requires significant effort and skill from actors. Professional groups have been highlighted as particularly influential in reconfiguring or transforming fields and the institutions within them (Cooper & Robson, 2006; Greenwood, Suddaby, & Hinings, 2002; Lawrence & Suddaby, 2006; Perkmann & Spicer, 2008; Scott, 2008; Suddaby & Viale, 2011).
Actors directly influence the creation of new institutions by performing institutional work that disrupts existing ones (Hwang & Colyvas, 2011). Lawrence and Suddaby (2006, pp. 234–235) suggest that in organizational fields, there are often “actors whose interests are not served by existing institutional arrangements, and who will consequently work when possible to disrupt the extant set of institutions”. As organizations and environments change, their existing institutions may become less legitimate and less taken-for-granted, and as a result, new organizational logics and new interpretive schemes arise (Greenwood & Hinings, 1988; Greenwood et al., 2002).⁶ Maguire and Hardy (2009), studying the decline in commercial insecticide use, show how discourse was used to problematize and disrupt a previously taken-for-granted practice. In contrast, Lounsbury and Crumley (2007), focusing on the emergence of active money management, and Currie, Lockett, Finn, Martin, and Waring (2012), investigating the institutional work that specialist doctors perform to maintain their power and status, draw attention to creation and maintenance forms of institutional work. These studies highlight that types of institutional work interact and can be deployed together, and also that the distinction between creating versus maintaining types of institutional work may not be a stark one in practice. Furthermore, they demonstrate that an actor’s social position and status (both intra- and inter-professionally) in their institutional field serves to frame their institutional work.
Research on institutional work has begun to unpack the actual activities and efforts that individuals and groups put forward in creating, maintaining and disrupting institutions. In spite of these contributions, research on institutional work remains in its infancy; there are significant opportunities to describe and explain the details of the ‘work’ involved. To this end, Hwang and Colyvas (2011, p. 62) conclude that institutional work is “... an umbrella concept and a rallying point” rather than a coherent framework. Our field study seeks to explore the ‘work’ in the institutional work surrounding the institutionalization of COSO’s ERM-IF. We show that institutional work is not precisely categorized and necessarily intentional but haphazard and dynamic, ricocheting off other actors and bodies of knowledge and garnering momentum from unexpected and serendipitous sources.
⁶ A variety of pressures – political, competitive, functional and social – help to explain what disrupts an institution (and could even lead to deinstitutionalization) (Oliver, 1992). These pressures can arise from within the organization or from the environment.
Method
In light of the emerging state of the field and the phenomena under examination, field research comprising semi-structured interviews is appropriate for this study (Edmondson & McManus, 2007). Table 2 below comprises a list of all interview participants. Specifically, we conducted 15 in-depth semi-structured interviews with 13 individuals from various locations in Canada and the United States between May 2010 and September 2012.⁷ Three of the interviews were conducted in person and the remaining 12 interviews were conducted over the phone. The average length of the interviews was approximately 60 min. All but one participant permitted the use of a recording device allowing for accurate transcriptions; the single unrecorded interview was conducted with careful and thorough note-taking during and immediately following the interview to ensure accurate representations of the participant’s responses. Five of the participants requested that their identity remain anonymous, whereas the other eight participants gave permission for the use of quotations linked to their names and organizations.
⁷ We conducted a second interview with two participants to confirm some of our understandings and interpretations, and also to probe for additional information in a few areas.
As Table 2 reflects, a diverse group of participants were recruited: early participants were identified to reach key players holding authorship, guidance or oversight roles; we then followed up on specific suggestions made by participants on whom else we should speak with; and we also selected some participants to fill gaps in our understandings, or to challenge and confirm unexpected insights. Many of the participants had prior or current relationships with COSO, but some individuals also had no formal connection to COSO (i.e., they were drawn from realms of industry and/or consulting). We stopped recruiting participants at the point when incremental learning from interviews became minimal (i.e., our iterations between data collection and analysis were fully developed and convergence was attained).
Our semi-structured interview guide was driven by four topics: (1) the participant’s background and experience in risk management; (2) the development and diffusion of COSO’s ERM-IF and other frameworks; (3) criticisms of and reflections on risk management and COSO’s framework; and (4) any predictions concerning the future directions and developments of risk management. We allowed participants to talk openly and at length, moving to a related area or idea they felt was relevant. When necessary, we used prompting questions to refocus participants by asking if there were any other explanations they considered important to the spread of COSO’s ERM-IF, or if they could provide a specific example in relation to an earlier comment.
We also consulted two key sets of secondary materials.
We reviewed a variety of COSO’s guidance and ‘‘thought
papers’’, most importantly of which is the Enterprise Risk
Management – Integrated Framework but also the Internal
Control – Integrated Framework and more recent ERM-
related implementation guidance. We also reviewed 2483
articles as part of a bibliometric analysis based on keyword
searches relating to ‘‘risk management’’ and ‘‘COSO’’. Our
focus set was on four journals published by the sponsoring
organizations in the period from 2000 through 2013: (i)
Journal of Accountancy; (ii) Strategic Finance; (iii) Internal
Auditor; and (iv) Financial Executive (see Fig. 3 below). We
selected these journals because of the significant membership
bodies and international presence of the sponsoring
organizations. As well, these journals were accessible back
to 2000 whereas newsletters and direct communication to
members were not.
8
Of importance, however, is that many
of the journal issues included in our analysis contained pro-
fessional updates and newsletters directed at membership.
Data analysis
Each interview recording was transcribed into a text-based
file and reviewed to ensure the transcription was
Table 1
Institutional work associated with disrupting, creating and maintaining institutions.a

| Category | Form of institutional work | Description |
|---|---|---|
| Disrupting | 1. Disconnecting sanctions/rewards | Accesses the state and court systems to disconnect rewards and sanctions from a set of practices, technologies or rules |
| Disrupting | 2. Disassociating moral foundations | Refers to disassociating a practice, rule or technology from its moral foundation, which results in an institution that is no longer considered appropriate within its specific cultural context |
| Disrupting | 3. Undermining assumptions and beliefs | Decreases the perceived costs and risks of innovation and differentiation by weakening the core assumptions and beliefs of an institution |
| Creating | 1. Advocacy | Refers to determining the interests of and then mobilizing support from political/regulatory actors to redefine the allocation of material resources or social/political capital |
| Creating | 2. Defining | Refers to the creation of rule systems to constrain action and also confers status, identity or membership within a field |
| Creating | 3. Vesting | Refers to the creation of rule systems that grant property rights. By creating or changing the rule systems, vesting can create new actors and field dynamics |
| Creating | 4. Constructing identities | Creates and defines the relationships between actors and the field |
| Creating | 5. Changing normative associations | Challenges and reformulates the relationships between norms and the moral and cultural foundation of the institutional fields in which they are produced |
| Creating | 6. Constructing normative networks | Refers to the process through which formerly disconnected actors construct normative networks. Within, they ratify practices and take on the responsibility for monitoring, evaluation and enforcement |
| Creating | 7. Mimicry | Refers to leveraging existing practices, tools and rules by juxtaposing features of the new with those of the old taken-for-granted practices |
| Creating | 8. Theorizing | Refers to the creation of abstract or generalized categorizations, and the identification of causal relationships between elements. Theorizing begins with the naming of new practices, and this follows with its communication and further elaboration |
| Creating | 9. Educating | Refers to sharing skills/knowledge and providing access to the necessary information to educate actors’ use of a new institution |
| Maintaining | 1. Enabling work | Refers to the creation of rules to facilitate, supplement and support institutions; for example, by creating new agents or roles to support institutions and divert resources towards them |
| Maintaining | 2. Policing | Refers to oversight activities performed to enforce, audit and monitor compliance |
| Maintaining | 3. Deterring | Refers to coercive barriers to institutional change |
| Maintaining | 4. Valourizing and demonizing | Circulates positive and negative examples to the public in order to demonstrate the institutions’ normative foundations |
| Maintaining | 5. Mythologizing | Maintains the normative underpinnings of an institution by creating and sustaining myths about its history |
| Maintaining | 6. Embedding and routinizing | Instills the normative foundations of an institution into participants’ day to day routines and organizational practices |

a Adapted from Lawrence and Suddaby (2006).
8
The Internal Auditor periodical and Financial Executive magazine are the
IIA’s and FEI’s sole trade publications. The IMA publishes a magazine
(Strategic Finance) and a refereed online journal (Management Accounting
Quarterly) but refers to Strategic Finance as its flagship publication and so
we have selected this magazine. Finally, the AICPA has nearly a dozen topic-specific
publications (e.g., tax, fraud and forensics) but to maintain
comparability we have selected the Journal of Accountancy; it is the only
general interest publication and the AICPA refers to it as its flagship
publication.
complete and accurate. Coding the data was performed
using qualitative data analysis software. Each text was
analyzed to draw inferences, to make comparisons and
to identify themes in the data set (Smith, 2003; Weber,
1990). Meaning oriented analysis, a sub-type of content
analysis, directs researchers to focus on the underlying
themes of the data. While this approach can be subjec-
tive, we were cautious not to draw any assumptions or
conclusions without supporting data (Lee & Peterson,
1997; Weber, 1990). Furthermore, the interviews and
coding were performed by one author, and then challenged
or confirmed by the other.
9
The coding process took place in two stages. The first
round of coding was driven by the predetermined high-level
themes in our semi-structured interview guide.
Since coding within this first round was an iterative process,
categorizations evolved over time and allowed us to
test tentative ideas in the field. During the second round
of coding, high-level themes were re-sorted by dissecting
and reorganizing the participants’ responses around key
ideas and insights, followed by comparing these findings
with existing research in enterprise risk management
(see Patton, 1990). The data analysis was iterative to min-
imize the risk of misunderstanding or misinterpreting
interviewees’ responses. Given that several respondents
had similar backgrounds and experiences (e.g., COSO
members, ERM consultants), some of their ideas and perspectives
could be compared and confirmed against one
another. Our analysis was characterized by ongoing
hypothesizing and theorizing, and by continuously dis-
carding and revising suitable theories in pursuit of the
‘‘best fit between data and analysis’’ (Patton, 1990, p.
462).
Context: The Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations (COSO) is a
voluntary private sector organization with a stated mission
to provide ‘‘thought leadership through the development
of comprehensive frameworks and guidance on enterprise
risk management, internal control and fraud deterrence
designed to improve organizational performance and gov-
ernance and to reduce the extent of fraud in organizations’’
(COSO, n.d.). COSO is an initiative created and supported by
five major professional associations in the US [i.e., the
American Accounting Association (AAA), the American
Institute of Certified Public Accountants (AICPA), Financial
Executives International (FEI), the Institute of Internal
Auditors (IIA), and the Institute of Management Accoun-
tants (IMA; previously the National Association of Accoun-
tants)]. Throughout its history, the COSO Board has been
comprised of a Chairperson and a Board Member from each
of five accounting associations (known collectively as the
Table 2
Interview participants.a

| # | Name | Current roles | Past roles |
|---|---|---|---|
| 1 | Mr. John Fraser | Vice-President Internal Audit and Chief Risk Officer, Hydro One | N/A |
| 2 | Professional Accounting Institute 1 | Confidential, Professional Accounting Institute | Anonymized respondent |
| 3 | Dr. Mark Beasley | 1. COSO Board of Directors; 2. Associate Professor, North Carolina State University; 3. Director, ERM Initiative | Advisory Council to COSO for COSO’s ERM-IF |
| 4 | Mr. Peter Jackson | Principal, riskWaves corp. | The Criteria of Control Board, Canadian Institute of Chartered Accountants |
| 5 | Dr. Douglas Prawitt | Professor, Brigham Young University | Advisory Council to COSO for COSO’s ERM-IF |
| 6 | Mr. Frank Martens | Director, Risk & Regulatory Consulting, PricewaterhouseCoopers LLP | PwC Author & Principal Contributor for COSO’s ERM-IF |
| 7 | Dr. Larry Rittenberg | 1. Chairman, COSO Board of Directors; 2. Professor, University of Wisconsin-Madison | American Accounting Association Representative for COSO’s ERM-IF |
| 8 | Dr. Paul Walker | Associate Professor, University of Virginia | Hired by COSO to recommend whether it should develop a framework that provides guidance on enterprise-wide risk management |
| 9 | Mr. Richard Steinberg | CEO, Steinberg Governance Advisors, Inc. | 1. PwC Author & Principal Contributor for COSO’s ERM-IF; 2. PwC Author & Principal Contributor for COSO’s IC-IF |
| 10 | Consultant 1 | Confidential, Consulting Company | Anonymized respondent |
| 11 | Consultant 2 | Confidential, Consulting Company | Anonymized respondent |
| 12 | Consultant 3 | Confidential, Consulting Company | Anonymized respondent |
| 13 | Dr. Mark Beasley, Follow-up Interview | 1. COSO Board of Directors; 2. Associate Professor, North Carolina State University; 3. Director, ERM Initiative | Advisory Council to COSO for COSO’s ERM-IF |
| 14 | Mr. Frank Martens, Follow-up Interview | Director, Risk & Regulatory Consulting, PricewaterhouseCoopers LLP | PwC Author & Principal Contributor for COSO’s ERM-IF |
| 15 | Consultant 4 | Confidential, Consulting Company | Anonymized respondent |

a Current roles reflect the roles interview participants held at the time interviews were conducted. Past roles reflect the roles interview participants held
during the development of COSO’s ERM-IF.
9
Note that initial interviews were conducted by both researchers to
ensure a consistency of approach.
‘‘sponsoring organizations’’).
10
COSO initiated work in 1985
to report on fraudulent financial reporting, and since then
has added internal control and enterprise risk management
to their agenda (COSO, n.d.; Landsittel & Rittenberg, 2010).
Table 3 provides an overview of key events and publications
throughout COSO’s history.
COSO is recognized internationally for its foresight on
emerging business trends and needs. Landsittel and
Rittenberg (2010, p. 457), the two most recent Board Chairmen,
explain that new projects are identified according to
‘‘perceived practice needs and COSO’s mission statement’’
in addition to environmental scanning, academic research
and input from the sponsoring organizations. It is a long-
standing COSO practice (formally embedded in COSO’s
Mission and Operating Policies) to engage consultants to
conduct research and make recommendations before initiating
new projects. For COSO’s significant governance projects,
the Board typically establishes a task force
(responsible for guiding framework development by
reviewing drafts, ensuring practical relevance and assess-
ing clarity/integrity) and engages a project team (responsi-
ble for overall development and authorship). In the case of
COSO’s ERM-IF, the task force (referred to as ‘‘Project Advi-
sory Council’’ in the ERM-IF and henceforth) included con-
sultants, university professors and industry executives, and
the project team was comprised of senior representatives
from PricewaterhouseCoopers LLP (PwC).
As an organization, COSO possesses a number of unique
features. In addition to being a distributed, non-profit,
independent, virtual organization supported by a network
of five major professional associations, COSO often engages
ancillary task forces and project teams to further its mission.
COSO’s membership comprises a range of professional
underpinnings (e.g., Certified Professional
Accountant, Certified Fraud Examiner, Certified Internal
Auditor) and educational backgrounds (undergraduate,
practice-oriented masters and research-oriented doctorate
degrees). The substance of their day-to-day employment
also varies widely (e.g., teaching, research, consulting,
auditing, standard setting and working in industry). COSO
Board members themselves struggled to classify the orga-
nization in precise terms:
COSO is kind of an odd organization, not just in terms of
being a virtual organization but, you know, what is it?
It’s not really a standard setter and yet it is kind of a
standard setter. It’s not a company; it’s not a for-profit
organization. And so I think, when COSO comes out
with guidance, it carries a pretty unique credibility
because you can’t attribute their actions to a profit
motive per se. (Douglas Prawitt, Interview 5)
The cipher COSO itself is noteworthy. Described as ‘‘disarmingly
mundane’’ by Consultant 3, COSO leaves unspecified
the identity of the involved organizations and imparts
an almost faceless proceduralism to COSO’s activities.
However, this innocuous acronym is not without effects
as COSO allows profit seeking organizations to have effects
through a non-profit. Indeed, though non-mandated,
COSO’s standards have effectively seeded an entire eco-
nomic ecology (spanning different professions and func-
tions) that has underpinned the generation of billions of
professional service fees.
We argue that unique characteristics of the COSO orga-
nization, especially its hybridized professional form,
enabled it to perform various forms of institutional work
that helped to disrupt existing logics, and then to create
and maintain the preeminent framework for managing
risk. We turn to each of these phases below.
COSO as a disruptor
In the early 1990s, internal control grew to become an
important business issue and a key concern for a variety
of business stakeholders. This growing interest is reflected
in the publication of the Financial Aspects of Corporate Gov-
ernance (commonly known as ‘‘The Cadbury Report’’) by
the Cadbury Committee in the UK in 1992, the Internal Con-
trol – Integrated Framework (IC-IF) by COSO in 1992, the
King Report on Corporate Governance by the King Commit-
tee on Corporate Governance in South Africa in 1994, the
Table 3
Key events in COSO’s history.

| Event | Year |
|---|---|
| Committee of Sponsoring Organizations (COSO) was created | 1985 |
| COSO released Report of the National Commission on Fraudulent Financial Reporting | 1987 |
| COSO released Internal Control – Integrated Framework | 1992 |
| COSO released Fraudulent Financial Reporting: 1987–1997 | 1999 |
| COSO engaged consultants to evaluate need for ERM framework | 1999 |
| Consultants recommended COSO develop an ERM framework | 2000 |
| A series of significant corporate and accounting scandals such as Enron, Tyco International, WorldCom | 2001–2002 |
| COSO initiated work on ERM-IF project; established Project Advisory Council; engaged PricewaterhouseCoopers | 2001 |
| COSO surveyed the marketplace | 2001 |
| Sarbanes–Oxley Act enacted in the United States | 2002 |
| COSO released exposure draft of Enterprise Risk Management – Integrated Framework | 2003 |
| COSO released final version of Enterprise Risk Management – Integrated Framework | 2004 |
| COSO updated and released Fraudulent Financial Reporting: 1998–2007 | 2010 |
| COSO issued additional ERM guidance | 2009–2013 |
10
The Board typically meets quarterly, rotating between the locations of
each sponsoring organization. According to COSO’s Mission and Operating
Policies, the Chairperson is appointed for a 3-year term (with a possible
extension) and must be a member of at least one of the five founding
sponsoring organizations. The stated time commitment of the Chairperson
role is 6–8 days per month and a negotiable, partial fee is paid to the Board
Chair annually at the Board’s discretion and based on the needs of the chair.
For further details see http://www.coso.org/aboutus.htm.
Criteria of Control framework by the Canadian Institute of
Chartered Accountants in Canada in 1995, and the Internal
Control: Guidance for Directors on the Combined Code (com-
monly known as the ‘‘Turnbull Report’’) by the London
Stock Exchange in the UK in 1999. Significant amongst
the stated motivations of these reports was the rapid
change and myriad of economic, corporate, environmental
and regulatory shocks throughout the 1990s. For example,
in 1995 the Oklahoma City bombing was the most destruc-
tive act of terrorism of its time; the late 1990s saw the
rapid growth of the internet accelerate globalization; in
2000 the Dot-com bubble burst disrupting financial markets
and economic activity across the globe; while Y2K
concerns generated fear that technology would not shift
into the new millennium (see, for example, AICPA, 1993;
Anonymous, 1997; Chenok, 1995; Dennis, 2000; Semer,
1998; Tucker, 2001; all publications published by COSO’s
sponsoring organizations).
For COSO, an important forerunner to its ERM-IF was its
IC-IF. Depicted in Fig. 2 below, this framework emerged
from the COSO sponsored Treadway report (Treadway,
1987). The framework outlines five constituent elements
of effective internal control, defined broadly as a process
designed to ‘‘provide reasonable assurance regarding the
achievement of objectives’’ in relation to (i) the effectiveness
and efficiency of operations; (ii) the reliability of financial
reporting; and (iii) compliance with applicable laws and
regulations (COSO, 1994, p. 3). COSO’s IC-IF was released in
1992 (revised in 1994 and, most recently, in 2013). Its
adoption dramatically increased in 2002 when the
Sarbanes–Oxley Act (SOX) was enacted in response to a series
of significant corporate and accounting scandals. SOX,
and specifically section 404 on internal control assessment,
mandated organizations to enhance their controls and con-
sequently brought COSO’s IC-IF to the fore in the frenzy to
address SOX requirements (see, for example, Bridge &
Moss, 2003). Several interview respondents pointed
squarely to COSO’s IC-IF when identifying the major factors
that led to the popularity of COSO:
COSO as an entity is becoming more widely known par-
tially because the Sarbanes Oxley Section 404 reporting
requirements which is pointing them to the internal control
framework, but it points them to COSO too. (Mark
Beasley, Interview 3)
Numerous scholars have discussed the way that the notion
of internal control gradually evolved and refocused around
notions of risk during the late 1990s (see Power, 2004, 2007,
2009; Spira & Page, 2003). Spira and Page (2003) stress that
the publication of the Turnbull Report in 1999 had already
extended beyond financial and internal control to contemplate
risk management. They note that scientific and technological
advances made risk more quantifiable and confirmed
that risk (and its effects) was indeed serious; as Spira and Page
put it, ‘‘. . .changes in technology and auditing encouraged a
devolution of control downwards, and rigidly enforced compliance
with policies and procedures was replaced by the rhetoric
of risk. . .’’ (p. 647). As it became increasingly believed that
risk could be measured and managed, demand for meaningful
frameworks intensified.
In addition to the disruption of the concept of internal
control generally, COSO’s IC-IF also encountered disrupting
influences. Both suppliers and users of competing internal
control frameworks publicly challenged and critiqued
COSO’s IC-IF. For example, Oliverio (2001) pointed to a
number of failings including the absence of implementa-
tion guidance and clear allocations of responsibility, as well
as the imperative of an enterprise-wide approach. Furthermore,
the competing frameworks were all motivated in
some part by observations that COSO’s IC-IF was no longer
adequate in managing against diverse and growing risks.
Where internal control was once seen as a valuable process
for assuring the achievement of an organization’s goals, it
was seen to come under increasing scrutiny.
In response to these charges, COSO itself engaged in dis-
rupting work by commissioning a group of consultants to
research and evaluate ‘‘whether [COSO] should develop a
framework that provides guidance on enterprise-wide risk
management’’ (Scott, Shenkir, & Walker, 2000, p. 2). In the
report, Scott et al. (2000; hereafter SSW) confirmed the
1990s as a decade that experienced dramatic change as a
result of a number of factors: ‘‘globalization; emerging markets;
consolidation of companies and restructuring; deregulation;
increasing competition; product and market
innovation; rapidly changing technology, especially information
technology; e-commerce; emergence of the internet
and new economy; and crisis and major risk debacles’’ (SSW,
2000, p. 3). The consultants took little time in verifying the
need for a new framework and pointed to a vigorous
demand for a credible set of practices to help organizations
manage, monitor and plan for risk extending beyond a nar-
row focus on internal controls.
COSO’s ERM-IF reflected both the style and language of
the IC-IF (exemplified by the resemblance of Figs. 1 and 2)
such that the costs and risks of adoption were minimized
for potential adopters. Our interview data highlighted a
strong connection between the transition from COSO’s IC-
IF to their ERM-IF:
Fig. 2. COSO’s internal control cube (reproduced from COSO, 1994, pp.
19).
There were some people who were looking ahead and
saying ‘Okay, what’s the next step?’ We [COSO] have
this internal control framework out here and now
companies are using it, auditors are looking at internal
controls. . .. What’s the next step in the evolution of
things? What are outside parties interested in? They
are interested in how you’re controlling things, but
what’s at the core of that control framework? First,
it’s identifying risk and then implementing controls
to mitigate and control those risks. . .. So in a way,
the COSO internal control framework was a rudimen-
tary risk management framework. (Douglas Prawitt,
Interview 5)
This quotation implies that COSO’s ERM-IF was effectively
an updated replacement for the IC-IF; however,
it should be noted that COSO’s ERM-IF was in no way
formally intended to replace the IC-IF. Rather, COSO’s
IC-IF is better conceived of as a springboard for
ERM-IF.
In summary, mounting pressures and shocks paired
with the growing sense that risk could be measured
resulted in a gradual shift away from the logics of internal
control towards the logics of risk.
11
In addition to the dis-
ruption of the logics of internal control generally, critiques
of COSO’s IC-IF specifically also began to be circulated,
suggesting that the model was no longer adequate for
contemporary organizations. This disruption work was not
intentionally deployed by COSO but instead enabled COSO
to then execute its own disruption work by commissioning
consultants to evaluate the need for a framework to manage
risk, and also by further undermining the assumptions and
comprehensiveness of the IC-IF. COSO defended its institu-
tional space by using their IC-IF as a springboard to create
the ERM-IF with similar style/language and lower costs/risks
of adoption. The logics of internal control were disrupted
without formal intervention, and this paved the way for a
new framework to emerge.
COSO as a creator
Based on the recommendations from the consulting
team in 2000 to create a risk framework, COSO’s Board
engaged Big-4 accounting firm PricewaterhouseCoopers
(PwC) to lead and author the framework.
12
As one consultant
in the field reflected:
In effect, what PwC was able to do was to position itself
to roll out its framework as the international bench-
mark. Under the COSO badge, PwC was able to
take the lead in consulting in the area. (Consultant,
Interview 3)
COSO also formed a Project Advisory Council to provide
guidance throughout the development of COSO’s ERM-IF.
As noted in Table 4, the council was comprised of nine
individuals employed as consultants, university profes-
sors and industry executives from across the US. This
composition offered a wide range of resources for the
new mission. Consultants offered a crucial nexus with
practice and an understanding of organizational chal-
lenges with risk management and the type of guidance
likely to resonate in the corporate community. Univer-
sity professors, involved in both teaching and research,
offered academic capital and familiarity with the emerging
academic research in the field. Finally, members
from industry were able to speak to risk management
challenges and needs, and the stakes, struggles and preferences
of the key corporates. As Table 4 reflects, members
from industry were not only drawn from diverse
industries, but they also held a range of job positions
and functional expertise (e.g., internal control, risk,
financial management).
COSO’s Board was responsible for overseeing the work
of the Project Advisory Council and authorship team from
PwC. Because COSO’s Board is comprised of one member
from each sponsoring organization, COSO had access not
just to these five representatives, but access to the visions,
membership corps and reputational capital of five organizations
that conduct research and support members
throughout the world. Reflecting on the ‘‘clout’’ of the combined
groups, Rick Steinberg (Interview 9) suggested that
‘‘it was their insight and their foresight in terms of being
able to see the need [for the ERM-IF]’’. Indeed, a significant
and influential identity was constructed such that the
organizational structure of COSO and the power of its
members provided elevated status to COSO as a creator
of innovative change.
In addition to constructing a network of hybridized pro-
fessionals to facilitate ERM-IF collaborations, several
aspects of COSO were important to creating the ERM-IF.
By 2004, COSO had a proven track record extending over
two decades. COSO had issued the Report of the National
Commission on Fraudulent Financial Reporting in 1987
(known as the ‘‘Treadway Commission’’ report); had for-
mulated and released an integrated framework on internal
control in 1992; and, had published an extensive 10-year
analysis of fraudulent financial reporting occurrences in
1999. Table 3 above provides a timeline of these and other
key events in COSO’s history. It was against this back-
ground as a powerful organization with an acknowledged
track record of successfully creating and promoting guide-
lines and practices that COSO’s ERM framework was
created.
The credibility of the COSO structure also resonated in
the corporate community. For example, COSO’s original
1992 version of its IC-IF (i.e., one source of COSO’s credibility)
has been referred to as having ‘‘gained broad acceptance’’
and being ‘‘widely used’’, ‘‘time-tested’’ and ‘‘recognized
as a leading source’’ (Protiviti, 2013, p. i).
13
11
The ‘‘logics’’ of internal control and of enterprise risk management are
intended to highlight a deep-rooted implementation, such that the logics or
ways of internal control and enterprise risk management become routine
(Power, 2004) or accepted as religion (Bernstein, 1996). Power (2004)
suggests three explanations for the shift from internal control to enterprise
risk management: (1) changing regulation, (2) organization’s desire for
self-insurance against growing risk, and (3) demand for risks to be auditable.
Power summarizes this shift in logics well by concluding that, ‘‘The private
world of organisational internal control systems has been turned inside out,
made public, codified and standardised and repackaged as risk management.
In this way, a blueprint for extending the reach of risk management
into every aspect of organisational life has been created’’ (pp. 27–28).
12
In an analysis of which public accounting firms purchased Andersen
offices/clients in 2002, Kohlbeck, Mayhew, Murphy, and Wilkins (2008)
note that PwC did not purchase any offices because they had the largest
market share at the time.
Moreover,
the ‘‘independence’’ of this expertise was widely believed by
respondents to lend substantial credibility to the
organization.
COSO has carved out a unique kind of niche and
credibility as being an independent body that has
come out with the framework that ended up being
very heavily influential. It’s seen as an organization
that brings top experts and thinkers together to
develop frameworks and there’s a lot of credibility
that COSO brings to the table as an objective, inde-
pendent organization that has had success and
done good things in the past. (Douglas Prawitt, Inter-
view 5)
One respondent reflected on a previous consulting engagement
where he’d prepared a thorough discussion of all the
major risk frameworks around the world for presentation
to a client. In hearing of this, the client likened COSO to
‘‘the name brand in the US’’ (Paul Walker, Interview 8)
and demanded that discussion of alternative frameworks
be removed.
14
During the development of the ERM-IF, the COSO Board,
Project Advisory Council and PwC intensified their interactions
with the marketplace to determine whether their
definitions and theorizations would accord to user needs.
In the fall of 2001, COSO conducted a public survey to serve
as a consultation and information gathering process. This
survey was conducted in order to understand the market’s
view on various issues (e.g., what companies were doing at
the time, what companies were willing to consider doing,
what companies wished they were doing). Once the ERM
framework had been theorized and written in draft form,
an exposure draft was released for public comment in
the summer of 2003.
15
During this exposure period, members
from the COSO groups spoke at a significant number
of conferences held by the five sponsoring organizations
and by other associations/organizations. The intent was to
engage the marketplace, to provide information about the
process of developing the framework, and also begin to
share information and educate potential adopters about
how COSO’s ERM-IF would help organizations govern (see,
for example, Chapman, 2003; Minter, 2002). Presentations
during the exposure period provided an opportunity to col-
lect feedback, in addition to the written comments that were
submitted. Based on comments submitted by interested par-
ties and individuals, the revised version was then released in
the fall of 2004 (COSO, n.d.).
16
While the events leading up to the turn of the millen-
nium focused attention on risk management practices
and supported SSW’s recommendation to COSO, significant
world events during the time COSO was creating the ERM-
IF acted to heighten the demand for a framework for man-
aging risk. Indeed, COSO’s ERM-IF (2004, p. v) is explicitly
motivated in part by the observation that ‘‘the period of
the framework’s development was marked by a series of
high-pro?le business scandals and failures where inves-
tors, company personnel, and other stakeholders suffered
tremendous loss’’.
17
These failures, combined with cata-
strophic terrorist attacks (such as 9/11) and natural disasters
generated substantial uncertainty. Numerous scholars have
pointed to the way that this uncertainty and ‘‘politics of
fear’’ (Altheide, 2003; Gardner, 2009) substantially fueled
demand for effective innovations and tools to support deci-
sion making and be seen to be effectively managing.
This combination of economic, corporate, environmen-
tal and regulatory factors resulted in a receptive market-
place for a framework to manage risk. COSO and its
board members recognized organizations’ ‘‘readiness’’ for
a framework to facilitate their risk discussions, for
example:
What the profession needed was a comprehensive way
to talk about risk. There are many ways of looking at
risk but what we found is that people were talking
and using the same terms in different fashions and so
forth. And, our view was that we needed a comprehen-
13
In addition to the examples and evidence provided above, there are a
range of additional markers of COSO’s resonating credibility including: (1)
COSO’s IC-IF is the only framework specifically named in the SEC’s guidance
for implementing Section 404 (see http://www.sec.gov/rules/final/33-8238.htm);
(2) in addition to English, COSO’s IC-IF has been translated
into seven languages (i.e., Chinese, Japanese, Spanish, French, Arabic,
Portuguese, Norwegian) and a Russian translation is currently in
progress (R.B. Hirth, current Chairman of COSO, personal communica-
tion, January 31, 2014); and (3) the US government’s Greenbook (when
the US president releases their budget, the Treasury releases the
General Explanations of the Administration’s Revenue Proposals, coined
the ‘‘Greenbook’’) has been modeled after COSO’s IC-IF as have several
other SOX-like documents in other countries (R.B. Hirth, current
Chairman of COSO, personal communication, January 31, 2014).
14
During the interview Paul Walker speci?cally referred to the ISO
31000 – Risk Management standard created by the International Orga-
nization for Standardization (ISO), the Australia/New Zealand Standard
4360 Risk Management, as well as the Turnbull and King Reports more
generally. Other competing risk frameworks include: an Integrated Risk
Management Framework created by the Treasury Board of Canada
Secretariat, A Conceptual Framework for Integrated Risk Management
created by The Conference Board of Canada, as well as proprietary
frameworks from various consulting groups (e.g., Protiviti, McKinsey,
KPMG LLP, PwC, CRISIL) and other professional associations (e.g.,
Canadian Standards Association (CSA) Technical Committee on Risk
Management, Risk Insurance Management Society, Global Association of
Risk Professionals).
15
For example, the AICPA announced the release of COSO’s ERM-IF
exposure draft in the Journal of Accountancy (see Volume 196, Issue 4, p. 20)
as well as the release of the ?nal framework (see Volume 198, Issue 6, p. 20
and p. 25). In contrast, the AAA which does not publish its own trade
magazine, published a news release to announce COSO’s ERM-IF exposure
draft (‘‘New Study Addresses Enterprise Risks’’) and ?nal draft (‘‘COSO’s
ERM Framework – FREE SUMMARY AVAILABLE’’, emphasis in original).
Both postings appear to have been front page news releases as suggested in
the AAA’s news archives (found here:http://aaahq.org/newsarc.cfm).
16
Appendix E (pp. 115–120) in COSO’s ERM-IF ‘‘summarizes the more
signi?cant issues and resulting modi?cations re?ected in the ?nal report.’’
The sponsoring organizations were also involved in the feedback collection
process; for example the Auditing Standards Committee of the AAA
composed a formal response (see here:http://aaahq.org/audit/asc.htm) as
did the Committee on Corporate Reporting of the FEI (see here: http://
www2.?nancialexecutives.org/news/?nrep/letters/COSO_10_13_03.pdf).
17
Many of the worst and most costly corporate accounting scandals
happened in 2001, 2002 and 2003 (e.g., Enron in 2001, WorldCom in 2002,
Tyco International in 2002, Freddie Mac in 2002, HealthSouth Corporation
in 2003).
C. Hayne, C. Free / Accounting, Organizations and Society 39 (2014) 309–330 319
sive framework on enterprise risk management and it
had to be across the enterprise and that if we could
introduce the framework, it could get more people talk-
ing about enterprise risk management–management
and therefore moving to manage risk in a much more
effective way. So that was the motivation behind start-
ing with the ERM framework. (Larry Rittenberg, Inter-
view 7)
In this sense, the timing of the COSO ERM-IF was ser-
endipitous; coinciding with some of the major corpo-
rate scandals of recent history. It should be stressed
that despite the 2004 release date of COSO’s ERM-IF,
COSO commissioned the preliminary ERM work in
1999.
The final version of COSO’s ERM-IF contains two volumes:
the first volume of COSO’s ERM-IF consists of an
executive summary and description of the ERM process,
and the second volume comprises a collection of applica-
tion techniques to help illustrate key tenets of ERM. Within
both of these volumes, risk is problematized extensively
and framed as an overwhelming impediment to organiza-
tional performance. While the framework acknowledges
the potential upside of risk (COSO, 2004, p. 16), the nega-
tive threat posed by risk is highlighted by drawing on
several graphic metaphors and cautions such as earth-
quakes (e.g., pp. 42, 50) and the devastating impacts of
large-scale financial frauds (e.g., pp. 30, 34). In the face of
this inexorable uncertainty, COSO’s (2004) ERM-IF is
mythologized as ‘‘integral to value creation’’ (p. 13), and
able to ‘‘enhance the entity’s capacity to build value’’ (p.
13). COSO promises that ERM encompasses: ‘‘aligning risk
appetite and strategy. . . enhancing risk response deci-
sions. . . reducing operational surprises and losses. . . identi-
fying and managing cross-enterprise risks. . . providing
integrated responses to multiple risks. . . seizing opportuni-
ties. . . [and] improving deployment of capital’’ (pp. 14–15).
Through this process, readers (and potential adopters) are
warned of risks that they previously never knew they
had; ‘‘It can be argued that no problem is so insignificant
as to make investigation of its implications unwarranted’’
(p. 80). The persuasive rhetoric underpinning the framework
suggests that failure to implement a comprehensive
risk management framework is both dangerous and futile.
Risk is consistently positioned as a critical business problem,
and investing resources into implementing COSO’s
ERM-IF is presented as a viable and sound solution. In
short, according to its authors, implementing COSO’s
ERM-IF will ‘‘help management achieve the entity’s performance
and profitability targets and prevent loss of
resources. . . help ensure effective reporting and compliance
with laws and regulations, and help avoid damage
to the entity’s reputation and associated consequences’’
(p. 3).

Table 4
Hybridized professional group: Composition of COSO groups.
a

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COSO Chair | John J. Flaherty, CIA, CPA
American Accounting Association | Larry E. Rittenberg, Ph.D., CPA, CIA*
American Institute of Certified Public Accountants | Alan W. Anderson, CPA
Financial Executives International | John P. Jessup, MBA; Nicholas S. Cyprus, MBA, CPA
Institute of Management Accountants | Frank C. Minter, CPA; Dennis L. Neider, CMA, CPA
The Institute of Internal Auditors | William G. Bishop, III, CIA; David A. Richards, CIA, CPA

Project Advisory Council to COSO
Tony Maki, Chair, CPA | Partner | Moss Adams LLP
Steven E. Jameson, CPA, CIA, CFE, CFSA | Executive Vice President, Chief Internal Audit & Risk Officer | Community Trust Bancorp, Inc.
Mark S. Beasley, Ph.D., CPA* | Professor | North Carolina State University
John P. Jessup, MBA | Vice President and Treasurer | E. I. duPont de Nemours and Company
Jerry W. DeFoor, CPA | Vice President and Controller | Protective Life Corporation
Tony M. Knapp | Senior Vice President and Controller | Motorola, Inc.
James W. DeLoach, MBA, CPA | Managing Director | Protiviti Inc.
Douglas F. Prawitt, PhD, CPA* | Professor | Brigham Young University
Andrew J. Jackson, CIA, CISA | Senior Vice President of Enterprise Risk Assurance Services | American Express Company

Author/Principal Contributors
PricewaterhouseCoopers LLP
Richard M. Steinberg, MBA* | Former Partner and Corporate Governance Leader (Presently Steinberg Governance Advisors)
Miles E.A. Everson, CPA | Partner and Financial Services Finance, Operations, Risk and Compliance Leader | New York
Frank J. Martens, CA* | Senior Manager, Client Services | Vancouver, Canada
Lucy E. Nottingham | Manager, Internal Firm Services | Boston

a
The information herein reflects employers and positions held as at 2004. Every effort was made to confirm the graduate-level educations and
professional certifications of involved parties. We apologize for any omissions.
*
Individuals interviewed for this research project.
The framework suggests that ‘‘everyone has some
responsibility’’ (COSO, 2004, p. 8) but also identifies specific
roles for how various organizational participants
should be involved – thus suggesting both an individual
and collective responsibility to take control and become
‘‘part of the essence of the enterprise’’ (p. 17). To extend
the significance of COSO’s ERM-IF even further, the framework
enables broader stakeholder engagement by highlighting
roles for boards of directors, regulators,
professional organizations and educators as follows:
With this foundation for mutual understanding, all par-
ties will be able to speak a common language and com-
municate more effectively. Business executives will be
positioned to assess their company’s enterprise risk
management progress against a standard, and
strengthen the process and move their enterprise
toward established goals. Future research can be lever-
aged off an established base. Legislators and regulators
will be able to gain an increased understanding of
enterprise risk management, including its benefits and
limitations. With all parties utilizing a common enterprise
risk management framework, these benefits will
be realized. (COSO, 2004, p. 9)
By problematizing risks into something critical that must
be carefully managed, COSO’s ERM-IF legitimized the space
for professional groups and consultants to intervene in risk
management – a hugely lucrative, but hitherto largely
latent, commercial market.
As noted above, the colorful, multi-layered, three-
dimensional cube included in the IC-IF bears a striking
resemblance to the cube included in the ERM-IF (refer to
Figs. 1 and 2). An interview respondent confirmed that,
‘‘. . . it made sense that the enterprise risk management
framework should be consistent with the Internal Control
– Integrated Framework. . . you see quite a bit of consistency’’
(Larry Rittenberg, Interview 7). Consultant 4 stated more
pointedly, ‘‘it was a master stroke to double up on the same
model look. It had been successful for COSO, and people,
especially in the US, had bought into it.’’ COSO’s ERM-IF also
offered critics of the IC-IF a new and improved tool to allevi-
ate their concerns with the IC-IF. The assumptions and
beliefs of internal control had been problematized, under-
mined and disrupted, and COSO leveraged this problem by
presenting their ERM-IF as a solution.
In articulating the new framework, COSO members recognized
the need to theorize a high level of abstraction if
the framework were going to have application across a
wide range of time and space. The emerging categories –
internal environment, objective setting, event identification,
risk assessment, risk response, control activities,
information and communication, and monitoring – were
supported with a discussion that avoided direct application
within specific industries. As such, the emerging
framework was claimed to be universally applicable; individual
firms from any industry or geography could tailor
the framework to their needs. A careful balance was thus
struck between seeming to offer direct guidance, while at
the same time permitting adaptation and considerable
scope for different approaches and settings. Interview
respondents involved in theorizing the ERM-IF acknowl-
edged the scalability and discretionary nature of the
framework. This ambiguity meant that organizations could
easily adopt some of the framework’s prescriptions with-
out ‘‘getting lost’’ in full implementation.
You can implement COSO’s framework and it’s scalable
and can be implemented across all the functional units
in your organization. And so, you can take any organi-
zation, and if you break it down into its subcompo-
nents, if it’s accounting, you can break it down into
accounts receivable and accounts payable, or payroll –
it is scalable across all of those units and I think that
is one of the parts that is really valuable in both of
COSO’s internal control and enterprise risk manage-
ment frameworks. It’s very valuable but is most often
overlooked. And I think that’s one of the reasons why
it continues to work so well. (Larry Rittenberg, Inter-
view 7)
Because of that lack of a mandate [from a regulator,
for example], organizations can sort of pick and
choose pieces of it that work and not feel like they
have to do a full blown implementation. We’re in
the early phases of ERM where people are just out
there picking, there’s no mandate for anything and
so I think people have found it helpful but I guess
it’s good that they’re not being forced into it at this
point. ERM is so complex to really do, companies have
realized if they try to go from A to Z, it will stall.
(Mark Beasley, Interview 3)
In summary, the ERM-IF was brought into existence in
a receptive marketplace characterized by rapid change
and a rolling myriad of external shocks that had shaken
corporate confidence and fed a growing appetite for
methodologies and practices offering to equip organiza-
tions with an ability to navigate through stormy environ-
ments. COSO was able to build on its identity as a
‘‘thought leader’’ with a proven track record, and also to
construct a widely connected normative network wherein
the ERM-IF would diffuse. An important part of the insti-
tutional work performed by COSO as a creator was to
engage the marketplace early through consultation and
information gathering processes, and also to begin to
educate potential adopters at presentations and confer-
ences during the exposure period. In turn, COSO was able
to leverage the receptive marketplace and conduct advo-
cacy work to mobilize their ERM-IF. During the creation
of the framework itself, defining work outlined a common
language and important rule systems; theorizing
work ensured a high level of abstraction to provide
adopters with flexibility and scalability; and mimicry
work leveraged the style and language of the IC-IF to further
increase the appeal and eventual adoption of COSO’s
ERM-IF. Within the framework, COSO sought to define
specific roles to support ERM through enabling work so
that a greater number of organizational participants
could engage. COSO was able to leverage the fact that
the logics of internal control had been disrupted and
therefore changed the normative assumptions to present
ERM-IF as a solution. In so doing, COSO deployed mythologizing
work to problematize risk and advance stories of
success and best practice. This combination of institutional
work was sufficient to diffuse a framework without
the need for supporting rules and regulatory systems
suggested in vesting work.
COSO as a maintainer
By 2004 then, COSO had created a fully articulated
framework, and was equipped with a solid reputation as
a ‘‘thought leader’’
18
and a track record comprising the suc-
cessful dissemination of their IC-IF framework. This reputa-
tion and success enabled COSO to conduct institutional work
to maintain ERM. PwC was at the forefront of COSO and leveraged
the platform to push their internal framework. As Consultant
4 stated, ‘‘with COSO’s badge and PwC’s reputation and
members, diffusion was inevitable.’’ Concerning the ascen-
dance of COSO’s ERM-IF to its preeminent status, one respon-
dent (who was also one of the authors with PwC) noted:
I think part of it is because of the COSO consortium of
organizations and frankly PricewaterhouseCoopers hav-
ing been the author of the COSO ERM report – the
names attached and the fact that COSO’s internal con-
trol became a standard. The background and expertise
of those organizations, and if I may say so also PwC,
has caused people to look to it as the place to go in gain-
ing insight, in gaining direction on how to build an ERM
architecture in their organizations. (Rick Steinberg,
Interview 9)
COSO had not only constructed a highly reputable iden-
tity for itself but had also constructed a network with
reach that was geographically unbounded. The five sponsoring
organization representatives that make up COSO’s
Board are spread across the US and so too are the members
of the Project Advisory Council for COSO’s ERM-IF. Even the
group of four individuals from PwC – a former partner, cur-
rent partner, and two managers – that was tasked to
author the framework was geographically distributed
across North America. Furthermore, the sponsoring organi-
zations’ members are spread all over the world: the AICPA
has nearly 386,000 members (380,000 of which are in the
USA) in 128 countries; the FEI has 15,000 members in 85
chapters across North America and one chapter in Japan;
the IIA serves more than 180,000 members in 190 countries
and territories around the world; the IMA has a global mem-
bership body of approximately 65,000 accountants and
financial professionals; and the AAA has approximately
8500 members (6800 of which are in the USA).
19
Having
COSO-related people situated all over North America enabled
COSO to cast a wide net to support the maintenance of ERM
by realigning actors and redirecting supporting resources.
Within North America, there is no doubt that dissemination
and maintenance of the ERM-IF benefitted from
an American feel. All respondents commented that a
framework made in the US by an organization headquar-
tered in the US gave it a lot of resonance within the United
States and elsewhere across the globe.
Part of it is probably, just the fact that it’s a US frame-
work, to be honest with you. I think that carries a lot
of clout, probably decreasingly so the way the world
is moving, but I think that it still does carry some
impact. (Douglas Prawitt, Interview 5)
The whole US thing; it’s what I call the McDonald effect:
it’s American, it’s big, and it’s what the New York Stock
Exchange will accept. (John Fraser, Interview 1)
One respondent recounted a conversation he’d had with a
minister from another country about COSO as follows:
I was invited to speak in Tokyo and I remember talk-
ing to the Minister of Economy . . . he said, ‘‘But you
also have to understand that many Japanese busi-
nesses are already New York Stock Exchange traded
and so whatever they hear is happening in the US,
they want to do it’’. He said, ‘‘Many others are New
York Stock Exchange wannabes. So they’re not on
the New York Stock Exchange yet, but they want to
figure out what the best practices are in the US and
then get ready and say that they’re already doing
those practices . . . so that division is going to imple-
ment enterprise risk management or some COSO
framework to make it look more relevant.’’ (Paul
Walker, Interview 8)
The diffusion of COSO’s ERM-IF benefitted from various
forms of promotional work; as one respondent put it,
‘‘other frameworks just weren’t getting the profiling that
COSO got.... If people can name one, they’re going to name
COSO’’ (Professional Accounting Institute, Interview 2). The
promotional work that helped publicize COSO’s ERM-IF to
potential adopters was a shared task between the COSO
Board, the Project Advisory Council, PwC, and the five
sponsoring organizations. Once the framework was
complete, COSO’s Board
20
was formally responsible for
promoting it since the Project Advisory Council was a temporary
taskforce and PwC was formally hired mainly as
authors of the framework.
18
We note here that our references to COSO as a ‘‘thought leader’’ and to
its ‘‘thought papers’’ are adopted from the organization’s stated mission ‘‘to
provide thought leadership’’ and vision ‘‘to be a recognized thought leader’’
according to its operating charters (found at http://www.coso.org/aboutus.htm).
We note that this uncritical phrase is repeated across COSO
publications and press releases.
19
Membership numbers were located on each organization’s website, and
in most cases, the numbers were either updated or confirmed by emailing a
representative from each organization’s membership services department.
20
The requirement (and budget) to make presentations at conferences/
panels and represent COSO at other events is built into the job description
for the COSO Chairman of the Board. For recent examples, see
https://na.theiia.org/standards-guidance/topics/pages/coso-resource-center.aspx.
In terms of promotional activities in this phase, several
initiatives were undertaken. The five sponsoring organizations
were formally requested to support COSO’s ERM-IF
publicly, and to assist in the development of their materi-
als, courses and standards.
21
Since each of the five sponsoring
organizations had its own norms and membership
domains, each organization supported COSO’s ERM-IF in dif-
ferent ways (for example, by making the framework avail-
able on their website and/or by notifying members of its
release via email newsletters).
22
The sponsoring organiza-
tions (except the AAA) each publish their own magazine
with the latest news and professional developments. Fig. 3
shows that journal coverage of ‘‘COSO’’ spiked around the
release of COSO’s ERM-IF (see 2004–2005) but otherwise
remained generally stable (see trend line). In contrast, jour-
nal coverage of ‘‘risk management’’ shows a consistent
increase (see trend line) with a spike at the beginning of
COSO’s continued ERM guidance (see 2009). The continued
upward trend reflects the way that maintenance institutional
work continued to support diffusion. As well, a press
release, media tour and webcast were used to promote the
framework and carry it to potential adopters (for examples
of recent press, see www.coso.org/newsroom.htm). The
media event was hosted in New York (chosen because it is
a major business hub) and major media players were invited
(e.g., The Wall Street Journal, The New York Times, Financial
Post).
Since the Project Advisory Council was brought
together with the sole purpose of developing the ERM
framework, the task force dissolved upon its completion.
Interestingly, ‘‘some individuals on the Advisory Council. . .
continued to have a personal interest and continued to be
active in the marketplace in terms of attending confer-
ences [and] speaking’’ (Frank Martens, Interview 14). These
continued educational and promotional efforts from highly
regarded individuals provided a further boost to the main-
tenance work performed.
PwC did not have a formal responsibility beyond writ-
ing the framework; however, they also helped to promote
the framework after its launch by continuing to support it
publicly and by developing aligned corporate tools (see, for
example, PwC (2009, pp. 10, 13, 15) where COSO’s ERM-IF
is highlighted throughout). In explaining PwC’s role, Frank
Martens recognized the firm’s applied use of the framework
to develop a range of commercial products: ‘‘... when
I say we had a methodology that aligned into it [COSO’s
ERM-IF], to be clear what we did was we developed a
methodology that was entirely supportive and integrated
and consistent with it, but it was not framework depen-
dent’’ (Frank Martens, Interview 14). To continue to gain
market acceptance and market credibility, PwC flew in
and met with other PwC executives from 12 or more countries
to develop a methodology for how they could go to
the market and help organizations implement and apply
COSO’s ERM-IF. As Frank Martens reflected, ‘‘Once it was
out, we didn’t stop talking about it, we didn’t stop suggesting
to the marketplace that they should go read it’’ (Interview
14). Speaking of other professional accounting firms,
Frank Martens noted that:
Some accounting firms were fairly responsive to it
[COSO’s ERM-IF] and kind of did similar to us [PwC],
kind of developed methodologies and things to go deli-
ver services around it. There was also some who felt
that they could build a better mousetrap or already
had a better mousetrap. (Frank Martens, Interview 14)
Together, PwC and the professional accounting industry
more generally supported ERM adoption and implementa-
tion by offering extensive training and education program-
ming to embed ERM and routinize it as a taken for granted
practice.
Consultants also helped furnish the risk management
space with COSO’s framework. Interview respondents
pointed extensively to a network of private-sector consultants
that guided firms in their implementation of COSO’s
ERM-IF, several complementing the framework with other
proprietary frames of reference, guidelines and policies. As
described by Consultant 1:
Most consulting firms want to have tools and frameworks
that are branded their own so they can use them,
even if it’s just a slight change. I think everybody tries to
come up with their own little process wheel, everybody
tries to come up with their own framework for looking
at it, everybody tries to come up with their own com-
mon risk language, it’s just the way it is. (Consultant
1, Interview 10)
This quotation highlights the way that the interpretative
viability (Benders & Van Veen, 2001) of COSO’s ERM-IF
opened it up to considerable applied adaptation (see, for
example, Protiviti, 2006, 2007). Parallel to the accounting
community, the consulting community served to embed
the framework in client organizations through a diverse
range of service offerings predicated upon, but often translating
the ERM-IF. This idea was corroborated by Consultant
3: ‘‘Of course consulting firms have seized upon
COSO’s outputs. They’re logical, resonate in the business
community and speak to a space that most firms are struggling
with. . .’’ (Interview 12). Numerous consultant
respondents frankly noted the intense competition for con-
sulting dollars in the emerging risk management space. As
Consultant 3 put it,
There are a lot of mouths to feed and we were out
hawking for work like everyone else. And COSO was a
name that people knew ... Sure most of the big players
refined this to develop their own proprietorial tools,
but the COSO model opened the door if you like. (Consultant
3, Interview 12)
21
For example, see ‘‘The IIA COSO Resource Center’’ at
https://na.theiia.org/standards-guidance/topics/Pages/COSO-Resource-Center.aspx.
22
For example, in an article titled ‘‘COSO ERM Framework Released’’ in
The Internal Auditor (Scott, 2004, p. 17), the IIA president is quoted on how
the IIA and internal auditors have ‘‘been advocating for strong governance....
Thus the release of COSO ERM is a great opportunity for the
internal audit profession’’. An IIA member is identified as already having
embraced COSO’s framework and he comments that COSO’s ERM-IF is ‘‘the
foundation for my recommendations on how to implement our enterprise-wide
risk management’’ (pp. 17–18). A different article in The Internal
Auditor refers to ongoing SOX implementations and suggests, ‘‘[T]he next
logical step would be to leverage that investment [Section 404] and
implement a total enterprise risk management (ERM) framework’’
(Matyjewicz & D’Arcangelo, 2004, p. 67). These authors go on to recommend
COSO’s ERM-IF and they also summarize the general process with the
help of COSO’s cube and other graphic aids. Similar announcements were
published in the IMA’s Strategic Finance (e.g., Levinsohn & Williams, 2004)
and the AICPA’s Journal of Accountancy (e.g., Anonymous, 2004).
Recently, the COSO Board has re-engaged in promoting
COSO’s ERM-IF by publishing extensions, clarifications and
implementation guidance in order to continue to educate
existing and potential adopters. Two of these reports are
focused on addressing the state of ERM (e.g., extent of
implementation, level of satisfaction, successes experienced)
and in doing so, highlight the need for greater adoption
across firms and more extensive implementation
within firms (COSO, 2010a, 2010b). The other reports elaborate
on ERM improvements and advancements, for example,
‘‘to improve board oversight of management’s
judgments’’ (COSO, 2012, p. 2) or to describe ‘‘a more
systematic integration of sustainability into COSO-based
ERM programs’’ (COSO, 2013, p. 2). These reports also serve
an important function of continuing to valorize success
stories and best practices, while demonizing inadequate
adoptions, failed implementations, and the inexorable
growth of risk more generally. These ‘‘thought papers’’
are identified in Table 5.
In summary, COSO’s reputation for success and the
unbounded geographic network it constructed prior to,
and during the creation of, the ERM-IF were key compo-
nents of COSO’s institutional work as a maintainer. The
framework’s American feel and the international significance
of US capital markets were important features that
underlie the process of maintenance work. The combina-
tion of COSO’s Board, Advisory Council, and PwC in addi-
tion to the expansive membership bodies of the
sponsoring organizations ensured that the various forms
of promotional work spanned North America and beyond.
Further, the hybridized nature of the COSO group
inoculated it from competition within the finance and
accounting industries by capturing key organizations and
individuals in the broad field. Much of the promotional
work also served to educate potential adopters and existing
users. The interpretative viability of the ERM-IF
allowed PwC, other professional accounting firms, and consultants
to take advantage of the framework’s leeway for
applied use, and to embed and routinize its use by developing
aligned tools. To this day, COSO continues to educate
and enable the marketplace by issuing additional guidance.
Within these ‘‘thought papers’’, demonizing institutional
work continues to impress upon failures and risk more
generally, while valourizing work offers success stories
and highlights the potential to benefit from the logics of
enterprise risk management. The unique presence, expertise
and resources of COSO, a hybridized professional
group, meant that policing and deterring forms of institutional
work were not required to maintain the preeminent
status of the ERM-IF and the rhetoric of risk management
more generally.

Table 5
Continuous ERM rhetoric.
Title | Year of release
Demystifying Sustainability Risk: Integrating the triple bottom line into an enterprise risk management program | 2013
ERM Risk Assessment in Practice | 2012
Enterprise Risk Management for Cloud Computing | 2012
Enhancing Board Oversight by Avoiding and Challenging Traps and Biases in Professional Judgment | 2012
Enterprise Risk Management – Understanding and Communicating Risk Appetite | 2012
Embracing Enterprise Risk Management: Practical Approaches for Getting Started | 2011
Developing Key Risk Indicators to Strengthen Enterprise Risk Management | 2011
Board Risk Oversight – A Progress Report: Where Boards of Directors Currently Stand in Executing their Risk Oversight Responsibilities | 2010
COSO’s 2010 Report on ERM: Current State of Enterprise Risk Oversight and Market Perceptions of COSO’s ERM Framework | 2010
Strengthening Enterprise Risk Management for Strategic Advantage | 2009
Effective Enterprise Risk Oversight: The Role of the Board of Directors | 2009

[Figure 3: chart not reproduced. Series: Risk Management; COSO. Horizontal axis: half-year periods from 2000-Q1/Q2 to 2013-Q3/Q4. Vertical axis ticks: 0 to 120.]
Note: The highlighted time window refers to the release period of key COSO ERM-IF publications
Fig. 3. Bibliometric analysis (for each data point, we searched for ‘‘risk management’’ and ‘‘COSO’’ in the publications of AICPA’s Journal of Accountancy,
IMA’s Strategic Finance magazine, IIA’s Internal Auditor magazine and FEI’s Financial Executive magazine. Our initial search also included ‘‘enterprise risk
management’’ and ‘‘Committee of Sponsoring Organizations’’; including the frequencies of these words does not change the bibliometric data, however, not
including them eliminates redundancies).
Discussion
Our data highlights the critical roles played by COSO in the emergence and institutionalization of their ERM-IF. Commencing with disruption, the devolution of internal control led to an interest in risk; the inadequacies and failures of internal control systems created a space for the acceptance of risk logics. Within these new logics, a key element of the institutional work performed by actors within COSO was the way that the existing IC-IF model was problematized as insufficient to deal with a growing array of risks facing organizations. In so doing, the ERM-IF was positioned as offering a more thorough framework through which risk could be effectively understood and dealt with, while at the same time retaining a similar look and feel to the IC-IF which minimized the perceived burden, costs and risks of adoption. Discursively, this was achieved through an appeal to the prospect of reining in a growing and diverse band of risks and uncertainties. As Power (2009, p. 850) has pointed out, the discourse surrounding the arrival of the ERM-IF promised “that mistakes of the past will be mitigated, if not avoided, by a more rational and synthetic conception of risk management capable of a ‘canopy-like’ view of the organization.” This process was marketed as positive, entrepreneurial and explicitly in the service of wealth creation.
As creators, the COSO group engaged in various forms of institutional work. Upon accessing consultants to confirm the need for a framework to help organizations manage risk, COSO defined the ‘new’ rule systems of risk management; drew upon, and further constructed, their identity as reputable “thought leaders”; and built support networks within the five sponsoring organizations. In the final version of the framework, COSO drew connections to their IC-IF with similar language and format; theorized an abstract and flexible framework that would appear relevant to all potential adopters; and problematized risk as something that must be addressed while emphasizing that the prescriptions of their ERM-IF are integral to the creation and preservation of value.
While each of these demonstrations of institutional work created awareness of, and interest in, the ERM-IF, the COSO group also conducted institutional work to maintain the ERM-IF as a lasting institution. The majority of studies investigating the diffusion and institutionalization of management tools have suggested that the individuals responsible for creating the practice tend to be different from the individuals who then promote and distribute it (see, for example, Ax & Bjornenak, 2005; Jones & Dugdale, 2002). What makes the diffusion of COSO’s ERM-IF especially interesting is the fact that COSO (and their related membership groups) played a fundamental role in executing both the creation and maintenance of the emerging innovation. In addition to the rules and guidance included in COSO’s ERM-IF to enable and support adoption, COSO’s ERM-IF was actively valorized as a solution. It was developed and then delivered to potential adopters through accessible how-to guides and promotional work aimed at generating mass market awareness. The diffusion of COSO’s ERM-IF benefitted not only from having various groups involved in delivering it to the marketplace across the US, but also from being spread through diverse mediums and channels of communication. Further, the loose nature of the framework provided enough leeway that the sponsoring organizations, accounting firms and consultancy groups could continue to maintain the ERM space by devising different services closely connected to the ideas of ERM.
Table 6 lists Lawrence and Suddaby’s (2006) three types of institutional work to disrupt, nine types of institutional work to create, and six types of institutional work to maintain an institution. In the table, we summarize empirical examples of disruption, creation and maintenance institutional work carried out by COSO. Our empirical observations contain no evidence of disconnecting sanctions/rewards, policing, and deterring forms of institutional work, suggesting that COSO’s ERM-IF diffused successfully without requiring any sanctioning or compliance work. We also note that mimicry and mythologizing share significant overlap in their definitions that institutions rise in part because of prior related institutions. Discursive practices and resources appear as a common theme underlying several forms of institutional work (e.g., advocacy, mimicry, enabling, valourizing, demonizing, mythologizing, undermining assumptions and beliefs). It is interesting to note that this commonality transcends Lawrence and Suddaby’s disruption, creation and maintenance categories, highlighting the centrality of discourse in institutional work.
Our analysis thus demonstrates that although institutional work research provides a robust vehicle for explaining the rise of COSO’s ERM-IF, the actual “work” performed in institutional work does not fit neatly into the categories suggested in prior research (i.e., Lawrence & Suddaby, 2006; Perkmann & Spicer, 2008). It is a mistake to envisage this as a step-by-step approach: first originating with an identified intellectual gap, then moving into the rationalized program of response finally implemented via technologies. Such sequential ordering offers an easy narrative but does not capture the fluidity of practice (see also Blacker & Regan, 2006; Malsch & Gendron, 2013; Meyer, Gaba, & Colwell, 2005). For example, in this instance, the availability of a related technology enabled discussion of a potential framework in a way that would not have hitherto been possible. Much of this happened synchronously and non-linearly rather than sequentially. It is not a question of what came first: for example, defining, theorizing, educating, mythologizing, embedding and routinizing. Rather, they each enabled each other and led to practice as it came to be. In this way, we present a fluid depiction of diffusion, one that addresses the dialectical interaction between disrupting, creating and maintaining, while at the same time we seek to illuminate broader processes of the development of knowledge and practice. Certain forms of institutional work persisted, others disappeared, while others in turn re-emerged.
Further, the diffusion of COSO’s ERM-IF highlights the extra-organizational character of much work. To disrupt the logics of internal control, COSO commissioned a team of consultants to evaluate the need for a framework to manage risk. While creating the ERM-IF, COSO engaged with the marketplace by sharing an exposure draft for public comment. During this period, members of the COSO group also attended conferences and engaged in presentations to collect additional feedback and to make the marketplace aware of the impending release of the ERM-IF. This consultation and information gathering process is an important bridge between work to create and work to maintain because the former builds a network and creates awareness for the latter to eventually unfold. As originators of the ERM-IF, the COSO Board, Project Advisory Council and PwC authorship team held key roles in the promotional efforts and this promotion work was reinforced by the sponsoring organizations, other professional firms and various consulting groups. The project nature of much contemporary corporate activity draws attention to groups, coalitions and alliances, however temporary and shifting. The extra-organizational character of this work distinguishes it from some hagiographic accounts of heroic institutional entrepreneurship.
Table 6
Empirical examples of institutional work by COSO as a disruptor, creator and maintainer.
Category | Institutional work | Nature of work
COSO as a disruptor | Disconnecting sanctions/rewards | Not observed
COSO as a disruptor | Disassociating moral foundations | COSO argued that due to rapid changes in the operating environments of organizations, the pre-existing IC-IF was no longer sufficient to address key risks faced by firms
COSO as a disruptor | Undermining assumptions and beliefs | The perceived costs and risks of adopting the ERM-IF were minimized by ensuring that it had a similar style and language as the IC-IF, thereby providing organizations with a familiar template and manageable transition
COSO as a creator | Advocacy | COSO’s ERM-IF release heavily referenced the economic, corporate and regulatory shocks preceding its release as well as international “calls for enhanced corporate governance and risk management, with new law, regulation, and listing standards” (COSO, 2004, p. v)
COSO as a creator | Defining | COSO’s framework promulgated widely quoted definitions as well as “key principles and concepts, a common language, and clear direction and guidance” (COSO, 2004, p. v)
COSO as a creator | Vesting | Not observed
COSO as a creator | Constructing identities | COSO was able to build upon their identity as “thought leaders” in the areas of fraud and internal control and remake themselves as leading ERM contributors
 | | COSO was able to extend its existing expertise and, by extension, the boundaries of the sponsoring organizations (the membership bodies of AAA, AICPA, FEI, IMA and IIA) to incorporate risk management
COSO as a creator | Changing normative associations | With its vast member network, COSO was well positioned to promulgate ERM to the business community. The ERM-IF built upon the foundation provided by the IC-IF
COSO as a creator | Constructing normative networks | COSO’s member organizations provided a strong, widely connected vehicle to distribute the framework, which opened up opportunities for applied use by a range of managers, consultants and related experts
COSO as a creator | Mimicry | COSO’s ERM-IF leveraged its existing IC-IF by adopting all five of the original components (control environment, risk assessment, control activities, information/communication, and monitoring) and adding three components (internal environment, objective setting, risk response). It also adopted a similar format, graphical presentation and language
COSO as a creator | Theorizing | COSO recognized the need for a high level of abstraction or generalization facilitating adoption across a wide range of industries and geographies as well as a flexible and scalable model allowing adopters to incrementally implement aspects of the framework
COSO as a creator | Educating | The ERM-IF is available in an inexpensive, easy-to-access and understandable book. Purchasers of the framework also receive a CD of blank evaluation tools and templates which provided an additional medium to learn and apply ERM
 | | COSO (and related organizations) also helped educate the marketplace through press releases, media tours and webcasts, and also by producing follow-up thought leadership on specific issues and problem areas
 | | COSO (and related organizations) presented the ERM-IF at various conferences, and PwC continued to support the ERM-IF publicly and by developing market tools aligned with it
COSO as a maintainer | Enabling | COSO’s provision of continuous ERM rhetoric through their thought leadership publications provided an important vehicle to reinforce the framework
 | | The ERM-IF set out clear roles and responsibilities for stakeholders within and across the organization
COSO as a maintainer | Policing | Not observed
COSO as a maintainer | Deterring | Not observed
COSO as a maintainer | Valourizing and demonizing | COSO’s framework was cast as progressive and useful in the face of growing and inexorable risks. In addition, member organizations and external players (e.g., consultants, media) played a role in foregrounding the dangers of risk, in valourizing organizations that had successfully followed best practice and demonizing organizations that had failed to adapt
 | | COSO continued its valorizing and demonizing work throughout its additional “thought papers”
COSO as a maintainer | Mythologizing | COSO publications provide extensive case studies of successful implementation and best practices promising to navigate enrolled organizations through dangerous and uncertain risks
COSO as a maintainer | Embedding and routinizing | COSO’s member organizations as well as consulting practices offered extensive training and education programming to embed ERM in practice
Rather than reflecting a “grand account” of institution-building or “heroic” account of institutional entrepreneurship, COSO’s institutional work takes shape, in Lawrence et al.’s (2011, p. 52) terms, as a “complex mélange of forms of agency” – simultaneously radical and conservative, strategic, and overlapping with a powerful set of interested member organizations. Our results show that COSO sampled and tested a variety of types of institutional work, at different points throughout the diffusion process and drew strategically on third parties. Several researchers have suggested that the effort of multiple actors is advantageous to institutionalization (e.g., Abrahamson & Fairchild, 2001; Perkmann & Spicer, 2008; Suddaby & Greenwood, 2001).
Scott (2008, p. 223) goes further to assert that professionals are “the most influential, contemporary crafters of institutions.” Interestingly, “profession” in our case does not refer to a group of experts in one particular knowledge area. Our paper thus introduces and offers empirical support for the concept of a hybridized professional group. Extant research has studied hybrid organizational forms (e.g., Boland, Sharma, & Afonso, 2008; Miller et al., 2008) and professional organizations with a homogenous composition (e.g., Cooper & Robson, 2006; Greenwood et al., 2002). Divergent from these examples, COSO is a professional group spanning multiple functional domains and defying strict definition. We define hybridized professional group as a collection of persons derived from heterogeneous sources. A hybridized professional group such as COSO thus brings together a variety of distinct professional entities. What characterizes COSO as an especially sound example of a hybridized professional group is that not only are members from various professional entities, but the substance of their day-to-day employment also varies widely (e.g., teaching, research, consulting, auditing, standard setting and working in industry). The activity of this cohort was central in explaining how COSO’s ERM-IF became the preeminent framework for managing risk. Moreover, we argue that a virtual, blended group of professionals who are otherwise not connected (i.e., they do not come from the same employer, background or even geographic location) make especially powerful suppliers of institutions. Our depiction of hybridized professionals responds to Lawrence et al.’s (2011) call for institutional work to consider distributed agency – referred to as a significant group of actors conducting coordinated or uncoordinated activities employed to effect change.
Conclusion
The arrival of COSO’s ERM-IF represents a major inflection point in the history of risk management throughout the world; ERM increasingly defines the language of governance and senior management responsibility. Since its release in 2004, COSO’s ERM-IF has had a significant impact on business practice. In a survey that asked respondents if they read specific publications related to risk and if so, to what extent did they read them, COSO’s ERM-IF was read by 74% of respondents and was also rated as the most well-read (Fraser et al., 2008). More recently, a 2010 report on the state of ERM found that nearly 65% of respondents were either ‘fairly familiar’ or ‘very familiar’ with COSO’s ERM-IF. In comparison, competing frameworks received very low ratings of familiarity (i.e., Australia/New Zealand AS/NZ 4360, Turnbull Guidance, ISO standards) (COSO, 2010b). Further, respondents identified COSO’s ERM-IF as “the overwhelming choice as the basis for implementing ERM. ... Very few respondents indicated that they used other frameworks as the basis for designing and implementing ERM processes” (COSO, 2010b, p. III). Despite criticisms of COSO’s ERM framework (see for example, Fraser et al., 2008; Quinn, 2006; Samad-Khan, 2005), Power (2007, 2009) confirms the embeddedness of COSO’s ERM-IF: “[w]hile ERM has numerous sources feeding the same basic idea, the COSO (2004) version has become a world-level template for best practice over a short period of time” (Power, 2009, p. 849).
Rather than map the large-scale transformations occasioned by the growing influence of risk management (see, for example, Hoyt & Liebenberg, 2011; Pagach & Warr, 2010), this article has sought to attend more closely to the relationship between a key risk management institution and the actors central in its formation and diffusion. Investigating the institutional work from the perspective of the supply-side of a management innovation helps us understand the nature of institutional work that led to the preeminent status of COSO’s ERM-IF. We emphasize that this work was non-sequential, at times simultaneous and heavily reliant on a web of member entities. The case dissolves conventional dichotomies between theorization and diffusion (Scarbrough, 2002) and creation and conveying (Rogers, 1995) and demonstrates that when the supply-side fulfills both of these critical roles, diffusion and institutionalization may be strengthened. A hybridized professional group that performs a variety of disruptor, creator and maintainer activities is a strong force for diffusion and institutionalization. COSO was able to leverage its diverse composition, favorable geographic features and a collection of promotional activities to then fulfill a maintenance role of disseminating the framework across North America and beyond.
We believe that this paper opens up several interesting lines of future research. Specifically, hybridized professional groups comprising members from different professional accreditations and/or geographic locations remain under-researched. Particularly in realms that are contested by multiple professional associations (such as risk management) we believe these groups will become increasingly significant actors in the diffusion of new ideas and techniques. Furthermore, theoretical work in the area of institutional work remains relatively nascent, particularly in the accounting literature. Future field-based studies have the potential to further refine and consolidate the theoretical categories and concepts in the area.
Acknowledgements
We would like to thank Steven Salterio, Pamela Murphy, Paul Andon and Bertrand Malsch for their helpful comments and suggestions. We would also like to thank participants at the 2013 Alternative Accounts Conference as well as workshops at the Queen’s School of Business and the University of New South Wales. Financial support provided by the CPA-Queen’s Centre for Governance is gratefully acknowledged.
References
Aabo, T., Fraser, J. R., & Simkins, B. J. (2005). The rise and evolution of the
chief risk officer: Enterprise risk management. Journal of Applied
Corporate Finance, 17(3), 62–75.
Abrahamson, E. (1991). Managerial fads and fashions: The diffusion and
rejection of innovations. The Academy of Management Review, 16(3),
586–612.
Abrahamson, E., & Fairchild, G. (1999). Management fashion: Lifecycles,
triggers, and collective learning processes. Administrative Science
Quarterly, 44(4), 708–740.
Abrahamson, E., & Fairchild, G. (2001). Knowledge industries and idea
entrepreneurs: New dimensions of innovative products, services, and
organizations. In C. B. Schoonhoven & E. Romanelli (Eds.), The
entrepreneurship dynamic: Origins of entrepreneurship and the evolution
of industries (pp. 147–177). Stanford, CA: Stanford University Press.
AICPA Board of Directors (1993). Meeting the financial reporting needs of
the future: A public commitment from the public accounting
profession. Journal of Accountancy, 176(2), 17–19.
Alcouffe, S., Berland, N., & Levant, Y. (2008). Actor-networks and the
diffusion of management accounting innovations: A comparative
study. Management Accounting Research, 19(1), 1–17.
Altheide, D. (2003). Notes towards a politics of fear. Journal for Crime,
Conflict and the Media, 1(1), 37–54.
Anonymous (1997). How strong is your safety net? Financial Executive,
13(2), 47.
Anonymous (2004). News digest. Journal of Accountancy, 198(6), 19–21.
Arena, M., Arnaboldi, M., & Azzone, G. (2010). The organizational
dynamics of enterprise risk management. Accounting, Organizations
and Society, 35(7), 659–675.
Ax, C., & Bjornenak, T. (2005). Bundling and diffusion of management
accounting innovations – The case of the balanced scorecard in
Sweden. Management Accounting Research, 16(1), 1–20.
Beasley, M., Pagach, D., & Warr, R. (2008). Information conveyed in hiring
announcements of senior executives overseeing enterprise-wide risk
management processes. Journal of Accounting, Auditing & Finance,
23(3), 311–332.
Benders, J., & Van Veen, K. (2001). What’s in a fashion? Interpretative
viability and management fashions. Organization, 8(1), 33–53.
Bernstein, P. L. (1996). The new religion of risk management. Harvard
Business Review, 74(2), 47–51.
Bjornenak, T., & Olson, O. (1999). Unbundling management accounting
innovations. Management Accounting Research, 10(4), 325–338.
Blacker, F., & Regan, S. (2006). Institutional reform and the reorganization
of family support services. Organization Studies, 27(12), 1843–1861.
Bol, J. C., & Moers, F. (2010). The dynamics of incentive contracting: The
role of learning in the diffusion process. Accounting, Organizations and
Society, 35(8), 721–736.
Boland, R. J., Jr., Sharma, A. K., & Afonso, P. S. (2008). Designing
management control in hybrid organizations: The role of path
creation and morphogenesis. Accounting, Organizations and Society,
33(7), 899–914.
Bort, S., & Kieser, A. (2011). Fashion in organization theory: An empirical
analysis of the diffusion of theoretical concepts. Organization Studies,
32(5), 655–681.
Bridge, M., & Moss, I. (2003). COSO back in the limelight: Good practice for
any organization, critical for SEC registrants. Compliance Week.
Busco, C., & Quattrone, P. (2009). How management practices diffuse: The
balanced scorecard as a rhetorical machine. HEC Accounting &
Management Control Department, Research Seminar.
Castka, P., & Balzarova, M. A. (2008). ISO 26000 and supply chains – On
the diffusion of the social responsibility standard. International Journal
of Production Economics, 111(2), 274–286.
Chapman, C. (2003). Bringing ERM into focus. The Internal Auditor, 60(3),
30–35.
Chenok, P. B. (1995). Fifteen years of meeting the challenges. Journal of
Accountancy, 179(6), 66–70.
Chua, W. F., & Taylor, S. L. (2008). The rise and rise of IFRS: An
examination of IFRS diffusion. Journal of Accounting and Public Policy,
27(6), 462–473.
Clark, T. (2004). The fashion of management fashion: A surge too far?
Organization, 11(2), 297–306.
Clark, T., & Salaman, G. (1998). Telling tales: Management gurus’
narratives and the construction of managerial identity. Journal of
Management Studies, 35(2), 137–161.
Cooper, D. J., & Robson, K. (2006). Accounting, professions and regulation:
Locating the sites of professionalization. Accounting, Organizations and
Society, 31(4–5), 415–444.
Corbett, C. J., & Kirsch, D. A. (2001). International diffusion of ISO 14000
certification. Production and Operations Management, 10(3), 327–342.
COSO (n.d.). About us. Committee of Sponsoring Organizations of the
Treadway Commission.
COSO (1994). Internal control – Integrated framework. New York, NY:
Committee of Sponsoring Organizations of the Treadway
Commission.
COSO (2004). Enterprise risk management – Integrated framework. New
York, NY: Committee of Sponsoring Organizations of the Treadway
Commission.
COSO (2010a). Board risk oversight – A progress report: Where boards of
directors currently stand in executing their risk oversight responsibilities
by Protiviti. Committee of Sponsoring Organizations of the Treadway
Commission.
COSO (2010b). COSO’s 2010 report on ERM: Current state of enterprise risk
oversight and market perceptions of COSO’s ERM framework by Mark S.
Beasley, Bruce C. Branson & Bonnie V. Hancock. Committee of
Sponsoring Organizations of the Treadway Commission.
COSO (2012). Enhancing board oversight: Avoiding judgment traps and
biases by Steven M. Glover & Douglas F. Prawitt. Committee of
Sponsoring Organizations of the Treadway Commission.
COSO (2013). Demystifying sustainability risk: Integrating the triple bottom
line into an enterprise risk management program by Craig Faris, Brian
Gilbert, Brendan LeBlanc, Brian Ballou & Dan L. Heitger. Committee of
Sponsoring Organizations of the Treadway Commission.
Currie, G., Lockett, A., Finn, R., Martin, G., & Waring, J. (2012). Institutional
work to maintain professional power: Recreating the model of
medical professionalism. Organization Studies, 33(7), 937–962.
Dacin, M., Goodstein, J., & Scott, W. R. (2002). Institutional theory and
institutional change: Introduction to the special research forum. The
Academy of Management Journal, 45(1), 43–56.
Davila, A., Foster, G., & Li, M. (2009). Reasons for management control
systems adoption: Insights from product development systems
choice by early-stage entrepreneurial companies. Accounting,
Organizations and Society, 34(3–4), 322–347.
Delmas, M., & Montiel, I. (2008). The diffusion of voluntary international
management standards: Responsible care, ISO 9000, and ISO 14001 in
the chemical industry. Policy Studies Journal, 36(1), 65–93.
Delmestri, G. (2006). Streams of inconsistent institutional influences:
Middle managers as carriers of multiple identities. Human Relations,
59(11), 1515–1541.
Dennis, A. (2000). The downside of good times. Journal of Accountancy,
190(5), 53–55.
Desender, K. A. (2007). On the determinants of enterprise risk
management implementation. 2007 Information Resources
Management Association Annual Meeting Paper. SSRN: .
DiMaggio, P. J. (1988). Interest and agency in institutional theory. In L. G.
Zucker (Ed.), Institutional patterns and organizations: Culture and
environment (pp. 3–22). Cambridge, MA: Ballinger.
Durand, R., & McGuire, J. (2005). Legitimating agencies in the face of
selection: The case of AACSB. Organization Studies, 26(2), 165–196.
Edmondson, A., & McManus, S. (2007). Methodological fit in management
field research. Academy of Management Review, 32(4), 1155–1179.
Fraser, J. R. S., Schoening-Thiessen, K., & Simkins, B. J. (2008). Who reads
what most often? A survey of enterprise risk management literature
read by risk executives. Journal of Applied Finance, Spring/Summer,
73–91.
Gardner, D. (2009). Risk: The science and politics of fear. London: Virgin
Books.
Goretzki, L., Strauss, E., & Weber, J. (2013). An institutional perspective on
the changes in management accountants’ professional role.
Management Accounting Research, 24(1), 41–63.
Greenwood, R., & Hinings, C. R. (1988). Organizational design types, tracks
and the dynamics of strategic change. Organization Studies, 9(3),
293–316.
Greenwood, R., & Suddaby, R. (2006). Institutional entrepreneurship in
mature fields: The big five accounting firms. Academy of Management
Journal, 49(1), 27–48.
Greenwood, R., Suddaby, R., & Hinings, C. R. (2002). Theorizing change:
The role of professional associations in the transformation of
institutionalized fields. Academy of Management Journal, 45(1), 58–80.
Guler, I., Guillén, M. F., & Macpherson, J. M. (2002). Global competition,
institutions, and the diffusion of organizational practices: The
international spread of ISO 9000 quality certificates. Administrative
Science Quarterly, 47(2), 207–232.
Hall, M., Mikes, A., & Millo, Y. (2013). How do risk managers become
influential? A field study in two financial institutions. Working Paper,
Harvard Business School, October 17.
Hoyt, R. E., & Liebenberg, A. P. (2011). The value of enterprise risk
management. Journal of Risk and Insurance, 78(4), 795–822.
Huczynski, A. (1993). Management gurus. London: Routledge.
Hwang, H., & Colyvas, J. A. (2011). Problematizing actors and institutions
in institutional work. Journal of Management Inquiry, 20(1), 62–66.
Jackson, B. (2001). Management gurus and management fashions: A
dramatistic inquiry. London: Routledge.
Jones, T. C., & Dugdale, D. (2002). The ABC bandwagon and the juggernaut
of modernity. Accounting, Organizations and Society, 27(1–2), 121–163.
Kelly, P., & Kranzberg, M. (1978). Technological innovation: A critical review
of current knowledge. San Francisco, CA: San Francisco Press.
Kieser, A. (1997). Myth and rhetoric in management fashion. Organization,
4(1), 49–74.
King, A. A., Lenox, M. J., & Terlaak, A. (2005). The strategic use of
decentralized institutions: Exploring certification with the ISO 14001
management standard. The Academy of Management Journal, 48(6),
1091–1106.
Kohlbeck, M., Mayhew, B. W., Murphy, P., & Wilkins, M. S. (2008).
Competition for Andersen’s clients. Contemporary Accounting
Research, 25(4), 1099–1136.
Landsittel, D. L., & Rittenberg, L. E. (2010). COSO: Working with the
academic community. Accounting Horizons, 24(3), 455–469.
Lapsley, I., & Wright, E. (2004). The diffusion of management accounting
innovations in the public sector: A research agenda. Management
Accounting Research, 15(3), 355–374.
Lawrence, T. B., & Suddaby, R. (2006). Institutions and institutional work.
In S. R. Clegg, C. Hardy, T. B. Lawrence, & W. R. Nord (Eds.), Handbook
of organization studies (2nd ed., pp. 215–254). London: SAGE
Publications.
Lawrence, T. B., Suddaby, R., & Leca, B. (2011). Institutional work:
Refocusing institutional studies of organization. Journal of
Management Inquiry, 20(1), 52–58.
Lawrence, T. B., Suddaby, R., & Leca, B. (2009). Introduction: Theorizing
and studying institutional work. In T. B. Lawrence, R. Suddaby, & B.
Leca (Eds.), Institutional work: Actors and agency in institutional studies
of organizations (pp. 1–27). Cambridge: Cambridge University Press.
Lee, F., & Peterson, C. (1997). Content analysis of archival data. Journal of
Consulting and Clinical Psychology, 65(6), 959–969.
Levinsohn, A., & Williams, K. (2004). How to manage risk-enterprise-wide.
Strategic Finance, 86(5), 55–56.
Lounsbury, M., & Crumley, E. (2007). New practice creation: An
institutional perspective on innovation. Organization Studies, 28(7),
993–1012.
Maguire, S., & Hardy, C. (2009). Discourse and deinstitutionalization: The
decline of DDT. Academy of Management Journal, 52(1), 148–178.
Maguire, S., Hardy, C., & Lawrence, T. B. (2004). Institutional
entrepreneurship in emerging fields: HIV/AIDS treatment advocacy
in Canada. Academy of Management Journal, 47(5), 657–679.
Malmi, T. (1999). Activity-based costing diffusion across organizations:
An exploratory empirical analysis of Finnish firms. Accounting,
Organizations and Society, 24(8), 649–672.
Malsch, B., & Gendron, Y. (2013). Re-theorizing change: Institutional
experimentation and the struggle for domination in the field of public
accounting. Journal of Management Studies, 50(5), 870–899.
Matyjewicz, G., & D’Arcangelo, J. R. (2004). Beyond Sarbanes–Oxley. The
Internal Auditor, 61(5), 67–72.
Mazza, C., & Alvarez, J. (2000). Haute couture and prêt-à-porter: The
popular press and the diffusion of management practices.
Organization Studies, 21(3), 567–588.
Mendel, P. (2002). International standardisation and global governance:
The spread of quality and environmental management standards. In
A. J. Hoffman & M. J. Ventresca (Eds.), Organizations, policy and the
natural environment (pp. 407–424). Stanford, CA: Stanford University
Press.
Meyer, A. D., Gaba, V., & Colwell, K. A. (2005). Organizing far from
equilibrium: Nonlinear change in organizational ?elds. Organization
Science, 16(5), 456–473.
Mikes, A. (2008). Chief risk of?cers at crunch time: Compliance
champions or business partners? Journal of Risk Management in
Financial Institutions, 2(1), 7–25.
Mikes, A. (2009). Risk management and calculative cultures. Management
Accounting Research, 20(1), 18–40.
Miller, P., Kurunmaki, L., & O’Leary, T. (2008). Accounting, hybrids and the
management of risk. Accounting, Organizations and Society, 33(7–8),
942–967.
Minter, F. C. (2002). Do you remember COSO? Strategic Finance, 83(8),
8–10.
Modell, S. (2009). Bundling management control innovations: A ?eld
study of organisational experimenting with total quality
management and the balanced scorecard. Accounting, Auditing &
Accountability Journal, 22(1), 59–90.
Naranjo-Gil, D., Maas, V. S., & Hartmann, F. G. H. (2009). How CFOs
determine management accounting innovation: An examination of
direct and indirect effects. European Accounting Review, 18(4),
667–695.
Oliver, C. (1991). Strategic responses to institutional processes. Academy
of Management Review, 16(1), 145–179.
Oliver, C. (1992). The antecedents of deinstitutionalization. Organization
Studies, 13(4), 563–588.
Oliverio, M. E. (2001). Internal control – Integrated framework: Who is
responsible? Critical Perspectives on Accounting, 12(2), 187–192.
Olson, D. L., & Wu, D. D. (2008). New frontiers in enterprise risk
management. Springer.
Pagach, D. P., & Warr, R. S. (2010). The effects of enterprise risk management
on ?rm performance. SSRN: .
Patton, M. (1990). Qualitative evaluation and research methods (2nd ed.).
California, USA: Thousand Oaks.
Perkmann, M., & Spicer, A. (2008). How are management fashions
institutionalized? The role of institutional work. Human Relations,
61(6), 811–844.
Power, M. (2004). The risk management of everything: Rethinking the
politics of uncertainty. London, UK: Demos.
Power, M. (2007). Organized uncertainty: Designing a world of risk
management. Oxford: Oxford University Press.
Power, M. (2009). The risk management of nothing. Accounting,
Organizations and Society, 34(6–7), 849–855.
Power, M. (2013). The apparatus of fraud risk. Accounting, Organizations
and Society, 38(6–7), 525–543.
Power, M., Scheytt, T., Soin, K., & Sahlin, K. (2009). Reputational risk as a
logic of organizing in late modernity. Organization Studies, 30(2–3),
301–324.
Protiviti (2006). Guide to enterprise risk management: Frequently asked
questions. Protiviti Inc. .
Protiviti (2007). Enterprise risk management in practice: Pro?les of
companies building effective ERM programs. Protiviti Inc.
.
Protiviti (2013). The updated COSO internal control framework: Frequently
asked questions (2nd ed.). Protiviti Inc. .
C. Hayne, C. Free / Accounting, Organizations and Society 39 (2014) 309–330 329
PwC (2009). Extending enterprise risk management (ERM) to address
emerging risks. PricewaterhouseCoopers. .
Qu, S. Q., & Cooper, D. J. (2011). The role of inscriptions in producing a
balanced scorecard. Accounting, Organizations and Society, 36(6),
344–362.
Quinn, L. R. (2006). COSO at a crossroad. Strategic Finance, 88(1), 42–49.
Raz, T., & Hillson, D. (2005). A comparative review of risk management
standards. Risk Management: An International Journal, 7(4), 53–66.
Rogers, E. M. (1995). Diffusion of innovations (4th ed.). New York: The Free
Press.
Samad-Khan, A. (2005). Why COSO is ?awed. Operational Risk &
Regulation, January. .
Scarbrough, H. (2002). The role of intermediary groups in shaping
management fashion: The case of knowledge management.
International Studies of Management and Organization, 32(4), 87–103.
Scott, W. R. (2003). Institutional carriers: Reviewing modes of
transporting ideas over time and space and considering their
consequences. Industrial and Corporate Change, 12(4), 879–894.
Scott, A. (2004). COSO ERM framework released. The Internal Auditor,
61(5), 17–18.
Scott, W. R. (2008). Lords of the dance: Professionals as institutional
agents. Organization Studies, 29(2), 219–238.
Scott, R. A., Shenkir, W. G., & Walker, P. L. (2000). Enterprise-wide risk
management: Recommendations to COSO. Consulting report.
Semer, L. J. (1998). Disaster recovery planning. The Internal Auditor, 55(6),
40–47.
Sharma, U. P., Lawrence, S. R., & Lowe, A. (2010). Institutional contradiction
and management control innovation: A ?eld study of total quality
management practices in a privatized telecommunication company.
Management Accounting Research, 21(4), 251–264.
Slager, R., Gond, J.-P., & Moon, J. (2012). Standardization as institutional
work: The regulatory power of a responsible investment standard.
Organization Studies, 33(5–6), 763–790.
Smith, M. (2003). Research methods in accounting. Thousand Oaks, CA:
SAGE Publications Ltd..
Spira, L. F., & Page, M. (2003). Risk management: The reinvention of
internal control and the changing role of internal audit. Accounting,
Auditing & Accountability Journal, 16(4), 640–661.
Suddaby, R. (2010). Challenges for institutional theory. Journal of
Management Inquiry, 19(1), 14–20.
Suddaby, R., & Greenwood, R. (2001). Colonizing knowledge:
Commodi?cation as a dynamic of jurisdictional expansion in
professional service ?rms. Human Relations, 54(7), 933–953.
Suddaby, R., & Viale, T. (2011). Professionals and ?eld-level change:
Institutional work and the professional project. Current Sociology,
59(4), 423–442.
Treadway (1987). Report of the national commission on fraudulent ?nancial
reporting by National Commission on Fraudulent Financial
Reporting. Committee of Sponsoring Organizations of the Treadway
Commission. .
Tucker, G. H. (2001). IT and the audit. Journal of Accountancy, 192(3),
41–43.
Weber, R. P. (1990). Basic content analysis. Newbury Park, CA: SAGE
Publications Ltd..
Zahir ul Hassan, M. K., & Vosselman, E. (2010). Institutional entrepreneurship
in the social construction of accounting control. NiCE Working Paper.
.