Keywords: enterprise risk management, ERM, institutions, management accounting, management control, systems theory
The COSO ERM framework: a critique from systems theory of management control
COSO's (2004) framework on Enterprise Risk Management (ERM) makes a valuable contribution to the emerging practice of ERM, but suffers serious limitations. It fails to provide a workable standard for identifying ERM effectiveness. Its definition of 'risk' diverts attention from opportunities and from uncertainties that fall outside its closed rational systems perspective. By taking a command and control approach, it ignores shared management of uncertainties with external parties and social implications of ERM. As a result, threats will be created if this framework is widely followed, which seems likely as ERM is institutionalised within regulations, professional practice and expected norms of good management.