COSO framework pioneer speaks
The COSO Internal Control Integrated Framework has seemingly been around forever, though in reality it has been around only since 1992.
The framework has truly become a standard when it comes to internal financial controls, despite plenty of criticism over the years.
As far as the COSO risk management framework goes, it's fair to say that it has not been adopted nearly as widely. ComputerWorld offers an interesting interview with Richard Steinberg, the lead project partner of the PricewaterhouseCoopers team that in 1992 developed the COSO Internal Control Integrated Framework and in 2004 developed the COSO Enterprise Risk Management Integrated Framework.
He's fairly candid about the internal controls standard, noting that, "The principles inherent in the framework have been highlighted, and if that's what security managers have been focusing on, it will be received well. If the hope is for a great deal more detail on information security, then it's probably not going to satisfy those hopes."
As for the ERM framework, he acknowledges that it has a long way to go if it wants to match the internal controls framework in terms of adoption.
"There are principles set forth in the ERM framework that need to be in place in order for a company to have what is defined as an 'effective' ERM process. I do think, however, that many companies take significant steps to manage their risks without having what the COSO framework defines as ERM."
In the end, I would argue that companies have invested much more heavily over time in their financial controls, while investment in enterprise risk management is still an emerging practice. Perhaps the day is coming when the COSO risk management framework becomes a true standard.
For more:
- here's the article
Related articles:
COSO publishes risk assessment guide
Ditching COSO for global standard