Incorporation of international risk management standards into federal regulations

The issue of risk management has gained attention in the field of administration due to the dissemination of international frameworks. In Brazilian federal public administration, risk management is a recent and expanding practice. This research analyzes how international corporate risk management frameworks have been adopted by the federal government through regulations and guidelines. The study adopts the concepts of coercive, normative, and mimetic forces from the neo-institutional theory, and examines the presence of international norms in the Brazilian regulations. Through a qualitative approach, content analysis in documents, norms, interviews, and seminars was used to identify traits of the COSO ERM and ISO 31000/2009 frameworks, which were chosen based on relevance. Results identify important actors pushing for the use of international frameworks, such as international organizations, professional associations, and public agencies, especially those related to government audits. Despite the strong international influence, the Brazilian norms are adapted to the organizations’ context, allowing the maintenance of national autonomy.


INTRODUCTION
Enterprise risk management is considered to be an important instrument within the framework of corporate governance. It is also known as "new risk management" (Palermo, 2014). Enterprise risk management is the integral, formal and systematic use of risk management and it has been adopted by various types of organizations, including the public sector (Oulasvirta & Anttiroiko, 2017).
The diffusion, adoption and use of enterprise risk management, like managerial innovation, has been the focus of research during recent decades. It has been increasingly diffused abroad, reaching a variety of organizations throughout the world. However, studies related to the diffusion of this instrument in the public sector are still restricted to countries which have adopted it in an anticipated manner, which in general are considered developed (Collier & Woods, 2011; Crawford & Stein, 2005; Oulasvirta & Anttiroiko, 2017; Palermo, 2014; Woods, 2009 talks, using a qualitative approach through content analysis (Bardin, 2011).
The COSO consists of the main financial and accounting professional associations in the United States of America. The COSO ERM was developed by the British company PricewaterhouseCoopers (PwC), with the collaboration of a consultative board of American professionals (Hayne & Free, 2014 (Leitch, 2010). These models of Anglo-Saxon origin were born from searches for fraud in financial/accounting reports (Delmas, 2002; Delmas & Montes-Sancho, 2011; Delmas & Montiel, 2008; Guler, Guillén, & Macpherson, 2002; Hayne & Free, 2014).
The incorporation of the foreign models doesn't guarantee that the implementation of risk management will be successful. Various environments and cultures need to adapt the content of these models to adjust their object of focus, with the risk of straying from the end sought by the norm (Dobija, 2015; Oulasvirta & Anttiroiko, 2017).
In addition to contributing to the literature dealing with Latin America's late adoption of these standards, this article helps understand the process of normalizing enterprise risk management in the Brazilian federal government, highlighting the forces and actors involved in this process.

THE ADOPTION OF MANAGERIAL INNOVATIONS IN THE INTERNATIONAL CONTEXT
Recent studies deal with the dissemination of the voluntarily adopted models which define and regulate activities (Hayne & Free, 2014), for example, various ISO norms (Delmas, 2002; Delmas & Montes-Sancho, 2011; Delmas & Montiel, 2008; Guler et al., 2002) and the COSO ERM model (Hayne & Free, 2014), among others (Durand & McGuire, 2005; Perez-Aleman, 2010). According to Rogers (1995, p. 5), diffusion consists of a "process through which innovation is communicated by certain channels over time by members of a social system." The neo-institutional approach predominates in the explanation of the diffusion of international models (Guler et al., 2002; Perez-Aleman, 2010). It emphasizes diffusion by way of isomorphism which is a product of coercive, imitative and normative forces, which conduct the adaptation of organizational characteristics with the environment (DiMaggio & Powell, 1983).
The coercive type derives from exogenous pressures, exercised by other organizations and the cultural expectations of society. It may manifest itself through persuasion or an invitation to act jointly, in addition to technical and legal requirements. In this manner, various countries, as well as international organizations and development agencies, can impose their expectations on governments, which often are pressured to meet standards which are considered legitimate (DiMaggio & Powell, 1983; Dobbin, Simmons, & Garrett, 2007; Weyland, 2005). Thus, imitative isomorphism occurs when an organization takes what other organizations are doing in terms of solutions for problems as the model. Normally this occurs when technologies are insufficiently understood or there is uncertainty in the environment. The reproduction of the characteristics of these organizations may be involuntary or explicit, and can be made viable by consulting firms or professional associations. Companies adopt the practices of these organizations to increase their legitimacy, to demonstrate that they are improving their processes. Finally, normative isomorphism is related to professionalization, given that members of certain professions tend to define work methods. It should be noted that these professional categories suffer imitative and coercive pressures. The sources of this isomorphism are related to education and a cognitive base. Thus, it is professional networks which diffuse organizational models seen as legitimate by their adopters, due to the approval of these networks.
Applying these concepts to the organizational field in the public sector, governments seek legitimacy through the adoption of characteristics of global solutions that are already accepted and legitimized (Meyer, Boli, Thomas, & Ramirez, 1997) or seek to imitate governments or institutions which have greater legitimacy (DiMaggio & Powell, 1983; Dobbin et al., 2007; Weyland, 2005). Thus, they emulate their peers or utilize models that are available, seeking those which are most notable and accessible (DiMaggio & Powell, 1983; Miller & Banaszak-Holl, 2005; Soule & Earl, 2001; Strang & Soule, 1998). Individuals in political positions end up depending on this legitimacy to defend the viability of their proposed solutions (Amenta & Ramsey, 2010). Finally, governments can adopt standardized procedures due to pressure from professional and academic associations, as well as private organizations which produce methodologies (DiMaggio & Powell, 1983; Hall, 1993; Strang & Soule, 1998).
Despite similar pressures, these answers may not appear at the same time. In developing economies, the adoption of international models tends to be delayed. This is explained in part due to innovation learning within other contexts, and the need to adapt innovation to the local context, which leads to greater difficulties in its implementation, given the differences between material resources and knowledge or due to specific cultural differences (Perez-Aleman, 2010). These aspects apply to managerial innovations, such as risk management, whose adoption has intensified during the past 20 years, especially in relation to the COSO ERM and ISO 31000:2009 models (Huber & Scheytt, 2013; Scheytt, Soin, Sahlin-Andersson, & Power, 2006).

ENTERPRISE RISK MANAGEMENT MODELS
The model known as COSO II, "Enterprise Risk Management - Integrated Structure", was launched in 2004. The first COSO¹ model, known as COSO I, arose in 1992 with the publication of the "Internal Control - Integrated Structure," but it is not considered enterprise risk management because its focus is internal control.
COSO II does not substitute the previous version, but rather incorporates issues of internal control and introduces risk management through new components and incorporated elements. In the conception phase, COSO II counted on the assistance of PwC and a consultative board, made up of consultants, academics and executives. At the time of its launch, COSO already had a good reputation due to its historical success in establishing guidelines and best practices (Hayne & Free, 2014). The updating of COSO II in 2017 preserved the main aspects of the previous version and made its text clearer and broader. In addition, this version includes aspects of managerial and strategic culture, such as a broader vision of objectives and organizational levels, in a way that enables organizations to get more out of enterprise risk management (Committee of Sponsoring Organizations of the Treadway Commission [COSO], 2017).
The ISO² 31000:2009 (International Organization for Standardization [ISO], 2009) on the other hand, was developed by a special committee, made up of delegations from 28 countries. They improved the concepts, guidelines and practices of technical norms which preceded them such as AS/NZS 4360:2004, established by the joint committees of Australia and New Zealand which led to the original international norm (Leitch, 2010). Unlike COSO II, this norm does not take a prescriptive approach, instead offering general principles and guidelines in terms of enterprise risk management.
These models are quite similar and do not present conflicts between each other, and should become further aligned in the next few years (Moeller, 2011). There are more similarities than differences between the two models. However, ISO 31000:2009 offers a more simplified approach (Gjerdrum & Peter, 2011). Box 1 presents the similarities identified between the models and Box 2 presents a few differences.

¹ COSO is a non-profit committee dedicated to the improvement of financial reports through ethics, the effectiveness of internal controls and corporate governance, and it arose with the mission to create systematic structures which address the new scenario presented by corporations. It is formed by some of the main financial and accounting professional associations of the United States.
² ISO is a world forum which seeks consensus in the elaboration of international norms through the conciliation of interests of a variety of segments within society. Its norms are developed through various national organizations of normalization, currently present in more than 150 countries.

Scope
Applicable to the entire organization and at lower organizational levels. Can be used in any type of organization.

Risk concept
Risk is positive and negative (opportunities and threats).

Documentation
Requires the establishment of a risk management policy.
Requires the establishment of risk assessment criteria.
States that all risk management activities should be documented.

Characteristics
The implementation of risk management takes into account the specific needs of the organization.
Dynamic, iterative process that contributes to continuous improvement.
Integration of risks with objectives.
Risk management is incorporated into organizational processes.
Need to consider cost-benefit in the treatment of risks.
The risk management process does not guarantee the achievement of objectives.

Process
Establishment of context / objectives, identification, analysis and evaluation, treatment, communication and monitoring.
Source: Elaborated by the authors.
In terms of the differences, it should be emphasized that, regarding responsibility, while COSO defines specifically who is involved, ISO lets the organization define the central roles. Still, in relation to the roles, it appears that the elevated involvement of auditing professionals in the use of the models makes them transcend these functions, and enables them to perform consulting activities for organizations (Zwaan, Stewart, & Subramaniam, 2011

Guidance
COSO ERM: Detailed and prescriptive.
ISO 31000:2009: Generic principles and guidelines.

Publication
COSO ERM: By entities of accounting and auditing professionals.
ISO 31000:2009: Procedure for creating ISO standards (consensus).

Responsibilities
COSO ERM: Establishes specific responsibilities. Defines roles of CEO, Board of Directors, internal auditors, senior and other managers. States that the managers closest to the potential issues should be the risk owners.
ISO 31000:2009: At the discretion of the organization. Definition through establishment of policy, context and risk owners.
Source: Elaborated by the authors.

THE ADOPTION OF ENTERPRISE RISK MANAGEMENT BY THE PUBLIC SECTOR
Various studies address the diffusion and adoption of tools and systems, which initially were designed for private companies, but later were adopted by the public sector (Jackson & Lapsley, 2003; Oulasvirta & Anttiroiko, 2017; Spano, Carta, & Mascia, 2009; Troshani, Jerram, & Hill, 2011).
In particular, the adoption of enterprise risk management by the public sector has been discussed by some authors, for example public organizations in the United Kingdom, and local governments in Finland (Oulasvirta & Anttiroiko, 2017), the United Kingdom and Australia (Collier & Woods, 2011; Crawford & Stein, 2005; Woods, 2009).
In the case of local governments in Finland, risk management was applied mostly in specific areas such as health, security and finance, rather than the integral use of enterprise risk management, demonstrating the existence of "silos". In addition, Oulasvirta and Anttiroiko (2017) report the lack of a perceived benefit on the part of managers when comparing the implementation costs of enterprise risk management. It has been verified that the pressures for voluntary adoption of enterprise risk management have not had the desired effect when senior managers do not adhere to the project. Thus, according to the authors, public sector organizations should be more selective about adopting management tools than they usually are (Oulasvirta & Anttiroiko, 2017).
Meanwhile in the United Kingdom, the introduction of enterprise risk management by local governments has been influenced by performance audits realized by the central government, which present expectations that enterprise risk management systems are based on already available professional model practices (Palermo, 2014; Woods, 2009).  (Gibbs, 2008), the characteristics presented in Boxes 1 and 2 were utilized.

METHODOLOGY
Then, we observed the concepts and recommendations of the international models reflected in the norms and the decisions of the Federal Accounting Court (TCU). We then used the TCU's database (TCU, 2017b), which identified the number of citations and conditions under which the international models are cited or referenced in the documents or accords of this government body. The search was conducted in September 2017 and used the keywords "COSO" and "risks" in combination, and the term "31000" in isolation. The collection resulted in 185 accords and 4 normative acts, with the first occurrences appearing in 2006, and most of the references related to COSO I. The COSO II and ISO models appeared beginning in 2010. In relation to the normative acts, two dealt with both models and two referred exclusively to COSO ERM. In terms of the accords, 43 did not mention these models and most of these were related to COSO I. Of the other accords, 25 treated both models, 99 treated just COSO II and 18 dealt exclusively with ISO 31000:2009.
Finally, we conducted interviews to complement the documentary analysis with six specialists in risk management as illustrated in Box 3. It should be noted that the first two interviewees participated directly in the elaboration of the Joint Normative Instruction MP/CGU No. 1 (2016). A variety of data sources and treatment methods were employed to obtain the triangulation methodology (Flick, 2007).

ENTERPRISE RISK MANAGEMENT ADOPTION INITIATIVES BY THE FEDERAL GOVERNMENT
The process of adopting enterprise risk management by the federal government was largely addressed in 2016, even though it was initiated in the 1990s. In the initial phase, few government bodies were involved with the model. After the issue was normalized by Joint Normative Instruction MP/CGU No. 1 (2016), the implementation of this tool became prevalent in the federal Executive Branch.
The first initiatives took place in a fragmented fashion in several organizations of the federal government. The Central Bank in the 1990s, after the advent of the Real Plan, initiated financial risk management. In 2011, according to several of the interviewees (I1 and I2) and a talk (ENAP, 2017), the Central Bank began to use enterprise risk management in a broader fashion.
According to one of the interviewees (I2), during the beginning of the first decade of the 21st century, initiatives by the Ministry of Social Security and the Secretariats of the National Treasury and Internal Revenue were presented in the federal sphere, and in 2013 enterprise risk management was presented by the National Program of Public Management and Debureaucratization (Decree No. 5,378, 2005), which was discontinued in 2017. This program published a manual (Ministry of Planning, Development and Management [MPDG], 2013), based on the British Treasury's Orange Book (Her Majesty's Treasury [HM Treasury], 2004). However, according to some of the interviewees (I1, I2), the use of this methodology was voluntary and did not achieve relevant dissemination on this occasion. More structured initiatives have permitted an expansion of enterprise risk management in public management, as has occurred in the Federal Accounting Court, the Federal Comptroller General's Office and then the Ministry of Planning, Development and Management. For example, in 2009, seeking to support a bill, the Federal Accounting Court conducted a study of internal controls, exploring models and verifying whether other countries have amplified their role, coming to treat them as risk management instruments. In 2011, the Federal Accounting Court established the improving of enterprise risk management as a strategic objective. According to the interviewees (I3), the subject continued to be a subject of interest in strategic planning in 2015.
An important mark in the history of the Federal Accounting Court was the application of a questionnaire in 2013 to evaluate the maturity of risk management in 65 organizations of indirect administration. The response of these bodies favored reflection about this subject. At the same time, according to one of the interviewees (I1), the fact that the Federal Accounting Court realized this study at the time, demonstrated that the court supported this approach. Thus, the establishment of technical requisites and the expectations of this body in regard to this subject placed a coercive and at the same time normative pressure on professionals within the governmental auditing area.
For the Federal Comptroller General's Office, an important mark in its history was an invitation made to the Organization of Economic Cooperation and Development (OECD) in 2009. It paid a visit and produced a report on the Brazilian federal public administration's system of integrity (ENAP, 2017; Organisation for Economic Cooperation and Development [OECD], 2012). One of the recommendations of the report was to "integrate risk management as a key element of responsible management, and as a way to promote integrity and prevent improbity, embezzlement and corruption" (OECD, 2012, p. 19). The report pointed out gaps in risk management and highlighted the guiding role of the Federal Comptroller General's Office (CGU). With this, the subject was studied in a more intense manner by the CGU. These efforts were contemplated with financing from the Interamerican Development Bank (IDB) in its program to Strengthen Prevention and Combat Corruption in Brazilian Public Management, which, among other subjects, includes risk management. In 2012 it formed a working group which sought to establish a methodological reference for risk management in public administration (I1).
In 2016, Minister Valdir Simão, ex-minister of the CGU and then Minister of Planning, who accompanied the work of the OECD, proposed the implementation of risk management for the instrumentalization of public managers (I1). In this manner, together with the CGU, led at the time by Minister Luiz Navarro, who also accompanied the work of the OECD, he decided to elaborate the publication of the Joint Normative Instruction MP/CGU No. 1 (2016), normalizing the application of this methodology in the federal Executive Branch (I1, I2). This agenda led to other important events related to this subject as reflections of federal public administration, culminating in the publication of Decree No. 9,203 (2017), and the preparation of a bill in which risk management is explicitly addressed (I1).

ANALYSIS OF NORMS, GUIDELINES AND ACCORDS
This study has revealed a greater presence of the COSO model in the analyzed documents. The COSO model appeared before the ISO model and soon won recognition, initially as a discussion of internal controls. This model is sponsored by five important American organizations, including the Institute of Internal Auditors (IIA), which demonstrates its popularity among professional auditors. It is also supported by the International Organization of Supreme Audit Institutions (INTOSAI), by the IDB, by the World Bank and the Government Accountability Office (GAO) of the United States (TCU, 2009).
Meanwhile, ISO 31000:2009 appeared only in 2009. According to one of the interviewees (I1), ISO offers a more practical approach, while COSO is more doctrinaire. Another point in favor of this model is that the ISO, as an international normalization organization, was better known than COSO, given that it is present in various countries and contains a definition of norms of the most varied natures, such as metrology, food safety, quality systems and environmental protection, among others.
The acceptance of these models, according to some of the interviewees (I1, I4), was facilitated by organizations of elevated prestige conceiving and supporting these models which confers legitimacy on them, providing security for anchoring enterprise risk management in the public sector. Another interviewee (I4) points out the use of these models facilitates the standardization of concepts and language.
The mention of these models in these norms and accords demonstrates the influence that they possess. In evaluating the significance of the excerpts present in these documents, we verified mainly the recommendations of how to apply these models and the recognition that they are important references for enterprise risk management due to their legitimacy, credibility and acceptance. Box 4 shows examples of these excerpts. In the mentioned excerpts, the model is associated with: a) "best international practices"; b) "a reference for the realization of a benchmark"; c) "established models"; d) "internationally recognized [models]"; and e) "milestones", which at the same time confer legitimacy on the models, norms and constructed understandings, because they are based on something legitimate which is accepted internationally.

BOX 4 INFLUENCES OF FRAMEWORKS ON RISK MANAGEMENT PRACTICES IN THE BRAZILIAN ADMINISTRATION
In our research, other models were also mentioned, but with less frequency than the studied models, as can be seen in Box 5. These models have a strong relationship with the two models studied here, with the exception of the United Kingdom model, which recognizes other models, but doesn't affirm that it is based on them. Using the factors presented in Boxes 1 and 2, we found various aspects of the studied models in the principal norms selected, which guide enterprise risk management in the Brazilian federal administration. Box 6 describes the analysis realized with publications that address enterprise risk management as one of their subjects, which is to say, they are not specific.

Basic Governance Reference Applicable to Public Administration Bodies and Entities
Brings several aspects of risk management as a matter related to governance. Quotes both frameworks in its text, and states that COSO II "is still used as a reference in the topic of risk management" (TCU, 2014, p. 4
Two of the norms analyzed have risk management as their main subject: a) the reference to combat fraud and corruption (TCU, 2017a), which is specific to risks related to this subject; and b) Joint Normative Instruction MP/CGU/PR No. 1 (2016), which offers general guidelines which determine the implementation of risk management in the context of all the bodies and entities of the federal Executive Branch.
The reference to combatting fraud and corruption directly cites the studied models, recommending their use. In addition, it points out that COSO is the dominant risk management model in the international corporate scenario, especially in the United States, and dedicates a specific topic to the Brazilian technical norm (NBR) ISO 31000:2009. In addition, it states that adaptations of these models have given origin to models applied to the public sector, including, for example, the GAO model (TCU, 2017a).
Some excerpts of Joint Normative Instruction MP/CGU/PR No. 1 (2016) are practically identical to the models analyzed here, including, for example, the principle that deals with "systematic, structured and opportune" risk management (ISO, 2009, p. 7). Moreover, it adopts a model structure made up of components, which are identical to the components of COSO ERM (Committee of Sponsoring Organizations of the Treadway Commission [COSO], 2004, p. 7). This perception is confirmed by the Federal Accounting Court (2017a, p. 25): "that the risk management part of this [Normative Instruction] is based on Coso II".
The perception of the interviewees (I1, I2, I3), especially those who participated in the elaboration of Joint Normative Instruction MP/CGU/PR No. 1 (2016), is that the main references used in the elaboration of the instruction are COSO and ISO 31000:2009. One of the interviewees (I2) added that the Orange Book (HM Treasury, 2004) was used as one of the main references.
Box 7 illustrates the characteristics of these norms related to the studied models.

An organization's risk management system shall cover all organizational levels in an integrated manner.
"Must be integrated with the organization's risk management activity, which is a broader activity because that includes a systemic view of most relevant risks the organization is exposed to" (TCU, 2017a, p. 23); "[…] the reference was designed to assist any public organization" (TCU, 2017a, p. 12).

Normative guideline
IN 01/2016 -MP/CGU -Covers internal controls, risk management and governance within the Federal Executive Branch.
Reference for combating fraud and corruption: applicable to public administration bodies and entities

Risk concept
Art. 2, XIII -"risk: possibility of occurrence of an event that will have an impact on the fulfillment of the objectives".
Risk management accepts positive and negative outcomes, as described in the COSO and ISO 31000:2009 frameworks. "To minimize, monitor and control the likelihood and impact of negative events or maximize the use of opportunities" (TCU, 2017a, p. 24).

Documentation
Risk management policy covered in section IV, for the implementation by Federal Executive Branch organizations.
The risk management policy applies because it states that it must be integrated with the organization's risk management, and mentions IN 01/2016.
The policy should establish risk management criteria specified in Art. 17, II, b) "how and with what frequency the risks will be identified, evaluated, treated and monitored".
"This stage also defines the scope and risk criteria for the rest of the process" (TCU, 2017a, p. 27).
Implementation of policy and guidelines subject to CGU auditing requires appropriate documentation to be produced.
"Documenting and assigning responsibility for risks and controls is important" (TCU, 2017a, p. 28
[...] in order to create the conditions to achieve objectives and fulfil purposes" (TCU, 2017a, p. 24).
Art. 14, V "Use of risk management to support the continuous improvement of organizational processes". "Should be considered by the organization during its activities" (TCU, 2017a, p. 22).
Art. 14, III "Establishment of internal control procedures proportionate to risk, observing cost-benefit ratios, and intending to add value to the organization".
"The benefit from the implementation of anti-fraud and anti-corruption controls should be greater than its cost" (TCU, 2017a, p. 33

Publication
MP and CGU (Administration and Internal Audit).
TCU (External Audit).

Responsibilities
Responsibilities covered throughout the text and specifically in section V.
Assignment of responsibilities to be coordinated.
Source: Elaborated by the authors.
Joint Normative Instruction MP/CGU No. 1 (2016) offers general guidelines so that the government bodies can have a certain amount of autonomy in customizing their risk management models. According to the understanding of the interviewees (I1), the norm is doctrinaire; it does not establish a specific rite, and maintains flexibility for use in various types of organizations. On the other hand, more specificity is observed in the studied models, with their having determinations in terms of responsibilities, the institution of committees and steps to follow. An example of this is the determination of the risk management policy that the entities should institute. They point out various aspects that should be present in the policy, and also determine a timeframe for them to be put into practice.

DIFFUSION ANALYSIS
The analysis of documents and norms related to the risk management of federal public administration indicates the prominence of control bodies in the incentives for managers to use this instrument. The Joint Normative Instruction MP/CGU No. 1 (2016) itself corroborates the role of internal auditing in spreading the application of risk management in Art. 2, III: "[...] it assists the organization in realizing its objectives, based on the application of a systematic and disciplined approach to evaluate and improve the efficiency of risk management processes [...]". This result is in line with the trends observed by Maijoor (2000), namely the growth of internal control systems, which are intimately related with risk management, and are part of the reforms undertaken by corporate governance in various nations, which also increases the relevance of internal auditors. The role of auditing can also be observed in other countries (Zwaan et al., 2011).
It has been verified that, in federal public administration, the oldest normalization that addresses enterprise risk management dates from 2014, and that the first accord to mention a specific model of enterprise risk management was released in 2010. This fact not only demonstrates how current this subject is in the country, but also as noted in one of the interviews (I1), the existence of a certain interval of time needed for the repercussion of international models in the Brazilian context, given that COSO ERM was launched in 2004. Another motive for this delay may be associated with rationality and selectivity in the adoption of managerial innovations in the public sector, as observed by Oulasvirta and Anttiroiko (2017). Using this same line of analysis, it was not possible to observe influences of the latest update to COSO ERM, which occurred in 2017, due to the short timeframe between its release and the development of the current study.
This chronology enables us to conclude that before managers paid attention to enterprise risk management, it was already a concern of the external control body. According to some of the interviewees (I1, I4), the auditors initiated their recommended practices basing their arguments on international models up until the moment of the effective institutionalization of enterprise risk management. In addition, the first normative instruction about this subject was published by the external control body (TCU, 2014). The Executive Branch regulated risk management only in 2016 in conjunction with the internal control body through Joint Normative Instruction MP/CGU No. 1 (2016).
In line with this, one of the interviewees (I4) reinforced the importance of the Federal Accounting Court in the introduction of enterprise risk management in federal public administration. In part, this pioneering role may be attributed to the international influence of INTOSAI: "the Federal Accounting Court, as a member of INTOSAI, also recognizes and uses the model [COSO I] as a base for its evaluations [...]" (TCU, 2009b, p. 10). Some of the interviewees (I1, I4, I5, I6) point out, in the same line, the role of professional associations as important diffusers of these models.
Thus, normative isomorphism is very much present, in view of the strong structure of the professional categories dealing with enterprise risk management. In the Brazilian public sector, enterprise risk management appeared mainly in audit-related bodies, even though risk constitutes a concern for managers. In this area, the COSO is very well known, and has been for a long time, due to the use of COSO I. It is present in universities and is part of the repertoire of professionals in the accounting and auditing area.
Enterprise risk management is a very recent instrument, especially in the public sector. Thus, an insufficient knowledge of this instrument also favors imitative isomorphism, through the adoption of available models of easy use, such as those studied here.
The interviewees mentioned their own personal experiences with studies of these models in academia. Some of them (I2, I5) took courses on these specific models, such as AS/NZS 4360:2004. Another studied them on his own (I1). The interviewees were teachers of specialized courses in the Federal Comptroller General's Office in 2008 and 2009 (e.g., I1), and in private courses, which have been sought after by civil servants (e.g., I5). It may also be observed in the dissemination of knowledge through personnel hiring processes. Some of the interviewees obtained knowledge about enterprise risk management when they were in one governmental body and again when they used them in another (I2, I4).
Thus, in accordance with imitative isomorphism, we have verified that the use of these models occurs in an involuntary manner through civil servants who have had access to these models through classes, talks and training. It also occurs in a voluntary manner, given that large consulting firms promote these models, such as PwC, which participated in the elaboration of COSO ERM. In addition, international organizations and agencies, such as the OECD, have recommended the use of these enterprise risk management instruments in Brazil. Thus, there is evidence of influence related to coercive isomorphism. In the same way, coercive pressures are observed in the expectations of the control bodies themselves.
It should be emphasized that the efforts made to implement a broad model in terms of the norms and guidelines of the federal government, contemplating risks in an integral fashion in its diverse units, avoid a fragmented approach to risk management by sectors as observed in the Finnish case (Oulasvirta & Anttiroiko, 2017).

CONCLUSIONS
We have observed the strong influence of international models, as expected. Models such as the COSO ERM and ISO 31000:2009 have been used as a base for efforts to implement enterprise risk management in the federal public administration, in search of an internationally accepted legacy. However, the presence of models considered to be international references in the normative instructions of the Federal Accounting Court and other federal bodies does not guarantee their application. Their effective adoption depends on various factors, such as leadership and instrument promotion (Oulasvirta & Anttiroiko, 2017). Since risk management uses a different logic of action in the public sector, it may be difficult to institutionalize. One example of this is offered by Azevedo, Aquino, Lino and Cavelmoretti (2019): risk management and mandatory measures according to Complementary Law No. 101 (Law of Fiscal Responsibility, 2000) are realized in a ceremonial manner by the analyzed governments. In other words, its adoption is not effective.
Despite the coercive and normative forces which have led risk management to be included in the normative instructions of the federal government and external control bodies, the real adoption of risk management in a general manner by executive bodies under public management still seems to be a distant step.
The influence of the Anglo-Saxon risk management models analyzed is not necessarily that of a specific country, but of international organizations which promote and disseminate these practices. The COSO model is sponsored by American associations and elaborated by one of the Big 4 auditing firms, PwC, which is based in London, while the ISO model has roots in the model previously elaborated by Australia and New Zealand.
The organizations which legitimize the adoption of these norms are international and of a professional nature. Among them we find: a) non-governmental organizations (NGOs) that act internationally, for example the OECD and the IDB; b) consultants and consulting firms; c) academia; d) professional associations, mainly those related to the accounting profession and the auditing area, such as INTOSAI and the IIA; and e) the government's own bodies and specialists, considered references due to their technical capacity.
It should be noted that despite the fact that the Brazilian norms studied present strong links with international models, the way in which they are structured, as general guidelines, makes it possible to maintain national autonomy and customize them within organizational contexts. Future research can examine the institutionalization (successful or not) of enterprise risk management in public sector organizations and how it has changed the behavior of managers and the conduct of public policies, services, and the type of control exercised by the internal bodies of these organizations.