SciELO - Scientific Electronic Library Online

vol.54 issue1The roots of budgetary and financial accounting in BrazilLimits of Brazilian public accounting and control systems to address the systemic corruption problem: lessons from the Swedish and Italian cases author indexsubject indexarticles search
Home Pagealphabetic serial listing  

Services on Demand




Related links


Revista de Administração Pública

Print version ISSN 0034-7612On-line version ISSN 1982-3134

Rev. Adm. Pública vol.54 no.1 Rio de Janeiro Jan./Feb. 2020  Epub Mar 09, 2020 

Article: Special issue

Incorporation of international risk management standards into federal regulations

Incorporación de modelos internacionales de gestión de riesgos en las reglamentaciones federales

Flávio Sergio Rezende Nunes de Souza1

Marcus Vinícius de Azevedo Braga2

Armando Santos Moreira da Cunha1

Patrick Del Bosco de Sales1

1 Fundação Getulio Vargas / Escola Brasileira de Administração Pública e de Empresas, Rio de Janeiro / RJ- Brazil

2 Universidade Federal do Rio de Janeiro / Instituto de Economia Rio de Janeiro / RJ - Brazil


The issue of risk management has gained attention in the field of administration due to the dissemination of international frameworks. In Brazilian federal public administration, risk management is a recent and expanding practice. This research analyzes how international corporate risk management frameworks have been adopted by the federal government through regulations and guidelines. The study adopts the concepts of coercive, normative, and mimetic forces from the neo-institutional theory, and examines the presence of international norms in the Brazilian regulations. Through a qualitative approach, content analysis in documents, norms, interviews, and seminars was used to identify traits of the COSO ERM and ISO 31000/2009 frameworks, which were chosen based on relevance. Results identify important actors pushing for the use of international frameworks, such as international organizations, professional associations, and public agencies, especially those related to government audits. Despite the strong international influence, the Brazilian norms are adapted to the organizations’ context and allowing the maintenance of national autonomy.

Keywords: enterprise risk management; public administration; COSO ERM; ISO 31000; Brazil


El interés en la gestión de riesgos ha crecido de manera constante, fortalecido por la difusión de modelos internacionales. En la administración pública federal de Brasil, el uso de la gestión de riesgos es reciente y se está expandiendo. Esta investigación analiza cómo las normas y directrices del gobierno federal adoptan los modelos internacionales de gestión de riesgos corporativos. Siguiendo la teoría neoinstitucional, se investigó la exposición a fuerzas coercitivas, normativas y miméticas, y la presencia de conceptos de normas internacionales en la reglamentación brasileña. Se utilizó el análisis de contenido en documentos, normas, entrevistas y seminarios para identificar los rasgos de los modelos COSO ERM e ISO 31000/2009, adoptados por su relevancia. Los resultados identifican actores importantes que ejercen presión para la adopción de modelos internacionales, como organizaciones internacionales, asociaciones profesionales y agencias públicas, especialmente las vinculadas a la auditoría gubernamental. A pesar de la fuerte influencia, la estructuración de estándares permite el mantenimiento de la autonomía nacional y su personalización en el contexto de las organizaciones.

Palabras clave: gestión de riesgos corporativos; administración pública; COSO ERM; ISO 31000-2009; Brasil


O interesse no gerenciamento de riscos tem crescido continuamente, fortalecido pela disseminação de modelos internacionais. Na administração pública federal brasileira, o uso da gestão de riscos é recente e encontra-se em expansão. Esta pesquisa analisou como modelos internacionais de gerenciamento de riscos corporativos são adotados pelas normas e orientações do Governo Federal. Aplicam-se os conceitos de forças coercitivas, normativas e miméticas da teoria neoinstitucional e observa-se a presença de conceitos das normas internacionais na normativa brasileira. Aplicou-se a análise de conteúdo em documentos, entrevistas, normas e palestras, a fim de identificar traços do modelo do Comitê das Organizações Patrocinadoras de Treadway (Committee of Sponsoring Organizations of the Treadway Commission [COSO]) para Gerenciamento de Riscos Corporativos (Enterprise Risk Management [ERM]), conhecido como modelo “COSO ERM”, e do modelo da Organização Internacional de Normalização (International Organization for Standardization [ISO]), conhecido como Norma ISO 31000:2009, adotados por sua relevância. Os resultados identificam que importantes atores exercem pressões para adoção dos modelos internacionais, como os próprios organismos internacionais, associações profissionais e órgãos públicos, em especial aqueles ligados à auditoria governamental. Apesar da forte influência verificada, a estruturação das normas permite a manutenção da autonomia nacional e sua customização no contexto das organizações.

Palavras-chave: gerenciamento de riscos corporativos; administração pública; COSO ERM; ISO 31000:2009; Brasil


Enterprise risk management is considered to be an important instrument within the framework of corporate governance. It is also known as “new risk management” (Palermo, 2014). Enterprise risk management is the integral, formal and systematic use of risk management and it has been adopted by various types of organizations, including the public sector (Oulasvirta & Anttiroiko, 2017).

The diffusion, adoption and use of enterprise risk management, like managerial innovation, has been the focus of research during recent decades. It has been increasingly diffused abroad, reaching a variety of organizations throughout the world. However, studies related to the diffusion of this instrument in the public sector are still restricted to countries which have adopted it in an anticipated manner, which in general are considered developed (Collier & Woods, 2011; Crawford & Stein, 2005; Oulasvirta & Anttiroiko, 2017; Palermo, 2014; Woods, 2009).

This influence spans countries and internationally the norms and practices developed in and for one context have been applied to countries with different contexts. This study analyzes the influence of international models of enterprise risk management of Anglo-Saxon origin on the norms and orientations of the Brazilian federal government on this issue. It focuses on the two international models which are considered the most relevant: a) the Committee of Sponsoring Organizations of the Treadway Commission [COSO] for Enterprise Risk Management [ERM] model, known as “COSO ERM”; and b) the International Organization for Standardization [ISO]) model, known as “ISO 31000:2009”. To do this, we have evaluated norms, documents and accords, as well as interviews and talks, using a qualitative approach through content analysis (Bardin, 2011).

The COSO consists of the main financial and accounting professional associations in the United States of America. The COSO ERM was developed by the British company PricewaterhouseCoopers (PwC), with the collaboration of a consultative board of American professionals (Hayne & Free, 2014). ISO 31000:2009, on the other hand, is derived from a model created by the Australia/New Zealand Standards Committee [AS/NZS]), known as Norm AS/NZS 4360:2004 (Leitch, 2010). These models of Anglo-Saxon origin were born from searches for fraud in financial/accounting reports (Delmas, 2002; Delmas & Montes-Sancho, 2011; Delmas & Montiel, 2008; Guler, Guillén, & Macpherson, 2002; Hayne & Free, 2014).

The incorporation of the foreign models doesn’t guarantee that the implementation of risk management will be successful. Various environments and cultures need to adapt the content of these models to adjust their object of focus, with the risk of straying from the end sought by the norm (Dobija, 2015; Oulasvirta & Anttiroiko, 2017).

In addition to contributing to the literature dealing with Latin America’s late adoption of these standards, this article helps understand the process of normalizing enterprise risk management in the Brazilian federal government, highlighting the forces and actors involved in this process.


Recent studies deal with the dissemination of the voluntarily adopted models which define and regulate activities (Hayne & Free, 2014), for example, various ISO norms (Delmas, 2002; Delmas & Montes-Sancho, 2011; Delmas & Montiel, 2008; Guler et al., 2002) and the COSO ERM model (Hayne & Free, 2014), among others (Durand & McGuire, 2005; Perez-Aleman, 2010). According to Rogers (1995, p. 5), diffusion consists of a “process through which innovation is communicated by certain channels over time by members of a social system.”

The neo-institutional approach predominates in the explanation of the diffusion of international models (Guler et al., 2002; Perez-Aleman, 2010). It emphasizes diffusion by way of isomorphism which is a product of coercive, imitative and normative forces, which conduct the adaptation of organizational characteristics with the environment (DiMaggio & Powell, 1983).

The coercive type is derived by exogenous pressures, exercised by other organizations and the cultural expectations of society. It may manifest itself through persuasion or an invitation to act jointly, in addition to technical and legal requirements. In this manner, various countries, as well as international organizations and development agencies, can impose their expectations on government, which often are pressured to meet standards which are considered legitimate (DiMaggio & Powell, 1983; Dobbin, Simmons, & Garrett, 2007; Weyland, 2005). Thus, imitative isomorphism occurs when an organization takes what other organizations are doing in terms of solutions for problems, such as the model. Normally this occurs when technologies are insufficiently understood or there is uncertainty in the environment. The reproduction of the characteristics of these organizations may be involuntary or explicit, and can be made viable by consulting firms or professional associations. Companies adopt the practices of these organizations to increase their legitimacy, to demonstrate that they are improving their processes. Finally, normative isomorphism is related to professionalization, given that members of certain professions tend to define work methods. It should be noted that these professional categories suffer imitative and coercive pressures. The sources of this isomorphism are related to education and a cognitive base. Thus, it is professional networks which diffuse organizational models seen as legitimate by their adopters, due to the approval of these networks.

Applying these concepts to the organizational field in the public sector, governments seek legitimacy through the adoption of characteristics of global solutions that are already accepted and legitimized (Meyer, Boli, Thomas, & Ramirez, 1997) or seek to imitate governments or institutions which have greater legitimacy (DiMaggio & Powell, 1983; Dobbin et al., 2007; Weyland, 2005). Thus, they emulate their peers or utilize models that are available, seeking those which are most notable and accessible (DiMaggio & Powell, 1983; Miller & Banaszak-Holl, 2005; Soule & Earl, 2001; Strang & Soule, 1998). Individuals in political positions end up depending on this legitimacy to defend the viability of their proposed solutions (Amenta & Ramsey, 2010). Finally, governments can adopt standardized procedures due to pressure from professional and academic associations, as well as private organizations which produce methodologies (DiMaggio & Powell, 1983; Hall, 1993; Strang & Soule, 1998).

Despite similar pressures, these answers may not appear at the same time. In developing economies, the adoption of international models tends to be delayed. This is explained in part due to innovation learning within other contexts, and the need to adapt innovation to the local context, which leads to greater difficulties in its implementation, given the differences between material resources and knowledge or due to specific cultural differences (Perez-Aleman, 2010). These aspects apply to managerial innovations, such as risk management, whose adoption has intensified during the past 20 years, especially in relation to the COSO ERM and ISO 31000:2009 models (Huber & Scheytt, 2013; Scheytt, Soin, Sahlin-Andersson, & Power, 2006).


The model known as COSO II, “Enterprise Risk Management - Integrated Structure”, was launched in 2004. The first model COSO1, known as COSO I, arose in 1992 with the publication of the “Internal Control - Integrated Structure,” but it is not considered enterprise risk management because its focus is internal control.

COSO II does not substitute the previous version, but rather incorporates issues of internal control and introduces risk management through new components and incorporated elements. In the conception phase, COSO II counted on the assistance of PwC and a consultative board, made up of consultants, academics and executives. At the time of its launch, COSO already had a good reputation due to its historical success in establishing guidelines and best practices (Hayne & Free, 2014). The updating of COSO II in 2017 preserved the main aspects of the previous version and made its text clearer and broader. In addition, this version includes aspects of managerial and strategic culture, such as a broader vision of objectives and organizational levels, in a way that enables organizations to get more out of enterprise risk management (Committee of Sponsoring Organizations of the Treadway Commission [COSO], 2017).

The ISO2 31000:2009 (International Organization for Standardization [ISO], 2009) on the other hand, was developed by a special committee, made up of delegations from 28 countries. They improved the concepts, guidelines and practices of technical norms which preceded them such as AS/NZS 4360:2004, established by the joint committees of Australia and New Zealand which led to the original international norm (Leitch, 2010). Unlike COSO II, this norm does not take a prescriptive approach, instead offering general principles and guidelines in terms of enterprise risk management.

These models are quite similar and do not present conflicts between each other, and should become further aligned in the next few years (Moeller, 2011). There are more similarities than differences between the two models. However, ISO 31000:2009 offers a more simplified approach (Gjerdrum & Peter, 2011). Box 1presents the similarities identified between the models and Box 2 presents a few differences.

BOX 1 similarities between COSO ERM and ISO 31000:2009 frameworks 

In terms of the differences, it should be emphasized that in terms of responsibility, while COSO defines specifically who is involved, ISO lets the organization define the central roles. Still, in relation to the roles, it appears that the elevated involvement of auditing professionals in the use of the models makes them transcend this functions, and enables them to perform consulting activities for organizations (Zwaan, Stewart, & Subramaniam, 2011).

Source: Elaborated by the authors.

BOX 2 differencesbetween the COSO ERM and ISO 31000:2009 frameworks 


Various studies address the diffusion and adoption of tools and systems, which initially were designed for private companies, but later were adopted by the public sector (Jackson & Lapsley, 2003; Oulasvirta & Anttiroiko, 2017; Spano, Carta, & Mascia, 2009; Troshani, Jerram, & Hill, 2011).

In particular, the adoption of enterprise risk management by the public sector has been discussed by some authors, for example public organizations in the United Kingdom, and local governments in Finland (Oulasvirta & Anttiroiko, 2017), the United Kingdom and Australia (Collier & Woods, 2011; Crawford & Stein, 2005; Woods, 2009).

In the case of local governments in Finland, risk management was applied mostly in specific areas such as health, security and finance, rather than the integral use of enterprise risk management, demonstrating the existence of “silos”. In addition, Oulasvirta and Anttiroiko (2017) relate the lack of a perceived benefit on the part of managers when comparing the implementation costs of enterprise risk management. It has been verified that the pressures of voluntary adoption of the enterprise corporate risk management have not had the desired effect when senior managers do not adhere to the project. Thus, according to the authors, public sector organizations should be more selective about adopting management tools than they usually are (Oulasvirta & Anttiroiko, 2017).

Meanwhile in the United Kingdom, the introduction of enterprise risk management by local governments has been influenced by performance audits realized by the central government, which present expectations that enterprise risk management systems are based on already available professional model practices (Palermo, 2014; Woods, 2009).


The data was collected by the examination of norms and documents, semi-structured interviews and seminars given by the National School of Public Administration (ENAP) about the challenges of implementing the Joint Normative Instructions of the Ministry of Planning, Development and Management (MPDG) and the Ministry of Transparency and the Federal Comptroller General’s Office (CGU) No. 01/2016(National School of Public Administration [ENAP], 2017). The data was then submitted to content analysis (Bardin, 2011).

First, we selected the norms which structure this subject in this country, including: a) the basic reference on governance (Federal Accounting Court [TCU], 2014); b) Law No. 13,303 (2016); c) the Joint Normative Instruction MP/CGU No. 1 (2016); d) the Federal Accounting Court’s reference on the combat of fraud and corruption (TCU, 2017a); and e) the Federal Comptroller General’s Normative Instruction No. 3 ([CGU], 2017). In the codification of the comparative analysis (Gibbs, 2008), the characteristics presented in Boxes 1 and 2 were utilized.

Then, we observed the concepts and recommendations of the international models reflected in the norms and the decisions of the Federal Accounting Court (TCU). We then used the TCU’s database (TCU, 2017b), which identified the number of citations and conditions under which the international models are cited or referenced in the documents or accords of this government body. The search was conducted in September 2017 and used the keywords “COSO” and “risks” in combination, and the term “31000” in isolation. The collection resulted in 185 accords and 4 normative acts, with the first occurrences appearing in 2006, and most of the references related to COSO I. The COSO II and ISO models appeared beginning in 2010. In relation to the normative acts, two dealt with both models and two referred exclusively to COSO ERM. In terms of the accords, 43 did not mention these models and most of these were related to COSO I. Of the other accords, 25 treated both models, 99 treated just COSO II and 18 dealt exclusively with ISO 31000:2009.

Finally, we conducted interviews to complement the documentary analysis with six specialists in risk management as illustrated in Box 3. It should be noted that the first two interviewees participated directly in the elaboration of the Joint Normative Instruction MP/CGU No. 1 (2016).

Source: Elaborated by the authors.

Box 3 Interviewsconducted 

A variety of data sources and treatment methods were employed to obtain the triangulation methodology (Flick, 2007).


The process of adopting enterprise risk management by the federal government was largely addressed in 2016, even though it was initiated in the 1990s. In the initial phase, few government bodies were involved with the model. After the issue was normalized by Joint Normative Instruction MP/CGU No. 1 (2016), the implementation of this tool became prevalent in the federal Executive Branch.

The first initiatives took place in a fragment fashion in several organizations of the federal government. The Central Bank in the 1990s, after the advent of the Real Plan, initiated financial risk management. In 2011, according to several of the interviewees (I1 and I2) and a talk (ENAP, 2017), the Central Bank began to use enterprise risk management in a broader fashion.

According to one of the interviewees (I2), during the beginning of the first decade of the 21st century, initiatives by the Ministry of Social Security and the Secretariats of the National Treasury and Internal Revenue were presented in the federal sphere, and in 2013 enterprise risk management was presented by the National Program of Public Management and Debureaucratization (Decree No. 5,378, 2005), which was discontinued in 2017. This program published a manual (Ministry of Planning, Development and Management [MPDG], 2013), based on the British Treasury’s Orange Book (Her Majesty’s Treasury [HM Treasury], 2004). However, according to some of the interviewees (I1, I2), the use of this methodology was voluntary and did not achieve relevant dissemination on this occasion.

More structured initiatives have permitted an expansion of enterprise risk management in public management, as has occurred in the Federal Accounting Court, the Federal Comptroller General’s Office and then the Ministry of Planning, Development and Management. For example, in 2009, seeking to support a bill, the Federal Accounting Court conducted a study of internal controls, exploring models and verifying whether other countries have amplified their role, coming to treat them as risk management instruments. In 2011, the Federal Accounting Court established the improving of enterprise risk management as a strategic objective. According to the interviewees (I3), the subject continued to be a subject of interest in strategic planning in 2015.

An important mark in the history of the Federal Accounting Court was the application of a questionnaire in 2013 to evaluate the maturity of risk management in 65 organizations of indirect administration. The response of these bodies favored reflection about this subject. At the same time, according to one of the interviewees (I1), the fact that the Federal Accounting Court realized this study at the time, demonstrated that the court supported this approach. Thus, the establishment of technical requisites and the expectations of this body in regard to this subject placed a coercive and at the same time normative pressure on professionals within the governmental auditing area.

For the Federal Comptroller General’s Office, an important mark in its history was an invitation made to the Organization of Economic Cooperation and Development (OECD) in 2009. It paid a visit and produced a report on the Brazilian federal public administration’s system of integrity (ENAP, 2017; Organisation for Economic Cooperation and Development [OECD], 2012). One of the recommendations of the report was to “integrate risk management as a key element of responsible management, and as a way to promote integrity and prevent improbity, embezzlement and corruption” (OECD, 2012, p. 19). The report pointed out gaps in risk management and highlighted the guiding role of the Federal Comptroller General’s Office (CGU). With this, the subject was studied in a more intense manner by the CGU. These efforts were contemplated with financing from the Interamerican Development Bank (IDB) in its program to Strengthen Prevention and Combat Corruption in Brazilian Public Management, which, among other subjects, includes risk management. In 2012 it formed a working group which sought to establish a methodological reference for risk management in public administration (I1).

In 2016, Minister Valdir Simão, ex-minister of the CGU and then Minister of Planning, who accompanied the work of the OECD, proposed the implementation of risk management for the instrumentalization of public managers (I1). In this manner, together with the CGU, led at the time by Minister Luiz Navarro, who also accompanied the work of the OECD, he decided to elaborate the publication of the Joint Normative Instruction MP/CGU No. 1 (2016), normalizing the application of this methodology in the federal Executive Branch (I1, I2). This agenda led to other important events related to this subject as reflections of federal public administration, culminating in the publication of Decree No. 9,203 (2017), and the preparation of a bill in which management risk is explicitly addressed (I1).


This study has revealed a greater presence of the COSO model in the analyzed documents. The COSO model appeared before the ISO model and soon won recognition, initially as a discussion of internal controls. This model is sponsored by five important American organizations, including the Institute of Internal Auditors (IIA) which demonstrates its popularity among professional auditors. It is also supported by the International Organization of Supreme Audit Institutions (INTOSAI), by the IDB, by the Work Bank and the Government Accountability Office (GAO) of the United States (TCU, 2009).

Meanwhile, ISO 31000:2009 appeared only in 2009. According to one of the interviewees (I1), ISO offers a more practical approach, while COSO is more doctrinaire. Another point in favor of this model is that the ISO, as an international normalization organization, was better known than COSO, given that it is present in various countries and contains a definition of norms of the most varied natures, such as metrology, food safety, quality systems and environmental protection, among others.

The acceptance of these models, according to some of the interviewees (I1, I4), was facilitated by organizations of elevated prestige conceiving and supporting these models which confers legitimacy on them, providing security for anchoring enterprise risk management in the public sector. Another interviewee (I4) points out the use of these models facilitates the standardization of concepts and language.

The mention of these models in these norms and accords demonstrates the influence that they possess. In evaluating the significance of the excerpts present in these documents, we verified mainly the recommendations of how to apply these models and the recognition that they are important references for enterprise risk management due to their legitimacy, credibility and acceptance. Box 4shows examples of these excerpts.

Source: Elaborated by the authors.

Box 4 influences of frameworks on risk management practices in the Brazilian Administration 

In the mentioned excerpts, the model is associated with: a) “best international practices”; b) “a reference for the realization of a benchmark”; c) “established models”; d) “internationally recognized [models]”; and e) “milestones”, which at the same time confer legitimacy on the models, norms and constructed understandings, because they are based on something legitimate which is accepted internationally.

In our research, other models were also mentioned, but with less frequency than the studied models, as can be seen in Box 5. These models have a strong relationship with the two models studied here, with the exception of the United Kingdom model, which recognizes other models, but doesn’t affirm that it is based on them.

Source: Elaborated by the authors.

BOX 5 other frameworks identified in court rulings 

Using the factors presented in Boxes 1 and 2, we found various aspects of the studied models in the principal norms selected, which guide enterprise risk management in the Brazilian federal administration. Box 6describes the analysis realized with publications that address enterprise risk management as one of their subjects, which is to say, they are not specific.

Source: Elaborated by the authors.

BOX 6 Federal Government norms addressing risk management 

Two of the norms analyzed have risk management as their main subject: a) the reference to combat fraud and corruption (TCU, 2017a), which is specific to risks related to this subject; and b) Joint Normative Instruction MP/CGU/PR No. 1 (2016), which offers general guidelines which determine the implementation of risk management in the context of all the bodies and entities of the federal Executive Branch.

The reference to combatting fraud and corruption directly cites the studied models, recommending their use. In addition, it points out that COSO is the dominant risk management model in the international corporate scenario, especially in the United States, and dedicates a specific topic to the Brazilian technical norm (NBR) ISO 31000:2009. In addition, it states that adaptations of these models have given origin to models applied to the public sector, including, for example, the GAO model (TCU, 2017a).

Some excerpts of Joint Normative Instruction MP/CGU/PR No.1 (2016) are practically identical to the models analyzed here, including, for example, the principle that deals with “systematic, structured and opportune” risk management (ISO, 2009, p. 7). Moreover, it adopts a model structure made up of components, which are identical to the components of COSO ERM (Committee of Sponsoring Organizations of the Treadway Commission [COSO], 2004, p. 7). This perception is confirmed by the Federal Accounting Court (2017a, p. 25): “that the risk management part of this [Normative Instruction] is based on Coso II”.

The perception of the interviewees (I1, I2, I3), especially those who participated in the elaboration of Joint Normative Instruction MP/CGU/PR No. 1 (2016), is that the main references used in the elaboration of the instruction are COSO and ISO 31000:2009. One of the interviewees (I2) added that the Orange Book (HM Treasury, 2004) was used as one of the main references.

Box 7 illustrates the characteristics of these norms related to the studied models.

Source: Elaborated by the authors.

BOX 7 Characteristics of enterprise risk management guidance norms in the Federal Government 

Joint Normative Instruction MP/CGU No. 1 (2016) offers general guidelines so that the government bodies can have a certain amount of autonomy in customizing their risk management models. According to the understanding of the interviewees (I1), the norm is doctrinaire; it does not establish a specific rite, and maintains flexibility for use in various types of organizations. On the other hand, more specificity is observed in the studied models, with their having determinations in terms of responsibilities, the institution of committees and steps to follow. An example of this is the determination of the risk management policy that the entities should institute. They point out various aspects that should be present in the policy, and also determine a timeframe for them to be put into practice.


The analysis of documents and norms related to the risk management of federal public administration indicates the prominence of control bodies in the incentives for managers to use this instrument. The Joint Normative Instruction MP/CGU No. 1 (2016) itself corroborates the role of internal auditing in spreading the application of risk management in Art. 2, III: “[...] it assists the organization in realizing its objectives, based on the application of a systematic and disciplined approach to evaluate and improve the efficiency of risk management processes [...]”. This result is in line with the trends observed by Maijoor (2000), namely the growth of internal control systems, which are intimately related with risk management, and are part of the reforms undertaken by corporate governance in various nations, which also increases the relevance of internal auditors. The role of auditing can also be observed in other countries (Zwaan et al., 2011).

It has been verified that, in federal public administration, the oldest normalization that addresses enterprise risk management dates from 2014, and that the first accord to mention a specific model of enterprise risk management was released in 2010. This fact not only demonstrates how current this subject is in the country, but also as noted in one of the interviews (I1), the existence of a certain interval of time needed for the repercussion of international models in the Brazilian context, given that COSO ERM was launched in 2004. Another motive for this delay may be associated with rationality and selectivity in the adoption of managerial innovations in the public sector, as observed by Oulasvirta and Anttiroiko (2017). Using this same line of analysis, it was not possible to observe influences of the latest update to COSO ERM, which occurred in 2017, due to the short timeframe between its release and the development of the current study.

This chronology enables us to conclude that before managers paid attention to enterprise risk management, it was already a concern of the external control body. According to some of the interviewees (I1, I4), the auditors initiated their recommended practices basing their arguments on international models up until the moment of the effective institutionalization of enterprise risk management. In addition, the first normative instruction about this subject was published by the external control body (TCU, 2014). The Executive Branch regulated risk management only in 2016 in conjunction with the internal control body through Joint Normative Instruction MP/CGU No. 1 (2016).

In line with this, one of the interviewees (I4) reinforced the importance of the Federal Accounting Court in the introduction of enterprise risk management in federal public administration. In part, this pioneering role may be attributed to the international influence of INTOSAI: “the Federal Accounting Court, as a member of INTOSAI, also recognizes and uses the model [COSO I] as a base for its evaluations [...]” (TCU, 2009b, p. 10)3. Some of the interviewees (I1, I4, I5, I6) point out, in the same line, the role of professional associations as important diffusors of these models.

Thus, normative isomorphism is very much present, in view of the strong structure of the professional categories dealing with enterprise risk management. In the Brazilian public sector, enterprise risk management appeared mainly in audit related bodies, even though risk constitutes a concern for managers. In this area, the COSO is very well known, and has been for a long time, due to the use of COSO I. It is present in universities and is part of the repertoire of professionals in the accounting and auditing area.

Enterprise risk management is a very recent instrument, especially in the public sector. Thus, an insufficient knowledge of this instrument also favors imitative isomorphism, through the adoption of available models of easy use, such as those studied here.

The interviewees mentioned their own personal experiences with studies of these models in academia. Some of them (I2, I5) took courses on these specific models, such as AS/NZS 4360:2004. Another studied them on his own (I1). The interviewees were teachers of specialized courses in the Federal Comptroller General’s Office in 2008 and 2009 (p. ex., I1), and in private courses, which have been sought after by civil servants (for ex., I5). It may also be observed in the dissemination of knowledge through personnel hiring processes. Some of the interviewees obtained knowledge about enterprise risk management when they were in one governmental body and again when they used them in another (I2, I4).

Thus, in accordance with imitative isomorphism, we have verified that the use of these models occurs in an involuntary manner through civil servants who have had access to these models through classes, talks and training. It also occurs in a voluntary manner, given that large consulting firms promote these models, such as, for example, PwC, which participated in the elaboration of COSO ERM. In addition, international organizations and agencies, such as the OECD, have recommended the use of these enterprise risk management instruments in Brazil. Thus, there is evidence of influence related to coercive isomorphism. In the same way, coercive pressures are observed in the expectations of the control bodies themselves.

It should be emphasized that the efforts made to implement a broad model in terms of the norms and guidelines of the federal government, contemplating risks in an integral fashion in its diverse units, avoids a fragmented approach to risk management by sectors as observed in the Finnish case (Oulasvirta & Anttiroiko, 2017).


We have observed the strong influence of international models, as expected. Models such as the COSO ERM and ISO 31000:2009 have been used as a base for efforts to implement enterprise risk management in the federal public administration, in search of an internationally accepted legacy. However, the presence of models considered to be international references in the normative instructions of the Federal Accounting Court and other federal bodies, does not guarantee their application. Their effective adoption depends on various factors, such as leadership and instrument promotion (Oulasvirta & Anttiroiko, 2017). Since risk management uses a different logic of action in the public sector, it may be difficult to institutionalize. One example of this is offered by Azevedo, Aquino, Lino and Cavelmoretti (2019): risk management and mandatory measures according to Complementary Law No. 101 (Law of Fiscal Responsibility, 2000) are realized in a ceremonial manner by the analyzed governments. In other words, its adoption is not effective.

Despite the coercive and normative forces which have led risk management to be included in the normative instructions of the federal government and external control bodies, the real adoption of risk management in a general manner by executive bodies under public management still seems to be a distant step.

The influence of the Anglo-Saxon risk management models analyzed is not necessarily that of a specific country, but of international organizations which promote and disseminate these practices. The COSO model is sponsored by American associations and elaborated by one of the Big 4 auditing firms, PwC, which is based in London, while the ISO model has roots in the model previously elaborated by Australia and New Zealand.

The organizations which legitimize the adoption of these norms are international and of a professional nature. Among them we find: a) non-governmental organizations (NGOs) who act internationally, for example the OECD and the IDB; b) consultants and consulting firms; c) academia; d) professional associations, mainly those related to the accounting profession and the auditing area, such as INTOSAI and the IIA; and e) the government’s own bodies and specialists, considered references due to their technical capacity.

It should be noted that despite the fact that the Brazilian norms studied present strong links with international models, the way in which they are structured, as general guidelines, makes it possible to maintain national autonomy and customize them within organizational contexts. Future research can examine the institutionalization (successful or not) of enterprise risk management in public sector organizations and how it has changed the behavior of managers and the conduct of public policies, services, and the type of control exercised by the internal bodies of these organizations.


Amenta, E., & Ramsey, K. M. (2010). Institutional theory. In K. T. Leicht, & J. C. Jenkins (Eds.), Handbook of politics: State and society in global perspective (pp. 15-39). New York, NY: Springer. [ Links ]

Azevedo, R. R; Aquino, A. C. B; Lino, A. F; & Cavelmoretti, G. (2019). A precariedade do conteúdo informacional dos anexos de riscos fiscais de municípios brasileiros. Advances in Scientific and Applied Accounting, 12(2), 4-22. [ Links ]

Bardin, L. (2011). Análise de conteúdo. Lisboa, Portugal: Ed. 70. [ Links ]

Collier, P. M; & Woods, M. (2011). A comparison of the local authority: adoption of risk management in England and Australia. Australian Accounting Review, 21(2), 111-123. [ Links ]

Committee of Sponsoring Organizations of the Treadway Commission. (2004). Enterprise risk management: integrated framework. Jersey City, NJ: Author. [ Links ]

Committee of Sponsoring Organizations of the Treadway Commission. (2017). Enterprise risk management: integrating risk with strategy and performance. Jersey City, NJ: Author . [ Links ]

Crawford, M., & Stein, W. (2005). “Second order” change in UK local government: the case of risk management. International Journal of Public Sector Management, 18(5), 414-423. [ Links ]

Decreto n. 5.378, de 23 de fevereiro de 2005. (2005). Institui o Programa Nacional de Gestão Pública e Desburocratização - GESPÚBLICA e o Comitê Gestor do Programa Nacional de Gestão Pública e Desburocratização, e dá outras providências. Brasília, DF. [ Links ]

Decreto n. 9.203, de 22 de novembro de 2017. (2017). Dispõe sobre a política de governança da administração pública federal direta, autárquica e fundacional. Brasília, DF. [ Links ]

Delmas, M. (2002). The diffusion of environmental management standards in Europe and in the United States: an institutional perspective. Policy Sciences, 35, 91-119. [ Links ]

Delmas, M., & Montes-Sancho, M. J. (2011). An institutional perspective on the diffusion of international management system standards: the case of the environmental management standard ISO 14001. Business Ethics Quarterly, 21(1), 103-132. [ Links ]

Delmas, M., & Montiel, I. (2008). The diffusion of voluntary international management standards: responsible care, ISO 9000, and ISO 14001 in the chemical industry. Policy Studies Journal, 36(1), 65-93. [ Links ]

DiMaggio, P., & Powell, W. (1983). The iron cage revisited: institutional isomorphism and collective rationality in organizational fields. American Sociological Review, 48, 147-160. [ Links ]

Dobbin, F., Simmons, B., & Garrett, G. (2007). The global diffusion of public policies: social construction, coercion, competition, or learning? Annual Review of Sociology, 33(1), 449-472. [ Links ]

Dobija, D. (2015). Exploring audit committee practices: oversight of financial reporting and external auditors in Poland. Journal of Management & Governance, 19(1), 113-143. [ Links ]

Durand, R., & McGuire, J. (2005). Legitimating agencies in the face of selection: the case of AACSB. Organization Studies, 26(2), 165-196. [ Links ]

Escola Nacional de Administração Pública. (2017). Seminário Gestão de Riscos: desafios para implementação da Instrução Normativa Conjunta MP/CGU (video). Retrieved from: ]

Flick, U. (2007). Managing quality in qualitative research. London, England: SAGE. [ Links ]

Gibbs, G. (2008). Analyzing qualitative data. London, England: SAGE. [ Links ]

Gjerdrum, D., & Peter, M. (2011). The new international standard on the practice of risk management: a comparison of ISO 31000:2009 and the COSO ERM framework. Risk Management, 31(2), 8-13. [ Links ]

Government Accountability Office. (2014). Standards for Internal Control in the Federal Government (GAO-14-704G). Washington, DC: Author. [ Links ]

Government of Canada. (2012). Guide to integrated risk management: a recommended approach for developing a corporate risk profile. Retrieved from: ]

Guler, I., Guillén, M., & Macpherson, J. M. (2002). Global competition, institutions, and the diffusion of organizational practices: the international spread of ISO 9000 quality certificates. Administrative Science Quarterly, 47(2), 207-232. [ Links ]

Hall, P. A. (1993). Policy paradigms, social learning, and the state: the case of economic policymaking in Britain. Comparative Politics, 25(3), 275-296. [ Links ]

Hayne, C., & Free, C. (2014). Hybridized professional groups and institutional work: COSO and the rise of enterprise risk management. Accounting, Organizations and Society, 39(5), 309-330. [ Links ]

Her Majesty’s Treasury. (2014). The orange book: management of risk - principles and concepts. Retrieved from: ]

Huber, C., & Scheytt, T. (2013). The dispositif of risk management: reconstructing risk management after the financial crisis. Management Accounting Research, 24(2), 88-99. [ Links ]

Instrução Normativa CGU n. 03, de 9 de junho de 2017. (2017). Aprova o Referencial Técnico da Atividade de Auditoria Interna Governamental do Poder Executivo Federal. Retrieved from: ]

Instrução Normativa Conjunta MP/CGU n. 1, de 10 de maio de 2016. (2016). Dispõe sobre controles internos, gestão de riscos e governança no âmbito do Poder Executivo federal. Retrieved from: ]

International Organization for Standardization. (2009). Risk management: principles and guidelines (31000:2009). Geneva: Author. [ Links ]

International Organization of Supreme Audit Institutions. (2007). Guidelines for internal control standards for the public sector: further information on entity risk management (INTOSAI GOV 9130). Brussels, Belgium: Author. [ Links ]

Jackson, A., & Lapsley, I. (2003). The diffusion of accounting practices in the new “managerial” public sector. International Journal of Public Sector Management, 16(5), 359-372. [ Links ]

Lei n. 13.303, de 30 de junho de 2016. (2016). Dispõe sobre o estatuto jurídico da empresa pública, da sociedade de economia mista e de suas subsidiárias, no âmbito da União, dos Estados, do Distrito Federal e dos Municípios. Brasília, DF. [ Links ]

Lei Complementar n. 101, de 4 de maio de 2000. (2000). Estabelece normas de finanças públicas voltadas para a responsabilidade na gestão fiscal e dá outras providências. Brasília, DF. [ Links ]

Leitch, M. (2010). ISO 31000:2009 - the new international standard on risk management. Risk Analysis, 30(6), 887-892. [ Links ]

Maijoor, S. (2000). The internal control explosion. International Journal of Auditing, 4 (1), 101-109. [ Links ]

Meyer, J. W., Boli, J., Thomas, G. M., & Ramirez, F. O. (1997). World society and the nation-State. American Journal of Sociology, 103(1), 144-181. [ Links ]

Miller, E. A., & Banaszak-Holl, J. (2005). Cognitive and normative determinants of State policymaking behavior: lessons from the sociological institutionalism. Publius, 35(2), 191-216. [ Links ]

Ministério do Planejamento, Desenvolvimento e Gestão. (2013). Guia de orientação para o gerenciamento de riscos: versão final. Retrieved from: ]

Moeller, R. R. (2011). COSO enterprise risk management: establishing effective governance, risk, and compliance processes (2nd ed.). Hoboken, NJ: John Wiley & Sons. [ Links ]

Organisation for Economic Cooperation and Development. (2012). OECD integrity review of Brazil: managing risks for a cleaner public service (OECD Public Governance Reviews). Paris, France: OECD Publishing. [ Links ]

Oulasvirta, L., & Anttiroiko, A. V. (2017). Adoption of comprehensive risk management in local government. Local Government Studies, 43(3), 1-26. [ Links ]

Palermo, T. (2014). Accountability and expertise in public sector risk management: a case study. Financial Accountability & Management, 30(3), 322-341. [ Links ]

Perez-Aleman, P. (2010). Collective learning in global diffusion: spreading quality standards in a developing country cluster. Organization Science, 22(1), 173-189. [ Links ]

Rogers, E. M. (1995). Diffusion of innovations (4th ed.). New York, NY: The Free Press. [ Links ]

Scheytt, T., Soin, K., Sahlin-Andersson, K., & Power, M. (2006). Introduction: organizations, risk and regulation. Journal of Management Studies, 43(6), 1331-1337. [ Links ]

Soule, S., & Earl, J. (2001). The enactment of State-level hate crime law in the United States: intrastate and interstate factors. Sociological Perspectives, 44(3), 281-305. [ Links ]

Spano, A., Carta, D., & Mascia, P. (2009). The impact of introducing an ERP system on organizational processes and individual employees of an Italian regional government organization. Public Management Review, 11(6), 791-809. [ Links ]

Standards Australia/Standards New Zealand. (2004). Australian/New Zealand Standard AS/NZS 4360:2004: Risk Management. Homebush, NSW: Standards Australia/ Wellington: Standards New Zealand. [ Links ]

Strang, D., & Soule, S. A. (1998). Diffusion in organizations and social movements: from hybrid corn to poison pills. Annual Review of Sociology, 24(1), 265-290. [ Links ]

Tribunal de Contas da União. (2009b). Critérios gerais de controle interno na administração pública: um estudo dos modelos e das normas disciplinadoras em diversos países. Brasília, DF: Author. [ Links ]

Tribunal de Contas da União. (2009a). Portaria 189/2009. Aprova a realização do projeto contas. Retrieved from: ]

Tribunal de Contas da União. (2012). Acórdão 1.233/2012, Ata 19/2012 - Plenário. Retrieved from: ]

Tribunal de Contas da União. (2013). Acórdão n. 7.128/2013, Ata 43 - Segunda Câmara. Retrieved from: ]

Tribunal de Contas da União. (2014). Referencial básico de governança aplicável a órgãos e entidades da administração pública. Brasília, DF: Author. [ Links ]

Tribunal de Contas da União. (2015a). Acórdão n. 242/2015, Ata 5/2015 - Plenário. Retrieved from: ]

Tribunal de Contas da União. (2015b). Acórdão n. 1.294/2015, Ata 19/2015 - Plenário. Retrieved from: ]

Tribunal de Contas da União. (2017a). Referencial de combate à fraude e corrupção: aplicável a órgãos e entidades da Administração Pública. Brasília, DF: Author. [ Links ]

Tribunal de Contas da União. (2017b). Pesquisa integrada do TCU. Retrieved from: ]

Tribunal de Contas da União. (2017c). Acórdão n. 729/2017, Ata 12/2017 - Plenário. Retrieved from: ]

Troshani, I; Jerram, C; & Hill, S. R. (2011). Exploring the public sector adoption of HRIS. Industrial Management and Data Systems, 111(3), 470-488. [ Links ]

Weyland, K. (2005). Theories of policy diffusion: lessons from Latin American pension reform. World Politics, 57(2), 262-295. [ Links ]

Woods, M. (2009). A contingency theory perspective on the risk management control system within Birmingham City Council. Management Accounting Research, 20(1), 69-81. [ Links ]

Zwaan, L; Stewart, J; & Subramaniam, N. (2011). Internal audit involvement in enterprise risk management. Managerial Auditing Journal, 26(7), 586-604. [ Links ]

1COSO is a non-profit committee dedicated to the improvement of financial reports through ethics, the effectiveness of internal controls and corporate governance, and it arose with the mission to create systematic structures which address the new scenario presented by corporations. It is formed by some of the main financial and accounting professional associations of the United States.

2ISO is a world forum which seeks consensus in the elaboration of international norms through the conciliation of interests of a variety of segments within society. Its norms are developed through various national organizations of normalization, currently present in more than 150 countries.

3In 2007, INTOSAI updated its guidelines for public sector control standards incorporating COSO II (INTOSAI, 2007).

[Original version&393;

Received: April 04, 2018; Accepted: November 09, 2019

Flávio Sergio Rezende Nunes de Souza - Master’s in Administration from the Foundation Getulio Vargas / Brazilian School of Public and Business Administration (FGV EBAPE); Cabinet of Institutional Security of the President of the Republic (GSI-PR). E-mail:

Marcus Vinícius de Azevedo Braga - PhD in Public, Strategic and Development Policy from the Federal University of Rio de Janeiro (UFRJ); Master’s in Education from the University of Brasília (UnB); Federal Comptroller General’s Office (CGU). E-mail:

Armando Santos Moreira da Cunha - PhD in Management from the Higher Institute of Work and Business (Portugal); Master’s in Public Administration from the University of Southern California (USC); Professor at the Foundation Getulio Vargas / Brazilian School of Public and Business Administration (FGV EBAPE). E-mail:

Patrick Del Bosco de Sales - Master’s in Administration from the Foundation Getulio Vargas / Brazilian School of Public and Business Administration (FGV EBAPE); Instructor at the Admiral Newton Braga Center of Instruction (CIANB). E-mail:

Creative Commons License This is an open-access article distributed under the terms of the Creative Commons Attribution License