Using the 2017 COSO ERM Framework to Examine Risks at Wells Fargo
In this assignment, students identify how an organization's culture can affect its strategies, objective setting, performance, and communication in ways that allow risk management and ethics failures to occur. The aggressive sales tactics and toxic environment at Wells Fargo bank documented in the business press from approximately 2009 to 2016 provide the setting. Students use the Enterprise Risk Management Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2017) to identify specific risk management failures at Wells Fargo. Students also describe how these failures might violate the ethics code of a professional accounting organization. Students conclude with recommendations for improving overall risk management at Wells Fargo. I report evidence that the assignment increases students’ knowledge about and ability to use a risk management framework and a code of professional ethics. The findings also show that students can write detailed, actionable guidance for improving risk management in a realistic setting.Abstract
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) established an enterprise risk management (ERM) framework in 2004 to help organizations manage their risks better (COSO, n.d.). The most recent revision of that framework defines five interweaving components (governance and culture; strategy and objective-setting; performance; review and revision; and information, communication and reporting) and describes how they must work together to drive success (COSO, 2017). The framework explains how these areas’ close ties mean failure in one area can destroy value in all areas. Thus, managers must consider and evaluate all framework elements (Hayne & Free, 2014). The COSO ERM Framework includes 20 specific principles that provide guidelines in each area. My colleagues and I have used this assignment in multiple sections of undergraduate AIS courses to categorize questionable acts at Wells Fargo using the COSO ERM Framework's principles and the elements of a professional ethics code. I could find no other published educational case or assignment that analyzes the Wells Fargo scandal through a 2017 COSO ERM lens.
The assignment also helps students understand the linkage between effective ERM and ethical behavior. The toxic environment and aggressive sales tactics at Wells Fargo Bank from approximately 2009 to 2016 (Glazer, 2018; Scudder, 2016) provide the setting for students’ exploration. The assignment requires students to read three news reports about the Wells Fargo scandal and categorize each ERM failure they identify into one of the 20 COSO ERM principles. Then, students identify specific ethical failures using a professional organization's ethics code. Finally, students use the five areas of the COSO ERM Framework to develop and recommend specific strategies that could improve risk management at Wells Fargo. Students learn how an organization's risk relates to its ethical environment by analyzing its transgressions using both a risk management framework and ethical guidelines.
Enterprise Risk Management and Professional Ethics
COSO's Enterprise Risk Management Framework
Organizations have used the COSO ERM framework to manage risk (Society of Corporate Compliance and Ethics & Health Care Compliance Association, 2020) and integrate risk management with organizational agility (Walker, 2022). The COSO ERM Framework (2017) is a risk assessment tool many companies use to manage their expectations and risks while fulfilling their strategies and achieving goals (Spain, 2020).
The COSO ERM Framework allows organizations to consider risk management and strategy simultaneously to enhance overall organizational value and increase organizations’ resilience. Organizational resilience is an entity's ability to accept, adapt, and rebound from complex environmental factors and disruptions (Vakilzadeh & Haase, 2021). Resilient organizations have a risk-aware culture and are proactive (not reactive) in managing risk (Kunkel, 2021). Thus, in this assignment, I have students use the COSO ERM Framework to organize their consideration of the activities at Wells Fargo.
Codes of Professional Ethics
Organizations must prioritize enterprise-wide risk management and their development of ethical cultures to protect against legal and regulatory threats (Hagel, 2020); students starting their business careers must know the value of both. For example, the Society of Corporate Compliance and Ethics (2023) integrates compliance and ethics issues. Formal codes of conduct and ethical principles espoused by organizations can guide employees toward sound business practices (Butcher, 2020), and teaching ethics has become a key element in almost all accounting programs (Poje & Zaman Groff, 2022).
Patelli (2022) finds that exposure to the Institute of Management Accountants (IMA) ethics code (IMA, 2017) helps employees understand that such codes establish values and standards to guide members’ conduct and can lead to organizations’ success. Butcher (2020) notes the importance of having accounting and finance students learn about ethical behavior. Tennant (2023) connects codes of professional ethics to successful fraud prevention. Weiss (2018) makes the case that organizations need an ethical culture to reinforce values-based behavior and a long-term commitment to integrity. Epley and Kumar (2019) describe the design of ethical organizations as a critical element in controlling risk and increasing agility.
In this assignment, I ask students to choose a code of professional ethics and apply it to Wells Fargo practices. As written, the assignment has students choose from among the ethics codes of the American Institute of Certified Public Accountants (AICPA, 2014), the Institute of Internal Auditors (IIA, 2019), the Institute of Management Accountants (IMA, 2017), or ISACA (n.d.); adopting instructors can add easily add to this list or restrict the choices to codes of ethics with which their students are familiar.
Learning Objectives
I designed this assignment (which appears in the Appendix) to help students develop their knowledge about risk and professional ethics by applying the principles of both to realistic business settings. Students who complete the assignment should gain the following specific knowledge, skills, and abilities:
-
Evaluate enterprise risk management and apply ethics concepts to particular business activities
-
Identify an organization's risk vulnerabilities in a realistic business setting using relevant components of the COSO ERM (2017) Framework
-
Use a professional code of ethics to recognize ethical violations in a realistic business setting
-
Describe linkages between effective risk management practices and ethical behavior
Critical Thinking Skills
The assignment also helps students develop critical thinking skills. Belkin (2017) reports that half of employers surveyed complain that college graduates lack critical reasoning skills and recommends having students analyze documents, spreadsheets, and newspaper articles to develop support for or critiques of an argument. This assignment has students read newspaper articles, take positions on reported activities at Wells Fargo, and then defend their positions with logical arguments based on cited facts. Thus, the assignment helps students develop critical thinking skills.
General Teaching Guidance
Since enterprise risk management includes all functional business areas, this assignment applies to various audiences. However, since risk management and controls are key topics in most Accounting Information Systems (AIS) courses, students in an AIS class could especially reap the assignment's benefits. In the Teaching Notes (available from the author or to faculty members of the AIS Educator Association), I offer suggestions for implementing this assignment in other courses.
Prerequisite Knowledge
To work on this assignment, students should have read the COSO ERM (2017)Executive Summary (the five components and 20 principles) and at least one of the four professional ethics codes. Adopting instructors can either customize the list of ethics codes to match what their students have seen in previous coursework or have students read them before beginning this assignment.
I like to let students choose the ethics code they use because it allows them to identify an organization with which their career goals align. Most of my students enter the AIS course with a basic knowledge of professional ethics codes through their financial and managerial accounting classes. Depending on their students’ knowledge levels, instructors can briefly review ethics codes in class or assign them as preliminary readings.
Scaffolding Adjustments and Grading
Instructors can adjust the difficulty level and breadth of the assignment by adding levels of scaffolding (Vygotskiĭ & Cole, 1978). To familiarize students with ERM and ethics concepts, I lecture in class about the 2017 COSO ERM Framework and accounting professional codes of ethics. I also use a previously published case on the COSO 2004 Framework (Haywood & O’Reilly-Allen, 2013). Working in groups during class (for about 45 minutes), students identify COSO 2017 ERM and ethics issues. We then spend about 15 minutes discussing the groups’ conclusions before students tackle this assignment as homework.
I weight the assignment as 5 percent of students’ overall course grade. The grading is subjective; for example, I only award an “A” on this assignment if an answer is thorough, insightful, free of spelling and grammatical errors, and cites specific examples from the assigned articles to support arguments. The Teaching Notes include a rubric that instructors can use or modify.
Assignment Efficacy
In this section, I report the efficacy of using the assignment in an undergraduate AIS course. Although 214 students from my university and two other schools completed the assignment between the Spring 2018 and Spring 2022 semesters, only 125 questionnaires were usable.
I administered the assignment in undergraduate accounting information systems classes during the Spring 2018, Spring 2019, Spring 2020, and Spring 2022 semesters. I also used it in my Spring 2021 AIS classes; however, the pandemic-caused remote nature of course delivery prevented me from collecting anonymous questionnaire feedback. Two colleagues, one at a small public university in the South and another at a large public university in the West, also used the assignment in their AIS courses. They both followed their respective schools’ Institutional Review Board policies for collecting student data.
In the Spring 2019 and Spring 2020 semesters, I handed out the pre-questionnaire before starting the unit on COSO ERM. However, my colleague at the small public university obtained both pre- and post-questionnaire data before having students do the assignment but after covering the COSO ERM Framework. In my Spring 2022 class, I followed my colleague's approach; I also administered the survey after covering the COSO ERM framework in class but right before I distributed the assignment. I did this to determine if the assessment's timing impacted my students’ scores. Responses under both situations yielded similar outcomes, but I analyze and report them separately in the next section.
Student Performance
The first learning objective requires students to evaluate enterprise risk management using components and principles of the 2017 COSO ERM Framework. Student survey questions 1 (What do you know of the 2017 COSO ERM Framework or other enterprise risk management models?”) and 6 (“Explain how you can apply the 2017 COSO ERM Framework or other enterprise risk management models as a business professional.”) are open-ended. Most students (80 percent) taking the pre-assignment survey either left the answers blank, wrote “I don't know,” or failed to articulate their knowledge confidently.
After completing the assignment, 77 percent of students responded to Question 1 with answers that mentioned the framework's guidance for improving risk, performance, and culture or commented on overall areas or principles of the framework. Ninety percent of responses to Question 6 discussed assessing risk and internal controls, evaluating the company internally or implementing ethics, and citing improvement in culture, strategy, and core values.
Students’ Self-assessments
Questions 2 through 5 asked students to rate their ability to perform or understand specific assignment elements on an 11-point Likert scale. Responses of students who completed the questionnaire before learning about COSO ERM in their classes appear in Table 1.
Responses to Questions 2-5 from students who completed the questionnaire after learning about COSO ERM in their classes appear in Table 2.
I analyzed the results using a paired-samples t-test. Mean scores on the post-assignment were significantly higher than the mean scores on the pre-assignment survey, with p-values at least <.01. This evidence suggests strongly that students believed the activities helped them gain a better understanding of the COSO ERM Framework and how it relates to ethical behavior.
Question 7 (What would you recommend to improve this assignment?) solicited student feedback once they had completed the assignment. Sixty-four percent left this answer blank or expressly indicated not changing the assignment. Twelve percent asked to cover the topic more in class or provide additional examples (or both); another 10 percent requested more precise instructions in the future. In subsequent semesters, I clarified the instructions and provided extra class time to ensure students fully understood the assignment requirements. The other 14 percent of the students mentioned various alternatives, including using group work, different companies, or other industries.
In the Spring 2022 semester, I added Question 8 (Approximately how many hours did you spend completing this assignment?) so that other instructors could gauge the level of commitment to the assignment. Students responded between one and eight hours, with an average of 2.75 hours.
These survey results and the strong assignment performance demonstrate that the assignment achieved its learning outcomes. As one student summarized, “I think [the assignment] was a good assignment. It presented a real-world scenario [that] was … flawed [regarding] risk management, and the requirements helped me understand both ethical standards and COSO.”
Faculty Member Reactions to the Assignment
Each of the two faculty members who used the assignment in their classes felt that the assignment met its learning objectives. They also reported that their students had engaged with the assignment because it featured a real company.
Concluding Thoughts
Weaknesses in governance and culture can cause and magnify failings in strategy, objective setting, performance and information, communication, and reporting. A company can have controls in place, but if the culture lacks basic ethics guidelines and risk management components, behaviors and actions can wreck the organization's foundation (Lublin, 2017).
This assignment helps students conceptualize and think critically about managers’ actions that can increase an organization's risk and violate ethics guidelines. The COSO ERM Framework shows that organizations can use risk management effectively to maximize firm value. Using Wells Fargo as an example, students understand the importance and interconnectedness of the ERM framework and professional ethics in a realistic business setting.