Monday, August 25, 2008


A building-block approach for implementing COSO's enterprise risk management—integrated framework: here is a way organizations of all sizes, cultures, and risk experiences can apply the framework without becoming overwhelmed by it


Brian Ballou


EXECUTIVE SUMMARY: As a result of the highly publicized business failures, scandals, and frauds over the past several years, senior managers must now comply with a series of laws, regulations, and listing standards calling for strengthened corporate governance and risk management. To help them comply, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its framework for enterprise-wide risk management, Enterprise Risk Management--Integrated Framework, in September 2004. The goal of the framework is to enable organizations to standardize enterprise risk management (ERM) so that organizations can more easily benchmark, establish best practices, and have more meaningful dialogue about the critically important issue of risk management. One concern regarding the COSO ERM framework is that its overreaching nature can appear overwhelming for some organizations, particularly those that are small in size or have not previously established an ERM culture.


This article presents a building-block approach to implementing the COSO ERM framework that makes it usable to organizations regardless of their size or previous experience in risk management. Our building-block process enables organizations to evolve ERM as they establish a risk culture and offers better opportunities for efficient and effective allocation of resources for ERM activities.


**********



Managing risk is an important aspect of running an organization that is sometimes overlooked--despite the unprecedented level of business failures and financial reporting scandals over the past several years. The responsibility of overseeing risk management falls on the board of directors, while the ownership responsibility for enterprise risk management falls on the CEO and senior executives.


In Risk from the CEO and Board Perspective by Mary Pat McCarthy and Timothy Flynn, Hewlett-Packard board member Jay Keyworth states, "In my years at H-P and in talking to other board members from large Fortune 50 companies, I find that people thought that actually becoming familiar with the business itself and the details of the business, and particularly the half-dozen major areas of potential risk the company faces, was not really a board responsibility." (1) Keyworth has been on H-P's board for 19 years, served as chairman of the Progress and Freedom Foundation, worked as the Science Advisor to President Reagan, and dealt with risk and governance issues while serving on six other boards. His comment in the McCarthy and Flynn book suggests that boards might not have taken responsibility for risk management to the extent that stakeholders expect.


From directors on down to other people in the organization, the need for enterprise risk management is even more important than ever because of today's business environment. Organizations now face unprecedented challenges as they compete in an increasingly global, volatile, and regulated business environment. Further, meeting customer needs, managing complex supply chains, utilizing strategic alliance partners, and ensuring effective and efficient internal business process performance are increasingly more difficult, even with today's more sophisticated, real-time information systems. Added to these pressures are the threats to an organization's reputation. There is an ever-strengthening public perception that organizations are improperly, or not at all, socially responsible. This perception is due in part to the public's belief that organizations are not doing enough to improve the communities and environments in which they operate. Further damaging organizations' reputations is the distrust from frauds and reporting restatements, especially from 1999 to 2004.


Taken together, the increasingly complex nature of business risks suggests that companies need to develop a formal process for managing their portfolio of risk properly. But, until recently, there has not been a standardized framework for approaching enterprise risk management (ERM) that organizations could use to establish benchmarks and best practices. To address this void, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed an enterprise risk management framework, Enterprise Risk Management--Integrated Framework, which was released in September 2004. COSO includes representatives from IMA (the Institute of Management Accountants), AICPA (American Institute of Certified Public Accountants), AAA (American Accounting Association), FEI (Financial Executives International), and IIA (the Institute of Internal Auditors); PricewaterhouseCoopers LLP was instrumental in researching and developing the framework. COSO's framework defines ERM as follows:


Enterprise Risk Management is a process, effected by
an entity's board of directors, management, and other
personnel, applied in a strategy setting and across the
enterprise, designed to identify potential events that may
affect the entity, and manage risks to be within its risk
appetite, to provide reasonable assurance regarding the
achievement of entity objectives.


IMPLEMENTING THE FRAMEWORK


The COSO ERM framework can be intimidating upon first review. The report consists of two volumes: One presents the framework, and the other offers helpful guidance for implementing it. One of the drawbacks with introducing such a comprehensive framework is that it requires a significant investment of time and resources to fully implement within an organization. Further complicating this challenge is that effective ERM requires ownership by executives, careful oversight by directors, and a cultural shift at most organizations. That makes the initial implementation of the framework the biggest challenge before the process can reach its potential.


Our practical approach to implementing the framework should help organizations become comfortable using an entity-wide portfolio approach to risk management, including an allowance for the culture shift needed for an ERM framework to achieve its potential. This practical implementation, encompassing the entire framework, uses a building-block approach. The approach consists of: (1) implementing the ERM framework on a limited basis across each of the framework's eight interrelated components, shown in Figure 1, and (2) placing initial emphasis on entity-wide risks across all four risk categories--strategic, operations, reporting, and compliance--shown in Panel A of Figure 2. The ERM framework can be expanded, including an eventual cascading of the framework throughout other levels of the organization as senior management becomes comfortable with the culture the framework creates. Part of that cultural change requires that people throughout the organization take ownership of risk management.


There are several benefits associated with using a building-block approach to implementing the COSO ERM framework:


* Size Does Not Matter. All organizations can benefit from enterprise risk management to some degree, no matter what size they are. COSO argues that its ERM framework is applicable for small companies as well as mid-sized and large firms, as long as each component is present and functioning properly. Smaller organizations can benefit from having a structured, formal ERM process that can be expanded over time--to the extent that doing so makes sense for the organization. They, too, can use a formal building-block approach in which the framework is applied on a limited basis and only entity-wide risks are included during initial implementation.


* Culture Shifts Take Time. Shifting employees' attitudes about risk management to include monitoring, measuring, and controlling certain risks while sharing, avoiding, and accepting other risks will not occur effectively in a short period of time. Initially, many employees may view ERM as the latest corporate trend that distracts from running the business. As the framework evolves over time, however, employees are more likely to adopt the ERM philosophy when they see senior management and board members adopting it. As the risk management culture develops throughout the organization, each aspect of the ERM framework can be incorporated efficiently into day-to-day operations.


* Better Allocation of Resources. Implementing an effective ERM framework will consume significant resources. No organization has excess resources lying in wait for adopting a new framework for managing risk. But by first understanding entity-wide risks, executives and directors can determine the amount of resources they need to devote to each component of ERM. For example, certain business units can be identified as having more significant risk that can affect the organization overall, while other units that are more mature but excellent sources of cash flow might be identified as needing fewer resources for effective ERM.


There are also several pitfalls to avoid when using a building-block approach to ERM that can occur if an organization is not careful to emphasize the cultural shift. Two of the more important challenges are:


* Simplification of the Framework. Over time, the initial ERM framework becomes too simplified for effectively understanding entity-wide risks and making management decisions. Thus, organizations need to invest a sufficient amount of time and resources to implement an effective ERM framework culture and establish a foundation for managing risks not only at the entity level but at other levels of the organization as the framework evolves, as shown in Panel B of Figure 2. Sufficient time and resources should be invested in each component of COSO's framework to help avoid oversimplification.


* Skeptical Perceptions Associated with Implementing a Framework. When an organization opts to roll out new initiatives slowly, skeptics within the organization often will assume that there is an ulterior motive. For example, even if the initial rollout of an organization's ERM framework emphasizes ownership of risk management only within pockets of the organization, executives and directors should try to create a risk management culture across the entire organization. This will demonstrate their commitment to the ERM initiative to all employees and curb skepticism. Furthermore, if the organization only introduces a skeletal risk management framework, securities analysts might see it only as a signal that an organization is following trends to meet shareholder expectations. Thus, executives should ensure that a firm-wide risk management culture is developed, even though initial rollouts of the framework might not involve every aspect of the organization.


USING THE BUILDING-BLOCK APPROACH


Let's now look at how to implement an ERM framework using a building-block approach. This approach, as outlined in Figure 3, incorporates all steps of the COSO ERM framework so that risk owners and other employees within the organization can compare risk management initiatives with those of other organizations and have more meaningful discussions with people from those organizations. But if only parts of the framework are implemented during initial rollouts, these comparisons and discussions might be difficult.


Our building-block approach provides organizations with the time to gain comfort with utilizing a formal ERM framework such that executives, with oversight by directors, can make informed decisions on how best to develop a more intricate framework that cascades throughout the organization. In the last step, monitoring, we encourage organizations to continue to expand their ERM frameworks at a rate and in directions that make the most sense based on people's experiences with the framework.


Internal Environment


There are many components of an organization's internal environment described in COSO's framework that we believe ultimately should be emphasized as an organization develops its ERM framework, but only three elements are critical for laying the foundation for ERM: a risk management philosophy, culture, and organizational structure. Based on our three subcategories under "Create a Risk Management Culture" in Figure 3, many organizations might argue that they already have a risk culture. But the cultural items we note will serve to create a risk culture only if a risk management philosophy and organizational structure are also in place. We should note that the COSO report includes several other categories under internal environment, some of which we have reclassified under these three components.


There are two necessary conditions for an internal environment to facilitate an effective risk culture: (1) an awareness of the risk appetites of key stakeholders and (2) a philosophical commitment to align the organization's risk appetite embedded in its strategic objectives, strategies, and other initiatives with those of the key stakeholders. An emphasis on aligning risk appetites is not likely to occur unless the risk management organizational structure includes some level of responsibility of ERM for all C-level employees and directors. Although the authority and responsibility for ERM should lie with a risk committee of the board of directors and a chief risk officer, the remaining directors and executives should read reports and discuss the risk levels and their alignment with stakeholder risk appetites.


Objective Setting


An organization needs to specify its strategic objectives and the key strategies for achieving them. Defining its risk appetite and ensuring that it is aligned with the organization's objectives and strategies are also part of the objective-setting component. An organization's risk appetite should be aligned with stakeholders such as shareholders, key employees, and external entities involved in the supply chain, such as suppliers and customers. An organization should foster open and transparent dialogue with its shareholders because risk/return preferences should be agreed upon by all.


Event Identification


Identifying risk events that could impact an organization is an important step in developing an ERM framework. Because of the potential for forgetting risks, organizations need to carefully create risk categories and consider various ways that such risks can occur. The four risk categories in COSO's ERM framework are clearly universal to most organizations. In Figure 2, Panel A, we offer examples in parentheses of the types of risk that likely affect most organizations to varying degrees. Organizations should also consider risk interdependencies. In other words, are risk events isolated, are they part of a chain reaction, or do they result in ripple effects? We encourage organizations to utilize holistic, systems-type thinking to develop a deep understanding of the full impact of risk. This knowledge will be useful during the next phase of the framework, risk assessment. Also, organizations should consider the methodologies and techniques that might be used to assess and measure risk management to better understand the resources required to complete the ERM framework. Enterprise Risk Management--Integrated Framework provides examples of various methodologies and techniques.


Risk Assessment


The risk assessment stage is the place the "rubber meets the road" in an ERM framework. Here, organizations first estimate probabilities/frequencies and cost impacts of risk events. By first carefully considering the source of events and interdependencies with other risk events, organizations are in a better position to make these estimates. Also, estimates can be made utilizing various approaches. An estimated probability or cost can be used. Some organizations prefer to use relevant ranges. Others use various scenarios, such as best case or worst case. There is no right answer; rather, organizations should use an approach that is agreeable and most consistent with other components of the framework, such as risk appetite.


Figure 4 provides an example of various risks that a hypothetical "Company M" faces relative to its risk appetite. The general probability of each risk occurring is graphically plotted in Graph A. The diagonal line represents Company M's risk appetite--the points at which Company M would prefer its risks to lie.


Risk Response


Other than risk appetite, determining risk response is the most important decision that organizations make in developing an ERM framework. Because risk events by definition are uncertain, deciding whether to accept or avoid a risk-related activity can have significant consequences for an organization. By choosing to share a risk, an organization is committing to expend resources to purchase an insurance premium or enter into a strategic alliance. By choosing to reduce a risk, an organization is committing to implement control activities, which generally consume resources.


Organizations should also be careful to consider the impact of risk responses for a given risk on other risks. This relationship is commonly referred to as risk correlation, a challenging aspect of ERM. For example, the decision to implement a quality-control procedure to ensure end-product quality can lead to increased production cycle time, increasing the risk of late delivery to customers. An organization that chooses this risk response should, for example, ensure that there is sufficient cycle time remaining to perform the quality inspections or that the penalty for any late deliveries is less costly than the cost of delivering defective products.


The risk response choice results in alterations to inherent plotting of risks graphically. A decision to avoid a risk results in the removal of that risk from the plot because the underlying activity is no longer being performed, as shown in Graph B of Figure 4. For any risks that are accepted, the initial risk plot remains because no action is taken to reduce it. For any risks that are shared or reduced, the impact of the strategy serves to reduce the inherent risk. On a plot, an arrow can be used to represent a reduction in probability/frequency (e.g., a horizontal arrow), cost impact (e.g., a vertical arrow), or both (e.g., a diagonal arrow). After considering the risk response, the remaining risk serves as the residual risk that an organization has decided is appropriate based on its risk appetite.


Control Activities


Organizations that decide to reduce risks need to identify control activities that can be used to effectively reduce risks or the costs associated with them. Note that control activities under the COSO ERM framework expand beyond what have traditionally been considered control activities under the notion of internal control. A control activity consists of any initiative or activity that reduces the probability/frequency of any risk or reduces the associated cost impact. What has been traditionally considered "internal control" is a subset of possible control activities and applies to those activities that specifically manage financial reporting risks.


The next aspect of control activities is determining the cost of risk reduction activities. In our example, Company M is determining all costs associated with its premiums for insurance or other risk-sharing contracts, agreements associated with its alliance, and implementation of control activities. Organizations, however, must be careful to consider that the impact of risk sharing and reduction activities is not likely to eliminate the risk in question. Rather, the activities likely reduce the probabilities/frequencies of risk (preventive), cost impacts (detective), or both (preventive and detective). An effective way to understand that residual risks remain is to adjust the risk plots with arrows representing the reduction of risk from the associated share or reduction activity. Thus, the adjusted risk costs for Company M consist of the costs of the premium, alliance, or control activity plus the residual probability/frequency multiplied by the residual cost impact, as depicted in Graph B of Figure 4.


Information and Communication


Even a building-block ERM framework needs effective information systems and communication channels. At a minimum, information systems should be able to track actual information to inform the organization about occurrences of actual events, including those avoided. For Company M, information systems should also track the actual costs of premiums, alliances, and control activities so that a comparison of the costs of actual risk events to the estimates of them can be performed as part of monitoring. Further, organizations need to ensure that timely reporting of ERM occurs at all levels of the organization that are actively involved in managing the framework, most notably the responsible party for ERM, such as the chief risk officer. In particular, the effectiveness of the ERM framework at managing risk events and the actual costs associated with the events should be reported. Perhaps most important, the responsible party should provide updates on ERM effectiveness and costs to senior executives and directors.


Monitoring


Monitoring is important for a building-block ERM approach because at this point the organization makes decisions about how to expand its ERM framework throughout the organization. By performing separate risk assessments comparing actual events and their associated costs to estimated risk probabilities and costs, the organization can refine its risk assessment and response decision-making process such that some degree of internal standardization can occur. Further, as executives and directors gain comfort with the ERM framework, a solid risk philosophy and culture can be developed that will enable more effective internal marketing of the benefits of the framework as it is expanded throughout other parts of the organization.


AUGMENTING THE ERM FRAMEWORK


Our building-block approach should help augment COSO's Enterprise Risk Management--Integrated Framework so that organizations of all sizes, cultures, and risk experiences can implement the framework successfully without becoming overwhelmed by its overreaching goal. Organizations can decide how to best evolve their framework, including the activities within each component and the extent to which the framework is applied throughout the organization. The key aspects to this building-block approach are to start by: (1) considering entity-wide risks, then cascading the framework throughout the organization over time, and (2) including all phases of the COSO framework but limiting those phases to the basic elements needed to construct a solid foundation that can be evolved over time. Accordingly, we encourage all C-level managers and directors to obtain and read a copy of COSO's full report so that an understanding of the endgame of the ERM framework can be established. With an effectively developed and carefully implemented ERM framework, most organizations should improve the probability of achieving their objectives.


Figure 1: Eight Interrelated
Components of Enterprise
Risk Management--Integrated
Framework


INTERNAL ENVIRONMENT
OBJECTIVE SETTING
EVENT IDENTIFICATION
RISK ASSESSMENT
RISK RESPONSE
CONTROL ACTIVITIES
INFORMATION AND COMMUNICATION
MONITORING


Figure 2: Categories of Risk and Organization of
Enterprise Risk Management *

Panel A: Four Categories and Corresponding Types of Risk

STRATEGIC

(Governance, Strategic Objectives, Business Model,
External Forces, etc.)

OPERATIONS

(Business Processes, Upstream Value Chain, Downstream
Value Chain, Financial, etc.)

REPORTING

(Information Technology, Financial, Internal, Intellectual
Property, Reputation, etc.)

COMPLIANCE

(Securities & Exchange Commission, Environmental, Legal,
Contractual, etc.)


Panel B: Organizational Levels of Enterprise Risk Management (ERM)

ENTITY-LEVEL
Fundamental to the Initial ERM Framework

DIVISION LEVEL
Expand ERM as Needed Over Time

BUSINESS UNIT LEVEL
Expand ERM as Needed Over Time

SUBSIDIARY LEVEL
Expand ERM as Needed Over Time

* Adapted from the Committee of Sponsoring Organizations
of the Treadway Commission (COSO), Enterprise Risk
Management--Integrated Framework, 2004.


Figure 3: Components of a Practical
Enterprise Risk Management Framework

The headings below come from the COSO framework, but the
descriptions under them are the authors' suggestions for a
practical, building-block approach to implementing the
COSO framework, Enterprise Risk Management--Integrated
Framework.


INTERNAL ENVIRONMENT

Develop a Risk Management Philosophy

* Take steps to understand the risk appetites of key
stakeholder groups of the organization.

* Take steps to align the risk appetites of all stakeholder
groups.

Create a Risk Management Culture

* Emphasize integrity and ethical values in every
endeavor.

* Emphasize the role of employee commitment and
capability by giving them incentives and measures.

* Design human resources policies and practices to
support a risk culture.

Design a Risk Management Organizational Structure

* Establish responsibility for all board members and
senior executives.

* Consider organizing a risk committee beyond the
audit committee.

* Assign authority and responsibility for risk management
to an executive such as a "chief risk officer."


OBJECTIVE SETTING

Establish Clear, Strategic Objectives and Strategies

* At entity-wide level.

* At other levels of the organization to the extent that
a direct, material impact on the entity is reasonably
likely.

Determine Entity-Wide Risk Appetite

* Align the risk appetites of key stakeholders with
those of the company's strategic objectives and
strategies and its alliance partners.


EVENT IDENTIFICATION

Identify Risk Events

* Consider factors influencing objectives and
strategies.

* Analyze each risk category (i.e., strategic, operational,
reporting, and compliance) carefully.

Consider Event Interdependencies (i.e., isolated, part of a
chain reaction, those that cause ripple effects)

Identify Measurement Issues Associated with Methodologies
or Techniques Utilized


RISK ASSESSMENT

Select Assessment Technique (e.g., point estimates,
probability/loss ranges, best/worst-case scenarios)

Assess Inherent Probability/Frequency of Risk Events

Assess Cost Impact of Risk Events (any losses per unit of
output multiplied by output until contained)

Consider Plotting Risks on a Graph


RISK RESPONSE

Identify and Select Response for Each Risk (accept risk,
avoid risk, share risk, or reduce risk)

Consider Effects of Risk Response on Other Risks

Adjust Risks Graphically Plotted During Risk Assessment

* Accepted risks (estimated risk cost is plotted).

* Avoided risks (remove plots from graph).

* Shared and reduced risks (alter plots based on
control activities).


CONTROL ACTIVITIES

Shared Risks

* Assess costs of premiums for insured risks.

* Assess forfeited returns and/or costs to manage
alliances.

Reduced Risks

* Identify control activities needed to reduce risk.

* Assess all costs associated with control activities.

Adjust Graphic Plots of Risks

* Determine the extent to which a shared risk activity,
such as insurance, an alliance, or a control activity,
reduces inherent probability/frequency estimates (preventative)
and/or cost impact estimates (detective).

* Estimate total risk costs, which are the sum of residual
risk costs and premium/alliance/control activity
costs.


INFORMATION AND COMMUNICATION

Ensure that Information Systems Can Measure and Report
Risk

* Actual risk event occurrences (including those associated
with avoided activities).

* Actual costs of shared risk activities such as insurance
premiums and control activities.

* Actual costs of risk events.

Communicate ERM Effectiveness and Costs

* Ensure proper periodic reporting of ERM within the
organization, particularly among people responsible
for managing and overseeing ERM.

* Chief risk officer or other responsible executive
should measure and document ERM effectiveness
and costs.

* Responsible party reports on ERM effectiveness and
costs to executives and board of directors.


MONITORING

Perform Separate Risk Evaluations

* Compare actual event occurrences with residual
probability/frequency estimates.

* Compare actual costs with risk sharing/reduction
and residual cost impact estimates.

Reevaluate Risk Assessments

* Incorporate any changes to risk appetite, objectives,
strategies, etc.

* Identify any events not previously identified.

* Add/revise estimates for probability/frequency,
share/reduce cost, and/or cost impact estimates.

Consider Areas to Expand ERM Framework Based on
COSO's Enterprise Risk Management--Integrated
Framework


Figure 4: Risk Appetite, Assessment, and Response for
"Company M"


PART A: RISK APPETITE ASSESSMENT

"Company M," a mature organization, is controlled by several
large retirement funds. The company's board of directors
and executives assess its risk appetite at a low enough
level such that reasonable rates of return and fairly steady
income streams result over time. Further, the organization
has a long-established brand name for quality and durability
of its products, dominates market share for its industry,
and operates in an industry with high entry costs. Accordingly,
the company sets its risk appetite such that its risk
preferences mainly are low-probability events with low to
moderate cost impacts. The line drawn diagonally through
Graph A and Graph B represents the organization's risk
appetite, and the organization will choose to manage risks
so that they are as close to the risk appetite line as possible.

[GRAPHICS OMITTED]


PART B: RISK ASSESSMENTS

Assume that the organization identifies its five most important
entity-wide risks.

Risk 1. The market share loss from a new entrant, which
the organization has assessed as significantly
below its risk appetite.

Risk 2. A reduction in product quality associated with the
replacement of its aging workforce, which is heavily
unionized.

Risk 3. Government approval of a new product line being
considered that includes use of a chemical that the
U.S. Environmental Protection Agency (EPA) has
targeted for investigation based on its potential for
contaminating the atmosphere.

Risk 4. Rising supply-chain costs associated with the distribution
of finished products from the organization's
plants to authorized dealers and distributors.

Risk 5. The cost associated with worker injuries from the
dangerous nature of the production process of the
organization's products. The organization has self-insured
in the past, but costs and liability exposures
have been rapidly increasing over the past
several years.

Graph A illustrates how these risks within the ERM framework
might be graphically plotted.


PART C: RISK RESPONSES

Assume that the organization wants to manage its risks
close to its risk appetite. The organization in this example
could choose a different response for each risk.

Risk 1. There is no need to consume resources to manage
the risk further, so Company M accepts the market-share
risk.

Risk 2. Company M chooses to reduce the probability and
cost impact by investing in the human
resource business process such that a favorable
union contract and training programs
can be implemented to attract quality
employees who will continue the tradition of
quality.

Risk 3. Company M chooses to avoid it by opting
not to pursue the new product line until the
EPA resolves the issues surrounding the controversial
chemical.

Risk 4. Company M forms an alliance with a distribution
company that has a core competency
in distribution that can help reduce the probability
and cost impacts of distribution risks.

Risk 5. Because the probability of work-related incidents
has proven to be difficult to reduce,
Company M purchases worker compensation
insurance to reduce the cost impacts associated
with the risks.

Responses to Risks 3, 4, and 5 involve significant
costs associated with the control activity in Risk 3,
alliance in Risk 4, and policy premium in Risk 5. The
key to these decisions is that the risk response costs
plus remaining residual risk costs should be less
than the risk costs if the risks are accepted. The
adjusted plots in Graph B illustrate how the risk
responses impact the inherent risk assessments.


Brian Ballou, Ph.D., CPA, is an associate professor of accounting at Miami University in Oxford, Ohio. His teaching and research emphasis is on enterprise risk management, risk-based assurance, and performance measurement. You can reach him at (513) 529-6213 or balloubj@muohio.edu.


Dan L. Heitger, Ph.D., is an assistant professor of accounting at Miami University. His teaching and research emphasis is on new product development, activity cost estimations, incentive systems, and performance measurement. You can reach him at (513) 529-6208 or heitgedl@muohio.edu.


(1) Mary Pat McCarthy and Timothy P. Flynn, Risk From the CEO and Board Perspective, McGraw-Hill, New York, N.Y., 2004, pp. 152-153.


COPYRIGHT 2005 Institute of Management Accountants
COPYRIGHT 2008 Gale, Cengage Learning
