After the unveiling of a draft update to a deeply entrenched internal control framework, a band of naysayers is calling for a blank-sheet-of-paper approach.

The Committee of Sponsoring Organizations of the Treadway Commission recently published a draft of its widely accepted Internal Control – Integrated Framework for public comment. COSO said the update retains the basic tenets of the 20-year-old framework, but updates it to adapt to increasing complexity and pace of change, to mitigate risks to the achievement of objectives, and to provide reliable information to support good decision-making.

Tim Leech, managing director at consulting firm Risk Oversight, is circulating a draft article of his own to drum up some thinking about his view that the root of risk management failure is flawed risk and control management frameworks, methods, and tools. Advocating radical new approaches around enterprise risk management, he calls for an upending of “ERM herd mentality.”

He's not alone in seeking change. “The recent COSO revision of their internal control framework has me thinking it is a perfect time to scrap everything,” says Dan Clayton, director at CHAN Healthcare Audit, in posts to governance discussion groups. “Why are we developing standards for the future based on a historical foundation rather than a current need?” The greater need in the current environment, says Clayton, is a focus on creating accountable, transparent organizations.

“We are coming out of an era where legal mitigation, financial accuracy, and threat management were the way to protect corporate reputation while management went about their own way to create value,” Clayton says. “However, more is being asked today. What management does and does not do to create and protect value is prime public conversation. Why, then, are we aligning our value contribution to our old concepts of operational efficiency, reporting accuracy, and compliance? Should we not choose a new foundation that first meets or tries to address the need for clear accountability and transparency, and then decide how to apply our traditional concepts?”

In his article due to be published in a professional journal, Leech cites a report of the “Senior Supervisors Group,” a group of eight banking and securities regulators in the United States and Europe, which concluded that the 2008 banking and financial crisis was caused by, or exposed, various corporate deficiencies in governance, firm management, risk management, and internal control. On top of liquidity risk management problems, firms were dogged by failures to adhere to acceptable risk levels, compensation that conflicted with control objectives, inadequate infrastructure to identify and measure risk, and cultures that rewarded risk takers more than risk and control personnel.

“What is not stressed in the SSG report,” writes Leech, “is that virtually all of the organizations they reviewed as part of their study would have claimed prior to the crisis to have effective enterprise risk management practices,” and virtually all of the companies studied by the SSG were certified by CEOs and CFOs under Sarbanes-Oxley to have effective internal control over financial reporting. He laments that the report does not attempt to identify the root causes that would explain widespread risk and control failures.

In Leech's view, COSO and regulators are mistaken to remain on the same path with existing risk and control management approaches. “The global cost of failed risk and control management frameworks over the last five years totals in the trillions of dollars,” he writes.

The COSO framework update is open for comment through March 31, 2012.