Note: This post has also appeared on the blogs of the Public Interest Section of the American Accounting Association and the Sustainability Investment Leadership Council. I encourage you to use these links to peruse these outstanding online publications.
Three years ago, COSO updated its Integrated Framework for Enterprise Risk Management (ERM). It was a noteworthy event in the business community, given that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is the leading authority that promulgates guidance about internal control and enterprise risk management systems.
Prior to this update, organizations utilized a cubic ERM framework that COSO first promulgated in 2004, following a scandal plagued era that featured the collapses of Enron, Arthur Andersen, and WorldCom. The original cubic ERM model emphasized the practices of event identification, risk assessment, control practices, and response capabilities.
After years of widespread use, the 2004 COSO Cube became synonymous with the practice of ERM. In its 2017 update, though, COSO presented a new “Focused Framework” with five components: (a) Governance and Culture, (b) Strategy and Objective Setting, (c) Performance, (d) Review and Revision, and (e) Information, Communication, and Reporting. To emphasize the “interrelated” nature of these five components, COSO designed a visual framework that weaves the five together in the form of a multi-colored Helix.
The designers of the Integrated Reporting <IR> Framework may have taken this Helix into account when they defined their own framework development goals earlier this year. Since 2013, issuers of integrated reports have used the International Integrated Reporting Council’s (IIRC’s) colorful Six Capitals model to structure their presentations. Some even referred to the framework as the Octopus Model, given its vaguely mollusk-like shape.
Like COSO, the IIRC felt the need to update this original framework. Its design project remains in progress, but the organization recently issued a model entitled “From String to Spring” that features an extension of the Six Capitals model.
Each of the six capitals of the <IR> Framework, like each of the five components of the ERM framework, is represented by a colorful String. Whereas the five “interrelated” Strings of the ERM framework are woven into a colorful Helix, the six “integrated” Strings of the <IR> Framework are woven into a colorful Spring.
Given the obvious similarities between the Helix and the Spring, it is hard to believe that the two design teams were oblivious to each other’s efforts to update their original Frameworks. Indeed, by presenting such similar models, COSO and the IIRC remind us of the significant “interrelationships” and “integrations” that link the functions of enterprise risk management and integrated reporting.