Integrated Risk Management: The New Frontier in COSO-Driven Sustainability Reporting
In the rapidly evolving corporate sustainability landscape, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has provided a framework for integrated control across the business. This framework, known as the COSO Internal Control-Integrated Framework (ICIF), incorporates a risk-based approach to designing, assessing, and reporting on internal controls. It is widely recognized as a comprehensive internal control, oversight, and assurance framework for external reporting and sustainable business management.
COSO's Integrated Control Framework
In their latest guidance, "Achieving Effective Internal Control Over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control-Integrated Framework," COSO provides a detailed explanation of how to apply the principles of ICIF to sustainability. The guidance includes each of the 17 principles in ICIF-2013, with each principle and its points of focus explained and interpreted for application to sustainability. The guidance also provides insights into how the principles are being considered and implemented, either directly or indirectly, through new and proposed regulations, evolving professional standards, and organizational practices.
The Limitations of a Traditional GRC Approach
While some companies have adopted a Governance, Risk, and Compliance (GRC) approach and its associated rigid software tools to manage specific compliance requirements of laws and regulations, this approach has not been widely used in sustainability reporting due to the lack of regulation in this area. The GRC approach and associated software tools often result in a fragmented and compliance-driven perspective. This can lead to a narrow focus on meeting regulatory requirements rather than an interconnected view of the organization's sustainability risks and opportunities. Moreover, the GRC approach often fails to adequately address the multidisciplinary nature of sustainability, resulting in gaps in the organization's sustainability reporting and risk management processes. Furthermore, layering on additional fragmented controls and software tracking tools can lead to redundancy and increased costs.
IRM is the linchpin for sustainability reporting
IRM links the four major risk disciplines - ERM, ORM, ITRM and GRC - to provide an integrated view of risk and control.
The Case for Integrated Risk Management (IRM)
In contrast to the traditional GRC approach, an Integrated Risk Management (IRM) approach offers a more comprehensive and strategic perspective on sustainability reporting. It provides a structured approach to managing the broad spectrum of risks associated with sustainability, including performance, resilience, assurance, and compliance risks. Here are several reasons why companies should consider an IRM approach:
Interconnected View of Risks: IRM provides an interconnected view of the organization's risks, enabling it to better identify, assess, and manage its sustainability risks. This can lead to more effective risk management strategies and improved sustainability performance.
Alignment with Business Strategy: IRM helps align the organization's sustainability objectives with its overall business strategy. This can enhance the organization's ability to achieve its sustainability goals and drive sustainable business performance.
Improved Data Quality and Control: IRM can improve the quality and control of the data used for sustainability reporting. This is particularly important given the increasing complexity and diversity of sustainability data, which ranges from greenhouse gas emissions to employee turnover rates.
Enhanced Assurance: By implementing effective IRM, organizations can improve the reliability and assurance of their sustainability reporting. This can increase trust and confidence among stakeholders, including investors, customers, and regulators.
Better Response to Regulatory Changes: The regulatory landscape for sustainability reporting is rapidly evolving. An IRM approach can help organizations better respond to these changes, ensuring they remain compliant while leveraging new opportunities for sustainable business performance.
Benefits of IRM for Key Stakeholders
Unlike GRC, IRM extends its benefits to key stakeholders in the business, such as the C-suite, board of directors, and operational management. For instance, the CFO's role has evolved to manage business issues cross-functionally, requiring a bird's-eye view to maintain agility and embrace new trends or regulations. IRM provides this interconnected view, enabling CFOs and other key stakeholders to build trusted relationships, achieve business goals, drive connectivity, and meet stakeholder demands.
Modern IRM Technology Providers
Modern IRM technology providers offer open, non-proprietary, cloud-based platforms that enable better connections with third parties for risk management and data integration. These platforms provide integrated systems for tracking and reporting, making cross-functional auditability and traceability more critical than ever. With new regulations emerging, staying ahead of change is non-negotiable, and these platforms provide the necessary tools.
Furthermore, modern IRM technology solutions link the strategic, business outcome-driven view of enterprise risk management (ERM) to the execution-level, process-driven view of operational risk management (ORM). This linkage provides a comprehensive view of risk across the organization, enabling better decision-making and risk mitigation strategies. Additionally, IRM technology can provide greater visibility into the risks of the technology assets that enable business processes, visibility that is typically fragmented across separate IT risk management and cybersecurity tools. This enhanced visibility can help organizations manage their IT risks and improve their cybersecurity posture.
The Move Beyond GRC to IRM
Shifting from a traditional, compliance-driven GRC approach to a more comprehensive IRM approach can significantly enhance an organization's sustainability reporting. By considering an IRM approach, organizations can better manage their sustainability risks, improve the quality and assurance of their sustainability reporting, and drive sustainable business performance. This shift aligns well with the principles of COSO's ICIF, offering a more interconnected and practical approach to managing sustainability risks and reporting.