ESG Risk Management Is Here. It’s Not as Scary as You Might Think
Everywhere business executives look these days, the discussion is turning to “ESG”—environmental, social, and governance issues—and how a company can demonstrate that it has its own ESG house in order.
ESG risks might seem a bit overwhelming, especially to businesses already awash in so many other demands for risk assurance. The truth is less scary. ESG risk management does have its unique challenges, but in many ways the task is similar to other risk management efforts that companies have had to confront for years. You just need the right approach to assessing risk and the right tools to tame it.
Let’s begin by defining what ESG actually is. We could define it by listing all the specific issues that might fit under the ESG umbrella, and that number would be quite large. For example:
- Environmental: Greenhouse gas emissions; water usage; renewable energy usage; recycled materials used in your products; the recyclability of your own products; hazardous waste production.
- Social: Forced labor in the supply chain; workforce diversity; unionization; pay equity among gender and racial groups; parental leave; employee mental health.
- Governance: Shareholder rights; boardroom diversity; anti-corruption measures; consumer privacy; accurate financial reporting.
That’s a non-exhaustive list, by the way; we could add dozens more. If you wanted to reduce all those specific issues into a single concept, it would be this: ESG gives a company’s stakeholders a better sense of the non-financial issues relevant to performance and value.
From there, those stakeholders (i.e., investors, employees, consumers, business partners, and regulators) can make better decisions about how to interact with the business because they have a better sense of how the company’s actions do or don’t align with their ethical and investing priorities. That’s the logic behind all this.
And make no mistake, the push for better reporting of ESG data is growing. The U.S. Securities and Exchange Commission plans to propose new regulations in 2022 requiring public companies to disclose ESG data to investors. The European Union already has such a requirement now. The U.S. House of Representatives recently approved the ESG Disclosure Simplification Act, which would codify public companies’ ESG disclosure into law. However, the Senate has not taken up the legislation.
Investors want more ESG disclosure too. Dozens of investment firms, collectively with trillions of dollars at their disposal, use various ESG criteria to screen investment candidates. For example, BlackRock (the largest such firm in the world, with roughly $9.5 trillion in assets), has made climate change risks a primary criteria for its investment decisions. Private equity firms also want more ESG data from investment targets, because the firms’ own limited partners (college endowments, pension funds, etc.) want to ensure that their investment efforts align with their values.
The Goal: Better Data
Despite the wide range of ESG issues, the fundamentals of what a company needs to do here are straightforward. You need to assess your business processes—including your relationships with third parties—and extract relevant data about your ESG risks. Then you report that data to stakeholders and, where necessary, make improvements to your operations.
To a certain extent, then, ESG assurance and reporting is like cybersecurity assurance. There, too, you need to understand where the risks are within your enterprise, including risks that might arise from third parties working with you. You need to examine business processes, extract relevant data, and report it. Then you shore up weaknesses in your security regime and repeat the process all over again.
The substance of what you want to assess and report is very different, to be sure. But how you go about assessing, measuring, monitoring, remediating, and reporting—that is, the processes a compliance team would need to build and follow—is not.
So as daunting as ESG assurance might seem at first glance, compliance teams already experienced in managing cybersecurity risk won’t find themselves totally lost.
All that said, ESG assurance still does have some specific challenges.
First, you’ll need to identify which ESG issues are material to your business. For example, a tech services firm might pay more attention to social and governance issues (e.g., workforce diversity and privacy compliance), and less attention to environmental issues. Meanwhile, a manufacturer might pay much more attention to greenhouse gas emissions and workforce unionization rates.
A company can define its ESG materiality standard in several ways. You could talk with stakeholder groups to understand which ESG issues are important to them and use their feedback to articulate the set of ESG issues you’ll report. You should also talk with any relevant regulators to see what ESG disclosures they might require.
You could also visit publishers of ESG frameworks, such as the Sustainability Accounting Standards Board (SASB) or the Task Force on Climate-Related Financial Disclosures (TCFD). For example, SASB offers a free materiality map where you can look up your specific industry and see what disclosures SASB recommends that you make.
After you identify the ESG disclosures you want to make, you’ll need to use ESG frameworks to assess your company’s ESG performance, find areas that need improvement, and implement remediation steps. For example, if you want to track labor practices in your supply chain, you might find that the contracts you have with suppliers don’t include any clauses that they meet your labor standards—so you’ll need to start adding that language into new contracts.
Numerous ESG frameworks exist, published by groups such as SASB, the TCFD, the Global Reporting Initiative, and others. It’s possible that regulators might adopt new rules that require all companies to use a specific framework, but much more likely that regulators will only require a business to use a “widely recognized” framework or some requirement similar to that language. That’s how the Securities and Exchange Commission handled compliance with the Sarbanes-Oxley Act in the 2000s: it recommended an internal control framework such as COSO, but never specifically said, “Thou shalt use COSO.”
Back to Technology Demands
Whatever ESG framework you use, your company will still need the right technology to use that framework effectively. Just like cybersecurity compliance, to manage all these ESG tasks with manual processes is pretty much impossible. You will have too many questionnaires to track, too many certifications to document, and too many remediation steps to confirm.
ESG assurance, like any other assurance task in the modern era, needs to harness technology to get the job done. That means mapping of risks, compliance obligations, and controls; automated evidence collection; a repository for documentation; and easy reporting to stakeholders.
Those are the technology capabilities a business is going to need in order to meet the demands of the ESG era. And rest assured, that era is upon us.
Get the Latest on Compliance Operations.
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.
Kelly was named as ‘Rising Star of Corporate Governance’ by Millstein Center for Corporate Governance in inaugural class of 2008; and named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.
Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.