Environmental, social, and governance – ESG – and business continuity are both increasingly important to risk management and compliance discussions. But rarely does the conversation span both disciplines, which isn’t surprising that approach mirrors the structure of most organizations. When ESG and business continuity join forces, however, the results can be beneficial for both disciplines – and for the organization overall.
Consider the overlapping goals and objectives of ESG and business continuity. A lack of sustainability, for instance, is a threat to continuity and resilience. Poor alignment with customers’ values is a threat to continuity. And failing to proactively manage the consequences of changing climate conditions throughout the supply chain – internal and external – increases the likelihood of disruption.
The first step in working together is to get to know each other. Business continuity meet ESG.
ESG is a set of initiatives and goals that enable sustainable development based on a blueprint developed by the United Nations. ESG focuses on the planet, its ecosystems, and people. It includes all the direct and indirect inputs that comprise product or service delivery, including supply chains, internal operations, and channels.
For many organizations, ESG is a story for the market. For some, it’s a story and a score. But at the core, ESG is an ongoing journey to reduce negative impacts on the planet and people over time.
ESG includes elements that are common for all industries, such as greenhouse gas emissions reduction and forced labor protections. There are also elements that are sector specific, like animal welfare in protein production and forestry stewardship in textile manufacturing.
In the past, ESG reporting was voluntary. Today, however, ESG-related topics are becoming increasingly regulated, which can be a challenge for businesses. There are hundreds of regulations in effect, with more on the way. Businesses can be required to comply with regulations in their home locations, as well as those where they source and sell.
While the development of a global standard was started in October 2021 with ISSB at the United Nations Climate Change Conference (COP26), reporting organizations are now required to manage a complex and dynamic set of requirements that are likely to increase in the foreseeable future.
ESG is all about telling a story on sustainability and values, maintaining the performance data to back it up, and managing the actions to improve over time.
At a high level, business continuity is about ensuring the continuity of product and service delivery, even when faced with one or more catastrophic events.
Why ESG Now?
Similar in many ways to business continuity, ESG is driven primarily by four influencers – regulators, the investment community, customers, and reputation.
ESG regulatory pressures continue to rise, with a particular focus on measuring an organization’s carbon footprint related to the development and delivery of products and services. For example, Germany’s Supply Chain Due Diligence Act just went into force at the start of the 2023. It mandates companies with 3,000 or more employees in Germany to take appropriate measures to respect human rights and the environment within their supply chains. Similarly, in the US, the state of California has proposed legislation in the Corporate Climate Accountability Act that will require companies with at least $1 billion in revenue to report and verify their Scope 1, 2, and 3 emissions. Also on the horizon is a proposal from the USSEC that will require ESG reporting beginning in 2024.
An increasing number of investors are establishing strict ESG-related criteria before they consider investing in a company – again with a focus on carbon emissions, climate-related risks, conflict minerals, human rights, and employment conditions. These institutional investors impose their own ESG disclosure requirements that leverage standards under the Global Reporting Initiative (GRI), the Sustainable Accounting Standards Board (SASB) and the Task Force for Climate Related Financial Disclosure (TCFD), among others.
Meeting these investor requirements is critical for access to capital, with research showing that an organization’s ESG ratings can affect 33%-40% of the cost of capital. BlackRock and State Street are two examples where an investment will not be made in an organization without strong ESG practices and outcomes.
Similarly, customers are evaluating their suppliers’ ESG practices by assessing workplace conditions, human rights performance, diversity and inclusion, carbon emissions, and more.
Social pressure is also a key driver. A strong ESG story and scoring can be a market differentiator. A growing number of customers will support and buy from organizations that align to their values.
Don’t Confuse ESG with TPRM
Because so much of the ESG focus is on supply chain, many confuse ESG with third-party risk management (TPRM). Still others look at ESG as a subset of the broader TPRM landscape.
To clarify, ESG is not just a responsibility of an organization’s suppliers. Strong ESG starts with actively governed and measured internal standards – which then extend into the supply chain. Where results fail to align to expectations, corrective action should be taken.
A relationship between ESG and TPRM clearly exists, but they are not the same. TPRM exclusively focuses on external partners and the impact on the business, whereas ESG includes both internal and external responsibilities.
Both can be more effective and efficient with shared information, including:
- Who do you rely upon for product/service development through delivery?
- What do they provide?
- Where do they operate (e.g., locations, as well as their logistical paths)?
- Who are your supplier’s suppliers?
- What are their controls and do those meet your expectations?
- What are the results of independent audit and verification?
- Do they meet your expectations (e.g., carbon reduction, water conservation, etc.)?
- What are the agreed-upon opportunities for improvement?
- What improvement actions do the third parties plan to take?
- What are the threats to the third parties?
- Who are the alternates for each third-party dependency?
The Intersection Between Business Continuity and ESG
Cyber and supply-chain risks remain the leading causes of disruption. Note however, that supply-chain disruption is no longer just about failure caused by a disruptive event. Disruption can also be the result of an inability to meet ESG obligations and expectations.
Sustainability and continuity are clearly intertwined.
Many of the shared data elements are also necessary to understand and manage business continuity. But the relationship is more than simply sharing data.
Those organizations with leading ESG, TPRM, and business continuity practices also benefit from early-warning networks, such as risk/threat intelligence that triggers a response, as well as risk-sensing capabilities. The latter involves real-time monitoring of outlets to detect adverse media, legal filings, and threat-related information. Risk-sensing uses natural-language processing and covers news media, open-source public records from government agencies (e.g., FCC, Office of Foreign Assets Control [OFAC], law enforcement agencies, and tax authorities), press releases, and reports by nongovernmental organizations.
Cementing the Relationship
ESG also benefits from coordination with business continuity.
Business continuity and ESG share the risks associated with reputational impairment and sustainable product and service delivery. With shared data, risk/threat intelligence, and risk sensing, both disciplines can manage these risks efficiently and successfully.