Environmental Social and Governance (ESG) is having a major impact on businesses. Prompted by customers, investors and regulators, managers are moving to address ESG risk in their offerings, operations, and supply chains.
The moment for ESG has clearly arrived. And business leaders should look to proven approaches for risk management to better understand and address ESG-related priorities
Evaluating ESG Risk
ESG encompasses a broad set of risks that include climate change, water security, preservation of biodiversity, human rights and labor standards, diversity and inclusion, cybersecurity, and board composition to name just a few.
At first glance, ESG risk looks like a collection of dissimilar things. Some risks are global threats with massive macroeconomic impacts. Others are specific to an organization and its strategies and capabilities. But a closer look provides some clarity.
One theme that unites ESG risks is that they all contribute to a sustainable approach to development that promotes the well-being of the natural environment and its inhabitants. The United Nation’s Sustainable Development Goals provide context for the risks and opportunities under ESG.
Another common theme is that investors are increasingly focused on understanding the environmental and social impacts of an asset or organization before investing.
Investors have seen the correlation between ESG maturity and business performance. This is not simply to say that every company with an ESG program outperforms its peers (though many do). But organizations that manage ESG well offer greater transparency into their risk exposure, which enables investors to make better pricing decisions.
ESG-focused funds recorded inflows of $641B in 2021, continuing an upward trend of the previous two years. ESG funds now account for 10% of worldwide fund assets – which means that ESG transparency can significantly increase a business’s access to capital.
ESG Risk is Trending – But It’s Not All New
Some ESG risks arise from the practices and standards (or lack of) of a business’ suppliers.
Third-party risk management (TPRM) deals with the potential risks that arise from relying on outside parties – suppliers (at any tier), vendors, and contractors – that perform services or activities on behalf of a business.
Human rights and labor standards, conflict-minerals management, and product safety and quality testing apply under TPRM and have been part of responsible supply-chain operations for decades for some sectors – including apparel and consumer-goods manufacturing.
Many countries including Australia, the UK, and US have laws requiring businesses to identify, assess, and address modern slavery risks in their operations and supply chains.
What is New with ESG Risk
Businesses are facing several important new requirements surrounding ESG issues and ESG reporting:
- Climate-related disclosure
In the US, the SEC has announced its new proposals, which include reporting on climate-transition strategies and impacts and Scope 3 emissions for large public companies.The UK has announced climate-change reporting rules for large companies and partnerships based on the Task Force on Climate-Related Financial Disclosures (TCFD).The EU has required reporting under the Non-Financial Reporting Directive (NFRD) since 2014. In 2023, the Corporate Sustainability Reporting Directive (CSRD) will go into effect amending the NFRD with detailed reporting requirements and assurance requirements for all large companies and any in regulated markets.
- Assurance for reporting
The intent of the new US proposal is that a company’s emissions reporting be reviewed by outside auditors like financial reporting is today. In fact, financial statements related to climate-transition impacts would be subject to existing audit rules. And after a phase-in period, emissions reporting for Scope 1 and 2 would be held to reasonable assurance, which includes supporting evidence to reduce risk of misstatement.
- Supply-chain transparency
Another area is managing environmental and social risks in the supply chain.When the EU rolls out the Corporate Sustainability Due Diligence Directive in 2023. It will require companies to identify and act on environmental and human-rights risks in their operations and end-to-end supply chains. It will also require auditing of any reported information.In June 2022, the Uyghur Forced Labor Prevention Act increased the requirements on businesses to prove that goods produced in China’s Xinjiang Uyghur Autonomous Region (XUAR) are allowed to enter the US.
Here’s Why ESG Management Requires a Risk-Based Approach
ESG encompasses a broad and diverse set of risks, so it makes sense that there is no one-size-fits-all approach to manage ESG risks. But organizations have been effectively managing diverse risks under one roof, so to say, for a long time. The use case is not new, and there are proven practices.
Risks – including ESG risk – can be classified in three categories:
Preventable risks – These risks are internal to an organization and can be managed effectively with rules. An example is requiring suppliers to comply with site inspections to ensure workers operate under safe conditions and are treated fairly. The focus for managers is establishing policies and ensuring compliance.
Strategy risks – These risks are voluntarily accepted by a business as the means to an end. An example is when an energy-services company accepts the risk of sourcing content from local suppliers to meet the requirements of the regional government. The focus for managers is to minimize the likelihood and impact of the risk. For the energy-services provider, this could mean higher costs from added supervision of local suppliers and more rigorous project management.
External risks – These risks are external to an organization and outside its control or influence. An example is a natural disaster or a new political regime. The focus for managers is to identify potential risks and mitigate their impacts. An example is diversifying supply from different parts of the world to hedge against political and/or logistics risks.
Keys for Best Practice ESG Risk Management
Risk management techniques for assessing, managing, and monitoring each risk type are proven ground. There are additional capabilities you’ll want for an end-to-end best practice approach for ESG risk.
The data needed for effective risk management is commonly found in many, diverse locations. These include databases and a range of internal systems – enterprise resource management (ERP), contract management, purchasing systems, and human resources to name a few.
It’s critically important to be able to easily take in data from any and all the internal systems to gain a complete picture of risk in your organization.
Today many important risk signals come from outside an organization. These signals come from “social listening” and web-crawling technologies that analyze millions of data points from news sources, public records, and social media in near real-time to identify issues and trends that impact risks.
For many organizations risk-sensing capabilities are a critically important part of fully understanding a rapidly evolving risk landscape.
It’s not uncommon that a single event impacts multiple risks. For example, an operational risk, like inconsistent quality control in manufacturing, results in increased sales returns. If unchecked, that can lead to an erosion of brand value or reputational risk. Gaining insight to connections between related risks is another important capability for a comprehensive understanding of risk and part of a best practice approach to risk management.
While ESG risk may be trending, it really is simply a set of threats and opportunities in a complex and dynamic environment that are best managed with a proven approach and appropriate technology. To all the risk managers out there, you got this.