ESG risk management is here. It’s not as scary as you might think


Wherever business leaders look these days, the discussion turns to “ESG” – environmental, social and governance issues – and how a company can demonstrate that it has its own ESG house in order.

ESG risks can seem a little overwhelming, especially for companies already buried under so many other demands for risk assurance. The truth is less scary. ESG risk management has its own challenges, but in many ways the task is similar to other risk management efforts companies have handled for years. You just need the right approach to assessing the risk and the right tools to tame it.

Let’s start by defining what ESG really is. We could define it by listing all the specific issues that might fall within the scope of ESG, and that list would be quite long. For example:

  • Environment: Greenhouse gas emissions; water consumption; use of renewable energy; recycled materials used in your products; the recyclability of your own products; generation of hazardous waste.
  • Social: Forced labor in the supply chain; workforce diversity; unionization; pay equity across genders and racial groups; parental leave; employee mental health.
  • Governance: Shareholder rights; board diversity; anti-corruption measures; consumer privacy; accurate financial reporting.

This is a non-exhaustive list, by the way; we could add dozens more. If you wanted to reduce all these specific issues to a single concept, it would be this: ESG gives a company’s stakeholders a better understanding of the non-financial issues that affect its performance and value.

From there, those stakeholders (investors, employees, consumers, business partners and regulators) can make better decisions about how to engage with the company, because they have a clearer picture of how the company’s actions do or do not align with their ethical and investment priorities. That’s the logic behind it all.

And make no mistake, the pressure for better reporting of ESG data is growing. The U.S. Securities and Exchange Commission plans to propose new rules in 2022 that would require public companies to disclose ESG data to investors. The European Union already has such a requirement. The U.S. House of Representatives recently passed the ESG Disclosure Simplification Act, which would write public company ESG disclosure into law, although the Senate has not taken up the bill.

Investors also want more ESG disclosure. Dozens of investment firms, collectively managing trillions of dollars, use various ESG criteria to screen investment candidates. For example, BlackRock (the largest such firm in the world, with roughly $9.5 trillion in assets under management) has made climate change risk a primary consideration in its investment decisions. Private equity firms also want more ESG data on their investment targets, because the firms’ own limited partners (university endowments, pension funds and the like) want assurance that their investments are aligned with their values.

The goal: better data


Despite the wide range of ESG issues, the fundamentals of what a company must do here are simple. You assess your business processes, including your relationships with third parties, and extract relevant data about your ESG risks. Then you communicate that data to stakeholders and, where necessary, make improvements to your operations.

To a large extent, then, ESG assurance and reporting is like cybersecurity assurance. There, too, you need to understand where the risks lie within your business, including risks that arise from the third parties you work with. You examine business processes, extract the relevant data and report on it. Then you fix the weaknesses in your security program and repeat the cycle.

The substance of what you assess and report is very different, of course. But how you do it (assessment, measurement, monitoring, remediation and reporting, i.e. the processes a compliance team should create and follow) is not.

So, as daunting as ESG assurance may seem at first glance, compliance teams already experienced in managing cybersecurity risk won’t be lost.

Issues specific to ESG


That said, ESG assurance does have its own specific challenges.

First, you will need to identify the ESG issues that are material to your business. For example, a technology services company might pay more attention to social and governance issues (e.g., workforce diversity and privacy) and less to environmental issues. A manufacturer, meanwhile, might pay far more attention to greenhouse gas emissions and labor unionization rates.

A company can define its ESG materiality standard in several ways. You can engage with stakeholder groups to understand which ESG issues matter to them, and use their feedback to articulate the set of ESG issues you will report on. You should also consult the relevant regulators to see what ESG information they might require.

You can also consult ESG framework publishers such as the Sustainability Accounting Standards Board (SASB) or the Task Force on Climate-related Financial Disclosures (TCFD). For example, SASB offers a free materiality map where you can look up your specific industry and see which disclosures SASB recommends you make.

Once you have identified the ESG disclosures you want to make, you will need to use ESG frameworks to assess your company’s ESG performance, identify areas for improvement and implement corrective actions. For example, if you want to track labor practices in your supply chain, you may discover that your contracts with suppliers contain no clauses requiring them to meet your labor standards. So you will need to start adding that language to new contracts.

Many ESG frameworks exist, published by groups such as SASB, TCFD, the Global Reporting Initiative and others. It’s possible that regulators will adopt rules forcing all companies to use one specific framework, but it’s far more likely that regulators will require a company to use a “widely recognized” framework, or some similar language. That is how the Securities and Exchange Commission handled Sarbanes-Oxley compliance in the 2000s: it recommended an internal control framework such as COSO, but never specifically said, “You will use COSO.”

Back to technology requirements


No matter which ESG framework you use, your business will need the right technology to apply it effectively. Much like cybersecurity compliance, managing all of these ESG tasks with manual processes is next to impossible. There are too many questionnaires to complete, too many attestations to document and too many remediation steps to confirm.

ESG assurance, like any other assurance task in the modern age, must leverage technology to get the job done. That means mapping risks, compliance obligations and controls to one another; automated evidence collection; a single repository for documentation; and easy reporting to stakeholders.

These are the technological capabilities a company will need to meet the demands of the ESG era. And rest assured, that era is upon us.

The post ESG risk management is here. It’s not as scary as you might think appeared first on Hyperproof.

*** This is a syndicated blog post from the Security Bloggers Network, authored by Matt Kelly of Hyperproof. Read the original post at:

