“ESG risks” is one of those somewhat maddening terms of art in corporate compliance. It’s clear enough to understand that environmental, social, and governance issues are things a company shouldn’t ignore — but also too imprecise for compliance and risk professionals to have a standard process for dealing with them.
That may be starting to change.
For example, banks are starting to ask more probing questions about ESG risks when considering whether to lend money to corporate customers. That makes sense; if banks are lending to a real estate developer who wants to rehab an urban waterfront, they want to understand that project’s risks from climate change. If they’re lending to a firearms business, they want to know the risks around gun control legislation or litigation over mass shootings.
The fund will push companies to disclose more about ESG risks and give more support to shareholder resolutions calling for companies to do more about climate change.
The banks aren’t alone. BlackRock, the largest investment fund in the world, just announced that it will pay far more heed to climate change and sustainability issues as it decides where to invest its $7 trillion pile of cash. The fund will push companies to disclose more about ESG risks and give more support to shareholder resolutions calling for companies to do more about climate change.
What’s interesting is that banks and BlackRock aren’t pushing companies to take specific stances on ESG issues They simply want companies to disclose their ESG risks in a more structured manner. They want to know how a company has quantified and mitigated those risks, so they can make better investment decisions.
As often happens, that requires a blend of compliance and risk management. One without the other won’t do much.
Begin With a Bigger Risk Assessment
To assess your ESG risks accurately, you first need a framework or set of standards to assess your business operations against. Compliance and risk officers have numerous choices.
For example, the Sustainability Accounting Standards Board (SASB) has been publishing industry-specific sustainability standards since 2011. It has standards for 77 industries, from mining to food & beverage to transportation plus many more. SASB has also developed a set of standards for sustainability issues it deems financially material — an important consideration for publicly traded companies.
SASB isn’t the only option. The Organization for Economic Co-operation and Development (OECD) has its Due Diligence Guidance for Responsible Business Conduct, published in 2018. The Corporate Human Rights Benchmark ranks large companies based on their sustainability disclosures, and lists what those disclosures are. ISO 26000 offers a path for social responsibility, although technically it’s only guidance rather than a formal ISO standard where a company can certify its compliance. The Global Reporting Initiative (GRI) is yet another.
None of these standards are legally required; a company can choose which one makes the most sense for its own operations. Some even complement each other. For example, you might choose to use SASB or GRI standards for disclosure, and follow the OECD guidance to perform the supply chain due diligence that will inform what you ultimately disclose.
From there, the mechanics of the next steps should sound familiar. The company performs a gap analysis to see how its current operations differ from ideal ESG standards. You use tools to track remediation steps, test improvements, and document progress. The data is fed into a sustainability report that can be disclosed to investors, lenders, consumers, or anyone else.
At an abstract level, that process isn’t new. It’s the same one companies have used for years...
At an abstract level, that process isn’t new. It’s the same one companies have used for years to develop compliance with the Sarbanes-Oxley Act, Justice Department expectations for FCPA compliance, or any number of other regulations.
What’s New Is the Urgency of ESG Risk Management
Regulators have been edging toward ESG issues for some time. For example, the Securities and Exchange Commission has guidance pushing companies to discuss climate change risk (although the guidance is 10 years old and has never been the source of enforcement action). The European Union has its Directive on Non-Financial Reporting, requiring large companies to publish sustainability reports.
The real action, however, is coming from people with money to invest or time to spend on social media. Companies are getting squeezed from banks and investment funds on one side and hashtag activism on the other. So ESG risk management is getting pushed up the priority list for boards and the C-suite.
Compliance, risk, and audit teams need to think about how to address that priority. Frameworks and assessments might be more the domain of an audit or risk function; policy and procedure management or internal reporting is more the domain of compliance.
Plus, other functions like procurement or operating units in the First Line of Defense are the ones making the business run in this new, ESG-managed world. So you need their support too, or else ESG will be just another program that looks great on paper but exists nowhere else.
Again, the mechanics of that should feel familiar. In-house risk or compliance committees have existed for years, grappling with SOX or FCPA or cybersecurity or whatever else comes along. Many of the people who serve on those committees would be the same ones serving on an ESG committee — or even better, the risk committee expands its duties to include ESG too.
The urgency is growing, and some frameworks and other tools to address ESG are new. The fundamental process, however, is not.