Published

The New Urgency for ESG Risk Management

“ESG risks” is one of those somewhat maddening terms of art in corporate compliance. It’s clear enough to understand that environmental, social, and governance issues are things a company shouldn’t ignore — but also too imprecise for compliance and risk professionals to have a standard process for dealing with them. 

That may be starting to change. 

For example, banks are starting to ask more probing questions about ESG risks when considering whether to lend money to corporate customers. That makes sense; if banks are lending to a real estate developer who wants to rehab an urban waterfront, they want to understand that project’s risks from climate change. If they’re lending to a firearms business, they want to know the risks around gun control legislation or litigation over mass shootings. 

The fund will push companies to disclose more about ESG risks and give more support to shareholder resolutions calling for companies to do more about climate change. 

The banks aren’t alone. BlackRock, the largest investment fund in the world, just announced that it will pay far more heed to climate change and sustainability issues as it decides where to invest its $7 trillion pile of cash. The fund will push companies to disclose more about ESG risks and give more support to shareholder resolutions calling for companies to do more about climate change. 

What’s interesting is that banks and BlackRock aren’t pushing companies to take specific stances on ESG issues They simply want companies to disclose their ESG risks in a more structured manner. They want to know how a company has quantified and mitigated those risks, so they can make better investment decisions.

As often happens, that requires a blend of compliance and risk management. One without the other won’t do much.

Begin With a Bigger Risk Assessment

To assess your ESG risks accurately, you first need a framework or set of standards to assess your business operations against. Compliance and risk officers have numerous choices. 

For example, the Sustainability Accounting Standards Board (SASB) has been publishing industry-specific sustainability standards since 2011. It has standards for 77 industries, from mining to food & beverage to transportation plus many more. SASB has also developed a set of standards for sustainability issues it deems financially material — an important consideration for publicly traded companies. 

SASB isn’t the only option. The Organization for Economic Co-operation and Development (OECD) has its Due Diligence Guidance for Responsible Business Conduct, published in 2018. The Corporate Human Rights Benchmark ranks large companies based on their sustainability disclosures, and lists what those disclosures are. ISO 26000 offers a path for social responsibility, although technically it’s only guidance rather than a formal ISO standard where a company can certify its compliance. The Global Reporting Initiative (GRI) is yet another. 

None of these standards are legally required; a company can choose which one makes the most sense for its own operations. Some even complement each other. For example, you might choose to use SASB or GRI standards for disclosure, and follow the OECD guidance to perform the supply chain due diligence that will inform what you ultimately disclose. 

From there, the mechanics of the next steps should sound familiar. The company performs a gap analysis to see how its current operations differ from ideal ESG standards. You use tools to track remediation steps, test improvements, and document progress. The data is fed into a sustainability report that can be disclosed to investors, lenders, consumers, or anyone else. 

At an abstract level, that process isn’t new. It’s the same one companies have used for years...

At an abstract level, that process isn’t new. It’s the same one companies have used for years to develop compliance with the Sarbanes-Oxley Act, Justice Department expectations for FCPA compliance, or any number of other regulations

What’s New Is the Urgency of ESG Risk Management

Regulators have been edging toward ESG issues for some time. For example, the Securities and Exchange Commission has guidance pushing companies to discuss climate change risk (although the guidance is 10 years old and has never been the source of enforcement action). The European Union has its Directive on Non-Financial Reporting, requiring large companies to publish sustainability reports. 

The real action, however, is coming from people with money to invest or time to spend on social media. Companies are getting squeezed from banks and investment funds on one side and hashtag activism on the other. So ESG risk management is getting pushed up the priority list for boards and the C-suite.

Compliance, risk, and audit teams need to think about how to address that priority. Frameworks and assessments might be more the domain of an audit or risk function; policy and procedure management or internal reporting is more the domain of compliance. 

Plus, other functions like procurement or operating units in the First Line of Defense are the ones making the business run in this new, ESG-managed world. So you need their support too, or else ESG will be just another program that looks great on paper but exists nowhere else.

Again, the mechanics of that should feel familiar. In-house risk or compliance committees have existed for years, grappling with SOX or FCPA or cybersecurity or whatever else comes along. Many of the people who serve on those committees would be the same ones serving on an ESG committee — or even better, the risk committee expands its duties to include ESG too. 

The urgency is growing, and some frameworks and other tools to address ESG are new. The fundamental process, however, is not. 


Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.


Watch Out for Hoax Reports to Your Hotline
ESG Ownership: Compliance, Convergence and Opportunity

Our 2020 Risk & Compliance Trends & Predictions

Every year as we prepare to launch our annual Top 10 Risk & Compliance Trends report, we discuss the complexity of the environments in which our organizations operate. This year is no different; however, how we are approaching that complexity is. Here is an overview of the key themes we are seeing in 2020.

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

5 Tips for Managing Third-Party Cybersecurity

Companies are rightfully concerned about data breaches. High profile cases show the value of managing third-party risk before major incidents can occur. Here are five tips to engage.  

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.

Comments