As organizations navigate a changing risk landscape, the complexity of new risk factors has prompted their stakeholders and regulators to demand that they reconsider how they conduct their business. Organizations are being asked to make substantive changes to further instill accountability, transparency and sustainability at all levels of their operations. In particular, there has been an emphasis on instituting environmental, social and governance (ESG) programs in organizations.
While much of the focus so far as been on the needs and benefits of adopting ESG principles in organizations, the actual process for implementing these changes has been unclear. This knowledge and practice gap persists because there has been limited information available to guide risk professionals on how to support their organization and manage ESG risks. One way for risk professionals to accomplish this is to use an enterprise risk management (ERM) program to create a systematic and holistic approach to managing ESG risks as part of the broader risk portfolio. By taking the practical steps outlined in this article, risk professionals will be better equipped to integrate and manage ESG risks through their ERM program.
The Value of an ESG Focus
ESG has garnered greater attention in recent years, especially given the broad range of areas it touches. The increased focus on ESG principles and practices can provide organizations with a framework to understand the sustainability of the business. As transformational changes are made that instill and promote ESG practices, organizations can realize benefits like:
- Establish a competitive advantage: Adapt and
capitalize on -changing environmental and socio-
economic conditions with strategic growth and cost reductions that help set the organization apart from its competitors
- Embrace a culture shift: Attract and retain top talent as more -individuals are looking to work for organizations with strong ESG principles where they can contribute to the greater good
- Enhance brand: Create awareness and demonstrate a commitment to incorporating ESG principles into
business practices across the organization
- Enhance risk posture: Tailor risk solutions to enhance the organization’s position with regard to current and emerging ESG risks
As organizations continue to incorporate ESG factors into their operational and strategic decision-making, adopting an integrated approach to managing ESG-related risks will become critical to their success. Organizations will need a standardized approach to identify, measure and manage ESG risks across their organization and clear and effective ways to communicate ESG activities to their stakeholders.
Adopting the ERM Perspective
As ESG continues to influence the overall risk posture of an organization, it will require the same level of attention and focus as any other risks. ERM provides a holistic and systematic approach for an organization to manage its portfolio of risks, and it may offer particular value in the context of these complex, long-term issues. It enables organizations to systematically identify, assess and monitor potential, actual and emerging risk exposures. In turn, identified risk exposures and their associated treatment and mitigation plans inform enterprise-wide planning, risk-informed decision-making, and provide insight into key business activities such as strategy, operations and audit.
Using an ERM approach to address ESG risks as part of the broader risk portfolio will allow organizations to engage and empower stakeholders to focus on the appropriate management of ESG risks, and make improvements across the following areas:
- Risk culture: Drive risk-based dialogue and decision-making at all levels of the organization to empower an integrated approach to managing ESG risks.
- Risk insight: Enhance ESG risk awareness to improve the organization’s ability to manage current risks and proactively identify emerging risks.
- Resource allocation: Identify risk exposures to inform how and where to invest resources that will have a direct and sustained impact on improving ESG risk posture.
- Risk acumen: Advance risk intelligence to enhance -organizational expertise through professional -development to effectively manage ESG risks across
- Risk integration: Implement risk management controls within core business practices to strengthen the first layer of defense against ESG risks.
Integrating ESG into an ERM Program
Risk professionals can take five specific steps to integrate and manage ESG risks through an established ERM program. These steps emphasize early engagement, operational integration, program scalability and data utilization.
1. Engage ESG Leads Early
As part of its ESG strategy, an organization needs to appoint leads to guide implementation of the strategy and support efforts to develop initiatives and meet specific goals. Since it is essential to manage ESG risks in a systematic and efficient manner, ESG efforts will need to be aligned and integrated with the organization’s ERM program. Risk professionals should engage ESG leads early to discuss ways to manage ESG risks across the organization.
Upon engagement with the ESG leads and ERM committee, risk professionals should confirm the team members responsible for implementing the strategy, goals and initiatives. These individuals will become the leads for each of the specific ESG risks.
2. Derive ESG Risks from ESG Strategy
An ESG strategy will likely outline the specific goals and initiatives and will convey tangible actions that the organization will take to achieve desired outcomes. As risk is a deviation from an expected outcome or a degree of uncertainty to achieving that expected outcome, the risks monitored will need to align with the ESG strategy. Risk professionals must review the ESG strategy, goals and initiatives and work with the ESG risk leads and ERM committee to identify the ESG-related risks to monitor. In addition, risk professionals will need to identify instances of upside or downside volatility, which will provide a more accurate outlook on likelihood of gain or loss in value.
Once the ESG risks align with the ESG strategy, goals and initiatives, risk professionals can work with the team to validate and document the risk statement and volatility scenarios.
3. Determine Risk Appetite for ESG Risks
Organizations often manage their risk profile within the parameters of their risk appetite. This informs their willingness to seek or accept a certain degree of risk in pursuit of achieving their desired outcome for a strategy, goal or initiative.
Since risk appetite concisely articulates the attitude toward risk-taking throughout the organization, it will need to apply to ESG risks so that all stakeholders have a clear understanding of the degree of exposure that the organization is willing to accept. Risk professionals will need to work with ESG risk leads and the ERM committee to develop a risk appetite statement, which will provide guidance to operationalizing the appetite for the specific ESG risks.
Once the risk appetite statements align with the ESG risks, risk professionals should consider providing tangible upper and lower limits to clearly convey the scenarios to their various stakeholders.
4. Adopt a Holistic Approach to Manage ESG Risks
Organizations with an established ERM program should not reinvent the wheel when it comes to addressing ESG risks. Instead, organizations should leverage established ERM programs to provide a systematic and holistic approach to manage ESG risks.
An established ERM program will be made up of different components (e.g., governance, framework, policies, procedures), and these components should be amended to account for ESG risks. Risk professionals will need to pay special attention to the following components:
- Risk identification: Integrate ESG risks into risk survey questions and have respondents rate these risks on likelihood, impact and velocity.
- Risk assessment: Adapt risk assessment scales of likelihood, impact and velocity to be applicable for ESG risks.
- Risk controls: Adapt risk response plans to ensure a holistic approach to managing ESG risks, including avoiding, preventing, transferring and mitigating risks.
- Risk dependencies: Integrate ESG risk dependencies such as driver and impact to demonstrate correlation with other risks and activities in the organization.
After the ERM program accounts for ESG risks, risk professionals should concisely summarize the amendments and inform the ESG risk leads and the ERM committee. Risk professionals should also clearly document the ESG risks and risk responses, as well as any dependencies throughout the organization.
5. Leverage Data to Assess ESG Risks
As part of any established ERM program, data is essential to monitor risk exposure and risk treatment plans and assess whether the organization is effectively managing its risk profile. Established ERM programs will rely on properly selected data to inform risk-based dialogue and decision-making. To monitor exposure and progress, decision-makers will need a full understanding of the risks. Risk professionals should work with the ESG risk leads and ERM committee to select the appropriate indicators for each of the ESG risks. Part of this process is determining whether sufficient and quality data is available in the organization. This may also warrant a conversation with business functions that oversee data and information systems.
Once there is consensus on the key risk indicators and data sources, risk professionals need to document the agreed-upon indicator and the rationale for selecting it. In some cases, the risk professional will need to document how the data for the indicator is extracted, as that can have an impact on the reported data.