How ESG Cultivates a New Paradigm in Risk Management
This article was first published by David Sütterlin, Partner, Head of Risk Consulting at Ernst & Young Switzerland. You can read the original version here.
In brief
- From compliance over reputation to resilience, understanding ESG risks and opportunities is crucial for any business.
- We highlight seven key areas to focus on when integrating ESG aspects into organization’s overall risk management.
In a global business landscape marked by constant change, understanding and navigating risks is an integral part of building organizational resilience and solidifying reputation. In this context, the increasing focus on environmental, social and governance (ESG) factors is a trend that challenges companies from multiple perspectives, including its risk management practices.
The regulator constantly specifies increasingly detailed requirements, companies enter into public and internal commitments, and other stakeholders - from board members to customers and investors - raise their expectations and hold them accountable. It means managing ESG risks has become compulsory exercise and a matter of trust. According to the 2023 EY Global C-suite Insights Survey, more than 81% of organizations already have a CSO or equivalent position within their leadership hierarchy. And 9 out of 10 executives report board oversight of their organizations’ sustainability and ESG agendas.
Crafting a robust ESG strategy is not merely an optional supplement, but a fundamental component to achieve long-term business resilience. Vigilant and integrated ESG risk management serves as the backbone of a solid business strategy, linking ESG factors with traditional risk aspects, providing not only a comprehensive and risk-based approach to risk mitigation, but also the ability to identify unexpected opportunities.We highlight seven areas to focus on as you move toward holistic, integrated risk management that includes sustainability aspects.
Integrated ESG risk management
A lack of roles, responsibilities and adequate capabilities can lead to inconsistent and uncoordinated risk management processes across the organization especially when it comes to the integration of ESG aspects.
Therefore companies need to review their governance structure for alignment with stakeholder expectations and establish an integrated Risk Appetite Framework incorporating expertise from relevant functions (such as sustainability teams). With that streamlining the Risk Management Taxonomy and methodology can be assured. This needs to be backed up by relevant documentation such as policies, procedures, and RACI matrices to govern ESG risks relating roles and responsibilities.
Double materiality
A double materiality assessment evaluates both how sustainability risks impact a company's finances and the effect the company's activities have on society and the environment. By facilitating future planning and risk management, strengthening accountability to stakeholders, society and the environment, and providing information for strategic decision-making, it becomes a critical element of the company's sustainability plan.
Assessing double materiality comprehensively can be resource-intensive and requires specific expertise and benchmarks. Companies might lack the necessary resources or prefer to allocate them to core business activities. At the same time, organizations can struggle to integrate the outcome of a double materiality assessment into an existing business strategy and (risk management) processes.
To progress in this area, organization’s need a detailed picture of their business practices and operations along its value chain. External expertise of validated frameworks and methodologies can be helpful in conducting a comprehensive double materiality assessment.
Third-party risk management
Third-party risk management has become more important due to ESG aspects because a business's ESG risks can extend to its partners, suppliers, and other affiliated third parties, potentially impacting the business's overall sustainability and reputation. By adopting robust third-party risk management, businesses can better control these risks, align operations with their ESG objectives and ensure that their business practices meet regulatory, ethical, and social standards.There is often no single ownership and transparent inventory of third-party relationships, which is a breeding ground for potential gaps and overlaps in risk management activities.
Considering this, we recommend the creation of risk assessments, surveys and screenings from vendors that can be used in combination with control frameworks and regulations. For that it is important to create transparency and centralize the data sets of third-party providers to get a consistent perspective on the risk profile and assessment data. Technology-enabled solutions support automated due diligence, continuous monitoring and analysis of opportunities and threats.
Internal controls
Many companies apply an ad hoc and siloed approach to internal controls in the ESG context, without applying common frameworks and metrics. This approach brings the risk of gaps or errors at a time when stakeholder expectations are rising and confidence in ESG disclosures is critical.
A readiness assessment will help organizations to evaluate their internal control framework and create a roadmap from an ESG perspective. Effective policies and controls are key to support the integration of ESG matters into its control systems, including the design of related business and IT controls. Companies may also like to consider getting attestation services for assurance on key ESG metrics and reporting.
Internal audit
Leading internal audit functions provide a strategic partnership to an organization's ESG programs - providing proactive insights and assurance to increase confidence in managing ESG risks, measuring and reporting progress, and achieving defined ambition and targets.
A comprehensive analysis will help businesses to understand ESG gaps in their internal audit function. This should cover internal audit ESG awareness, capabilities and capacity. The goal is to achieve an integrated approach across all related functions and three lines of defense. Investing in external expertise with a focus on ESG Risk Management can be a quick and efficient way to get a businesses’ internal audit function where it should be.
ESG program risk management
Faced with the need to run a transformative ESG program, organizations may struggle for various reasons, including lack of stakeholder buy-in, higher ESG program costs and challenges around realizing the intended benefits.
Risk, quality, benefit and performance management are the foundational focus areas to help management make well-informed decisions,increase stakeholder buy-in and ensure a successful implempentation.
In a first step, companies should review their ESG transformation program and perform a feasibility analysis based on best practices and benchmarks. Working from this basis, a roadmap for the program, including immediate mitigation measures for identified risks and a plan to realize benefits can be created
Technology enablement
Technology based enablers can be a valuable addition to an organization’s ESG governance risk and control landscape – but only if they enhance existing capabilities. Otherwise, they can be an additional burden and worthless investment for the organization and governance.
To derive value from technological enablement, it is important to first define technical and business requirements. If in-house expertise to do this is not available, seek external support to guide you through vendor selection process and manage the process of tool implementation and roll-out. As with any new technology, user trainings are essential to get personell up to speed quickly and support them on the change journey.
Summary
Navigating ESG risks and opportunities holistically ensures preparedness and adaptability to evolving business landscapes, reinforcing organization’s resilience and supporting your efforts to build trust and achieve external and internal sustainability ambitions. Working with an experienced and knowledgeable external provider can smooth company’s journey toward effective, integrated risk management.
About the Author
David Sütterlin leads the Enterprise Risk team of EY in Switzerland. He has been advising national and international clients on Risk Management, Internal Audit, GRC/IRM platform strategy and SAP transformations for over 13 years, mainly focusing on the health care and life sciences sector.
In the context of “Sustainability Governance, Risk & Compliance”, he helps organizations integrate ESG into their core business strategy to create long-term, sustainable value for all stakeholders; manage related risks; and implement a digitally enabled ESG governance and control framework that meets regulatory requirements. See the whole profile.