For years, many Chief Risk Officers (CROs) and Chief Sustainability Officers (CSOs) have operated in silos. But with ESG risks growing more prominent, it’s time to break down these barriers, and operate as one team. The more closely the risk function and the ESG function work together, the better prepared they will be to respond to all kinds of risks.
Here are six reasons to integrate ESG into ERM:
ESG is not just a risk, but a BIG one:
ESG risks are closely linked to other enterprise risks. For example, the failure to lower carbon emissions could adversely impact a company’s reputation, compliance posture, and financial health. These risk relationships are best understood when ESG risks are mapped to other enterprise risks. The result is a more nuanced risk understanding that can help companies define the scale, scope, and context of their risk management activities. Better risk visibility also allows stakeholders to assess and make more informed decisions about which risks to prioritize and manage.
Use resources more efficiently:
When ESG risks are managed as part of a centralized ERM program, companies can enrich risk data while eliminating the duplication of effort, minimizing risk gaps, and optimizing capital allocation.
Strengthen first-line involvement:
The people on the front lines are often the best positioned to spot emerging ESG risks, such as a child labor issue in the supply chain. These timely insights can help companies act on ESG risks and opportunities proactively. Therefore, it’s imperative that the first line be involved in ESG risk identification and assessment. Many ERM programs already have clearly defined risk management roles and responsibilities for the first line, which ESG teams can easily capitalize on.
Improve risk reporting:
ERM taxonomies use a common, consistent language to identify, assess, and report risks. When ESG risks are expressed in these terms, decision-makers can better understand how an ESG issue like improper waste management or a lack of employee diversity can impact corporate strategy and objectives. This makes it easier to secure investment for ESG initiatives.
Boost compliance and resilience:
Compliance requirements such as the TCFD recommendations expect companies to incorporate ESG risks into ERM programs. Long-term corporate viability also depends on a company’s ability to predict and respond to all risks and opportunities – including ESG-related ones.
Evidence of an integrated risk management program suggests that ESG has been embedded into – and not simply bolted onto – the company’s strategy and operations. Greenwashing concerns are also eliminated when ESG is made part of an established ERM program. It indicates that the company is committed to doing the right thing which, in turn, strengthens credibility with shareholders, investors, and customers.
Many companies already have an ERM program to identify, assess, and manage risks. Even in the absence of such a program, companies usually have defined risk management roles, responsibilities, and tasks. These measures provide a starting point for ESG risks to be identified and managed with confidence. Here’s how to capitalize on the synergies between ERM and ESG for better business resilience:
With environmental and social risks intensifying, it’s important that companies articulate just how much ESG risk they’re willing to tolerate in pursuit of their strategic objectives. For example, eliminating all plastic packaging may be too great a financial risk for an eCommerce company. However, switching to renewable energy may be a more viable option.
These kinds of decisions are easier to make when companies have a good understanding of their ESG risk tolerance levels in the context of their larger enterprise risk appetite. With these insights, stakeholders can then adjust ESG and risk strategies for optimal outcomes.
Incorporating ESG risks into existing risk registers does two things. One, it elevates the significance of ESG in senior management discussions. Two, it improves visibility into how ESG risks influence and interact with other enterprise risks.
ESG risks can be identified through a range of methods including risk interviews, online surveys, and risk workshops with investors, customers, and the board.
How well do you know your ESG risks?
ESG risks range from the broad to the specific, including:
Some companies map out their enterprise risks – including ESG risks – at least once a year. This helps them identify which risks need to be addressed as a priority.
Many companies also use a single source of risk truth to improve risk visibility. They map ESG risks to other enterprise risks, as well as to controls, testing processes, compliance requirements, risk owners, reporting lines, and strategic objectives – all in one integrated data model. The result is a holistic risk view that empowers management to make better-informed decisions and provide better risk oversight.
One of the biggest barriers to ERM-ESG alignment is a lack of communication between risk management and ESG functions. The ESG team doesn’t always speak the same language as the risk team. Equally, risk professionals aren’t often trained to understand, analyze, and respond to ESG risks. This must change if we want to enable a targeted and meaningful approach to ESG risk management.
Many companies have talked about the difficulties of understanding and quantifying ESG risks. These challenges can’t be solved in silos. ESG and ERM teams must work together toward setting risk evaluation standards, best practices, and scoring methodologies that can be equally and consistently applied across all risk types. Since ERM programs already deal with multiple risk types, they must evolve to include ESG risks.
Effective ESG risk management also requires collaboration between ESG teams and other functions, including HR, Legal, and Supply Chain Management. Their collective inputs can help companies build a richer and more nuanced picture of ESG risks in the context of other business risks.
Questions to consider
• Are there opportunities in your company for cross-functional collaboration on ESG risks and issues?
• Is your CSO involved in creating and reviewing the risk register?
• Does the ESG team have a representative on the ERM committee?
• Are ESG terms translated to fit ERM taxonomies?
ESG risk management requires a disciplined approach with well-defined roles, responsibilities, and processes. The best way to start is with ERM frameworks like this one issued by COSO and WBCSD. It provides practical guidelines for companies to navigate and manage emerging ESG risks – particularly sustainability risks.
ESG risks can be identified and assessed using a range of qualitative and quantitative methods – including a megatrend analysis, SWOT study, ESG materiality assessments, stress testing, and what-if scenario analysis. These tools, when used as part of an ERM program, help companies understand the severity of ESG risks in relation to other enterprise risks. Management can then prioritize the risks that need the most attention.
Risk responses can vary based on a company’s unique risk profile, appetite, and tolerance, as well as the costs and benefits of each response. It helps to have an ESG subject matter expert who can provide insights and guidance on the appropriate risk treatment.
ESG risk management activities must also be reviewed regularly and modified where they prove ineffective. Well-defined key risk indicators and key performance indicators can alert management to changes that call for renewed risk identification or a revised response.
Many third-party risk management programs focus on operational disruptions, bribery, corruption, and compliance risks. But ESG risks are equally important, given that an organization’s supply chain can account for more than 90% of its greenhouse gas (GHG) emissions.
Incidents of child labor, worker exploitation, and health and safety issues can also surface across supply chains. Companies have a responsibility to monitor and mitigate these risks through proper third-party screening, periodic risk assessments, and ongoing monitoring and due diligence.
This is where it helps to integrate ESG with third-party risk management as well as ERM. Having a common platform for all this data can greatly improve risk visibility. It gives management a more nuanced and contextual understanding of ESG risks across the supply chain.
An integrated platform also helps ESG and supply chain governance teams communicate and share data with ease, thus minimizing redundancies and enabling a more holistic approach to third-party ESG risk management.
At MetricStream, we recognize that ESG isn’t a standalone process. It’s deeply connected to ERM, as well as governance and compliance. When all these elements are managed in an integrated and collaborative manner, companies can reduce risk exposure, drive growth, and strengthen stakeholder confidence.
MetricStream ESGRC integrates ESG with governance, risk, and compliance (GRC) in one powerful product. It streamlines and automates ESG risk assessment, management, and monitoring across the enterprise and third-party ecosystem, while also simplifying ESG compliance and disclosures.
MetricStream ESGRC is part of our ConnectedGRC suite of products, which enables a holistic approach to ESG, ERM, cyber risk, and multiple other GRC processes.
Discover how MetricStream ESGRC can help you get ahead of ESG risks.
Sources
TCFD Workshop – Session 4: Risk Management, February 2022
Sustainability and enterprise risk management: The first step towards integration – WBCSD
Enterprise Risk Management: Applying enterprise risk management to environmental, social and governance-related risks, Executive Summary – COSO and WBCSD, October 2018
Environmental, Social and Governance: An integration to long-term strategy via risk management – KPMG, April 2020