Integrating sustainability into risk management
Given that sustainability issues are being discussed in the media every day, business – as a fundamental stakeholder within society – ignores this topic at its peril. The push for regulation is slowly pressuring organisations to understand and monitor their sustainability impacts and subsequently integrate them into their company-wide risk management systems. To assist these corporations, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the World Business Council for Sustainable Development in their draft guideline “Enterprise Risk Management – Integrated Framework” have collaborated to provide guidance on how companies should integrate ESG risks into their enterprise risk management systems.
The key finding from our interviews is that the systematic integration of sustainability issues into risk management is only at the beginning of its journey. Most companies surveyed are coming up against obstacles before achieving anything near effective integration. Included below are some of the articulated challenges.
Challenge 1: The time period for certain ESG issues to create an impact
More than half of the companies surveyed indicated that a major challenge is the perceived time it takes for sustainability risks to cause or contribute to negative impacts. Currently, risk management typically operates and focuses on short- and medium-term time horizons. However, certain sustainability issues, such as the impacts of water scarcity and climate change, are taking much longer to have a business impact. Per our 2018 Global Water Risk survey, an important number of participants did not see this risk becoming a real concern for another 10 years. It is difficult for management to prioritise or allocate resources to such long-term risks (over shorter-term risks), and therefore the existence of these risks does not necessarily translate into corporate action.
Challenge 2: Lack of awareness of sustainability in the business context
Although most of the risk managers interviewed were aware of sustainability topics, very few had really seen any progress in recent years and did not believe that they were important for their businesses. Issues around climate change and corporate impacts on people do not seem to have permeated the membranes of most enterprise risk management systems in the organisations where we conducted interviews. Indeed, only one of the companies referred to specific climate change and environmental protection risks. Not one company referred to human rights risks (including labour risks), be they in their own organisation or in their supply chains. This was another surprising finding, given the level of media coverage on poor working conditions, child labour, and modern slavery. This reinforces the view that many companies are barely at the start of their ESG journeys with regard to integrating issues into their risk management processes. Given that the UN Global Compact has been in existence for almost 20 years, the embedding of its four pillars now needs to be prioritised, and at some level addressed within risk registers.
Challenge 3: Materiality
Although sustainability issues may not rank high on risk registers, the risk managers with whom we spoke did indicate that they are looking to develop an understanding of what sustainability means within their risk universe. Not unsurprisingly, when risk and sustainability come together, the question of materiality becomes a central challenge. The approach to materiality has a fundamentally different starting point for sustainability risks than for conventional financial risks. In order to assess key risk areas, one first needs to consider the impact that the company has on the environment and on the people with whom its products or services interact – not initially on the business itself (as with financial risks). Those that pose the greatest potential to have a severe and negative impact on the environment and/ or people are likely to result in a material risk to the company. These are the risks on which risk managers should focus. By following this process, they introduce a concept of prioritisation.
Challenge 4: Moving from the nice words in the sustainability reports to making a tangible difference to the business model
Regulators around the world have identified that the front ends of annual reports, which generally include sustainability issues, need to be more fair and balanced. This means not only reporting the good but also the risks and obstacles that the companies face. This is a real challenge for many. Even if companies want to report on a negative impact or risk (which is likely to already be public in some form or other), their general counsels are more likely than not to advise against public comments. However, what is being seen in practice is that when companies are prepared to report in more balanced ways, the whole report becomes more credible and believable, rather than being viewed as a marketing document. So although some companies have set up steering committees for general sustainability issues that have public reporting within their remit, from the companies interviewed, these sustainability issues do not appear to be filtering through to operational risk management.
Challenge 5: Sustainability risks exist beyond contractual relationships
Throughout the world, governments are introducing legislation that makes companies responsible for behaviours beyond their first-tier suppliers – just look at the various pieces of Modern Slavery legislation. Often the most severe and negative ESG risks are those that arise several tiers down the supply chain, where there is no legal relationship with the top organisation. However, governments have recognised that it is these top organisations which use their influence and leverage to address these risks. This may be a complex challenge for risk management to grapple with, but just because it is complex does not mean it should be ignored.
One big opportunity: The importance of leadership from top management
Several of the company experts surveyed clearly recommend that the impetus for integration should come from top management and that the Executive Board should actively promote the topic. This is essential. Without leadership from decision-makers and the right tone from the top, they can hardly expect the rest of the business to pursue a sustainable path, let alone expect risk management to address sustainability risks when they do not see them as strategic priorities. Fundamentally, embedding sustainability practices within an organisation requires cultural change – and the behaviours of senior management have a huge influence on this culture. They need to message the importance of sustainability, articulate why it is important for their business, build it into their strategic models, include incentives that promote good sustainability behaviours and not the opposite, and be consistent with their public statements inside the organisation. As former COSO Chairman Bob Hirth says, “Risks to sustainability are ultimately also risks for companies, even if they are new and emerging, complicated or long-term. Issues such as climate change, human rights, or scarcity of resources have the potential to influence the profitability, success, or even survival of organisations.” A risk management system that does not address sustainability issues will forever remain incomplete.
About the enterprise risk management - Integrated framework
Entities, including businesses, governments and non-profits, face an evolving landscape of environmental, social and governance (ESG)-related risks that can impact their profitability, success and even survival. Given the unique impacts and dependencies of ESG-related risks, COSO and WBCSD have partnered to develop guidance to help entities better understand the full spectrum of these risks and to manage and disclose them effectively. This guidance is designed to help risk management and sustainability practitioners apply enterprise risk management (ERM) concepts and processes to ESG-related risks.
COSO’s Enterprise Risk Management — Integrating with Strategy and Performance (COSO ERM Framework) defines risk as “the possibility that events will occur and affect the achievement of strategy and business objectives.” This includes both negative effects (such as a reduction in revenue targets or damage to reputation) as well as positive impacts (that is, opportunities such as an emerging market for new products or cost saving initiatives).
“This application guidance to the COSO ERM framework is something that can have a massive impact. For those of us who know the relevance of COSO, this is a major step toward the vision that business can speed the transition to a more sustainable world,” says Peter Bakker, President and CEO at WBCSD. “When companies have a better grasp on their risks, they can make better business decisions – often with more sustainable outcomes. We believe this work will help drive positive change in corporate governance, worldwide.”
Highlights of the guidance include:
• Approaches to overcome ESG-related risk challenges across the ERM process, from governance to risk identification and assessment through to communication and reporting;
• Innovative responses to manage both the upside and downside of ESG-related risks;
• Methods for developing and maintaining a culture of continuous improvement for managing ESG-related risks.
This article first appeared in the Global Goals Yearbook 2019, “Aligning profit with purpose”, published by non-profit Macondo Foundation with the support of Mazars.
Source: Respective study p. 1 and World Business Council for Sustainable Development release from October, 23, 2018