
ESG Risk Management – Key Aspects You Need To Know

The world’s interdependence has led to an ecosystem of risks that appear to have quantum qualities. How do businesses manage environmental, social, and governance initiatives given this radical uncertainty?

Money is pouring into environmental, social, and governance (ESG) initiatives, investing, and reporting. The value of global assets applying ESG data to drive investment decisions has more than tripled over the eight years to 2020 to $40.5 trillion, according to the research firm Opimas. The Financial Times recently reported that ESG funds would outnumber conventional funds by 2025. But why? A combination of factors, no doubt including COVID-19, awakened our collective sixth sense that Mother Nature is not too happy. There is also enlightened self-interest on the part of capital markets arising from the prospect of traditional business models collapsing over the next decade. While we all have a vested interest in saving the planet and ensuring strong economic growth over the longer term, capital markets matter more than we do for two big and basic reasons. They have the money, and we do not. Investment funds invest people’s savings with a view to sustainability over longer-term returns on those savings. Herein lie heavily regulated fiduciary undertakings, which are fulfilled in a number of ways, addressing the long-term benefits of future generations. A long-term return is clearly dependent on sustainable growth with well-functioning markets and good corporate governance. And ESG issues are drivers of long-term risk, long-term return, or both. For example, business resilience and long-term financial performance are determined by detecting investable signals gleaned from monitoring how well management is managing transition (to Net-Zero) and long-term ESG issues and opportunities. Metrics are proven to be material to a company’s long-term operations and performance.

Three dimensions

There are three principal dimensions to the ESG risk landscape for risk professionals.

First, confusion exists given the alphabet soup of global ESG standards which abound. The good news, however, is that we can expect significant improvements in the near term with much work being done to coalesce principal standards. This will help focus resources and improve the quality of disclosures made by companies. With some 80 percent of S&P 500 valuations attributable to intangible assets, we will shortly see the arrival of “integrated financial and non-financial reporting.”

Second, the quality of third-party ESG ratings and performance analyses is uneven. Pressure on boards to demonstrate pathways to Net-Zero has accelerated the practice of alchemy. Specifically, generating mathematized numbers, in the form of ESG ratings, to accurately reflect what is deemed to be material – that is, what really matters to companies across particular industry sectors. The challenge with this approach is that people can find themselves generating plugged numbers and statements. By this, I mean numbers and statements with no drill-down to source data and which therefore cannot always be independently verified and audited.

Finally, the reliability of ESG risk data provided by companies themselves remains the most complex challenge. Why? ESG pertains to all of the nonfinancial activities undertaken by companies across all of their operational activities. This translates to different people, using different ESG and operational languages, and different ways of measuring risk. Does this sound familiar?

Consider the diagram “MIT reports that ESG data is unreliable,” depicting principal ESG operational challenges. Now add to it supply chain, cyber, privacy, GDPR, antislavery, and anti-bribery data, for instance, all of which fall under the S of ESG. Add to that risk governance, and incident and crisis management, which fall under the G of ESG. What do you see? ERM wine in an ESG bottle.

Risk and reward

Risk and opportunity are conjoined – two sides of the same coin. What joins them together is uncertainty – the quality and reliability of information and knowledge with which to credibly inform decisions toward the achievement of objectives. In essence, anything which can accelerate, slow down or obstruct the pursuit of an objective is a risk. In practical terms, every time we make a decision, we are managing a risk that things might go up or they might go down, they might go according to plan or they might not. That is why framing the ESG risk–reward equation requires that we step back momentarily to consider the big picture. Companies are not created to manage risks. They are created to generate value. Whether it is a charity created to generate social good, or a commercial entity created to generate surpluses across all stakeholders, all entities are created to generate value of one kind or another. Value generation has a natural rhythm to it, the yin and yang of value creation and value preservation. And the decisions we make as we wrestle with both towards the achievement of our organizational objectives are what we call managing risk.

Using risk jargon and looking back, ESG risk has been the proverbial Grey Rhino grazing placidly on the plains over the years – that is, a highly likely but ignored threat. It took the form of a steady flow of weather phenomena, SARS, MERS, Ebola, and so on streaming across our news channels. But then, to mix metaphors a little, a Black Swan appeared. It took the form of a sudden, previously unimagined thing stopping the global economy. The Grey Rhino was the risk source, the Black Swan the global lockdown we have been living with for the past 12 months.

Curiously, however, from this destruction have come new opportunities where the first dividends already received include new ways of working, accelerated digital transformations (significantly in terms of breaking down human resistance to change), and new technologies from sequestering greenhouse gases to reimagined ways of doing old things. Boards intuitively understand that to grow and sustain a business over the longer term we need to risk failure in trying out new things, while nurturing and sustaining the cash cow – while also keeping enough reserves for the rainy day. That is because boards have an appetite for certain types of risks, in pursuit of their value-creation objectives. But they also know that to consistently and reliably generate value over time they need an equally robust approach to value preservation. Here it is likely that strategic leadership will mandate zero tolerance for any downsides. So, for example, risk can only be a bad thing in quality, safety, security, IT, data privacy, and so on, where any deviation from expected results cannot, and will not, be tolerated. The takeaway is that every time we make a decision we are managing a risk toward the achievement of an objective.

Mark Twain

Do multinational corporations (MNCs) know what they know, and do they know what they don’t know? This simple question has a nontrivial answer which reminds me of one of Mark Twain’s quotes: “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” Today we live in a complex non-linear world where very many core functions and processes are outsourced or partnered. This gives rise to networked, extended, distributed organizational structures. When things go seriously wrong, the only option can often be the best of the wicked options and sensing ways forward from there. Hence complexity. In ESG terms, this explains the serious challenges with seeking to establish Scope 3* baselines and transition pathways to future state Net-Zero commitments. At the top of the corporate pyramid, up to 60 percent of S&P 500 companies will have at least one physical asset at risk from climate change. The prospect of significant “stranded assets” on the horizon leads to concerns ranging from value deterioration in many cases to value collapse in others. In the middle of the pyramid, there are 60,000 MNCs in the world, which between them directly control 500,000 subsidiaries which in aggregate account for half the global economy. The rest of the pyramid comprises hundreds of thousands of suppliers contracted by the top and middle of the pyramid. Over recent decades, globalization (and profit at all costs) has caused outsourcing of both core functions and core processes across long, fragile supply chains. MNCs today are highly networked and extended across multiple ecosystems. They are comprised of hyper-interconnected, hyper-interdependent complex systems spread across a multipolar geopolitical world growing in uncertainty.

This leads to one big and basic fact: MNCs are too big to know what is going on in, and across, their ecosystems. ESG risks have a massively compounding effect on existing management challenges. How? Whereas international financial accounting does not require us to report on the financial status of suppliers and partners, ESG standards require that organizations report on Scope 3 emissions (under environmental), work practices across our outsourced suppliers (under social), and competent frameworks across both of those that can “demonstrably and credibly” cause the generation of independently verifiable and auditable information. Not only can organizations not possibly know what they do not know, but now they are required to disclose what they know for sure! So, the key takeaway, to paraphrase Bill Clinton’s quip on the economy: it’s the Ecosystem, Stupid! When the CFO, sustainability, and investment officers ask the CRO for input, do not start with traditional methods, and absolutely do not start generating lists of risks. Step back and look at the bigger picture. The external and internal contexts. Those interconnections and interdependencies between the internal and extended components of the organization. Your ecosystem. If you do not know your ecosystem, you will never join the dots connecting what matters most to the achievement of objectives.

The bear in the woods

There is an old saying that when you are running, you do not need to be faster than the bear, just faster than the other guy. This has direct relevance to ecosystem governance. Ecosystems, digitalization, and the pace of technological advancement give rise to a new type of complex risk. A risk that up until recently could not be seen by the naked eye using traditional risk methods and practices. By traditional practices, I mean those practices born some decades ago which assumed that all risks could, with a blend of trusted technique(s) and thoughtful consideration, be reasonably identified. Once identified, they could then be assessed and demonstrably credible estimates made as to the likelihood of their occurrence(s). This traditional approach is still sound enough at the level of single entities which are not significantly networked and are relatively self-contained. That is to say, they are not part of any ecosystem, the dynamics of which significantly influence the achievement of their business objectives. This approach, however, does not work at the level of MNCs where the norm is to have quantum risks. That is, you have risks which exist in different states, simultaneously, across systems, yet they cannot be observed together. The important thing to understand about these risks is that they are born of ecosystems, and the more complex and dynamic the ecosystem the more difficult they are to identify. They are particularly difficult to identify and assess unless you know how to track and trace them using advanced technologies and agile risk practices.

The governance challenge is huge as the nature of ecosystems is that MNCs only have jurisdiction over those they control directly and only the power of inquiry over those with whom they have good contracts. The solution lies in a governance approach to ecosystem-level transparency directed towards sensing and anticipating faster than your less adaptive competitors who will get eaten by the bear. ESG risks are clearly quantum risks. They are born of your ESG ecosystem, of which you have low to no visibility. The takeaway here is that ESG risks are quantum risks that constantly traverse ecosystems. They are not static, and to see them you need to be able to dynamically monitor your ecosystems. Everything described above can be done reliably, effectively, and affordably. It is not a technology challenge, as such, but a challenge in reimagining new ways of doing old things.

Practical steps

I was reviewing “A practical guide to sustainability reporting using GRI and SASB Standards,” published in April 2021, and noted its excellent case studies. One artifact included a materiality matrix that contained nearly 40 discrete ESG topics across people, profit, planet, and product. It immediately struck me that for all intents and purposes, it could just as easily have been an ERM matrix, albeit with environment and social centers of gravity. These kinds of visualizations of what matters most to an organization can be dynamically linked. First, they can be linked to company objectives where they are tagged to those primary and secondary objectives which underpin performance, as well as other attributes. And they can be linked to company ecosystems so that you can join the dots with actionable insights jumping straight off the screen. However, I would say, particularly to those running committees directed towards answering multiple ESG questionnaires and getting out big 80- to 100-page ESG reports, that they should start small and start smart. Pick two or three things that matter most to your organization today and work on those. Find automation that facilitates fast, effective, and reliable communications across your ecosystem, starting with a small part of your ecosystem first. It is as simple and as complex as that.

This article was first published in the Enterprise Risk magazine of the IRM. Peadar Duffy, the author, is the founder and director of SoluxR which is an ESG Risk as a Service (RaaS) provider and a member of IRM’s Innovation Special Interest Group.

