Delivering ESG in GRC

Written by The GRC Pundit

Published on2021-04-15Updated on2021-04-15Discussion3 Comments on Delivering ESG in GRC

ESG – Environmental, Social & Governance – is all the rage and buzzword with investors, regulators, lawmakers, and citizen activists. Pressure is mounting from multiple fronts for organizations to implement ESG reporting in their organizations. In one respect, this is an evolution of sustainability and corporate social responsibility (CSR) efforts of the past. However, ESG is broader with more momentum. Where CSR and sustainability were too often (but not always) pushed from a marketing perspective, ESG has the momentum and force to become a significant measurement of the integrity of the organization. Integrity in that what the organization commits to in its values is a reality throughout the organization and the extended enterprise.

In a previous blog, Tale of Two Futures: Blade Runner or Star Trek?, I pointed out that a lot of GRC (Governance, Risk management, and Compliance) and ERM (Enterprise Risk Management) programs in organizations are unbalanced and do not reflect reality. If you look at these programs you would think the predominant risk to organizations was IT security risk. That is a significant risk, but I point out in the article that environmental risks and health and safety risks were often buried in other departments and not part of the broader ERM and GRC programs and has to be corrected. This blog was a few months before COVID-19 hit the world and validated my point. Organizations need to restructure their approach to GRC (and its components of governance, risk management, and compliance) to embrace and deliver on ESG monitoring and reporting.

One thing to note, ESG is more than the E (environmental). Too often I see organizations seeing that lead E and they have a perception that ESG is just about environmental values and climate change. It is so much more than this. The S (social) and the G (governance) is just as important as the E in ESG. Let’s unpack this, there are many standards and various definitions for ESG, but we can put a comprehensive view together . . .

• E = Environmental. Measures and reports on the values and commitment of the organization to stewardship of the natural world and environment. It includes reporting and monitoring of the organization’s environmental initiatives for climate change, waste management, pollution, resource use and depletion, greenhouse gasses, and such.

• S = Social. Measures and reports on the values and commitments and now the company treats people. This includes employee and customer/partner relations, human rights (e.g., anti-slavery), diversity and inclusion, anti-harassment and discrimination, the privacy of individuals (both employees and others), working conditions and labor standards (e.g., child labor, forced labor, health and safety), and how the company participates and gives back to society and the communities it operates within.

• G = Governance. Measures and reports on the culture and behaviors of the organization in context and alignment to its values and commitment. This includes finance and tax strategies, whistleblower and reporting of issues, resiliency, anti-bribery and corruption, security, board/executive diversity and structure, and overall transparency and accountability.

ESG crosses business boundaries. The modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is a web of third-party relationships: vendors, suppliers, outsourcers, service providers, contractors, consultants, temporary workers, intermediaries, agents, partners, and more. To truly deliver on ESG requires monitoring and managing the shared values and integrity throughout the extended enterprise of the organization. Legislation and regulation are focused on this, like the European Union’s Directive on Corporate Due Diligence and Accountability with Germany’s corresponding Due Diligence Act (to name one of many).

THE CHALLENGE: Delivering 360° Situational Awareness of ESG

I am getting a lot of inquiries from organizations looking to integrate and automate their ESG and GRC program. To deliver ESG reporting through their GRC strategy, process, and technology.

The official definition of GRC, found in the OCEG GRC Capability Model, is that GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. These are all the effective elements needed to deliver on ESG monitoring and reporting. It starts with the governance and setting the objectives of the organization that are aligned with the values and commitments delivered in ESG statements, from there the organization needs to monitor uncertainty to the objectives and ensure that the organization is acting with integrity to meet these objectives and commitments/values.

However, the technology environment to accomplish this is fragmented. I am getting inquiries from confused organizations that want clarity in who delivers the breadth of true GRC that would include the aspects of ESG. On one side you have platforms that Forrester and Gartner cover in their corresponding Waves and Magic Quadrants. These solutions are more focused on the G in ESG and some aspects of the S, with a predominant focus on information security. Then you have solutions that are covered in the Verdantix Operational Risk Green Quadrant which has a completely different set of solutions covered and these solutions focus more on the E and the other part of the S in ESG. I have been in RFPs where the organization wants a single integrated solution to manage GRC, ERM, ESG, EH&S in one platform . . . to find they have to go with best of breed solutions.

The next generation GRC platform that is going to lead the future is going to bring these worlds together. There will always be best-of-breed specialty risk systems that are integrated into the broader GRC architecture, but organizations need a complete platform that can deliver on 360° situational awareness across GRC areas, including environmental, and health and safety risks and deliver on full ESG monitoring and reporting. The race is on and organizations are looking now.