ES-G-RC – The Role of GRC in Delivering ESG
ESG – Environmental, Social, Governance – remains front-page business news. Organizations around the world and across industries are challenged to define, implement, and report on ESG. The pressures are coming from all directions: investors, customers, employees, regulators, and activists. The reality is that ESG has teeth, and organizations have to do something about it.
Previous iterations of ESG were Corporate Social Responsibility (CSR) and Sustainability. These were often passed around the organization like a hot potato and frequently landed in the lap of marketing as a branding exercise. This is not the case with ESG; the risk exposure to the organization is too great. I find that the Corporate Compliance and Ethics Officer (CECO) is the most common role leading the coordinated/federated ESG strategy in the organization. The goal is to be an organization of integrity, ensuring that its values, ethics, statements, and commitments are a reality in practice, process, relationships, and transactions.
However, understanding ESG is complex. What I see happening in organizations reminds me of the parable of the blind men and the elephant. One blind man touches the tail and thinks it is a rope, another touches the body and feels a wall, and another touches a leg and says it is a tree. The same is happening with ESG as different functions/departments see only what impacts them. Some focus on the E for the environment and think that is the most important since it leads the acronym ESG. Others are focused on the S, and others on the G. All three are critical and intersect with each other.
As a guide, but not exhaustive, ESG covers:
- Environment. Climate change, natural resource utilization, pollution and waste, biodiversity, certification, carbon footprint/emissions.
- Social. Child labor, forced labor, socio-economic inequality, privacy, personal data use, diversity and inclusion, working conditions, health and safety, product liability.
- Governance. Corporate governance, fraud, anti-bribery and corruption, anti-money laundering, internal controls over financial reporting, security, corporate conduct and behavior, anti-competitive practices, tax transparency, ownership and structure.
There is no single global standard for ESG. There is some reporting guidance, the most popular being the Global Reporting Initiative (GRI) and what is now the Value Reporting Foundation (the merger of the International Integrated Reporting Council (IIRC) and the Sustainability Accounting Standards Board (SASB)). None is complete; each has its own perspective. The organization is left to develop a strategy and process that delivers what it needs to report to its respective/interested stakeholder groups.
GRC: the Missing Link in ESG Strategy & Processes
Organizations need more structured guidance on how to deliver on ESG strategy and processes across the diverse areas of ESG.
Enter Governance, Risk Management, and Compliance (GRC). Ironically, all the elements of ESG are part of a well-structured GRC strategy. When I first defined and used the GRC acronym back in February 2002, I had in mind a complete view of organization objectives, risks, and compliance/controls with an architecture that unifies strategy, process, accountability, and reporting. The OCEG GRC Capability Model and its supporting guidance have included all the areas/components of ESG for the past fifteen years.
The official definition of GRC, found in the GRC Capability Model, is that GRC is a capability to reliably achieve objectives [GOVERNANCE], manage uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. You start with the objectives of the organization, which can be entity-, division-, department-, process-, project-, or asset-level objectives, and from there you have the context to manage risk/uncertainty and act with integrity.
The common core element of the ESG and GRC acronyms is the G for governance. A good ESG strategy is going to start with a strong governance structure. It is here that the organization sets clearly defined objectives for ESG overall, for each component/area of ESG, and for the various sub-elements. Once objectives are established, the organization can assess, monitor, and manage uncertainty to those ESG objectives: risk management. From there, the organization can provide assurance and report that it is operating with integrity in the context of its stated ESG statements, commitments, and obligations.
Let’s now apply the GRC Capability Model to an ESG specific context. The GRC Capability Model has four components: Learn, Align, Perform, Review. Applied specifically to ESG, this is how it works:
- LEARN. Here we clearly understand both the internal and external ESG context of the organization. The external context includes what is expected of the organization from stakeholders, regulators, customers, and other influencer groups for ESG. The internal context looks at what executives and employees are doing and expect, and at the processes, transactions, and relationships of the organization. Learn then takes a close look at the organization’s culture, how it aligns with ESG, and how it may need to adapt. Finally, it identifies and documents the stakeholders that are part of the ESG program, along with reporting requirements and relationships.
- ALIGN. Next, we have to align the organization to work together as an ESG team and clearly detail the ESG objectives, risks, and controls. This starts with direction in providing an established ESG working group/committee led by someone with authority to deliver on ESG and GRC. The overall objectives of ESG are documented, and the process begins to identify the supporting objectives and related risks in ESG. These objectives and risks are assessed for uncertainty and conformance to requirements, and an overall program is designed with appropriate policies, processes, monitoring, issue reporting, and assurance.
- PERFORM. This then moves us to perform. Once we have the ESG/GRC process designed, it needs to become operational. This starts with clearly defined ESG-related controls and policies to be implemented across the extended enterprise. From here, various groups need to be informed of and educated on their roles and responsibilities in ESG. There should be clearly established incentives for achieving objectives while providing an appropriate response to issues and failures. The organization should have established processes for reporting issues, assessing ESG/GRC, reporting, and responding to issues that arise.
- REVIEW. From here, we move to the review component: continuous improvement and assurance. This involves ongoing monitoring and reporting on ESG to various stakeholder groups. Audit plays a critical role in providing assurance on ESG objectives, risks, and related processes, policies, and controls. And the organization looks for ways to continuously improve ESG in the context of the organization and its broader objectives and operations.
Of course, that is the summary version of the GRC Capability Model used for ESG. There is a lot more detail and breakout of each component as there are well-defined practices, actions, controls, and documentation for areas of Learn, Align, Perform, and Review.
GRC, and in this context ESG, is something organizations do and not something they purchase. You do not go out and buy GRC, and you cannot go out and buy ESG. ESG, as a part of GRC, is performance and objectives done through actions, behaviors, and transactions of the organization. No one technology solution on the planet does everything needed for GRC, and there is certainly none that does everything for ESG. You have heard the term “it takes a village.” In the case of GRC, and ESG as part of GRC, it takes an architecture. There can be a core reporting and monitoring platform, but it requires integration with other business systems and external content/intelligence providers.
If you are defining your organization’s ESG strategy, I encourage you to look at the GRC Capability Model and adapt it to your specific needs. As with any standard/framework, it is adjusted to your particular context. If you are looking for technology that can help manage and report on ESG as you build your ESG architecture (GRC architecture), please feel free to reach out to me for objective guidance and input on the array of solutions available in the market and what best meets your specific needs.