In the previous post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. Then we dove deep into the first trend of the need for GRC agility, and then explored GRC resilience and explored GRC resilience again . . . and we now continue with the third trend of five, integrity . . .
The third global trend in the GRC market for solutions and services is INTEGRITY.
INTEGRITY: 1. the quality of being honest and having strong moral principles; moral uprightness. 2. the state of being whole and undivided.
Organizations are re-evaluating their internal core values, ethics, and standards of conduct in 2023 and how this extends and is enforced across the organization. The integrity of the organization is a front-and-center concern. Organizations see the need to define and live their corporate values in the business, its transactions, with clients, and in third-party relationships. This includes focusing on human rights, privacy, environmental standards, health and safety, corruption, conflicts of interest, compliance, managing risk, conduct with others (e.g., customers, partners), privacy, security, and more. What the organizations communicates in policies, statements, reports, and controls needs to be a reality in the organization and not just smoke and mirrors.
Integrity is played out in ESG – Environmental, Social, Governance . . .
- Environment. Climate change, natural resource utilization, pollution and waste, biodiversity, certification, carbon footprint/emissions.
- Social. Child labor, forced labor, socio-economic inequality, privacy, personal data use, diversity, inclusion, working conditions, health and safety, product liability.
- Governance. Corporate governance, fraud, anti-bribery and corruption, anti-money laundering, internal controls over financial reporting, security, corporate conduct and behavior, anti-competitive practices, tax transparency, ownership, and structure.
Organizations need a cohesive strategy from the board down into operations to address the organization’s integrity in the context of ESG. This moves from strategy down into ESG processes and how this is automated and managed in a GRC (which enables ESG) information and technology architecture.
ESG does not start with RISK!
ESG does not start with risk but with objectives. I cringe when solution providers show me their solutions focused on ESG risk management. That is putting the cart before the horse. To be an organization of integrity requires a focus on principles and objectives. Only in that context can we identify and manage risks to those objectives. An organization may have an objective to be carbon neutral; then, we map the risks of not being carbon neutral. An organization has inclusivity and diversity objectives, no tolerance of child labor objectives, and more. Risks are then mapped to ESG objectives. YOU CAN BET THAT I WILL NEVER RECOMMEND A SOLUTION IN THE MARKET that starts with ESG risk over ESG objectives.
ESG requires focus on the EXTENDED ENTERPRISE!
Brick-and-mortar walls and traditional employees no longer define the modern organization. The modern organization is the extended enterprise: suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, agents, brokers, dealers, partners, and more. ESG, and in this context, integrity, plays out and is measured across these relationships. Martin Luther King Jr stated, “Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.” This statement is true in our individual relationships, and it is true in an organization’s relationships in the extended enterprise. The saying “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organization in the context of ESG. The integrity and ability of the organization to act with integrity in the context of ESG require addressing this across the extended enterprise.
There is so much happening in the regulatory aspects of this. Consider the breadth of ESG impact from just the following (much more can be added) . . .
Broad ESG Regulation
- EU CSRD – 50,000 firms have to respond to this.
- EU CSDDD – requires ongoing continuous due diligence on ESG
Third-Party Due Diligence
- EU CSDDD
- Germany’s LkSG (Supply Chain Due Diligence Act)
- Dutch Due Diligence Act
Modern Slavery (but ties into Third-Party due diligence)
- UK Modern Slavery Act
- Norwegian Transparency Act
- Swiss Human Rights Due Diligence Law
- California Transparency in Supply Chain Act
- Conflict Minerals
- Uyghur Forced Labor Prevention – China Supply Chain Risk
Anti-Bribery & Corruption (under the G)
- US FCPA
- UK Bribery Act
- Sapin II
- SEC Climate Change
IT Security (under the G)
- SEC Cybersecurity
Internal Controls & Governance (under the G)
- US SOX
- UK SOX & Corporate Governance
And, of course, Tax Transparency, Beneficial Ownership, Inclusivity/Diversity, Consumer Duty, PFAS, and much more . . .
The writing is on the wall; organizations must fundamentally change how they approach ESG internally and across the extended enterprise. Organizations should start defining an integrated strategy for ESG to address these forthcoming requirements and stakeholder demands in a unified and consistent approach.
GRC 20/20 will be doing a deep-dive on ESG and these regulations for solution and service providers in the upcoming 2023: How to Market & Sell ESG Solutions & Services.