ES-G-RC: How GRC is the Foundation for ESG and EU CSRD Reporting

Environmental, Social, and Governance (ESG) is a growing challenge for organizations to manage and report on. It has become a core part of corporate strategy, driven by values, stakeholder expectations, and regulatory requirements such as the EU Corporate Sustainability Reporting Directive (CSRD), which impacts around 50,000 firms that must report annually. With over 1,100 data points going into CSRD reporting, organizations have to get their ESG act together.
There are different views on ESG, and I respect that. At the heart of ESG is stewardship. Every organization should put a stake in the ground in its commitments and objectives to the environment, to its social commitments, and to the governance of the organization. These may very well vary between organizations. The environmental aspect is much more than climate change; it includes air, water, waste, use of natural resources, and things like the elimination of PFAS (forever chemicals). The social and governance aspects likewise cover a lot of elements.
I do not think anyone reading this will disagree that modern slavery, part of the social dimension, is a bad thing. In the end, ESG is best summed up in the words of my favorite fictional U.K. Premier League coach and philosopher, Ted Lasso: “Doing the right thing is never the wrong thing.” It is up to organizations to define what the right thing is for their organization in the context of the environment, the social communities it serves, and the governance of the organization.
But how do organizations ensure that their ESG initiatives are well-governed, that ESG objectives are set and performance against them is measured, that the uncertainty in achieving those objectives is understood and managed as risk, and that they act in line with the values and commitments of the organization? The answer lies in Governance, Risk Management, and Compliance (GRC).
The Role of GRC in ESG
The OCEG defines GRC as: “an integrated capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).” This definition is a perfect starting point for understanding ESG within an organization. Effective ESG management must begin with well-defined objectives, not just risk assessments. Too many ESG management platforms start with risks, which is like putting the cart before the horse. ESG objectives should drive risk identification, not the other way around. As an analyst, I will NEVER recommend an ESG solution that does not start with ESG objectives and ESG program management.
At its core, ESG is about setting and achieving objectives. Organizations must begin with a clear vision of what they aim to accomplish in the environmental, social, and governance domains.
- Environmental Objectives. Companies must define their commitments to sustainability, whether through carbon footprint reduction, waste management, energy efficiency, elimination of PFAS, or responsible sourcing of materials. These objectives should be measurable and aligned with broader industry and regulatory expectations.
- Social Commitments. The social component of ESG involves ensuring fair labor practices, zero tolerance for modern slavery, employee well-being, and ethical labor practices throughout the supply chain. Organizations must consider how they engage with employees, communities, and stakeholders to foster a socially responsible culture.
- Governance Standards. Effective governance is the backbone of a successful ESG strategy. This includes ensuring ethical leadership, internal controls, anti-corruption, robust data protection policies, regulatory compliance, and transparency in decision-making. Strong governance creates trust and accountability within the organization and among external stakeholders.
Without a structured approach provided by GRC, ESG efforts risk becoming fragmented and ineffective. GRC offers the necessary framework to integrate ESG goals into daily operations, ensuring they are well-governed, managed, and continuously improved.
The GRC Capability Model and ESG
In recent ESG and EU CSRD workshops I conducted in Stockholm and Utrecht, I presented the OCEG GRC Capability Model 3.5, and it resonated with over 60 organizations working on ESG. The model provides a comprehensive framework for ESG management through four core components: Learn, Align, Perform, and Review.
- Learn (Understanding ESG Contexts). Before setting ESG objectives, organizations must first understand the broader context in which they operate. The learning phase is foundational, as it establishes a comprehensive understanding of the external and internal factors influencing ESG strategy.
  - External Context. This includes understanding the regulatory landscape, evolving standards, and market trends. For example, organizations operating in the EU must align with the CSRD, which mandates transparency in ESG disclosures and reporting. This also includes understanding where you do business and who you do business with.
  - Internal Context. Organizations must assess their internal capabilities, culture, values, ethics, policies, and existing ESG initiatives. This helps in identifying gaps and areas where improvements are necessary. I always recommend that organizations take an inventory of their current array of policies that relate to the aspects of ESG.
  - Stakeholders. Companies must recognize the role of investors, employees, regulators, and customers in shaping their ESG approach, and integrate their expectations into ESG planning to ensure long-term credibility. Customers matter here as well: organizations that are not aligned with the values of their customers risk significant challenges in the market, as several examples from the past few years have shown.
  - Corporate Culture. A successful ESG strategy aligns with an organization’s ethical values and corporate mission. ESG must be embedded into the company’s DNA rather than treated as a compliance requirement alone.
- Align (Defining the ESG Strategy). Once the organization has learned its ESG landscape, it must align its strategy with clearly defined objectives and a structured approach to risk management.
  - Direction. Organizations need to define their ESG mission and values and set a clear vision for sustainability and social responsibility. This includes defining who leads ESG and which roles and departments are part of the team.
  - Objectives. ESG goals must be SMART (Specific, Measurable, Achievable, Relevant, Time-bound) and aligned with the organization’s values, commitments, and obligations.
  - Identification. Identifying the risks and opportunities that could hinder or help ESG progress, which may be regulatory, reputational, operational, or environmental. Risk is the effect of uncertainty on objectives (ISO 31000), in this case the ESG objectives.
  - Analysis. Once identified, risks must be assessed for their effect on the organization’s ability to achieve its ESG objectives. A structured approach helps prioritize risk management efforts and enables the organization to achieve or even exceed its ESG objectives.
  - Design. Organizations must build a structured ESG program that includes policies, frameworks, internal controls, and dedicated teams responsible for execution, as well as those accountable for objectives and risks. A well-designed program enables consistent application and progress measurement.
- Perform (Executing the ESG Program). With the strategy in place, organizations must implement and operationalize ESG across all levels of the business.
  - Controls. Implementing and monitoring ESG-related internal controls ensures compliance with internal objectives and external standards. This includes emission tracking, supply chain audits, and ethical labor practices.
  - Policies. ESG-related policies, of which there are a plethora, should be well-documented, accessible, and actionable. These policies must provide clear guidance on the range of environmental, social, and governance practices, expectations, and boundaries.
  - Communication & Education. Employees and stakeholders need to be educated on ESG objectives, the related policies and internal controls, and their role in achieving them. Effective communication fosters engagement and accountability.
  - Incentives & Accountability. ESG performance must be tied to incentives, such as executive compensation linked to sustainability targets or employee participation in environmental programs. At the same time, organizations must establish accountability mechanisms for ESG compliance.
  - Monitoring & Reporting. Continuous monitoring is necessary to track ESG progress. Organizations should leverage technology and data analytics to ensure real-time insights and accurate reporting.
- Review (Ensuring Continuous ESG Improvement). ESG is not a static initiative but an evolving process requiring regular assessment and updates.
  - Monitoring & Auditing. ESG monitoring and data collection should be conducted to evaluate performance against internal controls, policies, and standards.
  - Assurance. Internal and external stakeholders require assurance that ESG commitments are being met. Organizations must build transparent reporting mechanisms that align with recognized frameworks. Regular internal audits provide assurance, while external audits provide independent third-party validation. Organizations facing CSRD are expected to move from limited assurance toward reasonable assurance over the coming years.
  - Continuous Improvement. ESG strategy must evolve in response to changing regulations, market trends, and stakeholder expectations. Companies should use insights from audits and reviews to refine and enhance their ESG initiatives.
The EU CSRD requires organizations to report on sustainability and ESG performance with the same rigor as financial reporting. The GRC Capability Model gives organizations a structure through which they can:
- Define the organization’s ESG objectives in the context of the organization’s values and obligations.
- Identify ESG risks and opportunities with a structured approach.
- Implement internal controls to ensure ESG compliance and risk mitigation.
- Maintain accurate and comprehensive ESG records to meet regulatory reporting requirements.
- Continuously assess and improve ESG performance to align with evolving standards.
GRC is the foundation for successful ESG implementation. Organizations must take a structured approach to ESG, leveraging the GRC Capability Model to define objectives, manage risks, and maintain compliance. ESG is not just about checking a regulatory box—it’s about embedding sustainability into the organization’s core strategy. By following the Learn, Align, Perform, and Review approach, organizations can transform ESG from a regulatory burden into a driver of long-term value and resilience.