By Shankar Bhaskaran, Managing Director – India, MetricStream
ESG compliance is emerging as India’s top business challenge. Regulator SEBI (Securities and Exchange Board of India) is asking top companies to report ESG performance in a more detailed format called the Business Responsibility and Sustainability Report (BRSR). As the ESG landscape in India matures, investors, consumers, and communities will also hold companies accountable for their ESG performance. Like it or not, Indian companies must face the rising demand for transparency and accountability.
ESG disclosures allow companies to identify potential transition risks, self-assess their ability to sustain themselves in the future, and take the necessary steps to adapt to the changes. Companies that neglect this exercise risk losing not only profits but also their market reputation. A corporate governance survey of the top 100 companies in India identified ESG risk among the top major business, financial and operational risks. A leading professional services firm estimated that 75% of companies surveyed agreed that ESG is a part of boardroom discussions. ESG risk is already a hot topic in boardrooms. Managing it successfully, however, is another story.
Most companies in India find it challenging to manage ESG risk because they view ESG as a standalone risk category. However, managing ESG risk in isolation won’t work because all risks in an enterprise, including ESG, are deeply interconnected and intertwined. For example, a company’s relationships with a supplier or vendor may impact its ESG performance. For many organizations, the supply chain is where most carbon emissions come from.
Companies can no longer get away with blaming suppliers because regulators, investors and consumers hold first parties responsible for third-party ESG failures. Companies must now extend their ESG risk management strategy across the third-party ecosystem. Usually, Third-Party Risk Management (TPRM) is treated as a standalone risk category. But for an ESG risk program to work effectively, companies must integrate it with TPRM. Companies can better understand how third parties impact ESG ratings by connecting existing TPRM practices with their ESG program. They will also understand which suppliers contribute the most ESG risks and what commonalities ESG and TPRM regulations share. Integrating ESG and TPRM helps create a cross-functional approach to minimize operational redundancies while making risk management more cost-efficient and agile.
Today, the connections between enterprise risk management (ERM), ESG, and TPRM are unavoidable. Companies are only starting to realize just how interconnected these risks are. Other enterprise risks, such as cyber risk, can have a significant impact on ESG and TPRM as well. For example, a cyber-attack on a chemical facility could leak hazardous waste into surrounding ecosystems. Or a pipeline breach could cause fuel shortages.
The key to organizational resilience is understanding how various business risks are interdependent and how they impact the business. Decision makers must therefore gain a broader holistic view of all the risks in the ecosystem. A holistic view of risk is possible only with an approach that interweaves ESG and TPRM into the larger governance, risk, and compliance (GRC) and enterprise risk management (ERM) framework.
When companies apply established ERM practices to ESG and TPRM, decision-makers can see how things such as employee welfare, raw material sourcing, production practices, and waste management can affect a company’s overall risk profile and business objectives. ESG and TPRM connect well with ERM practices like risk identification, materiality assessments, metrics monitoring, and reporting. Hence, they can be easily embedded into the company’s ERM strategy and processes to create a blueprint for the whole enterprise.
Having understood the importance of a connected approach, here are some ways to build those connections between ERM, ESG, and TPRM.
Establish a single source of risk truth. As part of the ERM program, a centralized risk register is a single source of truth. Mapping the risks together helps one understand how they impact and influence each other. Connecting the risks to the associated controls, testing processes, business units, assets, and objectives helps one better understand the risk universe.
Improve cross-functional collaboration. An integrated GRC platform can help all teams – risk management, procurement, sustainability, compliance, or HR – seamlessly communicate and coordinate ESG risk management activities. The better the teams work together, the more prepared the company will be for all the risks that come its way.
Establish robust risk frameworks. Ensure best-in-class ERM frameworks are in place over multiple risk pillars. These pillars should include strategic, operational, financial, compliance and environmental risk. The frameworks also use various qualitative and quantitative methods – including a megatrend analysis, SWOT study, ESG materiality assessments, stress testing, and a what-if scenario analysis.
Have a common risk taxonomy. This will enable risk management and sustainability professionals across locations to have more meaningful conversations about risks and opportunities.
Examine ESG and third-party risks from different angles. For example, consider how the internal operations and supply chain impact the environment and community. Assess how environmental and social changes in the external world would impact business. Conduct vulnerability assessments to determine how much an ESG risk would adversely affect the business.
Get the first line involved. Frontline managers are often the first to spot a potential ESG risk. Create simple mechanisms for them to capture and report these issues. Ensure the data flows quickly to the right people so that the risk can be mitigated proactively.
Leverage automation. Automating ESG and TPRM monitoring and reporting within the ERM program will help companies act on the right risks faster.
Connecting ESG, TPRM, and ERM helps one to step back and look at the big picture. Decision makers get a complete view of the risk universe. Connecting the dots will help them implement a robust risk management approach to keep these risks in check. Also, by connecting the dots, companies can make sustainability a natural part of daily operations and not simply a compliance activity.
Great post about supply chain risk management. Thanks for sharing with us.