A tidal wave of ESG regulations is looming across markets. To prepare, companies are shifting responsibility for sustainability management and reporting to the risk management domain. Risk executives are investing in enhancing their governance, risk management, and compliance (GRC) systems to account for ESG factors. GRC strategy consultants, software providers, and systems integrators are responding with investments and innovations that increase the business value created by managing ESG risks with their solutions.
Risk in the ESG Age
Today, a company's sustainability performance and disclosures across ESG—environmental, social, and corporate governance matters—have a direct bearing on its cost of capital and its cost of doing business. Investors, customers, employees, and even suppliers expect and reward new levels of transparency from the companies with which they deal.
As a result, companies across industries and geographies have recently made tremendous investments in strengthening sustainability management and reporting, with sustainability teams, sustainability board committees, and publicly declared sustainability goals. Yet sustainability reporting today is a voluntary exercise. Accountability is minimal. And the risks of misstatement are purely reputational in nature.
All of this is changing, as a tidal wave of ESG regulation enters into force over the course of 2023-24.
Regulators across jurisdictions have taken note of the value of sustainability disclosure, and they are moving en masse to mandate what and how companies report on the sustainability of their business activities across ESG. Globally, more than 750 ESG policy interventions have been made, with more than 100 initiated in 2021 alone. (Source: Regulation database). The most robust regulations are centered in the EU, such as the Corporate Sustainability Reporting Directive, or CSRD. But in the US as well, the Securities and Exchange Commission has declared its intention to regulate disclosure on four identified ESG pillars, and has already accepted a proposal to require climate impact disclosures in financial reporting.
As ESG reporting becomes a mandatory set of disclosures made on the public record, ESG performance expands from a source of competitive advantage with investors and customers to become a fundamental requirement of maintaining a license to operate from market regulators. The most sweeping regulations, such as the EU’s CSRD, begin to move ESG towards parity with financial accountability and include audit requirements; their enforcement mechanisms indicate that sustainability disclosures are evolving into a new source of regulatory and legal risk.
To thrive when transitioning from voluntary to mandatory—risky—sustainability reporting, companies need to successfully marry their sustainability capabilities to their risk management and compliance capabilities. And most are starting. At the board level, just over half of companies are currently incorporating ESG into their integrated risk management planning. (Source: Sustainability in the Spotlight). At the executive level, leaders are proactively taking action to ensure they are presenting reliable ESG data, with 9 out of 10 respondents to a recent Deloitte survey confirming that their organization will invest in enhancing its ESG control environment. (Source: Enhanced Climate Disclosures). Risk and compliance leaders who are beginning to evaluate how to deploy those investments should look to their CISOs and the IT Governance, Risk Management, and Compliance domain, or GRC.
GRC for ESG
As an IT security system in which governance, risk, and compliance are conceived and managed in terms of data, GRC has much of the people, processes, and technology already in place to readily incorporate sustainability metrics into the risk management and compliance domains. Indeed, many extant regulations that are already being managed within GRC, such as protections for human rights and the environment, now fall under the ESG umbrella. Leveraging existing GRC infrastructure to tackle ESG compliance is a way to accelerate the journey to ESG risk maturity, while also increasing the return on previously made investments.
Furthermore, solution providers within the GRC ecosystem have already recognized the opportunity to create more business value for customers by adapting GRC to manage compliance with the new ESG regulations. These players are investing with gusto, in a race to bring solutions to market that answer customers’ evolving needs with ever greater fidelity.
Strategy and risk consultants, for example, are rethinking their core set of GRC advisory tools to incorporate ESG. The refreshed perspectives give insight into enterprise sustainability risk posture, and include tools such as audit, assessment, and change management frameworks, maturity models, and reporting dashboards.
At the software level, the commitments from risk management platform providers couldn’t be greater, with several dedicating themselves to strategies in which sustainability and ESG become the dominant risk management theme for their customers. Each of the leading risk management SaaS platforms has launched its own new ESG products since late 2021. These ESG solutions integrate ESG factors into core risk management, while also catering to the unique challenges and opportunities of sustainability performance management and reporting at both the enterprise and line-of-business levels. Iteration and development will continue apace in this arena, and accelerate further as customer adoption grows.
As companies begin to purchase these new applications and adapt them to their environments, GRC systems integrators are mastering them and innovating new solutions to solve for unique customer needs, challenges, and opportunities. As they do so, they create unique IP that opens new possibilities for insight and automation with the core platforms on the one hand, and foster an infrastructure that promotes interoperability and holistic management on the other.