Introduction
Over the past few years, environmental and societal risks have dominated the World Economic Forum’s (WEF’s) Global Risk Reports. In the 2022 report, eight of the top ten most severe projected risks were related to either environmental risks like biodiversity loss and natural resource crises, or social risks like social cohesion erosion and livelihood crises.
Together, environmental, social, and governance (ESG) risks have the capacity to create and exacerbate market instability. Climate change may forever alter agricultural, manufacturing, transportation, trade, energy, and economic norms. It can also trigger unpredictable societal changes – human migration, geopolitical friction, and pandemics – that may force transformations in how businesses operate. These are systemic risks that can affect every business on the planet. Yet, many companies are not treating these risks with the same urgency and attention as traditional risks.
Marsh, in association with Cranfield University, analyzed the annual reports of listed companies to gain insights into how businesses evaluate ESG risks. They found that only 30% of FTSE 100 companies showed evidence of reporting climate change risk on a standalone basis in line with the Task Force on Climate-related Financial Disclosures (TCFD) recommendations.
Meanwhile, the 11th EY and IIF global bank risk management survey found that although climate change is quickly emerging as a top risk, it still isn’t properly understood or assessed. Only 45% of banks have embedded climate change risk into their risk taxonomy, while only 43% have integrated it into their enterprise risk management (ERM) frameworks.
This disconnection between ESG and ERM could have significant repercussions. TCFD recommends that companies not only disclose their processes for identifying, managing, and assessing climate-related risks, but also describe how those processes are integrated into their overall risk management program. Failing to comply with these recommendations could invite regulatory penalties, especially in countries that have already made TCFD-aligned disclosures mandatory. It’s only a matter of time before other developed and developing countries follow suit with their own TCFD-aligned regulations.
In the US, the SEC’s proposed climate disclosure rule may soon require public companies to provide information about climate-related risks in their registration statements and annual reports. Similarly, the EU’s Corporate Sustainability Reporting Directive (CSRD) will require large companies to report on sustainability issues such as environmental rights, social rights, human rights, and governance factors in a dedicated section of company management reports.
215 of the biggest global companies report almost $1 trillion at risk from climate impacts, according to the CDP.
Investors are also upping their scrutiny of ESG risk management practices. According to the PwC 2021 Global Investor ESG Survey, 79% of investors agree that ESG risks are an important factor in investment decision-making, and almost half of investors (49%) are willing to divest from companies that aren’t taking sufficient action on ESG issues.
All signs indicate ESG risks are too important to be side-lined or ignored in corporate risk management programs. Integrating ESG risks into ERM processes can help companies understand the full scope of their risks better while improving the accuracy of corporate disclosures. An integrated risk management approach also enables companies to build a risk-informed ESG plan that is forward-looking and lasting, rather than short-sighted and reactive.
In the following pages, we take a deeper look at why it’s imperative to embed ESG into ERM practices, and how to go about it.
Questions to consider
• How do you identify, assess, and manage ESG risks of material significance?
• How do you prioritize ESG risks in relation to other enterprise risks?
• Do you assess the impact of ESG risks across your value chain, including your third-party ecosystem?
• Are ESG risks incorporated into financial planning, as well as corporate performance evaluations?
• Is your reporting transparent and clear about the influence of ESG risks on corporate objectives and strategy?
Why Align ESG with ERM?
For years, many Chief Risk Officers (CROs) and Chief Sustainability Officers (CSOs) have operated in silos. But with ESG risks growing more prominent, it’s time to break down these barriers, and operate as one team. The more closely the risk function and the ESG function work together, the better prepared they will be to respond to all kinds of risks.
Here are six reasons to integrate ESG into ERM
ESG is not just a risk, but a BIG one
ESG risks are closely linked to other enterprise risks. For example, the failure to lower carbon emissions could adversely impact a company’s reputation, compliance posture, and financial health. These risk relationships are best understood when ESG risks are mapped to other enterprise risks. The result is a more nuanced risk understanding that can help companies define the scale, scope, and context of their risk management activities. Better risk visibility also allows stakeholders to assess and make more informed decisions about which risks to prioritize and manage.
Use resources more efficiently
When ESG risks are managed as part of a centralized ERM program, companies can enrich risk data while eliminating the duplication of effort, minimizing risk gaps, and optimizing capital allocation.
Strengthen first-line involvement
The people on the front lines are often the best-positioned to spot emerging ESG risks such as a child labor issue in the supply chain. These timely insights can help companies act on ESG risks and opportunities proactively. Therefore, it’s imperative that the first line be involved in ESG risk identification and assessment. Many ERM programs already have clearly defined risk management roles and responsibilities for the first line which ESG teams can easily capitalize on.
Improve risk reporting
ERM taxonomies use a common, consistent language to identify, assess, and report risks. When ESG risks are expressed in these terms, decision-makers can better understand how an ESG issue like unscientific waste management or a lack of employee diversity can impact corporate strategy and objectives. This makes it easier to secure investments for ESG initiatives.
Boost compliance and resilience
Compliance requirements like TCFD recommendations expect companies to incorporate ESG risks into ERM programs. Long-term corporate viability also depends on a company’s ability to predict and respond to all risks and opportunities – including ESG-related ones.
Build trust
Evidence of an integrated risk management program suggests that ESG has been embedded into – and not simply bolted onto – the company’s strategy and operations. Greenwashing concerns are also eliminated when ESG is made part of an established ERM program. It indicates that the company is committed to doing the right thing which, in turn, strengthens credibility with shareholders, investors, and customers.
Get Ahead of ESG Risks by Capitalizing on the Synergies between ESG and ERM
Many companies already have an ERM program to identify, assess, and manage risks. Even in the absence of such a program, companies usually have defined risk management roles, responsibilities, and tasks. These measures provide a starting point for ESG risks to be identified and managed with confidence. Here’s how to capitalize on the synergies between ERM and ESG for better business resilience:
Integrate ESG risks into enterprise risk appetite statements
With environmental and social risks intensifying, it’s important that companies articulate just how much ESG risk they’re willing to tolerate in pursuit of their strategic objectives. For example, eliminating all plastic packaging may be too great a financial risk for an eCommerce company. However, switching to renewable energy may be a more viable option.
These kinds of decisions are easier to make when companies have a good understanding of their ESG risk tolerance levels in the context of their larger enterprise risk appetite. With these insights, stakeholders can then adjust ESG and risk strategies for optimal outcomes.
Expand risk registers to include ESG risks
Incorporating ESG risks into existing risk registers does two things. One, it elevates the significance of ESG in senior management discussions. Two, it improves visibility into how ESG risks influence and interact with other enterprise risks.
ESG risks can be identified through a range of methods including risk interviews, online surveys, and risk workshops with investors, customers, and the board.
How well do you know your ESG risks?
ESG risks range from broad to specific, including:
Some companies map out their enterprise risks – including ESG risks – at least once a year. This helps them identify which risks need to be addressed as a priority.
Many companies also use a single source of risk truth to improve risk visibility. They map ESG risks to other enterprise risks, as well as controls, testing processes, compliance requirements, risk owners, reporting lines and strategic objectives – all in one integrated data model. The result is a holistic risk view that empowers management to make better-informed decisions, and provide better risk oversight.
Improve collaboration between risk management and ESG teams
One of the biggest barriers to ERM-ESG alignment is a lack of communication between risk management and ESG functions. The ESG team doesn’t always speak the same language as the risk team. Equally, risk professionals aren’t often trained to understand, analyze, and respond to ESG risks. This must change if we want to enable a targeted and meaningful approach to ESG risk management.
Many companies have talked about the difficulties of understanding and quantifying ESG risks. These challenges can’t be solved in silos. ESG and ERM teams must work together toward setting risk evaluation standards, best practices, and scoring methodologies that can be equally and consistently applied across all risk types. Since ERM programs already deal with multiple risk types, they must evolve to include ESG risks.
Effective ESG risk management also requires collaboration between ESG teams and other functions, including HR, Legal, and Supply Chain Management. Their collective inputs can help companies build a richer and more nuanced picture of ESG risks in the context of other business risks.
Questions to consider
• Are there opportunities in your company for cross-functional collaboration on ESG risks and issues?
• Is your CSO involved in creating and reviewing the risk register?
• Does the ESG team have a representative on the ERM committee?
• Are ESG terms translated to fit ERM taxonomies?
Establish ESG risk management discipline
ESG risk management requires a disciplined approach with well-defined roles, responsibilities, and processes. The best way to start is with ERM frameworks like this one issued by COSO and WBCSD. It provides practical guidelines for companies to navigate and manage emerging ESG risks – particularly sustainability risks.
ESG risks can be identified and assessed using a range of qualitative and quantitative methods – including a megatrend analysis, SWOT study, ESG materiality assessments, stress testing, and a what-if scenario analysis. These tools, when used as part of an ERM program, help companies understand the severity of ESG risks in relation to other enterprise risks. Management can then prioritize the risks that need the most attention.
Risk responses can vary based on a company’s unique risk profile, appetite, and tolerance, as well as the costs and benefits of each response. It helps to have an ESG subject matter expert who can provide insights and guidance on the appropriate risk treatment.
ESG risk management activities must also be reviewed and modified for effectiveness. Well-defined key risk and performance indicators can alert management to any changes in risk identification and response.
Don’t forget third-party ESG risks
Many third-party risk management programs focus on operational disruptions, bribery, corruption, and compliance risks. But ESG risks are equally important, given that an organization’s supply chain can account for more than 90% of its greenhouse gas (GHG) emissions.
Incidents of child labor, worker exploitation, and health and safety issues can also surface across supply chains. Companies have a responsibility to monitor and mitigate these risks through proper third-party screening, periodic risk assessments, and ongoing monitoring and due diligence.
Here's where it helps to integrate ESG with third-party risk management as well as ERM. Having a common platform for all this data can greatly improve risk visibility. It gives management a more nuanced and contextual understanding of ESG risks across their supply chain.
An integrated platform also helps ESG and supply chain governance teams communicate and share data with ease, thus minimizing redundancies and enabling a more holistic approach to third-party ESG risk management.
How MetricStream Can Help
At MetricStream, we recognize that ESG isn’t a standalone process. It’s deeply connected to ERM, as well as governance and compliance. When all these elements are managed in an integrated and collaborative manner, companies can reduce risk exposure, drive growth, and strengthen stakeholder confidence.
MetricStream ESGRC integrates ESG with governance, risk, and compliance (GRC) in one powerful product. It streamlines and automates ESG risk assessment, management, and monitoring across the enterprise and third-party ecosystem, while also simplifying ESG compliance and disclosures.
MetricStream ESGRC is part of our ConnectedGRC suite of products which enables a holistic approach to ESG, ERM, cyber risk, and multiple other GRC processes.
Discover how MetricStream ESGRC can help you get ahead of ESG risks.
References
TCFD WORKSHOP - Session 4 – Risk Management, February 2022
Sustainability and enterprise risk management: The first step towards integration – WBCSD
Enterprise Risk Management: Applying enterprise risk management to environmental, social and governance-related risks, Executive Summary – COSO, WBCSD, October 2018
Environmental, Social and Governance: An integration to long-term strategy via risk management – KPMG, April 2020