You’ve probably heard the three letters “ESG” used together as part of a risk management or compliance discussion, but what does the acronym really mean? And why are we publishing an article in DRJ talking about its relationship – or potential relationship – to business continuity and resilience?
Simply put, there is a strong relationship with shared goals and objectives between ESG and business continuity across the entire enterprise. For example, a lack of sustainability is a threat to continuity and resilience. Poor alignment with customers’ values is a threat to continuity. And failing to proactively manage the consequences of changing climate conditions throughout your supply chain – internal and external – only increases the likelihood of disruption.
The purpose of this article is to formally introduce the topic of Environmental, Social, and Governance – or ESG – to the business continuity and resilience profession. We also will highlight areas of overlap between these two important disciplines within integrated risk management (IRM) and explain how it can positively impact your organization.
What is ESG?
ESG is a set of initiatives and goals that enable sustainable development based on a blueprint developed by the United Nations. ESG focuses on the planet, its ecosystems, and people. It includes all the direct and indirect inputs that comprise product or service delivery, including supply chains, internal operations, and channels.
Interestingly, for many organizations, ESG is a story for the market. For some, it’s a story and a score, but most important, it’s an ongoing journey to reduce negative impacts on the planet and people over time.
ESG includes elements that are common for all industries, such as greenhouse gas emissions reduction and forced labor protections. There are also elements that are sector specific, like animal welfare in protein production and forestry stewardship in textile manufacturing.
In the past, ESG disclosures were voluntary. Today, however, ESG-related topics are becoming increasingly regulated, which can be a challenge for businesses. There are hundreds of regulations in effect, with more on the way. Businesses can be required to comply with regulations in their home locations, as well as those where they source and sell.
While the development of a global standard was started in October 2021 with ISSB at the United Nations Climate Change Conference (COP26), reporting organizations are now required to manage a complex and dynamic set of requirements which are likely to increase in the foreseeable future.
ESG is all about telling a story on sustainability and values, maintaining the performance data to back it up, and managing the actions to improve over time.
Since this article is being published in DRJ, we’re going to skip a detailed introduction of business continuity, but at a high level, it’s about ensuring the continuity of product and service delivery, even when faced with one or more catastrophic events.
Why ESG Now?
Similar in many ways to business continuity, ESG is driven primarily by four influencers – regulatory, investment community, customers, and reputational standing.
ESG regulatory pressures continue to rise, with a particular focus on measuring an organization’s carbon footprint related to the development and delivery of its products and services. For example, Germany’s Supply Chain Due Diligence Act will go into force at the start of 2023, mandating companies with 3,000 or more employees in Germany to take appropriate measures to respect human rights and the environment within their supply chains. Similarly, in the US, the state of California has proposed legislation in the Corporate Climate Accountability Act that will require companies with at least $1 billion in revenue to report and verify their Scope 1, 2, and 3 emissions. Also on the horizon is a proposal from the US SEC that will require ESG reporting beginning in 2024.
An increasing number of investors are establishing strict ESG-related criteria before they consider investing in a company – again with a focus on carbon emissions, climate-related risks, conflict minerals, human rights, and employment conditions. These institutional investors impose their own ESG disclosure requirements that leverage standards under the Global Reporting Initiative (GRI), the Sustainable Accounting Standards Board (SASB) and the Task Force for Climate Related Financial Disclosure (TCFD), among others. Meeting these investor requirements is critical for access to capital, with research showing that an organization’s ESG ratings can affect between 33%-40% of the cost of capital. BlackRock and State Street are two examples where an investment will not be made in an organization without strong ESG practices and outcomes.
Similarly, customers are evaluating their suppliers’ ESG practices by assessing workplace conditions, human rights performance, diversity and inclusion, carbon emissions and more.
Social pressure is also a key driver. A strong ESG story and scoring can be a market differentiator. A growing number of customers will support and buy from organizations that align to their values.
How Does ESG Relate to TPRM?
Because so much of the ESG focus is on supply chain, many confuse ESG with third-party risk management (TPRM). Still others look at ESG as part of the broader TPRM landscape.
We should clarify that ESG is not just a responsibility of an organization’s suppliers. Strong ESG starts with actively governed and measured internal standards – which then extend into the supply chain. Where results fail to align to expectations, corrective action should be taken.
A relationship between ESG and TPRM clearly exists, but they are not the same. TPRM exclusively focuses on external partners and the impact on the business, whereas ESG includes both internal and external responsibilities.
Both can be more effective and efficient with shared information, including:
- Who do we rely upon for product/service development through delivery?
- What do they provide?
- Where do they operate (e.g., locations, as well as their logistical paths to reach us)?
- Who are the supplier’s suppliers?
- What are their controls and do those meet our expectations?
- What are the results of independent audit and verification?
- Do they meet our expectations (e.g., carbon reduction, water conservation, etc.)?
- What are the agreed-upon opportunities for improvement?
- What improvement actions do the third parties plan to take?
- What are the threats to the third parties?
- Who are the alternates for each third-party dependency?
Is There a Relationship Between Business Continuity and ESG?
Cyber and supply-chain risks remain the leading causes of disruption. Note, however, that supply-chain disruption is no longer just about failure caused by a disruptive event. Disruption can also be the result of an inability to meet ESG obligations and expectations.
Sustainability and continuity are clearly intertwined.
Many of the shared data elements are also necessary to understand and manage business continuity. But the relationship is more than simply sharing data.
Those organizations with leading ESG, TPRM, and business continuity practices also benefit from early-warning networks, such as risk/threat intelligence that triggers a response, as well as risk-sensing capabilities. The latter involves real-time monitoring of outlets to detect adverse media, legal filings, and threat-related information. Risk sensing uses natural-language processing and covers news media, open-source public records from government agencies (e.g., FCC, Office of Foreign Assets Control [OFAC], law enforcement agencies, and tax authorities), press releases, and reports by nongovernmental organizations.
Cementing the Relationship
ESG also benefits from coordination with business continuity.
Business continuity and ESG share the risks associated with reputational impairment and sustainable product and service delivery. With shared data, risk/threat intelligence, and risk sensing, both disciplines can manage these risks efficiently and successfully.