Podcast transcript: How to integrate ESG risk into risk management

26 min approx | 06 Sep 2019

Chris Hagler     

Welcome to Sustainability Matters, a regular podcast series of Ernst & Young (EY). My name is Chris Hagler. I'm one of the leaders in our climate change and sustainability services practice, and your host for this series. We've designed this podcast series to provide leading trends and practical advice about environmental, social and governance, or ESG, issues and opportunities facing businesses today.

Today, our topic is ESG and risk management. Two leading organizations, the World Business Council for Sustainable Development, or the WBCSD, and COSO, the Committee of Sponsoring Organizations for the Treadway Commission, recently released the final version of a document called “Applying enterprise risk management to environmental, social and governance-related risks.” This document was designed to provide guidance to help risk and sustainability practitioners apply ERM concepts to ESG-related risks.

This topic is particularly relevant today. Ten years ago, the top global risks, in terms of impact and likelihood, didn't include social or environmental issues for the most part. But today, three of the top five risks, as identified by the World Economic Forum, are climate-related. This just reinforces how important it is to understand how climate and other ESG risks can impact an organization. 

Today we have three experts on the topic of ESG and risk. With me today in person is Paul Sobel, and joining me on Skype is Rodney Irwin and Mark Weick from Dow. Paul Sobel is the chairman of COSO. Rodney Irwin is managing director of the World Business Council for Sustainable Development's Redefining Value and Education programs. And together, they worked as a team that included EY consultants to create this guidance. 

We also have with us Mark Weick, Director of Sustainability Programs at the Dow Chemical Company, who can provide us with practical advice on addressing ESG and risk. He was also very instrumental in helping create this guidance. 

Paul, I'm going to ask you this first question. COSO and WBCSD partnered together to develop this extensive piece of guidance on how to integrate ESG‑related risks into enterprise risk management. Why do you think this was needed?

Paul Sobel

Well, when COSO completed the ERM framework and issued it in 2017, we knew it was a fundamentally very sound framework, but it was still a bit theoretical. We were looking for opportunities that could really be applied at a practical level within organizations. 

Now, as you alluded to earlier, and I think Rodney will probably talk more about, ESG risks have become much more prevalent over the last decade. Investors have high expectations with regards to how effectively these risks are managed. So COSO and WBCSD saw a joint opportunity to issue practical guidance in how to manage this evolving and significant grouping of risks, while still using a very sound framework, such as the COSO ERM Framework.  


Rodney, maybe you could give us, first of all, a little bit of background about WBCSD; I'm not sure everyone is familiar with it. Why did you believe this was the right time to partner with COSO to create this Guidance? 

Rodney Irwin

WBCSD, or the World Business Council for Sustainable Development, is a membership-based organization headquartered out of Geneva, Switzerland. And in 2020, we will celebrate our 25th anniversary. The organization was created to help businesses convene and discuss some of these pressing challenges and opportunities; I think that's an important word that we must actually focus on during this podcast, as well as risk. 

We bring together around 200 of the world's largest organizations to look at the opportunities that the Sustainable Development Agenda presents, as well as the risks that need to be managed. And we help businesses understand the impacts and dependencies they have on various forms of niche natural capital or social capital issues and, hopefully, get them to work in collaboration to build solutions that they can then use to compete on performance and not on methodology when it comes to the real world.


So, Rodney, you said natural capital and social capital issues. Can you clarify for me a little bit, what type of risks and opportunities are these as it relates to environmental, social, governance? 


If we look at ESG, the "E" generally relates to all things to do with the natural world. And within the context of sustainable development, we consider that to be natural capital.  No business operates in a vacuum. It operates with the societies that it needs to purchase its products and services, as well as provide its manpower. 

The issues that companies are currently facing are very different to, say, those of 30 years ago. We now know that the resources being extracted from the Earth and the capacity of the Earth to grow the resources needed for a business is limited. And we have examples today of where certain products are dependent on existing stocks of rare-earth metals that will expire.  So, we know the companies have that dependency on natural capital.

No company can survive in a society that's not flourishing. Because without people having access to work, and access to decent work that provides a decent salary, then there is no money in the economy to purchase goods and services. So, there is a circle here that is symbiotic and interdependent. What companies are now realizing is that the development agenda is something that they need to pursue, and by pursuing that, that means managing those impacts and dependencies that are negative and pursuing those opportunities that the agenda is actually presenting to them.


This is Paul. I'd like to reinforce that last comment Rodney made, and one that he had mentioned at the beginning of his discussion as well. The COSO framework is titled “Integrating with Strategy and Performance” for a very good reason. This is not just about managing the downside of risk, the bad things that happen. 

It's also about pursuing opportunities, helping a company create more value and have more long-term success. 


Mark, can you share with us, from your perspective what these environmental, social, governance risks and opportunities look like? 

Mark Weick

From Dow's perspective, the kinds of environmental, social and governance issues that we face, and really the themes behind these issues, are well represented on page 8 of the guidance document, where under the environment category, we talk about themes of climate change and natural resources, and pollution and waste. As Rodney pointed out well, opportunities in clean tech and green building and renewable energy. 

Then there is a group of social-themed, human capital, product liability, stakeholder opposition and social opportunities, again, where we talk about the opportunities in communications and access to finance and access to healthcare, and in nutrition and health. 

Then in the governance side, we talk about corporate governance, but we also talk about corporate behavior within Dow and with other companies. This is a set of key issues like business ethics and accounting and corruption and instability and tax transparency. 

All of those kinds of things need to be considered when you're looking at the enterprise risks for an organization, and also the menu of opportunities available to an organization as they grow and as they serve a sustainable society.


That is really helpful, Mark. As you were talking, I was thinking that these didn't sound like sustainability risks, they sounded like business risks. How do you look at that at Dow?


Increasingly at Dow, sustainability is business. Our business strategy is interwoven with our sustainability strategy. Our ambition as a company is to be the most customer-centric, innovative, inclusive and sustainable material science company in the world. 

What you might consider, or someone might have considered in the past, sustainability concerns, are just simply good business. So, this guidance is trying to make sure that we drive home the point that environmental, social and governance issues and themes are not some sort of side stream or separate conversation. They're an integral part of a successful business strategy.


We talked a lot about the ESG side, but we haven't talked that much about what ERM is, enterprise risk management. So, our audience is probably a mix of sustainability professionals, risk professionals, finance professionals. Paul, can you talk to us a little bit about what ERM is, and how it can be used to raise sustainability or ESG issues in a company? 


Yes, happy to. The definition of enterprise risk management that's included in the 2017 Framework. It says, "Enterprise risk management is the culture, capabilities, and practices integrating with strategy-setting and its performance," hence the title for the framework, "that organizations rely on to manage risk in creating, preserving, and realizing value."

I think what's important in that definition, is "creating, preserving, and realizing value." Enterprise risk management — a decade ago — was probably viewed more as how do we minimize the negative impacts of those bad things that happen, where now it's evolved to be how can we be more successful. Preserving value is still a part of the definition, we can't ignore that. When we think really about long-term success, it's about also creating and realizing value.

ERM is not a process. It's not a department. It's not something that's bolted on. It really has to become a part of the thinking of everybody in the organization. I like to refer to it as a risk mindset, that they think about those principles in making decisions. Ultimately, successful ERM is really just enhancing people's ability to make good business decisions.


Well, Rodney, I can tell you, my clients ask me about this all the time, and it is so nice to have definitive guidance to go to them with when addressing how they should go forward. One of the things you said was that this gives the ESG people and the ERM team a common language, the ability to speak about issues and opportunities facing the company in the same way. What are some other practical parts of this guidance that will be useful for companies? Then, Mark, I'm going to ask you to chime in on this as well, please.   


The guidance has been written with two audiences in mind. So, it contains enough of the risk management language and process and definitions that the risk management community will be familiar with, but at the same time it also includes the references to the sustainability agenda and allows the sustainability professional and the risk management professional to have meaningful conversations around these risks and opportunities that really do need to be addressed in the decision‑making process. 

Apart from the common language, we have, throughout the document, delivered a number of real examples of fictitious companies; we have created a fictitious company called Pro PNP, which we use as a way of highlighting how the risk management process could come alive. We've also included other examples within the document. 

There's also a wealth of resources that exist outside of the guidance that both sustainability and risk management professionals can access, such as a diagnostic tool to help them to identify where they are today and identify where they want to be, and together, we can help them move in that direction. There is a board game that's been created to actually start those conversations, a bit of a fun way of introducing this topic to the different communities. And we're going to continue with the pilots, and we'll be developing cases as a result of that.


This guidance is particularly helpful because it uses the language that both enterprise risk management people would be familiar with, as well as the language that people who work in the fields of environmental, social and governance issues would understand. So, it's a very effective bridge and helps both sides think about longer-term issues with a common framework. That's what we're finding most valuable about this guidance. 


Mark, can you tell us a little bit more on how you've used this guidance at Dow? 


In my role at Dow, I direct both sustainability and enterprise risk management. It's been very helpful to be able to refer to this as we, for example, engage the people who own the topics around enterprise risk management in the company with the ESG concerns that relate to their particular topics, and also to be able to explain an enterprise risk management process in clear terms to people who are more concerned about environmental, social or governance issues. 

It's a very effective bridge that I use in conversation with experts on one side, say finance experts, who are more concerned sometimes about ERM as a process, and then environment, health and safety professionals, who might be more concerned about the ESG issues.


Mark, it sounds like you're the perfect person to respond, given you have both ESG and risk reporting up through you. That's not really the case with a lot of my clients. Rodney, what are your thoughts on how a company can use this practically? Then, Paul, I'm going to ask you as well.


When we run our workshops to help companies implement the guidance, where we start is at chapter one, which is looking at governance. And there, you can see very simply, by asking participants to a workshop to draw the governance structure of the risk management process and sustainability, or ESG, that in most organizations there is some sort of disconnect. Through actually acknowledging that there is a disconnect, you can help bridge some of those challenges.

Where there is connection, there sometimes can still be concerns over the raising of these issues to the appropriate decision-making body. And throughout the guidance, we have explored how best the company can start to do that. One of the really interesting things in chapter three is looking at the way in which risks are prioritized. 

So through the research that we conducted in advance of actually drafting this guidance, we were told time and time again by member companies that were involved in the research, that the time frame being used by the risk management community to assess and prioritize risks was perhaps too short, compared to perhaps some of the ESG challenges and the time frames under which they were being considered. 

So, the guidance gives examples of how other mechanisms can be used to prioritize. One such example is not looking at likelihood but looking at vulnerability or the ability to respond to vulnerability, or other dimensions in the risk management process. And that is one of the ways in which the guidance adds value. By actually then going through the diagnostic tool that we developed, you can also see where you have perhaps the areas of most challenge. 

Based on the workshops that we've done to date, I'd say companies are facing challenges around the disconnect that exists in the governance. That can be resolved quite efficiently once the problem is acknowledged, as well as the prioritization process.


I do actually talk to quite a few people around the world about this. It's been a very hot topic during my term as COSO Chair. Rodney did a good job of outlining it. First, stepping back, when people ask, how do we make the ERM Framework practical, I typically tell them, start with the 20 principles. 

Go through those principles and try and assess where are we as an organization and where do we need to be? Where do we have the biggest gaps related to those principles? That can be a real practical way of taking something that may seem overwhelming at the beginning and operationalizing it. 

The same applies for ESG. And this is where, again, I was somewhat amazed myself at how many good examples came out in this guidance. A reader of the guidance can look at it and say we need help with regards to a certain principle. Rodney mentioned a couple of the principles in the performance component that I think are very good examples. And reading the principle, you get an idea. 

But then, going to some of the specific examples that are in the guidance that WBCSD brought, or even some of the references to other sources, which I found extremely helpful for me as I gained more knowledge and experience on ESG risk, I think can really help a company tremendously. 

The challenge here is that it's not cookie‑cutter. There's no one‑size‑fits-all. It's really important that companies try to understand the principles, figure out how to apply them to ESG risks and then make it real for their unique risk profile and their unique circumstances.


You mentioned other guidance and other things that are out there. I very often talk about the Task Force on Climate-Related Financial Disclosures at the same time when I'm talking about this, because it provides a good background, specifically on climate, but obviously this guidance covers significantly more than that. 


I'll admit, that was a task force I wasn't very familiar with until I started reading about it in the earlier drafts of the guidance. I agree with you, Chris, that's very valuable information. And again, I think those who spend the time to go through this entire guidance will find other very valuable sources that may be fit for purpose for their particular needs.


Agreed. Alright gentlemen, we have been talking a lot about practical. I'd like to hear from each of you three things you think a company should do as they think about integrating ESG into their ERM processes. Mark, I'm going to start with you. 


I would advise a company to think very carefully about their impact and dependencies on the six capitals that are outlined on page 25 of the guidance. There's financial capital, manufactured capital; there’s human capital, social capital, natural capital and intellectual capital. 

When you think carefully about particularly your dependencies on those six capitals, you may think differently about the kinds of risks and opportunities that your enterprise has, that can be significant and have significant impacts not only now but into the future. 

The future brings me to the second recommendation. Think long-term. At Dow, back in 2009, we started thinking about our next-generation sustainability goals by looking at the future of the company and society on what will be Dow's 200th birthday, the year 2097. A lot of people thought we were crazy looking out that far, but it really helped us to understand where the company would be going to serve a sustainable society at that time frame, and then we were able to back up to think about the opportunities and risks that would then become articulated in the new company ambition and our 2025 sustainability goals. 

The third recommendation that I would have is to do a serious materiality assessment; to think through very carefully, what are the material issues, the most important issues that you need to tackle as a company, that matter most to the success of the company, as well as to your stakeholders? That is a good indication of the kinds of ESG concerns that you may need to bring into your corporate strategy and into your enterprise risk management discipline. 


Perfect. Rodney, what are your thoughts on the three things that a company should address in integrating ESG and ERM? 


The three things I would suggest that a company looks at, I'll be a bit more basic than Mark. I would actually ask the risk management community and the sustainability community to actually just have a coffee and get to know each other. Talk to each other and understand what each other's roles within the organization are. 

And during that conversation, look at the risks that the company currently discloses versus the risks, or the ESG issues, that they have in their sustainability reports or integrated reports. And if you notice a material disconnect, there is reason for you furthering your conversations together.

Secondly, I would make sure that you bring to the attention of the senior management, if not the board, the fact that this guidance exists, as well as the research that you've just conducted to show the disconnect, perhaps, in your own risk management processes. And make sure that, maybe they’re not going to read maybe the full document, but there is an executive summary that's available to them. Make sure that the people that make decisions in the company are aware that this document is there. 

And building, then, on what's already been said by Mark, I think really looking at the governance of the risk management process and the sustainability or ESG process and seeing how you could better align those processes to help with the implementation going forward. 




Well, it's great going last, because I think Mark and Rodney took some of my ideas, but I will try to position them maybe a little bit differently. Make sure all of you have at least read the guidance, whether you want to start with the executive summary, as Rodney mentioned, or dive into the full guidance. 

It's a free download from the COSO website, so there's really no reason not to at least go get it and use it as a reference going forward. There's a lot of really helpful information in there that will make you more successful in managing these types of risks.

The second thing I wanted to talk about, again, Rodney hit straight on, which is make sure that you are, in any way you can, trying to influence your board and senior management to appreciate, understand and incorporate assessment of these types of risks as part of their ongoing agendas. It's hard to really be successful long-term if you're not consistently looking at these types of risks. Risk managers and sustainability managers can have an influence in trying to make that happen. 

And to try and differentiate a little bit from what Rodney said, I would say that you can be involved with and influencing the type of information, the type of reporting, that goes up to particularly the board level. Make sure they're getting the right information, so they can provide that governance oversight and, ultimately, be giving the right direction to the executives in terms of how to manage these risks. 

The third is maybe a little bit of a departure. It's very relevant for this topic. It wasn't covered extensively in the guidance, but it was touched upon. I think there's still around the world, particularly in North America, a bit of a disconnect between a recognition of the ESG risks and the actual reporting on those risks as a part of either regulatory filings, sustainability reports, etc. 

There's so much opportunity for improvement around the world. There is some good guidance that's coming out of SASB and GRI, etc. And I would encourage all of those listening to this podcast to be advocates within their organizations, to try to advance the transparent reporting of ESG risks. 


That's a perfect segue, because my last question to you, Paul, was going to be, sort of, what's next? Where do we go with this now that we've got this great guidance and these two great organizations who've come together to create this? Sounds like helping a little bit with disclosures and focusing on that is part of what's next. What else do you see? 


I think that will be a big part of it. And this is something, Rodney, I guess, our two organizations need to talk about, is whether there are any particular areas where we need a deeper dive. COSO kind of has three levels of, I guess, guidance or publications. The frameworks sit at the top. The application guidance, which is a little bit broader, would be next. Then, again, the deeper dive guidance I think could be very helpful. 

We haven't had a chance to really take a good deep breath since this was issued late last year. But I believe there will probably be opportunities. Maybe it's around the six capitals from integrated reporting, I'm not sure. But I think there are opportunities to continue collaborating on getting better guidance out there to the business community. 


I'll tell you that my colleagues at EY would love to continue to support the efforts as we potentially take a deeper dive into the six capitals or into other specific areas. Well gentlemen, thank you so much. I appreciate you sharing your insights, your experiences, and providing guidance on how we use this very useful tool. 

For the listeners out there, if you want to learn more, you can access the guidance at COSO.org. You can also find it at WBCSD.org. Learn more about EY's point of view on ESG and risk at our Sustainable Impact Hub at EY.com. Follow us @EY_sustainable, and you can follow me @ChrisHagler. 

So, we look forward to you joining us on other podcasts and welcome any ideas you may want to share in terms of future podcasts. Thank you all very much.