6 steps to building an effective ERM framework to encompass ESG risk


Enterprise risk management (ERM) frameworks can help manage ESG risks for all kinds and sizes of organization.

In brief

  • An effective enterprise risk management framework provides essential, quantifiable data needed to understand the scale and the variables affecting ESG risks.
  • Embedding ESG risk into your ERM framework is essential to meet the demands and expectations of boards, audit committees, investors and all other stakeholders.

It seems almost impossible that the complex and cluttered risk landscape that public and private companies must navigate every day could get any more challenging. But ESG (environmental, social and governance) risk has emerged rapidly to become a global, interconnected and all-powerful set of challenges to a company’s standing with everyone from employees to shareholders, investors and the board. The announcement in March 2022 of new SEC guidelines¹ intended to make disclosures and ESG reporting consistent is now only serving to spotlight the increasing significance of ESG factors and turn up the temperature for all executives on an already white-hot risk landscape.

All of this is intersecting with a public desire for companies to do right ethically and environmentally, plus increased investor demands for greater transparency and a recalibration of the modern workplace in a late-pandemic, post #MeToo era of employee and employer awareness. As this upheaval unrolls across everything from workplace culture to global citizenry and environmental stewardship, ESG risks, and the importance of managing them, grow in absolute lockstep. So much so that we’ve now reached a point where no company, regardless of size or public or private status, can view developing resilience to ESG risk as optional or as a can to be kicked down the road. We cannot simply check the box on ESG as we consider risk management strategies: it must become a No. 1 priority.


The good news is that while there has been a rapid increase in all kinds of new but investment-intensive models to tackle ESG, the toolkit and the expertise to do so actually already exist and are at many leaders’ disposal. Enterprise risk management (ERM) frameworks, when paired with an evolved and leading-class strategic approach to mitigating risk, can effectively model for, and manage, ESG for all kinds and sizes of organization. ERM is defined as a process, effected by an entity's directors/trustees, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.


Let’s break down the issues that executives need to know, as well as the strategic steps to monitor, manage and control the ESG risks that lie ahead.


Understanding the ESG landscape

ESG, as a term, covers a triple threat of environmental risk, social impact and corporate governance practices, along with what many companies don’t realize — the massive upside opportunities of managing them. As a unique universe of interconnected risks, it has been gathering velocity for some time and continues to gather speed. Together, ESG risk factors have sent corporations looking for ways to refine protocols and strategies to best manage their multifaceted implications for the way their organizations function, build profit and appear to everyone from their own people to the entire outside world.


With traditional forms of risk, the event horizon between risk exposure and impact to your business and your reputation can be three to five years. But with ESG the situation is more complex. An environmental risk event, for instance, can have short-term fallout as well as long-term implications for the reputation of your business and its long-term value. Take the case of an environmental accident caused by company negligence. Within hours you could expect to see negative media coverage and public condemnation across social media. Within days, regulatory complications arise, and most likely you will be dealing with cleanup and reparations for decades. All of this adds up to reputational damage that, if not addressed, can mean loss of business contracts, decline in customers and important partners distancing themselves from your company.


ESG risk doesn’t have to come in the form of a major environmental disaster that makes front-page news. The universe of risk is far more interconnected, running through almost every business practice. A coffee company falling down on fair trade practices, packaging that isn’t recyclable or non-sustainable energy usage are just a few examples of the many factors that can create negative customer impressions that hurt sales, damage reputation and even lead to investor fallout. And while your leadership team is dealing with these kinds of external outcomes, additional ESG risk comes from within in many shapes, from talent development requirements and practices to labor policy and workplace culture.


The Cone Communications Millennial Employee Study¹ found 64% of millennial employees won’t take a job if an employer doesn’t have a robust corporate social responsibility program in place. And with purpose-driven, socially motivated Gen Z making up 30% of the US workforce by 2024, the need for companies to become socially aligned with causes for good (and have the governance practices in place to support them) is now critical.


Ask yourself these questions as you ponder your current resilience to ESG risk. Are we a purpose-driven organization that our employees can support? Are we diverse from our workforce to our board? Do we have the recruitment practices and workplace environment and culture to foster equity, inclusion and diversity? If not, it’s time for change and a serious look at maturing your current ERM framework to manage ESG risk. Doing so will align your business with the perceptions and beliefs of the audiences that are critical to the survival of your business: your employees, customers and investors.


Identifying ESG as a universe of risks


ESG risk is not an island and can’t be managed in silos. It is an interconnected universe of risks that touches and impacts many aspects of an organization, with each risk affecting others. The quality and sourcing of raw materials, or wastewater production, will inevitably affect product production and reputation. While some companies look for new methodologies to understand and respond to material ESG risk, an ERM framework that incorporates assessment and management of ESG risks is a leading practice approach to leverage.


The discipline of ERM applied to an organization’s ESG risks is a way for leadership to evolve their thinking and recognize that significant risks can be triggered by factors as diverse as hiring practices, workplace culture, selection of packaging materials, and manufacturing and trade arrangements on the other side of the world. In a corporate landscape that was, for decades, geared around returning value to shareholders based on financial results, the business model of every 21st century organization must be recalibrated around a much broader and more inclusive idea of what true value means to all audiences.


Understanding upside – ESG as opportunity

As you build or evolve your ERM framework to assist in managing ESG risk and help prevent worst-case scenarios, it’s important to understand that ESG risks also present opportunities to review and improve company practices in ways that can bring real business benefits and a massive upside. Embedding ESG risk in your corporate strategies can better position your organization for a potential competitive edge over those peers and competitors who fail to do so.


As you begin to formulate your approach, assess your business for the upside gains of every strategy. Will committing to net-zero carbon emissions create goodwill and improve customer perceptions of your brand? Could adding qualified, diverse members to a board help bring new perspective to company strategy and boost the organization’s reputation with investors and customers? And could the process of upgrading environmental practices for compliance also present a positive opportunity for reputation enhancement, as well as potential improved efficiencies? There are already many instances of companies seeing upside benefits. Large airlines that are beginning to market their sole use of sustainable fuels, an ESG strategy, are also building loyalty among customers who prioritize environmentally friendly travel. Organizations that rely heavily on transportation logistics fleets are transitioning to electric vehicles to meet emissions reduction targets and, in doing so, are on track for long-term cost reductions in fuel and maintenance.


Using ERM to assess – and quantify – ESG risk

We can’t manage or model risk without first assessing, and most significantly quantifying, ESG risk across your organization. Which parts of your business are most exposed to ESG risk? Do your production facilities rely on fossil fuels for energy – an environmental risk factor with implications for renewable-energy-friendly customers? Are your products manufactured overseas by cheap labor? Is your supply chain a liability in an age of net-zero carbon emission declarations? A leading-class ERM framework must be built around five risk pillars – strategic, operational, financial, compliance and environmental. These enable a more complete assessment of risk exposure and quantification of likely impacts. Quantification, lacking in some ERM frameworks, is essential: it involves performing a baseline valuation of your business and then determining the deviation – up, or more typically, down – that each risk factor would cause in your company’s value. By modeling the predicted impact of identified risks, it’s then possible to map and prioritize appropriate strategic courses of action across your organization.


Meeting stakeholder expectations – embedding ESG risk into an ERM framework

Responding to ESG risk, or planning for it, varies in complexity based on sector, operating model or the level of exposure in your industry. But regardless of industry or sector, embedding ESG risk into your overall ERM framework is essential for ongoing business operations and, just as critically, to meet the rising demands and expectations of boards, audit committees, investors and all other stakeholders.


Many businesses will face high environmental risk factors, while others may need more focus on DEI factors within their workplaces. To build an effective approach, start with a materiality assessment of your risk factors, understand how leadership aligns around the issues and, regardless of whether you have a young or mature ERM framework, ensure that any strategies help your business comply with the new SEC guidelines on ESG reporting.


Building an effective ERM framework will provide you with the essential, quantifiable data needed both to understand the scale and the variables affecting ESG risks and to plan potential mitigation outcomes and the strategies to effect them. Six key steps to consider include:


1. Coordinate all responsible parties:

By its nature, ESG risk isn’t typically owned by one person or departmental lead in a company. It requires a collaborative and unified approach, including the company’s sustainability officer for input on environmental policy, the chief diversity officer on social, DEI and cultural issues, and appropriate C-suite leadership on all governance matters. For smaller businesses, that might mean the director of HR or the COO.


2. Prioritize and rank ESG risks:

All resources, time and money are finite, so it is essential to prioritize the most impactful ESG risk for your company, allocate resources to it first, and then address the others as far as is practical.


3. Determine risk tolerance:

As you prioritize risk, work with corporate leadership to determine the company’s risk tolerance across ESG matters. Allocate resources and budget accordingly.


4. Define and set sustainable development goals (SDGs):

What are your company’s ESG management objectives? Will you change environmental practices, evolve workplace culture, adopt a net-zero carbon emissions pledge? Set achievable goals with a defined timeline and metrics to chart and measure success, and determine strategies to achieve each goal. The United Nations’ 17 Sustainable Development Goals (SDGs)² provide an excellent framework to build around.


5. Align internal and external communications:

Ensure you communicate your company’s position and goals to employees so they can buy into the process and feel co-ownership. And design a communications process and plan that embeds ESG messaging into all external communications with customers, the media and investors.


6. Monitor risks and adjust as needed:

ESG risks may evolve over time or new ones may emerge, meaning it’s critical to monitor risk on an ongoing basis and adjust strategies accordingly. Doing so requires high-quality, standardized data from all ESG touch points of your organization.

Remember, as you evolve and implement ERM strategies and monitor risk, that ESG is a moving target with implications that can hit hard today and last for years. It’s increasingly global and interconnected, and managing it with an effective ERM framework is central to protecting everything you do as a business, your people and your culture for today – and tomorrow.

Special thanks to Audrey Bauman, John Rogula, Michael Tippett and Mangesh Ulman for their contributions to this article.


Enterprise risk management (ERM) frameworks should be paired with a leading-class strategic approach, especially when it comes to mitigating risks associated with ESG. ESG risks span whole organizations and should not be managed in silos. To help navigate ESG, consider leveraging an ERM framework to assess your company’s current ESG risk.
