Jon Reed’s recent article suggesting that ESG has teeth highlights that emerging ESG regulations threaten new financial burdens and risks enterprises are just waking up to. Jon said he had a complete attitude adjustment after discussions with Brian Sommers, who recently analyzed the impact of ESG in his new book Executive's ESG Playbook.
Jon observes that new regulations on climate change, banned materials, and labor require executive-level attention regardless of your political orientation on the various matters. Enterprises are going to have to take these things seriously if they want to continue selling into Europe, the US, and particularly in California, one of the largest US economies, which is enacting some of the toughest ESG regulations in the world.
Taking ESG seriously by adopting new software, reporting processes, and supply chain imperatives will be table stakes for all companies with global aspirations. But these also need to be balanced comprehensively against a broader set of risks. These include cybersecurity, IT, GRC (governance, risk management, and compliance), and additional third-party risks outside of the scope of ESG.
Comparing risks holistically
For starters, better approaches are required to surface these risks to CEOs and boards in an apples-to-apples kind of way. Top executive support will be essential in prioritizing funding and championing the culture change required to meet these risks head-on. Cybersecurity, third-party risks, and ESG risks arise in entirely different ways. But all of them threaten financial impacts of varying levels of probability.
Companies will need to develop a framework for translating these into dollars lost or potential occurrence that is relevant to their infrastructure, partnerships, process and technology stacks. Addressing or mitigating each one of these risks will come with various costs in skills development, new tools, infrastructure, culture change or new supply chain partnerships. A systemic approach can guide better discussions on balancing these investments across the emerging risk landscape.
There is also a need to continuously map new signals about these risks to enterprise exposures. How might growing US-Chinese tensions impact our supply chain or sales opportunities? How might new pandemic lockdowns affect our bottom line? What does the discovery that our product has a now-banned chemical in one of its key components or manufacturing processes mean for our business?
Risk chain analysis
Fortunately, risk management has a model to riff off from the security vulnerability management industry. Modern software stacks often comprise various open-source components that get vetted for security issues before publication. Occasionally researchers discover new vulnerabilities, like the Heartbleed bug, which went undiscovered for two years after it was published in a popular cryptographic library. In the days and weeks following the discovery, software and security teams rushed to replace the component with a safer one.
This helped drive interest in, and the development of, new software supply chain analysis tools that automatically map newly discovered cyber risks to existing software stacks to prioritize remediation. Similar approaches will be required to inventory and prioritize issues, such as the discovery of banned substances in product bills of materials. As Brian observed, this may not be easy since equipment providers may not have insight into banned chemicals in the gaskets, fire retardant, printed circuit boards, seals, and packaging that go into their equipment.
It may be up to intrepid researchers to discover these issues through careful analysis after the fact, much like the security researchers do today. New risk management tools that inventory bills of materials, supply chain providers, and existing business processes could help map newly discovered or emergent risks to a company’s risk portfolios for prioritization and remediation.
Agreeing on meaning
Each company will also have to develop a shared framework for communicating what different types of risks mean in terms of company values and risk requirements and how these map out across various teams and processes within the company. Some domains, like Generally Accepted Accounting Principles (GAAP), are pretty well established for financial risks.
ESG practices are still a work in progress. For example, are you going to decide that it’s OK to purchase carbon offsets from dubious schemes? Company stakeholders agree that carbon offsets provide a way to perform cost/benefit analysis around more ambitious plans to replace gas fleets in the supply chain or pay more for locally sourced raw materials.
There are also other emerging social and community-oriented metrics to consider that may not be currently required but have demonstrated value in local communities. For example, Social Determinants of Health is a new practice correlating various environmental and social factors to health outcomes. Metrics include things like income, locations of healthy and unhealthy food, education, and home ownership. Some healthcare providers are starting to adopt these measures. They may also provide insight and increase employee engagement in industries like supermarkets, food vendors, and financial services firms.
The learning and development tools industry has developed one promising approach to help enterprises create a shared understanding of the meaning of job roles that may apply to risk management. HR and talent development teams need to map out internal skills requirements for things like opening a new factory, implementing a new technology stack, or launching a sustainability program. The problem is that managers have different ways of describing these needs. The various recruitment boards and training services can include tens of thousands of categories for classifying skills that don’t directly map across platforms.
So enterprises are developing skills taxonomy programs for developing a shared understanding of what these mean within the enterprise. Vendors like Degreed, EdCast, LinkedIn, and IBM are starting to offer AI-powered skills discovery tools that map internal hiring and skills development requirements across the various learning and recruitment platforms. Similar risk taxonomy programs could automatically map enterprise risk management requirements to newly discovered risks and new regulations across different enterprise domains.
It is growing increasingly apparent that the future of risk management requires a holistic approach for comparing, prioritizing, and responding to risks across domains. It’s also telling that big-name management firms have adopted an increasingly complex lexicon of buzzwords to describe these new capabilities, including Vulnerability Risk Management (VRM) for cybersecurity, GRC platforms, Third Party Risk Management Platforms (TPRM), cybersecurity risk ratings platforms, supply chain risk management, IT Vendor Risk Management Solutions (IT VRM), and Sustainability and ESG software. Surprisingly, one dropped its Integrated Risk Management ratings category a year before writing that leading organizations were adopting IRM over GRC.
Perhaps it’s time to start thinking about these collective tools as simply Enterprise Risk Management (ERM) with various integrations, capabilities, and third-party components that build on these core platforms. The term has a long history among different professional groups. Unifying everything under one umbrella could go a long way to empowering risk management leaders in developing a more comprehensive risk management strategy.
In the long term, it may also be worth investigating the role that digital twins of supply chains, business processes, products, and physical processes could play in unifying these different domains into a coherent framework. The supply chain industry is already starting to adopt this concept. Recent research from Altair has found that the banking industry is similarly adopting digital twins to address security, fraud detection, and sustainability challenges.
Tackling risks across various categories in a systemic way will not be easy. No one tool is going to do it. It will require conversations and collaboration across all levels of the company. Change is never easy, but the various pending deadlines may push things along.
It’s also important to note that one company’s risk is another’s opportunity. Political tensions, large-scale fires and floods, and new ESG regulations will also create some opportunities for companies that can quickly fill the new gaps. Companies that develop the capability to identify and respond to the impacts of various risks systemically and continuously as they emerge will be in a better position to take advantage of these opportunities.