How to Build Your GRC Strategy in an ESG Era
Looking for a path to environmental, social and governance (ESG) insights in a forest of GRC data
The last few years have shone a light on GRC (governance, risk management, and compliance) processes and shifted many attitudes towards risk. Yet many organizations are left with numerous questions: What are the best practices to identify, analyze, monitor, and manage the risks specific to your organization? Do these risk activities support future business growth, and should you implement ESG controls or reporting?
2021 was a year of resiliency as we rode the waves of the pandemic while facing mounting pressures to address ESG (environmental, social, governance) within organizations. 2022 continued these themes of resiliency and integrity as the escalation of military conflict between Russia and Ukraine brought further uncertainty to the global landscape and demanded agility. Last year saw the emergence of genAI and brought the already present threat of cybercrime, and the need for improved cybersecurity, to the forefront of concerns for organizations. The end of 2023 saw conflict arise in Gaza, which has carried over into this year, bringing more uncertainty to the region and to the world. And over the course of these last few years, ESG regulations have continued to be proposed and put into action across the globe.
Firms globally and across industries are focusing on resiliency. The organization must maintain operations in the midst of uncertainty and change, and this is becoming a key regulatory requirement in some industries, such as financial services. This requires a holistic view into the objectives and performance of the organization in the context of uncertainty and risk.
Organizations are striving for operational and business resiliency that requires integration and symbiotic interaction of risk management and business continuity. The organization in 2024 has to be a resilient and agile organization with full situational awareness of the interconnected risk environment that impacts them. To execute on strategy and be both agile and resilient, the organization must see the individual risk (the tree), and the interconnectedness of risk to strategy and objectives (the forest).
The Mathematics of Risk Management
Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential and sometimes chaotic relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, the effect is proportional to the cause.
In the non-linear world of business, however, risks are exponential. Business is chaos theory realized. The small flutter of a risk exposure can disrupt objectives or even bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business objectives, the result is often exponential and unpredictable.
In this context, the organization must also address ESG in its strategy and operations. ESG remains front-page business news and organizations around the world as well as across industries are challenged to define, implement, and report on ESG. The pressures are coming from all directions: investors, customers, employees, regulators, and activists.
The reality is that ESG has teeth and organizations must do something about it. The goal is to be an organization of integrity to ensure that the values, ethics, statements, and commitments are a reality in practice, process, relationships, and transactions.
ESG regulations today
ESG-related issues, as we define them today, are nothing new. For centuries people across the globe have attempted to raise awareness and support of these issues. Over the last century, entire movements and organizations have been formed dedicated to environmental and social issues of the times, which have contributed to ESG awareness entering the mainstream and raising them to the forefront of global concerns.
The term "ESG"—environmental, social, governance—was coined in 2004 in a report from the United Nations (UN) titled "Who Cares Wins" and has since become a universal term. The last decade has seen regulations and policies regarding ESG become something of a trend as governing bodies across the globe have begun to see the necessity for ESG awareness and concern. The European Union (EU) has led the way in this regard, starting most notably with the Non-Financial Reporting Directive (NFRD) in 2014.
The NFRD got the ball rolling with EU companies disclosing ESG-relevant information, something the EU has expanded upon over the decade since. It required large public-interest companies in the EU—defined as companies with 500 or more employees (including listed entities and insurance companies)—to disclose non-financial and diversity information (environmental protection, treatment of employees, anticorruption and anti-bribery, etc.) in their annual reports. The NFRD was replaced by the CSRD, which was voted through in 2022 and went into effect last year, at the beginning of 2024.
The Corporate Sustainability Reporting Directive (CSRD) not only replaced the NFRD but expanded upon it, attempting to address major structural weaknesses in current ESG regulation reporting. With nearly 5x as many entities listed in the EU as under the NFRD—roughly 50,000 impacted—the CSRD has a broader scope which includes businesses, banks, and insurance companies. It also expanded the extent to which those impacted are required to report on sustainability-focused topics, such as social responsibility, respect for human rights, anticorruption measures, and board diversity. They must also report on how environmental and social matters are influencing their development and achieving environmental targets (i.e. double materiality).
In order for a company to be required to comply with the CSRD, at least two of the three following conditions must apply:
- Greater than €40 million in net turnover
- Balance sheet total assets greater than €20 million
- 250 or more employees
Furthermore, non-EU companies with an annual turnover within the EU of at least €150 million over two years consecutively must comply with the CSRD.
These regulations will apply this year for reports that will be published next year. Those reports must disclose both current and potential impacts related to a company's operations across its value chain—including products, services, business relationships, and supply chains—as well as double materiality. The European Sustainability Reporting Standards (ESRS) lay out detailed reporting requirements for companies within the EU under the umbrella of the CSRD, including EU subsidiaries and non-EU companies operating within the EU, with the first set adopted in 2023. The ESRS cover:
- General reporting principles
- A list of mandatory disclosure requirements for EU companies pertaining to the identification and governance of sustainability matters
- The 10 ESG topics on which disclosure is required, subject to a materiality assessment by each company
Similar, additional reporting standards should be expected moving forward.
The Corporate Sustainability Due Diligence Directive (CSDDD) was proposed back in 2022, passed by EU Parliament in April of this year, passed by the EU Council in May, and will go into effect this year after its publication in the EU Journal. It establishes legal accountability for companies concerning environmental and human rights violations, not only within the EU but across the globe. It has undergone some changes since December that reduced the scope of entities impacted and extended the timeline of implementation.
Businesses will be obligated to address both current and potential adverse impacts on human rights and the environment, including those related to their own operations, subsidiaries, and, most importantly, suppliers. To achieve compliance with the CSDDD, companies will have to identify, prevent, mitigate, and account for negative environmental and human rights impacts within their operations, subsidiaries, and value chain. Large companies will additionally be required to align their business strategies with the Paris Agreement's goal of limiting global warming to 1.5°C. As a result, these companies must have a plan for reaching net zero GHG emissions.
Companies based in the EU will be required to comply with the CSDDD if they meet the following:
- 1,000 employees or more
- A net worldwide turnover of €450 million
Companies based outside the EU will also likely be subject to compliance with the CSDDD if they conduct a significant amount of business in the EU. Those found not in compliance will be subject to penalties both at the EU and state level:
- At the state level, designated authorities will supervise and impose sanctions, such as fines and compliance orders
- At the EU level, there will be a network of supervisory authorities to ensure coordinated enforcement
As it stands presently, companies that do not pay fines will be subject to injunction measures, and authorities will take the company's annual turnover into consideration when imposing monetary penalties, such as 5% of the company's net turnover. Compliance with this directive may also influence the awarding of public contracts and concessions.
Fortunately for companies late in preparing for the CSDDD, it will be implemented gradually over the course of five years, with the larger companies being impacted first:
- By 2027 companies with 5,000+ employees and €1,500 million annual turnover
- By 2028 companies with 3,000+ employees and €900 million annual turnover
- By 2029 companies with 1,000+ employees and €450 million annual turnover
Non-compliance with the CSDDD could result in hefty penalties, so companies should be preparing now to comply. Some companies that are not subject to the CSDDD themselves may still be affected through their relationships with companies that are impacted by these regulations.
Outside of the EU, others have followed its lead with ESG regulations. The Financial Conduct Authority (FCA) in the United Kingdom requires a disclosure regime for ESG matters under the Task Force on Climate-related Financial Disclosures (TCFD), formed in 2015. Companies deemed a "premium listed company, asset manager, or FCA-regulated pension provider" and others will be required to make statements in annual financial reports. The FCA is also working on Sustainability Disclosure Requirements (SDR) as well as investment labels.
In the United States, the Securities and Exchange Commission (SEC) announced the formation of a climate and ESG task force in 2021, which will focus on material gaps or misstatements in issuers' disclosure of climate risks under existing rules. Initiatives will be developed "to proactively identify ESG-related misconduct" as well as climate disclosures for public companies. Also, in the state of California the Climate Corporate Data Accountability Act was passed by the State Assembly in September 2023.
In addition, there have also been global efforts to promote accountability and sustainability. The International Financial Reporting Standards (IFRS) Foundation has established sustainability disclosure standards and frameworks. The International Sustainability Standards Board (ISSB), formed back in 2021 in response to strong market demand, is developing standards that will result in a high-quality, comprehensive global baseline of sustainability disclosures focused on the needs of investors and the financial markets. They have a large amount of global support from a variety of entities.
The ISSB has set out four key objectives:
- Develop standards for a global baseline of sustainability disclosures
- Meet the information needs of investors
- Enable companies to provide comprehensive sustainability information to global capital markets
- Facilitate interoperability with disclosures that are jurisdiction-specific and/or aimed at broader stakeholder groups
In August of 2022, the ISSB absorbed its predecessor, the SASB (formed in 2011), and assumed responsibility for maintaining all SASB standards. This entails:
- Helping companies disclose relevant sustainability information to their investors
- Identifying the sustainability-related risks and opportunities most likely to affect an entity's cash flows
- Identifying the effects on an entity's access to finance and cost of capital over the short, medium, or long term
- Identifying the disclosure topics and metrics that are most likely to be useful to investors
In addition to the above examples, numerous other countries around the world have already implemented or are making plans to implement ESG-related legislation including Japan, Australia, Brazil, and Germany.
From Resilience to Agility
How can organizations be not only resilient but also agile, while maintaining integrity amidst change and uncertainty/risk? Organizations are seeking to increase organizational integrity so that they live up to their ethics, values, commitments, and obligations while dealing with uncertainty. They are also looking to increase operational and business resiliency and agility.
"Ironically, all the elements of ESG are part of a well-structured GRC strategy. The official definition of GRC, found in the GRC Capability Model, is that GRC is a capability to reliably achieve objectives [GOVERNANCE], manage uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]."
You start with the objectives of the organization (these can be entity-, division-, department-, process-, project-, or asset-level objectives) and from there have the context to manage uncertainty/risk and act with integrity.
Organizations need more structured guidance on how to deliver on GRC and ESG strategy and processes across the diverse areas of objectives, risks, and obligations:
- Understand where you are and where you want to be. It starts with an honest assessment of your current state of GRC and ESG processes in the organization. What is being done today, what is working, what is not working, and, most crucially, what needs to change. From there you can define your ideal future state in two years and build your roadmap to move from your current state to your future state.
- Get the right team on board. GRC and ESG are complex: they involve a lot of different departments. You need to identify the right core team members as well as the supporting team members. This involves framing a charter for a cross-department committee that can work together to address GRC and ESG in an integrated context. It also requires someone who is in charge and ultimately accountable for the integrated GRC & ESG strategy.
- Select the right technology foundation. You need to build your strategy on the right information and technology foundation that can deliver on your future integrated state of GRC and ESG. GRC and ESG software and technology should fully support your vision and be able to deliver efficiency, effectiveness, and agility to your GRC/ESG strategic plan and processes.
- Break things down into stages. This is a journey from your current state to your future state, not a light switch that you flip on. You need to prioritize and break things down into stages that are achievable for your organization. If you try to take on too much too quickly, the project fails.
- Be ready for change. We live in a dynamic world where things change rapidly. You must be flexible in being able to address change to your risk, regulatory, and business environments as you execute your strategy and beyond. In the end, this is what we are trying to deliver: agility, resiliency, and integrity in the midst of a dynamic, distributed, and disrupted business environment.
The integration of ESG considerations into GRC strategies is no longer optional but essential for organizations aiming to thrive in today's complex business landscape. As regulatory pressures mount and stakeholder expectations evolve, companies must adopt a proactive approach to managing their environmental, social, and governance impacts. By following the five-step plan outlined above and embracing the interconnected nature of GRC and ESG, organizations can build resilience, enhance agility, and maintain integrity in the face of ongoing challenges. The journey towards a comprehensive GRC strategy in the ESG era may be demanding, but it offers significant opportunities for sustainable growth, improved risk management, and long-term value creation.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.