Integrating ESG, ERM & Compliance Reporting Can Be Done; Start Where You Are

While some U.S. organizations have taken a proactive approach assessing ESG risks, many still struggle to incorporate these risks into their existing compliance, legal and enterprise risk management (ERM) programs while breaking down siloed communications among their leaders. 

Compliance professionals have an opportunity to transform and create a unified risk management approach without imposing additional operational burden by leveraging their current compliance program function.

Getting started & who owns ESG

Start with existing activities that are already taking place in your organization. But ensure you have a good grasp of each of the ESG factors relevant to your organization and industry to avoid missed opportunities. Create an inventory of activities and risks, begin identifying owners of the metrics and then start collecting data.

The following are some example ESG activities and metrics:

• Green building and sustainability efforts: Carbon emissions, natural resources use, waste management, landscape choices, electric vehicle usage, product circularity
• Diversity, equity and inclusion (DEI): Employee and resource group diversity, supplier diversity
• OSHA, safety management program and emergency preparedness plans: Workplace violence preventionProgram, safety improvements
• Cybersecurity and data privacy: Breach notifications, breach costs, cybersecurity and privacy-related policies and procedures
• Human resources: New hires, retention rates, flexible work options, employee benefits
• Workplace health and well-being: Food safety, tobacco use, alcohol use, vaccinations, charity care services efforts
• Board composition: Percentage of female, male and underrepresented populations, independent directors
• Governance: Compliance program updates, integrated risk management program, new or strengthened policies

There is no single right or wrong answer to the question of who owns ESG; this is completely dependent on the organization and its structure. 

Consider which framework these activities will best align with. If there is an existing ERM governance structure at your organization in addition to a compliance program, there is an opportunity to integrate the identified ESG activities to avoid duplication of efforts. 

Over time, as communication and engagement strategies mature, you may develop an all-inclusive report or data dashboard to showcase metrics, risks and trends across the programs. 

The role of compliance officers

Compliance officers play a critical role in strategizing with leaders and the board about the organization’s mission and values, their commitment to integrity, fiduciary duty and corporate responsibility. Regulations, including upcoming ESG disclosures, are not what should drive organizations to demonstrate commitment to regulatory requirements and ethical business practices. Additionally, ESG is not only a risk management and compliance activity but also a branding outlet with ways to capitalize on opportunities that can bring additional funding and capital and also create competitive advantages. 

Consider including an ESG commitment statement into the compliance program plan, the code of conduct and ethics and/or in a separate ESG policy to set expectations from stakeholders — employees, third-party vendors, customers, investors and the community at large. Organizations faltering on their ESG initiatives will put their corporate reputations on the line and can potentially negatively impact stakeholders’ trust.

Compliance officers are uniquely positioned to facilitate cross-functional collaboration and ensure the organization is meeting its ESG priority areas as compliance programs were specifically designed to manage risks. The most practical way to incorporate ESG risks into the compliance framework is through the annual compliance risk assessment survey. 

Instead of having separate processes for risk assessment and ESG materiality assessments with stakeholders, combine the activities to streamline the process. Consider asking key culture questions to assess employees’ perception of ESG strategies like:

• How do you believe the organization promotes ESG sustainability?
• What activities or efforts you believe would foster greater focus on ESG in the organization?
• What initiatives are taking place in your department that could qualify as an ESG activity?

Reporting alignment

Integrated reporting of ESG, ERM and compliance metrics will streamline and strengthen an organization’s grasp of its major risks and issues. After building a framework to integrate ESG into ERM, the organization should keep the momentum up with relevant stakeholders.

This includes reporting out on findings and recommendations from risk owners. Additionally, building accountability of the risk owners by transparency of the reporting, highlighting that certain risks get communicated to leadership and the board and demonstrating ongoing progress reports will all emphasize that the risks metrics captured are important.

Creating a sustainability budget

Delineating a specific budget for ESG or sustainability activities is essential. ESG activities can share budget with compliance and/or risk management, or any other key business areas that make sense to your organization’s governance structure. This demonstrates true commitment to compliance but also to your organization’s vision and mission, and that is the ultimate goal.

Should your organization be limited in budget and resources, here are ways to prioritize your activities: focus on activities with the biggest impact in the community and business return on investment and activities with the highest levels of risk in terms of regulations, financial impact and reputational impact. For example, tracking carbon emissions is one ESG area that needs a dedicated lead that manages a budget to capture the full process of activities required to successfully measure carbon emissions. There are compliance, risk management and audit aspects for tracking and disclosing carbon emissions adequately.