Looking Beyond the Acronyms: A More Practical Approach to ESG & GRC
Companies that adhere to ESG standards and GRC policies sometimes miss the forest for the trees. Although they want to be known for doing business with integrity and transparency, they associate the alphabet soup of requirements with compliance burden instead of embracing them as essential strategies for identifying and mitigating risks and strengthening their brands.
As ESG and GRC became corporate buzzwords over the years, companies also grew increasingly overwhelmed. The individual elements and scope of these acronyms vary by industry and within organizations. They could mean different things to different companies.
For one, there’s not a single global standard for ESG; there are various reporting standards. Each organization must choose and develop the most suitable strategy and process. The UN Global Compact is a key driver in advocating for responsible and ethical business practices, focusing on human rights, labor, the environment, and anti-corruption. It’s the largest corporate sustainability initiative in the world, with over 16,000 participating companies and 3,800 non-business participants.
While the management principles behind GRC have been around for a long time, the way those principles are being used is evolving as more regulations requiring risk management emerge. GRC applies to all organizations across industries with departments that perform compliance work, such as internal audit, legal, finance, and IT.
Expanding Corporate Responsibilities
Companies have traditionally used GRC to help them achieve business objectives with integrity, which is also the overarching goal of the regulations that GRC programs are built to address, such as:
- U.S. Foreign Corrupt Practices Act (FCPA)
- U.K.’s Bribery Act
- France’s Duty of Vigilance Law
- Australia’s Modern Slavery Act
Corporations trying to comply with the abovementioned regulations are facing even more requirements. Germany's Supply Chain Due Diligence Act (LkSG) takes effect on 1 January 2023. In the U.S., the Securities and Exchange Commission has proposed rule changes that would require registrants to include certain climate-related disclosures in their registration statements and periodic reports.
It’s easy to see why these growing requirements can feel challenging. Let’s take a look at how you can ease the pressure.
A Practical Approach to ESG and GRC
Although ESG and GRC are distinct, they share many commonalities. Focus on those common attributes for a holistic approach to compliance. Concentrate your efforts on operationalizing ESG and GRC, so they become part of your corporate culture.
ESG and GRC share “G” for governance and both help companies attain principled performance. Governance refers to how a company is run and how management makes decisions and fulfills the company’s mission.
For ESG adherence, governance covers human rights, fair labor, and antibribery and anticorruption practices, among others. These areas overlap with GRC for companies that comply with the FCPA, the Modern Slavery Act, and similar laws. ESG is largely about disclosure and reporting, whereas GRC focuses on the underlying processes (e.g., risk assessments, due diligence, and ongoing monitoring). The two fit together: the evidence produced by GRC processes is what a credible ESG report is built on.
While ESG doesn’t specify “R” for risk, the issues it deals with (labor, human rights, climate, environment) actually refer to the risks that companies must manage for GRC compliance. It behooves you to use ESG as an indicator of certain risks you need to mitigate or remediate.
For example, a company doing business in Germany can use the "E" criteria in ESG to assess the risks it must manage under the new German law, which requires environmental due diligence (e.g., non-compliant waste disposal and the illegal import and export of hazardous materials). It also requires human rights due diligence (e.g., child labor), a component it shares with laws such as the Modern Slavery Act.
Both ESG and GRC standards can help you screen third-party intermediaries, from upstream suppliers to downstream distributors, vendors, and agents. Applying ESG and GRC principles to that screening helps you avoid third parties that turn out to be dishonest, unethical, or corrupt, and that can damage your brand, expose you to liability, and increase production costs.
The Role of Technology
The manual collection and analysis of the information needed for due diligence, reporting, and compliance is one of the biggest challenges many companies face. It is time-consuming, error-prone, and inadequate at the scale of a modern supplier base. Automation is a prerequisite for improving the process and increasing both the efficiency and the effectiveness of compliance work.
Technology can play a crucial role in integrating your ESG and GRC efforts and facilitating compliance. Choose an end-to-end third-party risk management (TPRM) platform that can be tailored to your company's risk exposure, criteria, thresholds, and workflows. Whether you are looking to automate manual processes or to improve an existing electronic system, here are some of the capabilities to look for when evaluating a TPRM solution:
- Risk assessments configured to your unique criteria and thresholds
- Baseline benchmark reporting with the ability to repeat at set frequencies
- Ongoing monitoring and reporting
- Resilience indicators across key ESG performance areas
- Custom questionnaires covering risk assessment and review
- Executive risk summary on subject entity and associates
- Risk-based due diligence covering litigation, criminality, bankruptcy, and ultimate beneficial ownership (UBO)
- Discreet inquiries under strict confidentiality rules
- Third-party training, certification, and verification
Beyond compliance, ESG and GRC can help you earn social capital and strengthen your brand. Indeed, more than 90% of S&P 500 companies and 70% of Russell 1000 companies now publish ESG reports in some form, according to a McKinsey report. Don't get hung up on the acronyms and the burden they imply. Embrace them as part of your long-term strategy for achieving business goals and advancing the organizational mission.