Looking for a path to environmental, social and governance (ESG) insights in a forest of GRC data
The last two years have shone a light on GRC – governance, risk management, compliance – processes and shifted many attitudes towards risk. Yet many organizations are left with many questions: What are the best practices to identify, analyze, monitor, and manage risks specific to your organization? Do these risk activities support future business growth, and should you implement ESG controls or reporting?
2021 was a year of resiliency as we rode the waves of the pandemic while facing surmounting pressures to address ESG – environmental, social, governance – within organizations. 2022 will continue these themes of resiliency and integrity but brings in agility.
Firms globally and across industries are focusing on resiliency. The organization must maintain operations in the midst of uncertainty and change, and this is becoming a key regulatory requirement in some industries (e.g., financial services). This requires a holistic view into the objectives and performance of the organization in the context of uncertainty and risk.
Organizations are striving for business and operational resiliency that requires integration and symbiotic interaction of risk management and business continuity. The organization in 2022 has to be a resilient and agile organization with full situational awareness of the interconnected risk environment that impacts them. To execute on strategy and be both agile and resilient, the organization has to see the individual risk (the tree), and the interconnectedness of risk to strategy and objectives (the forest).
The mathematics of risk management
Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential and sometimes chaotic relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, the effect is proportional to the cause.
In the non-linear world of business, risks are exponential. Business is chaos theory realized. The small flutter of risk exposure can disrupt objectives or even bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business objectives, the result is often exponential to unpredictable.
In this context, the organization also must address ESG in its strategy and operations. ESG remains front-page business news. Organizations around the world and across industries are challenged to define, implement, and report on ESG. The pressures are coming from all directions: investors, customers, employees, regulators, and activists.
The reality is that ESG has teeth, and organizations must do something about it. The goal is to be an organization of integrity to ensure that the values, ethics, statements, commitments, relationships, and transactions are a reality in practice, process, relationships, and transactions.
From resilience to agility
How can organizations not only be resilient but also agile while maintaining integrity amidst change and uncertainty (risk)? Organizations are seeking to increase organizational integrity that they live up to their ethics, values, commitments, and obligations amid uncertainty. They are also looking to increase business and operational resiliency and agility.
Ironically, all the elements of ESG are part of a well-structured GRC strategy. The official definition of GRC, found in the GRC Capability Model, is that GRC is a capability to reliably achieve objectives [GOVERNANCE], manage uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].
You start with objectives of the organization, and these can be an entity, division, department, process, project, or asset level objectives and from there have the context to manage risk/uncertainty and act with integrity.
Organizations need more structured guidance on how to deliver on GRC and ESG strategy and processes across the diverse areas of objectives, risks, and obligations.
A 5-step plan to address your GRC strategy in an ESG era
- Understand where you are and where you want to be. It starts with an honest assessment of your current state of GRC and ESG processes in the organization. What is being done today, what is working, what is not working. And, to get to the point, what needs to change. From there you can define your ideal future state in two years and build your roadmap to move from your current state to your future state.
- Get the right team on board. GRC and ESG are complex, they involve a lot of different departments. You need to identify the right core team members as well as the supporting team members. This involves framing a charter for a cross-department committee that can work together to address GRC and ESG in an integrated context. It also requires someone who is in charge and ultimately accountable for the integrated GRC & ESG strategy.
- Select the right technology foundation. You need to build your strategy on the right information and technology foundation that can deliver on your future state of GRC/ESG. ESG and GRC software and technology should fully support your vision and be able to deliver efficiency, effectiveness, and agility to your GRC/ESG strategic plan and processes.
- Break things down into stages. This is a journey from your current state to your future state, it is not a light switch that you flip on. You need to prioritize and break things down into stages that are achievable for your organization. If you try to take on too much too quickly then the project fails.
- Be ready for change. We live in a dynamic world and things change. You must be flexible in being able to address change to your risk, regulatory, and business environments as you execute your strategy and beyond. In the end, this is what we are trying to deliver: agility, resiliency, and integrity in the midst of a dynamic, distributed, disrupted business environment.
For additional insights
Join Michael and SAI360’s Jamie Walsh for an upcoming webinar, How to Build Your GRC Strategy, covering:
- Why your organization needs a solid GRC strategy in 2022
- Considerations when building your GRC framework
- How to think about ESG risks in the context of your existing processes
- Next steps you can take in your GRC journey – wherever you are now