
How to Operationalize ESG with GRC | Guest Blog by Michael Rasmussen

Take advantage of GRC’s structured guidance to deliver on ESG strategy and processes.

ESG – Environmental, Social, and Governance – is pressuring organizations from every angle. Investors are making investment decisions based on the ESG practices of companies. Individual directors on boards are being voted out based on ESG metrics. Employees, as well as clients and customers, are deciding whom to work for and do business with based on shared values. And regulators are focusing on ESG, most recently the SEC with its proposed disclosure requirements for climate change.

Organizations around the world and across industries are challenged to define, implement, and report on ESG. The goal is to be an organization of integrity: to ensure that its stated values, ethics, statements and commitments are a reality in its practices, processes, relationships and transactions.

However, understanding ESG is complex. As a guide, but not exhaustive, ESG covers:

  • Environment. Climate change, natural resource utilization, pollution and waste, biodiversity, certification and carbon footprint/emissions.
  • Social. Child labor, forced labor, socio-economic inequality, privacy, personal data use, diversity and inclusion, working conditions, health and safety and product liability.
  • Governance. Corporate governance, fraud, anti-bribery and corruption, anti-money laundering, internal controls over financial reporting, security, corporate conduct and behavior, anti-competitive practices, tax transparency, ownership and structure.

The challenge is that there is no single global standard for ESG. There is some reporting guidance – the most popular is the Global Reporting Initiative (GRI) – and what is now the Value Reporting Foundation (the merger of the International Integrated Reporting Council (IIRC) and the Sustainability Accounting Standards Board (SASB)).

None of these is complete; each has its own perspective. The organization is left to develop a strategy and process that delivers what it needs to report to its respective interested stakeholder groups.

GRC: The missing link in ESG strategy and processes

Organizations need more structured guidance on how to deliver on ESG strategy and processes across the diverse areas of ESG. 

Enter Governance, Risk Management and Compliance (GRC). Ironically, all the elements of ESG are part of a well-structured GRC strategy. This delivers a complete view of organizational objectives, risks, compliance and controls with an architecture that unifies strategy, process, accountability and reporting.

In fact, the OCEG GRC Capability Model supporting guidance has included all the areas/components of ESG for the past 15 years. 

The common core element of the acronyms ESG and GRC is the G for governance. A good ESG strategy is going to start with a strong governance structure. It is here that the organization sets clearly defined objectives for ESG overall, for each component/area of ESG, and for their varying sub-elements. Once objectives are established, the organization can assess, monitor and manage uncertainty to those ESG objectives; that is risk management. From there, the organization can provide assurance and report that it is operating with integrity in the context of its stated ESG statements, commitments and obligations.

Applying the GRC Capability Model to an ESG-specific context

The GRC Capability Model has four components: Learn, Align, Perform and Review. Applied specifically to ESG, this is how it works.

  • Learn. Here we clearly understand both the internal and external ESG context of the organization. The external context includes what is expected of the organization from stakeholders, regulators, customers and other influencer groups for ESG. The internal context looks at what executives and employees are doing and expect, and at the processes, transactions and relationships of the organization. Learn then takes a close look at the organization’s culture, how it aligns with ESG and how it may need to adapt. Finally, it identifies and documents the stakeholders that are part of the ESG program, along with their reporting requirements and relationships.
  • Align. Next, we have to align the organization to work together as an ESG team and clearly detail the ESG objectives, risks and controls. This starts with direction: an established ESG working group or committee led by someone with the authority to deliver on ESG and GRC. The overall objectives of ESG are documented, and the process begins to identify the supporting objectives and related risks in ESG. These objectives and risks are assessed for uncertainty and conformance to requirements, and an overall program is designed with appropriate policies, processes, monitoring, issue reporting and assurance.
  • Perform. This then moves us to perform. Once we have the ESG/GRC process designed, it needs to become operational. This starts with clearly defined ESG-related controls and policies to be implemented across the extended enterprise. From here, the various groups need to be informed and educated on their roles and responsibilities in ESG. There should be clearly established incentives for achieving objectives, along with an appropriate response to issues and failures. The organization should have established processes for identifying issues, assessing ESG/GRC, and reporting and responding to issues that arise.
  • Review. From here, we move to the review component: continuous improvement and assurance. This involves ongoing monitoring and reporting on ESG to the various stakeholder groups. Audit plays a critical role in providing assurance on ESG objectives, risks and the related processes, policies and controls. And the organization looks for ways to continuously improve ESG in the context of its broader objectives and operations.

Figure: GRC Capability Model used for ESG.

Of course, that is the summary version of the GRC Capability Model used for ESG. There is a lot more detail and breakout of each component, as there are well-defined practices, actions, controls and documentation for each of Learn, Align, Perform and Review.

ESG, as a part of GRC, is performance against objectives delivered through the actions, behaviors and transactions of the organization. If you are defining your organization’s ESG strategy, I encourage you to look at the GRC Capability Model and adapt it to your specific needs. As with any standard/framework, it is adjusted to your particular context.

Technology plays a crucial role in delivering ESG. Organizations need a core ESG/GRC reporting and monitoring platform. However, this architecture needs to be as engaging for front-line employees as it is for the back-office subject matter experts. It needs to be highly configurable and adaptable to the ESG context of the organization. And it needs to be able to integrate with other business systems and external content/intelligence providers. 

Take the next step in ESG by starting a conversation with SAI360. Learn how our technology enables you to realize your ESG strategy.

About the Author

Michael Rasmussen, The GRC Pundit and the founder of GRC 20/20, is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 27+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester. Michael has contributed to U.S. Congressional reports and committees and is an OCEG GRC Fellow, and an Honorary Life Member and a Global Ambassador of Risk Management with the Institute of Risk Management.
