
Integrated Risk Management and ESG: Collaborating for a Sustainable Future


Experienced risk managers have long understood that managing risks within a company can’t be done in isolation. They know that risk management truly adds value when it operates cross-departmentally, contributing to the overall success of the company.

What used to be a good practice but not necessarily a mandatory approach in risk management is now becoming a pressing requirement due to Environmental, Social, and Governance (ESG) regulations. These new rules require cross-departmental cooperation and even extend beyond the company’s own borders.

This presents a significant challenge for companies, and it is safe to anticipate that meeting these requirements will be nearly impossible without adequate technological support. In this article, we explore how integrated risk management and ESG are joining forces to create a sustainable future. We look at the complexities of this new regulatory landscape, the crucial role of technology, and the ways in which companies can effectively navigate these changes.


Tackling Modern Risk Management Challenges

In today’s fast-paced world, risk managers face numerous challenges. It’s not just about spotting risks but figuring out which ones matter most and how they impact a company’s strategy, goals, and key figures. Effective risk management means knowing who within the organization needs to respond and adjust processes when new risks arise. It also involves assessing how infrastructure, finances, and employees are affected, along with managing projects and supplier dependencies.

Specialized teams and risk specialists—such as Compliance Management, Business Continuity Management (BCM), Information Security Management, and Sustainability Management—are essential in developing management systems that meet legal requirements, ISO standards, and best practices.

Our data protection officers know everything about GDPR regulations and the relevant risks for the organization. But the big question is: “Does everyone in the organization understand these risks and consider the implications for their processes?” Or: “How can we prove that GDPR regulations are taken seriously and that risk-mitigating measures have been implemented across different departments, countries, or regions?” This is where Integrated Risk Management (IRM) helps specialists in various domains to:

  • Identify and evaluate major topics.
  • Manage topics across the organization by providing a unified system to address measures.
  • Define responsible parties affected by risks (e.g., through questionnaires).
  • Provide a system to monitor and track implementation effectively.

If we achieve this in our organization, we take a big step toward meeting the requirements of ESG regulations.

ESG: The New Entrant to the Risk Management Scene

Successfully integrating risk management within an organization simplifies compliance with Environmental, Social, and Governance (ESG) requirements. Historically, voluntary standards like the Global Reporting Initiative (GRI) and the UN Sustainable Development Goals (SDGs) formed the basis for ESG reporting.

However, recent years have seen a shift towards legal regulations aimed at achieving the goals of the Paris Agreement to limit global warming to 2°C, preferably 1.5°C.


In Germany, key regulations include the Supply Chain Due Diligence Act (LkSG), the Corporate Sustainability Reporting Directive (CSRD), and the Corporate Sustainability Due Diligence Directive (CSDDD). Each of these regulations has significant implications:

  • LkSG: Effective since 2023, this law requires large companies (with 1,000+ employees) to ensure human rights and environmental standards throughout their supply chains. Major issues include child labor, forced labor, and discrimination. Companies must produce annual reports, make them publicly available on their websites, and submit them to the Federal Office for Economic Affairs and Export Control (BAFA).
  • CSDDD: This EU initiative shares similar goals with the LkSG but applies Europe-wide. It was renegotiated to reduce the number of affected companies and extend implementation timelines. This directive is expected to come into force by 2027 for companies with 5,000+ employees.
  • CSRD: The most relevant regulation for risk managers, this directive mandates comprehensive sustainability reporting. It ensures that companies provide detailed accounts of their ESG practices.

The Corporate Sustainability Reporting Directive (CSRD)

The CSRD is a pivotal European Union directive that marks a new era of sustainability reporting. Its phased introduction in Germany will see the number of companies subject to this directive surge from about 500 to approximately 15,000. Across Europe, it is estimated to affect 50,000 companies.

The CSRD aims to enhance the quality and scope of sustainability reporting, focusing on supply chain activities in areas such as due diligence, human rights, and environmental and sustainability risks. It mandates formal complaint procedures, such as whistleblowing systems, and requires publication within the annual management report, shifting away from the non-financial reporting format used by its predecessor, the Non-Financial Reporting Directive (NFRD).

Requirements under the European Sustainability Reporting Standards (ESRS)

Under the CSRD, companies must adhere to stringent audit obligations and face potential sanctions for non-compliance. This directive introduces specific requirements for the risk management process, underscoring the need for detailed sustainability reporting. To facilitate this, the European Sustainability Reporting Standards (ESRS) have been developed, providing a uniform framework for sustainability reporting. The ESRS outlines over 80 disclosure obligations and more than 1,000 data points that companies need to report. Additionally, a technical XBRL structure is being drafted to streamline data extraction, benchmarking, and verification.

Challenges and Responsibilities of Risk Managers

Risk managers now face an expanded set of responsibilities, particularly in ensuring compliance with these detailed and extensive requirements. The increasing complexity of managing sustainability risks necessitates a collaborative approach between ESG and risk management teams. Integrating these regulations into a robust risk management framework ensures that companies can not only comply with current laws but also proactively address future ESG challenges. By adopting a holistic approach to risk and ESG management, organizations can navigate the complexities of modern business environments more effectively.

But a critical question is: Who spearheads ESG efforts within an organization? Is it the newly founded ESG department, the communications team, the finance department responsible for annual reports, or the risk management team?

Strategic Integration

A successful ESG strategy requires a clear captain to navigate these waters, setting a strategic course and defining organizational goals. This involves a comprehensive materiality assessment to identify important issues, an impact assessment to gauge the effects of the organization’s activities, and a stakeholder assessment to consider various interests.

Governance and Implementation

Effective governance structures are essential, encompassing guidelines, policies, responsibilities, and continuous improvement. The primary step is extending these structures across departments, entities, and subsidiaries. Understanding the business context (departments, assets, processes, and products) as well as the local context of countries and legal structures is crucial. Extending the ESG framework to include suppliers and supply chain involvement can significantly enhance its effectiveness.

Organizations must navigate various standards and regulations, including the LkSG, CSRD, GRI, and ESRS. Depending on the company's appetite, introducing additional requirement goals beyond the mandatory minimum can enhance effectiveness, though it adds complexity. Each standard brings its own specific topics and focus areas, requiring coordinated responsibility and management.

If measures are not implemented, it indicates a risk.

Materiality and Impact Assessments

The cornerstone of the CSRD requirements is the materiality assessment, which evaluates the significance of sustainability issues based on their potential impacts on the organization. This involves double materiality, considering both the impacts of sustainability issues on the organization (financial materiality) and the organization’s impacts on the environment (impact materiality). Assigning responsibility for each impact dimension—environment, operational/financial, legal, strategy, and stakeholders—ensures comprehensive management.

Stakeholder Engagement

Engaging internal and external stakeholders in the materiality and impact assessment processes is vital. Their concerns and perspectives must be incorporated, with internal coordinators assigned to respective stakeholders. This process helps filter and narrow down the topics to the most relevant ones, making the implementation manageable.

Data Management and Reporting

A robust system for generating and sending questionnaires, collecting responses, and creating comprehensive reports is essential. External data integration and an early warning system for new trends, dangers, and risks further enhance the management framework.

Reporting and monitoring ESG information is a complex task, requiring the development of key performance indicators (KPIs) and the collection of new data. This data must be monitored through internal dashboards and published in external reports. Additionally, incident management systems and whistleblowing mechanisms are necessary to report and address issues promptly.

Moving together: IRM and ESG

Navigating the complexities of integrated risk management and ESG compliance requires a strategic, collaborative, and systematic approach. By aligning risk management practices with ESG requirements, organizations can not only meet regulatory demands but also drive sustainable growth and resilience in a rapidly evolving landscape. A good integrated approach and solid GRC (Governance, Risk, and Compliance) software are essential to cut through the complexities and achieve meaningful impact.

This article is a précis of the presentation by Steffen Schürg delivered at the RMA Risk Management Congress 2024 in Hamburg, Germany, on May 13th 2024.