This is the third in a series of articles introducing the three components of ESG: Environmental Risk, Social Risk, and Governance Risk.
When we discuss Environmental, Social, and Governance (ESG) risks, governance is often downplayed. It is a mistake to assume we already understand governance risk simply because we are familiar with basic governance, risk, and compliance models. The governance risk model in ESG covers organizational leadership and decision-making that involves outside stakeholders and weighs the environmental and social impact of the decisions made by those in leadership. In this article, we will reshape your understanding of governance risk as a component of ESG risk in preparation for potential future ESG requirements.
What Is Governance Risk?
Governance risk includes the risks related to an organization’s ethical and legal management, the transparency and accuracy of reported company performance, and involvement in other ESG initiatives important to stakeholders. Governance risk is owned by the board of directors and senior management, but since it cuts across many layers of an organization, ownership is also shared with the control owners in the first line of defense. At the top, the board of directors and senior management set the tone and policies that permeate the organization. In a traditional view, those policies and control procedures are implemented by the first line, supported and monitored by the second line of defense, and then tested by the third line. When we take a more inclusive perspective, the governance risk model is also influenced by employees, investors, social pressure, politicians, and many others. These players increase pressure on the organization’s leadership to act in different ways. Corporate shareholders have the right to hold the company accountable for governance issues.
What Are Some Potential Governance Risk Issues?
Governance risk issues do change over time. Currently, many of the problematic governance areas are common across industries. For example, the C-Suite and the board of directors are responsible for executive compensation, setting direction related to ESG initiatives, and addressing concerns related to data privacy.
Executives have come under fire for extravagant lifestyles, unjustifiably high compensation, and “golden parachute” deals in their contracts that guarantee payments even when they are terminated. In the spirit of ESG transparency, boards are setting policies to disclose C-Suite and board pay as a ratio to average employee compensation.
Organizations also face reputational risk when they do not follow through on other ESG initiatives. The governance risk model includes monitoring management’s implementation of policies that support social and environmental risk actions and providing accurate and reliable reporting on those efforts.
Customer Data Usage
Customer data usage is also a current area of focus for governance groups in organizations, and the topic of inappropriate data usage has risen in priority. For example, big tech companies have been called before the US Congress to explain how they capture and use your data. Ultimately, the internal policies set in place to address data usage are the responsibility of the C-Suite and the board. When the data usage is deemed inappropriate, they are held accountable.
How to Assess Governance Risk and Compliance
Approaching a governance risk and compliance review can seem overwhelming for most auditors. Often the audit teams do not feel qualified to question the actions of the most senior organization members. The auditor’s role within the governance system is to evaluate the adequacy of the decision-making processes and the flow of information to the internal and external stakeholders.
One approach to testing is to take a bottom-up view of governance risk. This approach reviews the assurance, risk management, and compliance processes meant to inform and guide senior leaders. Essentially, it tests the assurance environment as a reflection of the top levels of governance. Starting with the three topics previously discussed, transparency in executive compensation is tested as a mirror image of the governance perspective on race and gender pay equity. An internal audit of the corporate sustainability program would give insight into the board’s motivation for social responsibility. We can also see how risk management silos that overlook the full scope of compliance with privacy regulations reflect the leadership view of confidential data usage.
As we reshape our idea of governance and seek to reduce risk in this area of ESG, we can rely on our tried-and-true risk management and compliance auditing skills. Auditors should consider the broader implications of findings throughout the organization, as these provide a baseline for understanding governance risk.
Overcoming Top ESG Program Challenges
Leading organizations have found that their biggest challenges with managing an effective ESG program relate to:
- having one system of record to track all ESG initiatives and claims;
- collecting evidence to substantiate the organization’s progress towards those public claims;
- selecting the appropriate framework(s) to map against;
- consolidating results for ESG reporting purposes, whether into stand-alone ESG reports or as part of their broader annual reporting.
Whether you’re looking to start or accelerate your ESG journey, implementing connected risk management software can help your organization get on the right footing going forward in preparation for potential future requirements.