The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
Ameet Barve, former Managing Director and Management Board Member, Lloyds Banking Group
Recently, the industry has seen a big shift in focus towards ESG, with climate change often dominating headlines. Why is it so important to ensure that attention is also turned towards the ‘S’ in ESG?
The core principle behind ESG is one of social contract. If you look at the genesis of ESG, its predecessor was CSR (Corporate Social Responsibility), which comes from the concept of ‘social contract’. The economist Howard Bowen wrote a book in the 1970s that talked about the social responsibility of businessmen: providing jobs; being fair and honest in dealings with employees and customers; and becoming more broadly involved in the conditions of the communities in which they operate. This was when we started seeing the pivot from individual business owners like Andrew Carnegie and J.D. Rockefeller contributing to society, to corporations as a whole taking on a more socially constructive thought process.
Over the years, following perspectives from thought leaders like Sandra Holmes and Prof. Archie Carroll, this evolved into CSR. While as a concept, social contract and CSR have been around for a while, ESG (with all its accompanying regulation and guidance) has made it possible for organizations to quantify and articulate the steps they take in this space.
That said, the environmental and governance elements of ESG are rather more quantifiable than the social, with metrics like carbon emissions and tangible governance actions around processes, values, and controls being broadly homogenous across industries. The social element, however, is somewhat more complicated. While there are topical issues that gain universal attention, quantification in homogenous terms of social initiatives that are targeted for each organization’s unique ecosystem is harder. All elements of E, S, and G overlap in their scope and impact, but there are no obvious metrics that all organizations can use to homogenously articulate their unique, socially focused initiatives. There is a lot of work to be done in defining these but, once actioned, more organizations will be motivated to undertake higher impact, socially focused initiatives.
As this evolves, there are a couple of nuances to ponder:
- The possibility of using ESG as a lens to articulate value creation as opposed to just risk mitigation.
- With ESG regulation becoming more prolific, and pending development of metrics to articulate social initiatives, the inevitable drift in corporate mentality from doing what organizations deeply care about, to only those initiatives they can quantify and advertise.
What are the best practices to improve the process, risk, and control data?
Accurate and timely information is key to an effective RCSA and it all starts with the risk and control data aligned to your enterprise process taxonomy. As a best practice, resources and capacity should be spent initially to create an enterprise taxonomy if one does not exist. If there is already a taxonomy in place, focus should be spent on reviewing it for relevancy to pockets of risk and revising it to ensure completeness. After this body of work is underway and substantially completed, focus moves to creating an initial baseline of your risk and control population, aligned to the process taxonomy – commonly referred to as the process, risk, and control relationship, or PRCR. This establishes the initial baseline that must be reviewed and updated regularly based on process changes and new initiatives. To be effective, this update must be integrated into the organization’s risk assessment policies and standard process, and also incorporated into the second line risk’s effective challenge review.
Why is first and second line partnership important?
In today’s business and regulatory environment, additional responsibility has been granted to and is expected of the first line to manage and own its risk. While this may not be a change at many organizations, additional requirements have led to the establishment and increased importance of first line risk teams who are required to partner with the second line risk oversight organizations to manage risk effectively and meet expectations as set by the Board. This relationship and partnership drive effective risk management. The second line teams must champion this partnership while also maintaining the level of independence required to meet their oversight responsibility and serving as a consulting resource and risk management expert across the company. While the first and second line risk teams ultimately serve and fulfil different mandates, effective partnership and sharing of information must be within the culture and norms of a company to thrive long term.
Where do we go from here? What are the next steps on the transformational journey?
The risk management journey is one with many off-ramps and opportunities to change course. To be effective, flexibility is a must to learn and change course in response to market, regulatory, and other requirements or expectations. As businesses continue digital transformation efforts, forward-looking risk managers must seek ways to better establish and use data to drive risk identification and seek out pockets of new or unidentified risk. eGRC technology tools continue to develop their capabilities to assist in this work, but more is needed to work with different disparate data sources – both structured and unstructured. The risk professional who is accountable to build the relationship is more important than ever, but data routines must be further developed and implemented to assist executives and Board with where to focus their human capital. Risk managers must seek routines to use the resources in place to do more in this ever-changing and transforming marketplace. This can only be done through the utilization of data to drive decisions through better risk identification and control automation.
David will be speaking at our upcoming Operational Risk Management USA Congress, taking place on October 12-13 at Etc Venues Lexington.