Dr Glenn Frommer and Theodora Thunder, Principals, The Sustainability Partnership, offer advice to governance professionals on how to understand the drivers and processes used to manage ESG risk. Such an understanding is vital when it comes to successfully reporting on ESG risk in the management discussion and analysis (MDA) section of annual reports.

A recent study by the consulting firm Grant Thornton (see their Corporate Governance Review 2017) identified an overall weakness in governance reporting: companies (including some 56% of HSCI listed companies) fall short when disclosing the processes used to identify, evaluate and manage corporate risk. This article offers advice to governance professionals on the specific area of ESG risk, with a view to helping them assist their organisations to successfully manage ESG risks and to provide the basis for intelligent reporting on these risks in the MDA section of their annual reports.

Components of effective risk management

While the board has the ultimate responsibility for corporate risk strategy, the corporate governance function ensures that strategy, policy and processes integrate and continue to be effective and relevant.
Corporate risk management involves three key levers that determine its effectiveness:

  1. a well-thought-out and fit-for-purpose policy and strategy, and the supporting governance structure that organises roles and responsibilities, its management and the oversight of activities
  2. aligned risk-tolerance levels that articulate the board’s expectations and risk appetite, and
  3. the assurance processes and feedback loops that monitor and gauge efficacy of policy and strategy.

These are neither new nor unfamiliar concepts. However, with environmental and social risks now on the board’s agenda vis-à-vis potential impacts from the operating context and stakeholder activism, the governance function is tasked with more complex risk dynamics that require even more clarity on these levers.

Risk governance itself operates as an amalgam of all divisions within an organisation, populated by senior managers and chaired by the relevant legal or financial director, with regular board oversight. The risk management committee (or similar internal group) meets regularly, confirming risk impacts and providing senior management with risk heat maps. While the focus is generally on risks that could have short-term impacts, ESG issues draw attention to the longer-term horizons that affect corporate viability, for example, climate change.

1. Risk policy and strategy

The fit-for-purpose risk policy and strategy is articulated by the board. That is, the board nominates where the risk function is placed within the organisation and where it serves to most benefit the business strategy and the continued organisational development. Is it principally legal (compliance) based, or is it aligned to the financial function, serving to protect the company’s bottom line? From this high-level decision follows the thinking and framework for how risk is assessed, quantified, prioritised and managed across the organisation (see the sidebar ‘Legal or the financial bottom line?’). The benefit of a well-defined policy established and communicated at early stages ensures a high degree of focus, value and efficiency in the subsequent development and enactment of management processes at the operating level.

The business strategy is the conduit through which policy is enacted, that is, policy establishes the development pathway for the business strategy to operate. It is guided by a risk strategy that minimises or mitigates the ESG impacts, whether legally or financially based. The strategy also directs the resources allocated by the board to manage risk and its consequences.

Policy, however, is not static. Risk-focused policies, for example, require active monitoring and documentation to ensure that risk targets are achieved and, if necessary, are reset to respond to changes that affect organisational development. Programmes that operate under a system of continuous improvement, such as the ISO standards, are typical processes that support and test policy resilience.

2. Risk appetite and tolerance

The choice of a fit-for-purpose risk strategy influences how risks are subsequently assessed and managed to support the business strategy. This shapes risk appetite and tolerance, the processes of management and the expected outcomes. Similar to policy, risk appetite and tolerance require continual monitoring to optimise allocation of resources, purpose and practice.

Risk appetite defines the organisation’s capacity to manage risk. It is a function of internal skills and competencies, management systems and the financial capacity to cover the potential outcomes. In practice, risk appetite plays an important role in the calibration of risks, that is, defining materiality of risks. Amongst its functions, the risk appetite supports thoughtful deployment of resources and inhibits development of objectives that would exceed the risk appetite limits.

Risk tolerance refers to the acceptable variation in performance or mitigating actions. In other words, some levels of risk may exceed or be less than the appetite (or capacity to manage), but that difference is within acceptable levels of targets set. As an example, a set amount of funds and other resources are allocated to mitigating environmental breaches on a construction site. Provided the differences between expectations (for example the set dollar limit) and reality (the actual fine) are small, the risk tolerance would be acceptable. The outcome would be a lower risk exposure level that would still be flagged for continued monitoring. In the case of intolerance, a review of the cause of the breach or the capacity to manage the mitigating action would be in order to ensure that the risk is, in fact, effectively managed and that, in future, the tolerance level remains within the acceptable range. Repeated failure to reach tolerance targets should, in turn, flag the governing policy and/or strategy and question its continued appropriateness.

3. Assurance and management processes

Governance incorporates not just risk policy and procedures but the establishment or improvement of competencies and skills to manage impacts and potential disruptions. This raises a question about the operating-level understanding of the internal business and social systems’ infrastructure capabilities (a function of the risk appetite). A regular gap assessment would provide the markers for strengths and weaknesses and point to where resource allocation is needed for capacity improvement.

A productive gap assessment also addresses the risk tolerance in terms of the efficacy of the mitigation programme and outcome. A common mitigating outcome of an assessment is to set development in the direction of optimising business systems efficiency and, to a lesser extent, improvement of the social systems to engage. While business systems optimisation is the most common solution chosen, the actions to mitigate social and environmental risk through such optimisation increasingly demonstrate diminishing returns on their investment and less tolerance in risk acceptance levels. Continued use of this business systems favoured pathway can ultimately lead to the potential loss of competitive advantage. A more balanced, albeit more demanding in practice, approach increases the role of social systems (for example stakeholder engagement, co-generation of value) and the improvement of internal competencies to manage risks.

With the risk governance framework in place, the process for management follows with the deployment of appropriate assurance systems and feedback loops. The choice of systems is subject to specific company needs and functions. However, systems that include audit functions, internal controls and mechanisms for continuous improvement (for example the ‘Deming Cycle’) provide the reliable data and information that is collated, analysed and organised into board-level reports. These reports are expected to reveal which risk activities connect to and support the business strategy. Boards apply their own business expertise to the reports and provide feedback and guidance on adjustments or changes in risk strategy, thus creating the circular management loop necessary for sustainable development.
When discussing ESG risks and their management processes, the following summary points serve to help reporters clarify and articulate their understanding of the issues and to intelligently communicate to vested interests the company’s position and progress.

  • The fit-for-purpose ESG risk management policy and strategy is the responsibility of the board and senior management. They establish the thinking (corporate risk culture) that will guide management activities and determine the long-term organisational development direction. It is the role of the governance function to implement this policy and strategy.
  • The understanding and setting of targets for the risk appetite and tolerance levels are critical to successful risk practices at the operating level. Strategy and processes are monitored and adjusted on a continual basis to ensure relevance and to (re)confirm that policy is fit for purpose. An appropriate gap assessment can help to quickly identify strengths and weaknesses in these areas.
  • Best management practices require capacity building that incorporates both social and business systems for optimal efficacy of purpose and outcomes. Several standards and guidelines are recognised for building such capacity to manage risks, monitor performance and create feedback loops for board and senior management decision making. These include the ISO standards, EHS systems, balanced scorecard, global and industry-specific standards/guidelines and relevant codes of conduct. What is important to all processes is inclusiveness, materiality, transparency and accountability of action.
  • Reporting demands that information be verifiable, timely and relevant to senior decision makers for continued strategy validation and the organisational transformation necessary to achieve stated goals.

Dr Glenn Frommer and Theodora Thunder, Principals
The Sustainability Partnership
For further information contact: Thunder@streeter.com.hk.
SIDEBAR: Legal or the financial bottom line?

In establishing the fit-for-purpose risk strategy, one needs to consider the culture of the organisation that is reflected in the board’s aspirations/goals for the company and enshrined in policy. If it is legal/compliance driven, the organisation looks at the risks of non-compliance and formulates a set of agreed targets around the risks. Financial risks then fold in as one of the categories of risk within the portfolio. With a financial orientation, the organisation looks at the risks that influence the ability to achieve primarily the company’s financial objectives. Non-compliance risks in this scenario have narrow financial impacts. Targets or restrictions common to both typically include operational, safety, reputational and regulatory matters and the social licence to operate.

An example of a legal-based risk strategy would be a company that manufactures precision widgets that are assembled and supplied to another company. It operates a facility that requires specialised technologies and tools and is operated by a skilled team of professionals. The manufacturing process requires strict specifications and quality controls to ensure minimum error (and waste) in the final product. The risk strategy would take legal compliance as its primary driver. Risks, for example, could include contractual/product specifications and certifications, IP, IT and cyber security, disruptive or obsolete technologies and equipment, and staffing issues. The advantage of this strategy is that competitive advantage is achieved through controlled management systems for differentiation and focus. The company establishes and maintains an industry reputation through the precision and quality of its product.

An example of a financially aligned strategy would apply to a company that produces finished retail goods and employs a workforce located in multiple jurisdictions. Regulatory issues and compliance-based risks would apply; however, the scope of financial risks takes precedence due to the business purpose and the context in which the company operates. The board’s risk strategy would be financially oriented in consideration of its exposure in reliance on external supply chains and shared community resources, codes of practice and quality control, changes in consumer demographics and customer trends, climate change impacts, manpower and optimised manufacturing systems, geopolitical events, etc. The advantage of this strategy is that it considers context and the wider engagement of stakeholders to achieve and maintain competitive advantage through cost leadership and differentiation.