As risk management becomes more relevant to the governance professional role, a new report highlights the unique contribution practitioners can make to ESG and technology risk management in organisations of all types.

It would be something of an understatement to say that risk is front of mind at the moment in organisations of all types and across all industries. When faced with shocks on the scale of the Covid-19 pandemic, interstate conflict, climate change, biodiversity loss, cyberthreats and digital transformation, it is small wonder that risk management has found its way to the top of the agenda. 

A new report – Roles of Governance Professionals in Today’s Post-Pandemic and Dynamically Changing Risk Environment (the Report), jointly published by the Institute, the Corporate Secretaries International Association Ltd (CSIA) and Ernst & Young Advisory Services Ltd, looks at the implications of this for governance generally and the roles of governance professionals specifically.

‘The current environment has prompted boards to seize the opportunity to reframe their risk management approach and improving risk management has become a top priority to keep pace with disruptions,’ the Report says.

The Report was based on a global survey (the Survey) of 1,752 CSIA members carried out in December 2021. Respondents were governance professionals in diverse industry sectors and organisation types (including listed companies, private enterprises, government and regulatory bodies, and non-governmental organisations), and based in Hong Kong and the Asia- Pacific region, as well as Europe, Middle East, India and Africa (EMEIA). 

The growing relevance of risk 

As you might expect, the greater focus on risk management across all types of entities has had an impact on the work of governance professionals. The Survey indicates that risk management has become a larger part of the governance function in all of the geographical areas included. 

Figure 1 (see ‘Survey findings’), for example, shows that 83.5% of respondents overall reported that they are involved in risk management activities. The figure is particularly high in Asia-Pacific (excluding Hong Kong) (95.1%) and EMEIA (87.3%).

The Survey also assessed which specific areas of risk management governance professionals are involved in and here the findings are particularly apposite to the recommendations of the Report because the areas of ESG and technology risk receive significantly less attention from governance professionals than their traditional domain of regulatory risk (Figure 2). While 57.8% of Hong Kong respondents reported that they play a role in regulatory risk management activities, for example, only 36.5% and 10.6% play a role in ESG and technology risk management activities, respectively.

These findings are also reflected in the data for other geographical areas included in the Survey. In particular, Figure 3 shows that technology risk management lags significantly behind regulatory risk and ESG risk in terms of the degree to which it features in the work of respondents to the Survey. 23.2% of respondents in EMEIA and 36.6% of respondents in Asia-Pacific (excluding Hong Kong) are involved in technology risk management.

The Report explores possible reasons for these findings and makes recommendations on how governance professionals can step up their game in ESG and technology risk management. In an environment of closer stakeholder scrutiny of organisations’ social and environmental impacts, together with the increasing importance of technology to the future prospects of organisations of all types, these issues are certain to have an increasing impact on their evolving roles. Moreover, their unique position as trusted advisers to the board gives governance professionals an opportunity to significantly enhance the value they add to, and their status within, the organisations they serve.

ESG risk management 

Societal and environmental risks dominate the top risks identified in The World Economic Forum’s Global Risks Report 2022. In particular, the health of the planet dominates concerns with climate action failure, extreme weather and biodiversity loss ranking as the top three most severe risks. 

You might expect governance professionals, therefore, to be heavily involved in ESG risk management. Apart from anything else, ESG compliance and disclosure are increasingly becoming a regulatory risk. While ESG reporting requirements vary significantly in different jurisdictions, organisations globally are expected to measure, manage and communicate their environmental performance in areas such as emissions, waste production, and energy and water consumption. Moreover, regulatory requirements are becoming tougher in areas such as climate change, and diversity and inclusion. Organisations globally are having to adapt to much greater expectations of the metrics and targets they disclose relevant to their ESG performance and they are having to expand the scope of their reporting ever further into their supply chain and indirect impacts.

Despite the trends highlighted above, the Survey indicates that overall about half the respondents are currently involved in ESG risk management. The reasons that this critical area of risk management does not feature more highly in the work of governance professionals are probably diverse. The Report speculates that the following factors may be involved:

  • governance professionals being underutilised 
  • governance professionals being of insufficient seniority in the organisations to lead or participate in ESG initiatives 
  • lack of awareness and acknowledgment of ESG as a board-level issue, and
  • governance professionals not having access to the board or key stakeholders within the organisations. 

To enhance their contribution to ESG risk management, the Report recommends that governance professionals should start by improving their own awareness and understanding of ESG issues. ‘To facilitate ESG development within organisations under the ever-changing business landscape, it is vital for governance professionals to continually build on their relevant knowledge base through training and professional development programmes. Only by being well versed in ESG and sustainability factors can governance professionals effectively advise the board on the integration of ESG value drivers into sustainable business models,’ the Report says. 

This will enable governance professionals to play a key role in helping the board stay in touch with ESG developments and enhancing the board’s oversight of ESG risks and opportunities. The Report adds that this also applies to staff at other levels in organisations. It suggests some measures governance professionals can consider to achieve this, including: 

  • circulating newsletters and articles in relation to ESG within the organisation 
  • conveying the board’s ESG message to staff through internal communication channels, and 
  • conducting periodic ESG workshops.

Technology risk management

A similar picture to the one described above emerges in the Report’s discussion of the involvement of governance professionals in the management of technological risks. The management of risks arising from issues such as digital transformation, data privacy, cyberthreats and the adoption of emergent technologies is, and will continue to be, a critical concern for organisations of all types, but the Survey indicates that a relatively small percentage of governance professionals are involved in technology risk management. 

The Report suggests that this is likely to be at least partially the result of the lack of consistency about the role that governance professionals can play in technology governance. A common misunderstanding, for example, is that technology is the solely the responsibility of IT personnel and therefore not within the governance remit. Nevertheless, ensuring compliance with cybersecurity and data privacy regulations would usually be included in a governance professional’s remit as part of their regulatory compliance function. Moreover, governance professionals will ideally be involved in promoting awareness of technology-related issues at the board level. ‘As trusted advisers to the board, governance professionals are in a perfect position to drive and embrace the change from regarding technology as an IT matter to recognising it as a board-level business risk,’ the Report says. 

In addition to ensuring that the many critical issues relating to technology get the attention they deserve from the board, governance professionals can also play a role in equipping the board with tech tools that will increase the effectiveness and efficiency of their oversight of risks. This is another relatively underutilised opportunity for the governance function. The Report points out that one-third of Survey respondents indicated that their organisations are still taking a back seat in the adoption of advanced technologies to support risk management activities. It urges governance professionals to consider getting more involved in promoting digital transformation as a long-term benefit. 

Tools such as board portals, data analytics and artificial intelligence (AI) have already become widely used to enhance board decision-making generally. ‘AI can monitor authoritative sources and quickly analyse large volumes of data, which allows the gap between external regulations and current organisational practice to be highlighted and compliance needs to be immediately transversed,’ the Report points out.

Moreover, other tech tools are available to enable integrated risk management – from incident reporting, top down and bottom up data privacy assessment to compliance declaration. These tools offer governance professionals real-time oversight of the compliance matters for alerting, reporting and escalations, the Report points out. 

A glimpse of the future

The Report emphasises that, while better risk management is a critical issue for organisations of all types to get right, it also represents an opportunity for governance professionals. ‘Governance professionals are in a unique position to support and assist the board in overseeing all high-risk issues in organisations, including regulatory management, ESG and technology governance,’ it says. 

To fulfil this role, however, governance professionals will clearly need to have the relevant skills and competencies. The Report recommends that, to keep pace with the dynamic risk landscape, they will have to continually develop their skill sets to enhance their level of awareness required for an expanded role in risk management.  

The Institute has been working on playing its part in building these skills and competencies. Its ECPD training programme, together with its research and advocacy functions, have been giving greater prominence to risk management issues for some time. Moreover, the Institute in Hong Kong is one of a number of professional organisations in different jurisdictions that provide training and professional development programmes for governance professionals. The findings of the Survey suggest that training provided by professional bodies is rated the highest in terms of providing the required knowledge and skills to keep updated on regulations, technology, ESG and corporate governance. 

Risk management is a complex area and practitioners may be daunted by the scale of what they are taking on, but the Report points out that successfully mastering this aspect of their evolving role will have huge benefits, both for individual practitioners and the profession as a whole.

‘Recognising that changes may lead to risks as well as opportunities, governance professionals are expected to be able to help their organisations to establish an effective system to identify risks and opportunities, as well as to manage the risks and explore the opportunities. By entrenching these activities in their role, governance professionals would further elevate their position as trusted strategic advisers to the board and proactive key members of their organisations.’ 

The report reviewed in this article, published in May 2022, is available on the Institute’s website: