GRC Trends in 2022 (Part 2): Integrity & Environmental Social Governance
Megan Phee: Hi, I'm Megan Phee and this is GRC & Me, where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry-specific challenges, trends, and more. Learn about your methods, solution, and outlook in the space. Hello, this is Megan Phee with GRC & Me. Welcome to part two of our GRC trends of 2022 discussion with CEO of LogicGate, Matt Kunkel and GRC analyst and pundit Michael Rasmussen. Today, Matt and Michael discuss a hot topic in GRC, which is ESG, Environmental, Social, Governance and the role integrity plays in ESG. From talking with many GRC professionals, ESG is a conversation happening cross-functionally and many of us are curious about where and how to get started. So let's listen in to learn more.
Matt Kunkel: Welcome back, Michael, and thank you again for being here for our second part of our two-part podcast episode. In the first episode, we talked about resiliency and agility. In this episode, we're going to talk about integrity and really how that ties into a massive topic that's in our market these days with ES and G or Environmental, Social, and Governance. So maybe let's just start there. Can you just give us and give our listeners an overview of what ES and G even is and what it means?
Michael Rasmussen: Well, ESG stands for Environmental, Social, Governance. I find that a lot of people approach it like the parable of the three blind men and the elephant. Somebody from environmental perspective looks at it... well at ESG says the environment, just like one of the blind men says, "Oh, there's an elephant." And feels inside and it's a wall. Somebody looks at it from the social aspect and they see the social piece of it, like the blind man that feels the tail and says it's a rope. Then the third blind man says the trunk is a tree. And that might be the person coming from the governance aspect. ESG is broad. It involves a lot of different pieces. And in that context, you have different people that operate with their blinders on and just see their piece of it instead of looking at the full spectrum. A lot of people get stuck on the E in ESG thinking it's all about the environment. And it is. The environment is a critical piece of it. It's one of the three pillars, but it's not the only pillar. The social aspect is very complex. I sat on the social accountability advisory board for a global fortune company dealing with international labor standards and supply chain code of conduct and their global supply chain with 20,000 facilities, dealing with child labor, forced labor, working hours, working conditions, and so forth. That's all under the S. Those are big issues. Privacy is under the S. Individual personal data, that's a social issue. Under the G you've got bribery and corruption, you've got money laundering, you've got internal controls or financial reporting. You've got IT security and all these elements. Now looking at this, the E is one of the big focuses right now. I mean, because you can't pick up a newspaper or magazine without seeing some article about the environment right now. So there's a lot of focus on the E.
But I find the E to be also the most forgiving right now because across organizations, we're all in the same boat trying to figure the environment and climate change out. And so I find, even though there's so much focus on the E there's probably the most forgiveness on the E. And then the G, we've had issues of bribery and corruption, and money laundering, and security breaches, and fraud, and wrongdoing. That's less forgiving. And those issues are critical issues, but the G issues are the most common issues across industries. The E is very different from industries. An environmental program in a bank looks very different from environmental program in a petroleum company. The E has a lot of variance across industries while the G has the least amount of variance across industries, it has the most common. The S is the most unforgiving, the social aspects. Well, if you're having issues and you're on the front page of The Wall Street Journal or other news sources on inclusivity and diversity issues, harassment, discrimination issues, child labor, and slavery issues, if your name's being dragged in the mud on the S, those things are the hardest to recover from. I find people are the harshest in judging organizations when it comes to issues on the S. I mean, you can think of child labor right now and all of a sudden our minds gravitate to name brands from a couple decades ago that had child labor issues. It's very, very hard to recover from issues when they relate to the S, because it sticks in people's mind. That's probably where some of the greatest reputation and brand exposure is in ES and G. Now ESG we've had for a long time. It hasn't been called ESG. Before we called it corporate social responsibility, CSR or sustainability. Now the challenge there is that corporate social responsibility was a little bit of reporting and branding exercise. It was about responsibilities and not accountability. I can pass around our responsibilities and give them to somebody else.
And corporate social responsibility was passed around the organization like a hot potato and often landed in the lap of marketing, became a branding exercise. "Oh, let's put green in our logo. That's our CSR initiative." ESG is very different because it's got a lot of teeth and it requires accountability.
Matt Kunkel: That's a great point right there. It requires accountability and I think kind of tying into the tagline of this integrity. From your perspective, how does ES and G relate to integrity within organizations?
Michael Rasmussen: It's a mirror. What we communicate in our ESG reports and statements, our code of conduct, our policies, our values and ethics, then that's a reality in the organization. If you're communicating the world that this is what your organization's about, but your actual internal practices and themes are different, ESG is exposing the lack of integrity in the organization. I have a code of conduct here on my laptop that I use in my policy management workshops that I teach. Back in the year 2000, it was the model code of conduct. Other companies were copying it to be their code of conduct. I had a petroleum company in a workshop in Minneapolis on policies that I was teaching. They say, "We nearly copied that code of conduct word for word in 2000 to be our code of conduct." That's Enron's code of conduct that I have. You can have a great ESG reports, you can have a great code of conduct and themes, but the question is, is it a reality in the organization? And that's what integrity's about. It's what we communicate to the world, what our values are that the reflected in the behavior transactions of the organization?
Matt Kunkel: So we've got some listeners that are working at very, very large companies right now. We've got some listeners that are working at kind of mid-size companies and some listeners that are probably working at smaller size companies. What do you think kind of those larger and mid-size companies are doing in the arena of ES and G right now? And what are those smaller companies doing? And if I'm a smaller company, or even a large company, where do I start? There's so much to your point that goes into this, what's a starting spot for me?
Michael Rasmussen: The larger companies are getting more pressure than others because there's BlackRock and State Street are making investment decisions based on ESG practices, individual directors are being voted out by their ESG metrics. You have regulators focusing on this, particularly like a lot of financial services right now where banks and others have to do a lot of close monitoring on environmental impact on the banks assets, because of climate change. You've got significant regulations happening in Europe with the EU directive on corporations due diligence and Germany's corresponding corporations due diligence act. That's going to make GDPR seem like a cake walk in comparison. The German law and the corresponding EU directive that all the member countries of the EU are going to have to pass similar legislation. It requires detailed, ongoing due diligence, not one time, but continuous ongoing, due diligence around ES and G across your extended enterprises. Supply Chain relationships down in nested relationships. That's a lot. But customers are making decisions on who they buy services from based on their values. Employees, particularly millennial and Gen Z, they're making employment decisions, just not on salary and benefits, but on the shared values of the organization. ESG has a lot of focus in mid to large organizations right now and they're signing accountability for it. Typically, I find most of my interactions that accountability is being assigned to the chief ethics and compliance officer, which to me really is the chief integrity officer of the organization. There's sometimes it's assigned to operational risk or in smaller organizations it might be assigned to audit and others, but most of my interactions is the chief ethics and compliance officer that's running with the ESG reporting right now. The small to mid-size organizations, they're struggling to figure it out.
They don't have as much pressure coming on them as the large global brands and organizations right now, but they're also in the hot seat as well. And so they're trying to figure things out and they have less resources to deal with it. All these organizations are looking to automate it. The challenge is that ESG is a lot about reporting. You have the GRI, the Global Reporting Initiative, the SASB, the Sustainability Accounting Standards Board, and all these different frameworks for reporting that gives you guidance on what should be in the reports, but doesn't tell you how to manage ESG on an ongoing day by day basis. That's where GRC comes in, with the GRC & Me podcast here. And I have a whole blog article called ESGRC. Obviously the common element being the governance. ESG is about these reportings and communications, GRC is about the process to collect and provide assessments, identify ESG related risks, and be able to deliver the information architecture, to feed into that ESG reporting.
Matt Kunkel: So it sounds like we can't do ESG without GRC, right? We need that process and program to be able then to create the output, which ES and G is, those reports that we need to bring to different regulatory bodies or governance bodies.
Michael Rasmussen: Exactly. And I call it GRC, other companies might call it ERM, ORM, IRM, ABC XYZ, or might not even have a name for it, but you need that type of process to be able to manage and deliver on ESG.
Matt Kunkel: Yeah. It makes all the sense in the world, a hundred percent. There's something that you touched on there that I think is really kind of top of mind and I've seen it in my network and with other organizations, and that's the S in GRC. Especially with the smaller and mid-market companies, you're right. They probably don't have a ton to compete with from an environmental perspective and they're not going to get nailed there. They might not be big enough from a governance perspective, they might not have fraud worries or capabilities, but it's the S, it's that social. It's, "Does my brand reflect with my buyers." Buyers, especially millennials and Gen Z, they buy off of that, right? They buy off of who that brand is. "I buy Patagonia because I love what they do for their charge to the environment that's out there. And do I believe that this company relates with my values?" Right? "Do they have the diversity actually inclusion programs that I'm looking for in here?" You hit the nail in the head with the S. That's the big part from a small to mid-size company of where you start, right? You start with your brand, you start with your values, because that's how you're going to attract new buyers and it's how you're going to attract talent into the organization.
Michael Rasmussen: That's right.
Matt Kunkel: What do you think is the biggest question, as we head into 2022, around ES and G? Are there any big looming reporting requirements that are out there? Just what do you think is the biggest trend that we will see over the next year with ES and G?
Michael Rasmussen: The biggest challenge in ESG is the extended enterprise, because you are measured by your relationships. Just as an individual, you've heard that saying, I can tell you who you are by the company you keep, your friends. ESG is the extended enterprise. I was just talking to a global automobile manufacturer several months ago. They're completely restructuring their enterprise and operational risk program because of ESG, because most of these risks and things aren't about within traditional brick and mortar business and employees, these ESG related risks we need to monitor report on and this is centered from their legal department with compliance, goes across the extended enterprise of suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, and more. And the biggest challenge with ESG is, it not only involves the traditional brick and mortar business, but it involves all these relationships as well. We've seen things like Dodd-Frank Act with the conflict minerals provision, where manufacturing companies and others have to trace tin, tantalum, tungsten, and gold, 3TG, down to the source smelter or mine, down through layers and layers of the supply chain, to see if they come from the Democratic Republic of the Congo or nine surrounding countries known for crimes against humanity. This is similar to what we're seeing with the EU directive and Germany's law, that you have to do continuous monitoring and due diligence of the extended enterprise, not just at that first level, but layers beneath that. At least somehow you got to be able to address that.
Matt Kunkel: Yeah. I mean, if you think about it, we spend all of this time, energy, resources as an organization to button up our own house, make sure or that our own security policies are in place, make sure that our own governance policies are good, make sure that we're running our own internal social and responsibility programs, right? And then we say, "And oh, by the way, you got to do it for all of your suppliers, your vendors, your outsource partners and what about them? Who are their suppliers, vendors, and outsource partners." Right? So it becomes this giant, giant snowball. We have a saying here that it's a good day to be in GRC, but it's a great day to be in GRC, because we're going to have roles and responsibilities that are just going to get larger and larger and larger within the organization, I think, for years to come, because of things like this.
Michael Rasmussen: Yeah. And that's what's exciting about our job is, exciting, challenging is that things are always changing. There's always mergers and acquisitions, new regulations, new risks. For the last 18 months going on two years, we've been dealing with the global pandemic. Who knows 2022, maybe the earth will be destroyed by a Vogon Constructor ship making way for a hyperspace bypass, [inaudible]. We don't know what's going to happen. There's so much happening out there and that's makes our jobs exciting, because as I said, we need to be able to think creatively about risk and themes as well and then be able to see what can come at us. How can these new dynamics and situations and geopolitical risk or economic risk and themes impact the organization?
Matt Kunkel: Yeah. I think that's why myself and a lot of our LogicGaters get up every day, is because that the world is so changing so rapidly. Digital transformation is helping to make that easier, but that's a big risk within organizations too. There's just so much to go on. Well, Michael, thank you so much again for being on the second part of our podcast, talking about ES and G and how that ties into integrity within organizations. Very much appreciated, my friend.
Michael Rasmussen: Oh, it's my pleasure.
Matt Kunkel: So to learn more about how to help your organization address ESG initiatives in 2022, visit logicgate.com or rcx.logicgate.com.
DESCRIPTION
For centuries philosophers have given us the four cardinal virtues: prudence, justice, fortitude, and temperance. For the GRC community at large, there is more than enough room to add to these to cover our unique world and its dealings. At LogicGate, we think that resilience, agility, and integrity are perfect additions.
In our season 4 finale of GRC & Me, LogicGate CEO Matt Kunkel and GRC expert Michael Rasmussen covered resilience and agility. In this episode, the two are back to discuss integrity and apply it to the latest GRC trend, ESG or Environmental, Social, and Governance.