Explaining the regulation of EHS and ESG

It is no secret that navigating today’s highly regulated landscape requires a certain amount of strategic planning within the organisation. As we keep moving forward into an era of corporate sustainability, however, the need for such planning and coordination is going to become even more important: an indispensable capability that compliance and risk teams will need to get right.

Written by Florian Haarhaus, International General Manager at NAVEX

To that end, we should clarify the swarm of risk-related acronyms – ESG, GRC, EHS, SRC, and more – buzzing around corporate offices these days. Each one has a legitimate role to play in helping companies manage risk, but compliance officers need to guide all those efforts in a cohesive manner. Otherwise, attempts to manage risk will veer into chaos.

Let’s first decipher what those acronyms mean. Then we can explore how compliance officers can manage them all (like a conductor leading an orchestra) for maximum effect.

From EHS to SRC and GRC to ESG

EHS is a specific subset of regulatory obligations related to environmental, health, and safety standards. They can include legally required environmental protection measures, sanitary standards for consumer products, workplace safety rules, and the like.

SRC, or security risk category, classifies every threat as a physical threat, a human threat, or a cyber threat. This is a critical aspect of risk management that allows compliance and/or security officers to focus their security risk strategies and break down tasks.

GRC stands for governance, risk, and compliance, and the concept has floated around risk management circles for 20 years. Broadly speaking, a GRC program helps a company to comply with its regulatory obligations; manage other risks (such as cybersecurity attacks) that do not necessarily correspond to certain regulations; and govern the organisation so that emerging risks can receive prompt attention.

ESG, the buzzword of the moment, stands for environmental, social, and governance factors a company needs to manage. Some of these factors might be required by regulation, such as anti-pollution or fair labour standards; others might be voluntary, such as a commitment to using clean energy or offering employees paid time off to volunteer for good causes.

A considerable amount of overlap exists among these fields. They can be mapped into a word square, with EHS across the top, GRC across the bottom, ESG down the left and SRC down the right:

E  H  S
S     R
G  R  C

That is, every EHS risk is also an ESG risk and a GRC risk, and all of them are considered within SRC; but not every ESG risk is a GRC risk, and vice versa.

With the ever-changing risk and regulatory landscape, compliance officers must be able to capture all necessary information about these overlapping priorities, so the company can both fulfil its regulatory compliance obligations and meet its risk management goals in an efficient, reliable manner.

What strong compliance capabilities should do

The principal challenge for compliance officers is understanding the risks they have, so they can then collect the data needed to manage risks wisely.

For example, consider the risk of forced labour in the supply chain. That can be a GRC issue, since the company might be required to perform supply chain due diligence to comply with the German Supply Chain Due Diligence Act, the Norwegian Transparency Act, the Modern Slavery Act in either the United Kingdom or Australia, and other laws. At the same time, forced labour is also an ‘S risk’ in ESG, since it can lead to bad publicity, consumer boycotts, and soured business relationships.

An effective compliance program, using the right technology, will bring those overlapping demands to light. It will map risks and regulatory compliance obligations visually, so companies can see which issues keep cropping up repeatedly. With that insight, they can determine which policies and controls serve all those interests most efficiently. For example: “We have these four different supply chain due diligence obligations; so, let’s collect the following data from our suppliers in one single questionnaire, to assure compliance with all four rules at one stroke.”

As corporate sustainability and regulatory compliance keep converging (as in the forced labour example above), a compliance system that can help navigate that convergence will become increasingly important. Ultimately, businesses will need compliance technology that can:

• Incorporate new regulations and sustainability demands into existing compliance frameworks.
• Identify the overlap among those EHS, SRC, ESG, and GRC demands to determine which controls, policies, or procedures will satisfy multiple needs.
• Help collect and track that data in one central repository, for better reporting and a sense of the organisation’s ‘compliance posture’ at any given moment.

To be fair, those three bullet points have always been true as companies struggled first with financial reporting compliance (in the 2000s) and then privacy and security (in the 2010s). Today, the new challenge is sustainability.

The answer, however, is still the same. With clever use of GRC technology, companies will be able to identify and manage risks efficiently and at scale. This will hold true no matter what comes next.