Making the connection – operationalising non-financial risk management and reporting
Over the last couple of years I have heard many senior environmental managers say their greatest challenge is how to operationalise their function. Given that process orientation is a great way to slice through, connect and align functional silos, we have been giving some thought to the best way to harness a key process such as risk management to assist in this aim.
Michael Meehan from the Global Reporting Initiative (GRI) had an interesting tip recently for GRI reporters: “Don’t think of it as reporting – think of it as strategic risk management”. GRI is the world’s most popular Corporate Social Responsibility (CSR) reporting standard.
In less than 20 years, the GRI has gone from zero to 92% of the world’s largest 250 corporations using the GRI standard to report on sustainability, and has generated 35,000 reports overall from over 10,000 organisations, so there must be something in it.
In 2013 there were over 180 sustainability-related disclosure regulations and other instruments across 45 countries (a threefold increase since 2006) [1].
In Australia, the ASX introduced Recommendation 7.4 in March 2014, which states: “A listed entity should disclose whether it has any material exposure to economic, environmental and social sustainability risks and, if it does, how it manages those risks.”
“For those organisations who have yet to connect the importance of economic, environmental and social sustainability risk disclosure when providing a complete picture of annual performance, financial risk should no longer be able to be considered independent of other impacts.” [2]
ESG (Environmental, Social and Governance – what the investment community call CSR) has gone from niche to mainstream, with an increasing number of investors factoring ESG risk into their investment decisions.
Unfortunately, CSR reporting as a voluntary undertaking pre-dates the incoming mandatory disclosure, and there is still an element of “let’s tell everyone all the good things we are doing” rather than “let’s tell specific stakeholder audiences how we are managing our non-financial risk”.
This can obviously lead to a disconnect between what risks are actually being managed and what is being disclosed – a big risk in itself, just ask Peabody Energy in the USA.
On the basis that “you can only manage what you can measure”, the issue is further complicated by what and how you report on. Fortunately, this is becoming less of a problem.
Over the last couple of years we have analysed the plethora of reporting frameworks that have come into being and, other than variations in audience perspective and issues around scope, there is remarkable consistency around the key risk areas that most companies now need to track and manage.
GRI, ICMM, CDP, SASB, Grenelle2 and so on are all focused on the same key risk areas, but the emphasis has been on disclosure rather than management (the assumption being that companies would as a matter of course make the connection).
The companies that have made the connection are the companies that have “operationalised” their risk management framework and removed the siloed “functional” approach to managing their risk. In these companies the HSE function is not seen as a “policeman” but as a valuable member of the management team, ensuring value is created and protected by actively managing their risk areas and facilitating stakeholder disclosure, especially to the decision makers.
[1] UNEP, GRI, KPMG & Centre for Corporate Governance in Africa (2013) Carrots and Sticks: Sustainability reporting policies worldwide – today’s best practice, tomorrow’s trends. Available at http://www.globalreporting.org/resourcelibrary/carrotsand-sticks.pdf
[2] Ernst & Young, Australia (2014) Let’s talk sustainability, May 2014, Issue 1. Available at http://www.ey.com/Publication/vwLUAssets/EY-May-2014-lets-talk-sustainability-issue-1/$FILE/EY-May-2014-lets-talk-sustainability-issue-1.pdf