ESG Risk Management: Look right… and left!

For travelers not used to left-hand traffic, London pedestrian crossings contain warning signs advising to look right, where the threat of passing cars is coming from. Failing to look right and walking out into the street carries the risk of being hit, potentially resulting in bodily harm. Traditional risk management also involves looking for potential threats and trying to avoid these threats, or at least mitigating their consequences.

Risk management practices involve identifying risks that are hazards to an organization — negative events that are usually accompanied by uncertainty. The types of risks described and managed in this context are often financial, operational, reputational, as well as environmental, social, and governance (ESG) risks.

Climate risks may trigger financial instability

Institutions tasked with ensuring the stability of the financial system, such as the European Banking Authority (EBA) and the Financial Stability Board (FSB), have been increasingly vocal about environmental issues or climate change as posing risks to financial institutions, and as a source of potential instability for the global financial system.

As the FSB’s Task Force on Climate-related Financial Disclosures (TCFD) stated in its 2017 report: “One of the most significant, and perhaps most misunderstood, risks that organizations face today relates to climate change.”¹ The TCFD also established a helpful distinction between two types of climate-related risks: (1) Transition risks: “risks related to the transition to a lower-carbon economy;” and (2) Physical risks: “risks related to the physical impacts of climate change.”

In 2021, the EBA presented its proposal on how financial institutions should incorporate ESG risks into their governance, strategies, and objectives.² The report describes how ESG factors, especially climate change, can materialize in the form of existing financial risks (e.g. credit risk, market risk, and operational risk), and it recommends measures for financial institutions to take to ensure their resilience.

Adverse impacts: The definition of risk is expanding

However, the conventional risk management view disregards an equally important perspective: Risks can also be associated with economic activities’ impacts on the environment, the climate, or the human rights of communities. These impacts are thus to be distinguished from the risks that institutions have traditionally kept an eye on. “Adverse impacts” is the terminology used for these outward facing risks in the UN Guiding Principles on Business and Human Rights (UNGPs), in the OECD’s Due Diligence Guidance for Responsible Business Conduct, and by the EU in its Corporate Sustainability Due Diligence (CSDD) Directive.

Due diligence can help businesses identify and avoid risks, says the UN, OECD, and EU

The UNGPs were published in 2011, and they mark an important change in perspective. There was a formalized acknowledgement that the activities of businesses hold the potential to impact people and thus present risks to rightsholders³ in addition to the traditional risks to an organization’s shareholders. The UNGPs state that “the responsibility to respect human rights requires that business enterprises […] avoid causing or contributing to adverse human rights impacts through their own activities […] and seek to prevent or mitigate adverse human rights impacts that are directly linked to their operations, products or services by their business relationships.” Basically, the UN is saying that potential or actual adverse human rights impacts can be identified and avoided if a company conducts human rights due diligence.

The 2011 update to the OECD Guidelines for Multinational Enterprises integrated the UNGPs, promoting the same perspective on adverse impacts.⁴ The OECD Due Diligence Guidance for Responsible Business Conduct further elaborates “how enterprises should avoid and address adverse impacts related to workers, human rights, the environment, bribery, consumers and corporate governance that may be associated with their operations, supply chains and other business relationships.”⁵

Finally, the proposed EU CSDD Directive, published in February 2022, aims to establish minimum requirements for businesses to identify, prevent, cease, mitigate, monitor, disclose, account for, address, and remediate adverse impacts related to human rights and the environment.⁶ Companies will have to meet these expectations by implementing appropriate due diligence processes that cover their own activities, their subsidiaries’ activities, and the value chain activities carried out by companies they have established business relationships with.

Unearth your risk blind spots, prepare for hardening obligations

The conclusion is clear: Blind spots in risk management procedures are no longer merely imprudent. Organizations must no longer only look at financial risks to their institutions. Neglecting the adverse ESG impacts caused by or contributed to through an organization’s own operations, supply chain, and business relationships amounts to a violation of hardening obligations. Sanctions regimes that employ administrative procedures and supervisory disciplinary measures are being developed to punish wrongdoing, and cases being brought to OECD National Contact Points (NCPs) and civil litigation lawsuits are on the rise.⁷

A warning to risk managers everywhere: Look right AND left.