Risk
The risk function should be the engine room of a firm's ESG initiatives and while ESG creates new risks which need to be identified, categorised and controlled, all the firm's risks (and opportunities) should now be viewed through an ESG lens.
Risk identification
The ESG risk landscape is broader than the traditional risk landscape. The time horizons can be longer and the outcomes more nuanced.
[DIAGRAM 1]
- Physical risks – climate-related factors that present existential risks to the firm or its customers, or to the firm's objectives
- Transition risks – risks arising from the firm’s decision to move to a greener or more socially responsible model
- Legal and Reputational risks – the risk of non-compliance with new or changed environmental and social legislation (and the interrelationship between various pieces of legislation) as well as the risk of reputational damage when a firm fails to recognise shifts in attitude to social and climate-related issues. For example, the recent Consumer Duty and operational resilience regulatory initiatives have a clear link to the 'S' of ESG, requiring firms to have greater regard for the impact their actions have on others in society – customers and counterparties.
Firms will need to cast the net wider to capture these risks, drawing in megatrend analysis and insights from sources and sectors outside their traditional view – there are plenty of 'green swans' out there.
And when considering the broadening of the risk landscape, firms should also consider whether their risk inventory needs to be expanded to capture all ESG-related risks fully and whether they have an effective process for identifying these emerging risks.
[DIAGRAM 2]
Risk quantification
As noted, ESG-related risks can have much longer timeframes and more subtle effects. Firms should therefore reassess their quantification criteria, particularly in relation to the 'value' that is at risk, including potential value erosion (or value creation) beyond the narrow scope of profit and loss. The Integrated Reporting Framework, for example, defines six capitals that firms should assess:
- Financial Capital: the traditional yardstick of performance which includes funds obtained through financing or generated through productivity.
- Manufactured Capital: physical infrastructure and technology, such as equipment and tools.
- Human Capital: the knowledge, skills, competencies and other attributes embodied in individuals that are relevant to economic activity.
- Social (and Relationship) Capital: networks together with shared norms, values and understandings that facilitate cooperation within or among groups.
- Natural Capital: the stock of renewable and non-renewable natural resources (e.g. plants, animals, air, water, soil, minerals) that combine to yield a flow of benefits to people.
- Intellectual Capital: the skills and know-how in the workforce, in addition to individuals’ commitment and motivation, which affect their ability to fulfil their roles.
This moves firms away from a traditional five-box model of risk severity which is overly focused on the level of financial loss. For a fully rounded view, it is important to bring in these more nuanced non-financial factors and utilise the range of quantitative (both monetary and non-monetary) and qualitative metrics that will be needed to assess their risk severity.
To note, ESG risks can:
- Be more variable and unpredictable
- Appear over different timelines
- Be novel, with little historical data and precedent
- Be more complex, systemic, and interrelated
- Have a greater focus on risks to others rather than risks to the firm
Based on this, firms should consider whether their approach to risk quantification needs to change. In particular, they should:
- Ensure First Line risk owners understand the full spectrum of risk impacts
- Expand the Risk Control Self-Assessment (RCSA) process to encompass the full range of ESG requirements
- Draw in a broader range of expertise (both internal and external) to assess the risk impacts
Risk Control
The risk identification phase provides the 'what' – the comprehensive mapping of the ESG risk landscape. The risk control phase provides the 'how' – the tools and techniques to control these risks.
Addressing the broad-ranging nature of ESG risks requires a coordinated approach across the firm with ESG requirements being naturally integrated into the BAU, rather than developing inefficient (and ultimately ineffective) parallel processes.
[DIAGRAM 3]
Defining
In the defining phase, firms can consider the macro-level impacts of ESG and how this may affect the firm's strategic objectives in the long term. ESG risks can develop over a far longer timeframe than other risks the firm may encounter. Assessment of the ESG-related business risks may prompt a revision of the firm's strategy:
- Physical risk: the firm, customers or counterparties may be in regions which experience the adverse effects of climate change (or will do so over a foreseeable timeline). Or there may be environmental factors that will disrupt the supply change and routes to market.
- Transition risk: business models or business opportunities may be impacted as economic activity moves towards net zero. This could impact the credit risk or market risk of lending and investment activity, or the overall viability of propositions.
- Legal and Reputational risks: activities which are currently undertaken can become prohibited. Equally, some business and labour practices may become less acceptable as social attitudes change.
These strategic changes should flow through into the firm's Risk Appetite Statement. This should reflect any revised objectives of the firm and any other impacts related to ESG factors — for example, a greater focus on concentration and diversification issues. The ESG lens can reveal a range of unacceptable risks where a firm's activities are concentrated in particular locations or sectors.
Scoping
The scoping phase considers the application of the control framework in the near-to-medium term.
|
Area
|
Issues
|
|
Governance
|
- Does senior management have sufficient expertise in ESG matters?
- Is adequate time devoted to ESG risks in Board, Exco and committee discussions?
- Is there sufficient diversity of people (and opinions) within the senior management team?
|
|
Business plan
|
- Will the identified risks impact future growth and revenue targets?
|
|
Target operating model
|
- Is there a need to review how the firm undertakes its business activities?
|
|
Policies
|
- Are ESG risk control requirements reflected across all the relevant policies within the firm?
- Are there clear statements on exclusions and limits?
|
Embedding
By completing the defining and scoping phases, a firm should have:
- Awareness of the whole ESG-related risk landscape
- Clarity on what is inside and outside of risk tolerance
- Confidence in the firm's strategic approach to ESG risk (and opportunities)
Once this is clear, the firm can embed the ESG risk controls.
|
Area
|
Issues
|
|
Procedures, processes, and controls
|
- What additional controls are required to keep the firm within risk tolerance levels?
- Are these fully documented in the procedures and captured with control repositories?
|
|
Responsibilities, role profiles and objectives
|
- Are changes required to the RACI matrix and the allocation of responsibilities?
- Do staff have clear objectives in relation to ESG controls?
|
|
Training
|
- Do staff understand the required procedures and controls?
- Are staff also clear on the overarching 'why' of the approach?
|
|
Third-party management
|
- Does the selection and ongoing monitoring of third parties align with the firm's overall ESG-related objectives?
- Do any third-party relationships represent an unacceptable level of risk (particularly in relation to reputational risk)?
|
Monitoring and assessing
The crucial final step is ensuring that the implemented controls have the desired effect. And if not, then it is necessary to make any required amendments is necessary.
|
Area
|
Issues
|
|
First Line controls
|
- Is the Quality Assurance process aligned?
|
|
Performance management
|
- Are staff (and senior management) rewarded for actions that align with the firm's ESG objectives?
- Equally, can staff (and senior management) achieve good performance ratings despite failing to deliver on ESG requirements?
|
|
Second and Third Line monitoring and assurance
|
- Does the Compliance Monitoring Plan include coverage of ESG risks?
- Is Internal Audit testing the full range of controls related to ESG?
|
|
RCSA and KRIs
|
- Are ESG risks captured within the RCSA process?
- Do the KRIs show when the firm is outside of tolerance for the full range of physical, transitional, legal and reputational risks?
|
|
MI and reporting
|
- Does MI contain the right mix of leading and lagging indicators and quantitative and qualitative data?
- Is senior management receiving sufficient information for them to make the right decisions?
|
Governance
Applying a risk-focused methodology will avoid much of green myopia which besets many ESG initiatives. But this approach is predicated on the assumption that the governance frameworks will be effective and fit for purpose, and that senior management will take an active and informed role in balancing risk and reward – on ESG and across all matters.
Any ESG initiative will tend towards ineffective greenwashing if senior management lacks clear leadership and direction. Equally, the control of ESG-related risks will not be effectively achieved until an organisation has reassessed the requirements within the ERMF.
An approach that prioritises governance, social and environmental (GSE rather than ESG) reflects the fact that the effective control of environmental and social risks will only be achieved with the leadership of senior management.
Next steps
Faced with evolving requirements and changing risks, it is important that firms take a broad-based approach to ESG. Working where relevant with our legal teams, Hogan Lovells Consulting is helping clients to build approaches to ESG that recognise the importance of good governance, and a holistic view of risk management.
Authored by Frank Brown.
