Applying an enterprise risk management framework to environmental, social and governance risk factors
Friday, March 8, 2019
By Desiree O'Niell
In response to a growing body of evidence that competitive returns and societal benefits are not mutually exclusive, investor demand for socially conscious investments has surpassed $20 trillion in assets under management. The financial services community has responded with a host of innovative products. Most major research houses are even offering environmental, social and governance (ESG) ratings on publicly traded companies.
But what if we were to turn that ESG lens onto ourselves? Are we walking the walk or just talking the talk? What are the risks and how do we manage them?
For many years, corporate social responsibility was seen by financial services firms as “nice to have” rather than an absolute business imperative. But no longer. For the second year in a row, BlackRock CEO Larry Fink has put ESG considerations front and center in his annual letter to CEOs. Search most major bank websites and you are likely to find corporate social responsibility, diversity and inclusion, and regulatory compliance programs, all of which touch on some aspect of social impact.
But being socially responsible is about more than charity, regulatory compliance or any other discrete program. Social impact arises from how we treat our employees, customers and other stakeholders every day across every aspect of our business. Get it wrong and we face serious risk to shareholder value and our ability to operate.
How, then, do we not only protect our business from the damage of undesirable social outcomes, but also capitalize on the opportunities they present? And how do we do it in a disciplined and consistent manner that starts at the top of the house?
We must begin with the recognition that social impact creates risk and that risk should be managed like any other risk: rigorously and systematically, using our enterprise risk management (ERM) framework.
The Link Between Social Impact and Risk
What is the specific linkage between social impact and risk? Top of mind is the reputational damage associated with any type of risk management blunder. Yet we can be more granular in examining specific impacts to our primary stakeholder groups: our employees and our customers.
If our corporate culture does not promote diversity and pay equity, we may find it difficult to attract and retain the talent needed to achieve our strategic goals, and we may be vulnerable to increased operational and legal risk. If our sales targets are too aggressive, or our policies lead to discriminatory outcomes against disadvantaged populations, we may be vulnerable to fraud, conduct, legal and regulatory risk.
Managing Social Risk: A Step-by-Step Approach
While these risks may be difficult to predict or quantify, we can nevertheless incorporate them into our ERM framework to better prepare to address them going forward. Here is how this might look in practice:
Identify. Define social risk as a risk factor similar to market, credit or operational risk.
Assess. Apply our current risk assessment methodology to evaluate social risk, incorporate it into our risk appetite and establish our risk tolerance.
Measure. Put in place key risk indicators (KRIs) and key performance indicators (KPIs) to help measure social risks.
Control. Set thresholds in line with risk tolerance as defined during the assessment step.
Monitor. Continuously monitor those metrics against defined thresholds.
Say, for example, we want to look at social impact on our employees. We define employee turnover as one of a set of KRIs impacting strategic, legal, operational and reputational risk. We set upper and lower thresholds based on an estimation of healthy turnover levels for our business. After several months, we see that our turnover rate is trending upward and approaching our stated threshold.
We can then perform a root cause analysis to uncover the source of the trend. Are certain demographic groups leaving at a higher rate than others? Is a new competitor luring away our best employees? Are departures driven by culture, policy or other workplace environmental factors? Are we using an inappropriate metric?
At this point, we should be in a good position to determine what, if any, actions we should take.
Extending Social Risk Management to Employees and Customers
We can follow a similar process for other employee-related KRIs and KPIs based on workforce demographics, recruitment and promotion trends, and compensation practices. We can extend the approach to our customers, looking at trends in demographics, retention, complaints, fees, collections and account acquisition, just to name a few.
In many instances, we can use data that we are already disclosing or reporting in our management, financial and regulatory reports. In all instances, our goal as risk managers should be to identify and address potential issues before they become the next big crisis.
Financial services firms need to expand our view of social impact to encompass how we do business with our stakeholders every day. Social impact carries firm-wide risk that cannot be adequately addressed by siloed corporate responsibility, diversity or regulatory compliance programs. Social impact concerns can and should be incorporated into the ERM framework, where they can be proactively identified, assessed, monitored and managed.