Category Archives: Compliance and Risk Management

Enterprise Risks and Risk Management

No business is without some sort of risk and overcoming those risks is the key to achieving an acceptable return on investment of capital, technology and human resources.  Higher levels of risk drive investors to expect greater risk-adjusted returns in exchange for providing capital to the business.  The risk profile for each company is different; however, commentators have suggested that the range of risks confronting an enterprise may appear within an extensive list that includes the following, in no particular order: financial markets disruption; credit; interest rate; capital; human resources; transactional; data protection and privacy; legal; enforcement actions by federal or state criminal authorities; Foreign Corrupt Practices Act; governmental investigations; regulatory and compliance requirements; cyberattacks; information technology; business continuity and disaster planning; operational; supply chain; financial disclosure; document retention policies and practices and disclosure (obstruction of justice or civil contempt); executive misconduct or negligence (personal and/or professional); brand; reputational; vendors; business partners; third party service providers; customers; and environmental.

The scope of the potential risks to a company above should illustrate why companies need a formalized approach to risk management, systems and programs that have come to be known as “enterprise risk management”, or “ERM”.  ERM programs, which often include compliance aspects or are implemented in conjunction with a separate but related compliance program, have been mandated or highly recommended by federal and state laws and regulations, such as the Sarbanes-Oxley Act of 2002 and the Dodd-Frank Wall Street Reform and Consumer Protection Act; federal sentencing guidelines; listing standards required by national securities exchanges; credit agencies; directors’ and officers’ liability insurance carriers; and accounting and audit review standards.  In many cases, companies are required, or strongly urged, to create a separate board-level risk management committee and appoint a chief risk officer, a position discussed further below.  Apart from legal and regulatory requirements, companies have recognized that ERM can be deployed as an essential business management tool to assess and analyze businesses and activities on a risk-adjusted basis; to engage in sound strategic planning and financial management, which requires that all risks of every line of business and activity be assessed and balanced against profitability; and to recognize and prepare for the interdependency of events.

The first step in creating an ERM program is conducting an enterprise-wide risk identification and assessment program, preferably undertaken by an independent third party and with the intent that the assessment process would be continuously updated on a regular basis.  The goal of the risk assessment, which is discussed in more detail below, is to create a solid foundation for designing an ERM program that is aligned with the most material risks confronting the organization.  Once the assessment has been completed, the results should be reviewed by the board of directors and the senior management of the company, and specialists should be assigned to develop a proposal for the ERM program.  The proposal should be reviewed by the entire board and senior management, and approval of the program should be accompanied by a commitment to provide the resources necessary for the program to be successful.  At this point the ERM infrastructure should also be established, starting with allocation of risk topics among committees of the board and continuing with the appointment of a chief risk officer and creation of an ERM committee that will include senior representatives from each of the main functional groups of the company and the company’s various business units.

While creation of a standalone committee at the board level to focus on risk management issues and initiatives is growing in popularity, it is by no means a universally accepted approach.  Each company must make its own decision, and Deloitte has suggested that the following factors and questions should be considered when deciding whether a risk committee at the board level is appropriate:

  • The needs of the stakeholders: The board should assess the quality of the current risk governance and oversight structure, the risk environment, and the future needs of the organization to determine how best to meet the needs of all of the company’s stakeholders, not just investors.
  • Alignment of risk governance with strategy: Having a risk-focused committee at the board level increases the likelihood that the board, management, and business units are aligned in their approach to risk and strategy, thus promoting better risk governance and ensuring that risk oversight is value-adding.
  • Oversight of the risk management infrastructure: The decisions about the role of the board-level committee, if any, should be made in the context of larger questions regarding who will be in charge of the people, processes and resources of the risk management program. Assuming that a chief risk officer position will be created, it is important to be clear about reporting obligations for that position (e.g., to the risk committee, the entire board or the CEO).
  • Scope of risk committee responsibilities: Before a board-level committee is formed, decisions must be made about the scope of its responsibilities. In some cases the committee may be responsible for overseeing all risks; however, the board may decide that certain risks should be primarily addressed by other committees (e.g., the audit committee should maintain oversight of risks associated with financial reporting) and that the purview of the risk committee should be limited.
  • Communication among committees: Particularly when the scope of the responsibilities of the risk committee is to be limited as mentioned above, the board must clearly define boundaries among all of the board committees and establish communication channels to be sure that activities do not overlap and that important risks do not “fall between the cracks”.

Further information on the topics discussed above can be found in G. Goldberg and M. McNamara, Effective Enterprise Risk Management and Crisis Management: Roles and Responsibilities of the Board and Management (August 20, 2012).

This article is adapted from material in Sustainability and Corporate Governance: A Handbook for Sustainable Entrepreneurs, which is prepared and distributed by the Sustainable Entrepreneurship Project and can be downloaded here.

Alan Gutterman is the Founding Director of the Sustainable Entrepreneurship Project, which engages in and promotes research, education and training activities relating to entrepreneurial ventures launched with the aspiration to create sustainable enterprises that achieve significant growth in scale and value creation through the development of innovative products or services which form the basis for a successful international business.  Visit the Project’s Library of Resources for Sustainable Entrepreneurs to download handbooks, guides, articles and other materials relating to sustainable entrepreneurship and keep up with the Project’s activities by following Alan on LinkedIn, Twitter and Facebook.

You Need a Chief Risk Officer for Your Organization

Lee and Shimpi noted that enterprise risk management (“ERM”) has emerged as an important and essential management practice and a recognized strategic discipline and that organizations have created ERM-specific roles, responsibilities and structures, notably the position of “chief risk officer” (“CRO”) that has taken its place along with other members of the C-suite.  Lee and Shimpi argued that the CRO has become instrumental in assuring that the organization has processes in place so that it complies with the very much heightened risk management expectations of shareholders, regulators, and even elected officials and attorneys general, and in developing and introducing an integrative risk management framework that helps the organization mitigate risks and allocate capital to build shareholder value with a full understanding of both the positive and negative potential of the risks involved.  Specific duties and responsibilities of the CRO generally include central oversight of the organization’s risk assessment and risk appetite; familiarizing the organization, its shareholders, regulators and rating agencies with the ERM program; implementing a consistent, integrated risk management framework throughout the company; managing that program with a particular emphasis on operational risks; and developing ways to mitigate and finance risk within the organization’s larger business strategies.

There are several different strategies that companies use with respect to the reporting obligations of the CRO position.  The most popular approach is for the CRO to report to the CEO, although many companies have the CRO report to the CFO due to the fact that many of the risk factors that a business must face and overcome are finance-related.  A smaller group of companies have opted to have the CRO report directly to the board of directors or the board-level committee responsible for risk management.  Even if the CRO’s first reporting obligation is to another member of the C-suite, the compliance and risk management committee should be vested with explicit authority to oversee the activities of the CRO and his or her support group and should carefully monitor the CRO’s relationship with other members of the senior management team, operating groups, finance, legal and human resources.  Lee and Shimpi commented that the most successful CROs forge close relationships with the internal audit function to gather information about the effectiveness of existing risk management programs and the planning function as a means for integrating risk assessment into the development of the company’s future business strategies.

Goldberg and McNamara advised that the CRO should work closely with the company’s general counsel and other members of the in-house legal team to ensure that potential legal risks and liabilities are integrated into the ERM program and that the program operates in a manner that mitigates liability and risk exposure.  The general counsel should be able to analyze best practices and provide advice to senior management and the members of the board-level compliance and risk management committee on how the ERM program should be structured.  In addition, the general counsel can be a valuable resource in identifying, assessing, prioritizing and managing legal risks and liabilities.  The general counsel is also responsible for advising the board of directors, and the board’s compliance and risk management committee, on their duties and responsibilities with respect to oversight of risk management.

Compliance and Risk Management Committee for Your Board

Compliance with laws and regulations applicable to the company’s business activities and identifying and managing the risks associated with those activities are two of the fundamental duties and obligations of the board of directors.  The emergence of sustainability as a new factor for consideration in boardrooms has expanded the compliance duties to include adherence to voluntary standards that the board has committed to with respect to governance and environmental and social responsibility and broadened the definition of risks to include environmental and social issues and challenges.  While creating a separate board committee to focus on compliance and risk management is not a new phenomenon, such committees have grown in importance.  Some companies separate compliance and risk management into two different committees and companies may also place board-level groups assigned to compliance and/or risk management as subcommittees of another standing committee of the board, such as the audit committee.

In a December 2016 report on how board committees among S&P 500 companies had evolved to address new challenges, the EY Center for Board Matters reported that compliance committees among those companies were typically responsible for oversight of programs and performance relating to legal and regulatory risks and the implementation and maintenance of the company’s code of conduct and related matters.  Specific areas of focus for this committee included the environment, health and safety and technology.  The functions of a compliance committee might overlap with the risk, public policy and sustainability committees.  Sectors most likely to have a compliance committee included health care, energy and financial.

With respect to risk management committees, the preparers of the EY report found that these committees generally were responsible for making recommendations for the articulation and establishment of the company’s overall risk tolerance and risk appetite; overseeing enterprise-wide risk management to identify, assess and address major risks facing the company, which may include credit, operational, compliance/regulatory, interest, liquidity, investment, funding, market, strategic, reputational, emerging and other risks; and reviewing and discussing management’s assessment of the company’s enterprise-wide risk profile.  The functions of a risk management committee might overlap with the finance and compliance committees.  Sectors most likely to have a risk committee included financial services (almost 75% of the companies in that sector had a risk committee), industrials, utilities, consumer discretionary, information technology and consumer staples.

The charter for a board-level compliance and risk management committee should include a statement of purpose that addresses both compliance and risk management, recognizing that the two areas overlap substantially.  From a compliance perspective, the purpose of the committee can be stated to include oversight of the company’s implementation of compliance programs, policies and procedures, including the company’s code of conduct, that are designed to respond to the various compliance and regulatory risks facing the company; and assisting the board of directors and the other committees of the board, notably the audit and governance committees, in fulfilling their oversight responsibilities for the company’s compliance and ethics programs, policies and procedures.  When defining compliance, the focus should not only be on relevant laws and regulations but also any voluntary standards that the board has agreed should be adhered to with respect to the day-to-day conduct of the company’s operations and other activities.  A Global Compact publication recommended that the purpose statement of a risk management committee should include ensuring that the risks and opportunities arising from current and emerging corporate sustainability trends are included and addressed in the company’s Enterprise Risk Management program and that the board is informed of material issues relating to current and emerging economic, social and environmental trends.

While the name of the committee may imply that compliance and risk management should be considered side-by-side, many companies view the primary focus of the committee to be risk management, with compliance risks being just one of many risks that are identified and evaluated along with other operational and business risks.  Given the potential scope of any company’s operational, business and compliance risks, it is important for the board to thoughtfully allocate primary responsibilities for certain types of risks among the board’s various committees to ensure that the appropriate focus and expertise is applied to those risks.  For example, in the charter of its risk and compliance committee the board of directors of Target made it clear that the entire board would retain oversight responsibility over the company’s key strategic risks, as well as the company’s reputation and corporate social responsibility (“CSR”) efforts (which could also have been assigned to a separate board-level committee formed to oversee CSR), and oversight responsibility for certain other risk areas was assigned to other committees of the board (i.e., the audit and finance committee would handle financial reporting, internal controls and financial risks; the infrastructure and investment committee would handle risks related to the company’s capital expenditures, major expense commitments and infrastructure needs; the human resources and compensation committee would handle compensation incentive-related risks, organizational talent and culture, and management succession risks; and the nominating and governance committee would handle governance structuring, board succession and public policy engagement risks).

It is common practice to break out the description of the scope of duties and responsibilities in the committee charter into compliance and risk management.  With respect to compliance matters, the compliance and risk management committee should be charged with overseeing the company’s activities in the area of compliance that may impact the company’s business operations or public image, in light of applicable government and industry standards, as well as legal and business trends and public policy issues.  The mandate of the committee can be quite extensive, especially for companies operating in highly regulated industries and markets, and generally includes establishing, in conjunction with the senior management of the company, programs regarding operational and legal compliance and sound business ethics for the company; overseeing the company’s relationships with its principal regulatory authorities; reviewing matters relating to education, training and communications to ensure that the company’s compliance and ethics policies and procedures are properly disseminated, understood and followed; and monitoring and reviewing the company’s activities to ensure that legal requirements and high standards of business and personal ethics are communicated within the company and are being met by the company, its officers and employees and the company’s business partners.

As for risk management, Deloitte suggested that the committee should be concerned with overseeing the company’s risk exposures and risk management infrastructure; addressing risk and strategy simultaneously, including consideration of risk appetite, and advising the entire board on risk management strategy; monitoring risks; and overseeing and supporting the efforts of the CRO, the company’s management risk committee and other groups within the organization formed to monitor risks and implement risk programs.  Deloitte noted that it was important to determine how the risk committee will stay informed on developments in risks so it can evolve in its response to them and suggested that such committees develop procedures to ensure that members stay abreast of leading practices as risks evolve and understand the new risks associated with new businesses and locations and how changes in regulations increase or decrease risk.  The committee should also benchmark risk governance practices of peers, remain current on risk-related disclosure requirements and conduct annual evaluations of committee performance.

Among the items in a comprehensive list of duties and responsibilities with respect to risk management included in the committee charter of Brierty were the following:

  • Maintaining an up-to-date understanding of areas where the company is, or may be, exposed to risk and compliance issues and seeking to ensure that management is effectively managing those issues;
  • Providing input to the board and senior management regarding the company’s risk profile and tolerance;
  • Assessing and monitoring appropriate risk management and internal control systems to ensure that risk is managed at levels determined to be acceptable by the board;
  • Reviewing the adequacy and effectiveness of the company’s policies and procedures which relate to governance, risk management and compliance and updating these policies and procedures where required;
  • Making recommendations to the board on the appropriate risk and risk management reporting requirements to the board and the committee;
  • Providing advice to the board and the CEO on relevant corporate level performance indicators and targets for risk management and compliance activities;
  • Undertaking an annual review of risk management policy and underlying strategies and procedures to ensure its continued application and relevance;
  • If considered necessary by the committee, establishing a periodic and independent review of the implementation and effectiveness of the risk management policy to provide objective feedback to the board as to its effectiveness;
  • Receiving and considering reports on risk management and compliance programs and performance against policy and strategic targets;
  • Providing the board with advice and recommendations regarding the appropriate material and disclosures to be included in the section of the company’s annual report which relates to the company’s risk management and compliance policies;
  • Ensuring that the board, before it approves the company’s financial statements for any financial period, is provided with declarations from the CEO and the CFO that in their opinion, the financial records of the company have been properly maintained and that the financial statements comply with the appropriate accounting standards and give a true and fair view of the financial position and performance of the company and that this opinion has been formed on the basis of a sound system of risk management and internal control which is operating effectively;
  • Reviewing the adequacy of the company’s insurance coverage; and
  • Ensuring that management has embedded an appropriate risk management culture in the organization and that risk management is an integral part of the company’s decision-making process.

Sources for this article included The Essential Role of the Corporate Secretary to Enhance Board Sustainability Oversight: A Best Practices Guide (United Nations Global Compact, September 2016).

ERM and Sustainability-Related Risks

A joint report published as a preliminary draft in February 2018 by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) and the World Business Council for Sustainable Development (“WBCSD”) included a telling comparison of the results of surveys conducted by the World Economic Forum (“WEF”) that showed that the prevalence of risks related to environmental, social and governance (“ESG”) issues steadily increased from 2008 to 2018 while the more traditional economic, geopolitical and technological risks became less dominant.  For example, in 2008 only one societal-related risk (“pandemics”) was reported to be among the top five risks in terms of impact in that year’s “Global Risks Report”; however, by 2018 four of the top five risks in the report were either environmental- or social-related: extreme weather events, water crises, natural disasters and failure of climate change mitigation and adaptation.  Apart from the WEF survey, news reports have made it clear that companies all around the world have been suffering severe, and sometimes enterprise-ending, adverse financial and/or reputational impacts from events commonly placed under the umbrella of environmental and social responsibility, including product safety recalls, worker fatalities, the discovery of illegal child labor in their supply chains, pollution and delays in the delivery of materials due to climate-related disasters suffered by suppliers.

For COSO and the WBCSD all of this was clear evidence that companies needed to make fundamental changes in their ERM strategies and systems to ensure that they were effectively expanded to include ESG-related risks.  From their perspective this means companies must identify and prioritize a new set of risks and build them into their ERM strategies, processes and practices, and also realize that there are new opportunities associated with dealing with these risks that can create real value for their investors and other stakeholders.  COSO has defined ERM broadly as “the culture, capabilities and practices integrated into strategy and execution that organizations rely on to manage risk and in creating, preserving and realizing value”.  COSO and the WBCSD illustrated their point as follows:

  • Environmental issues include energy use and efficiency, climate change impacts and use of ecosystem services. Associated risks include higher-than-average energy costs that cause companies to miss profit targets and greater frequency of extreme weather events that adversely impact operations; however, companies can take advantage of opportunities such as an internal carbon pricing scheme to reduce greenhouse gas emissions and energy costs and using byproducts in waste processes to create new income streams in adjacent industries.
  • Social issues include employee engagement, labor conditions in the supply chain and poverty and community impacts. Associated risks include increased costs and missed profit targets due to low engagement and high turnover and challenges with local governments to maintain operating permits due to lack of support for local communities; however, companies that can successfully engage with employees and create a diverse workforce will enjoy greater loyalty among their workers and be able to attract top talent and companies that can provide education to members of the local community can improve their standard of living, build stronger bonds with the community and strengthen opportunities to sell goods within the community and recruit local workers.
  • Governance issues include codes of conduct, accountability and transparency and disclosures. Associated risks include negative company performance due to poor board oversight and reduced access to financing due to limited transparency; however, proactive embrace of ESG issues and risks as a focal point of the board’s oversight responsibilities will satisfy the new expectations of institutional investors who are demanding that their companies consider ESG-related risks and opportunities as core to their business.

COSO and the WBCSD expressed concern that while companies appear to understand the importance of ESG-related risks, they have been slow to integrate them with traditional risks.  For example, they pointed to evidence of significant misalignment between risks deemed material in sustainability reports prepared by companies and the risks that the companies disclosed in their traditional financial and legal reports.  Among the possible reasons for this misalignment were the following:

  • The challenges of quantifying ESG-related risks in monetary terms due to the fact that they were often long-term risks with uncertain impacts over an unknown time period. The inability to place a “cash value” on these risks makes it difficult for companies to prioritize them and determine the amount of resources that need to be allocated in order to manage and mitigate those risks.
  • A lack of knowledge of ESG-related risks and poor communication and collaboration between risk and sustainability professionals, a situation that has often led to ESG-related risks being viewed as separate and less important than traditional strategic, operational and financial risks.
  • The lack of a mainstream practice for integrating reporting of ESG-related risks into traditional financial reports and the difficulties of determining which of those risks is sufficiently material to require reporting.

The problems mentioned above are being addressed in a number of ways, including organizational structures that embed sustainability throughout the organization, rather than in a separate unit, and continuous improvements to reporting regimes that make it easier for companies to align strategic, operational, financial and ESG-related risks in their disclosures to regulators and other stakeholders.  In 2017 COSO released an initial draft of an updated framework for ERM that reflected the evolution of enterprise risk management and the need to integrate ERM with strategy and performance and incorporate ESG-related risks and opportunities.  The framework consisted of five components and associated principles, which included establishing governance for effective risk management; understanding the business context and strategy; identifying, assessing and prioritizing ESG-related risks; responding to ESG-related risks; reviewing and revising ESG-related risks; and, finally, communicating and reporting on ESG-related risks.  COSO and the WBCSD argued that integrating ESG-related risks into their ERM would allow companies to enhance their resilience, develop a common language for articulating risk, improve resource deployment, enhance pursuit of opportunity, realize efficiencies of scale and improve transparency and disclosure to address the expectations of investors.

Sources for this article included Enterprise Risk Management: Applying enterprise risk management to environmental, social and governance-related risks (Committee of Sponsoring Organizations of the Treadway Commission and the World Business Council for Sustainable Development, Preliminary Draft published February 2018).

Creating Your Environmental, Health and Safety Policy

It is essential for the company’s top management to define the company’s environmental, health and safety (“EH&S”) policy in a manner appropriate to the nature, scale and environmental impacts of the company’s operations.  Among other things, the policy should include a commitment to continual improvement and prevention of pollution and to creating and maintaining safe and healthy workplaces and facilities for employees and customers; a commitment to comply with applicable legal requirements, and any other requirements to which the company subscribes, that relate to its EH&S aspects; and a framework for setting and reviewing EH&S objectives and targets.  The policy should include an explicit commitment by the company to promote a safe and healthy environment for employees, contractors, agents, customers and other visitors to the company’s facilities; to comply with state and federal laws and regulations relating to workplace and environmental health and safety; to operate an EH&S management system aligned with the requirements of a recognized standard and ensuring continuous improvement through risk assessment, risk minimization and performance reporting; and to ensure that managers and employees are trained and held accountable for preventing work-related injuries and illness and that appropriate wellness programs are available to contribute to the productivity, health and well-being of employees.  The policy should also list the steps the company intends to take to further its stated EH&S goals and objectives, such as creating safety committees, which are discussed below; promulgating and enforcing work rules that promote best environmental, health and safety practices; complying with laws, regulations, policies and the company’s own EH&S procedures and rules; and supporting an EH&S culture throughout the organization.
The policy should be documented, implemented and maintained; communicated to all persons working for or on behalf of the company; made readily available to the public; and subject to periodic review to ensure that it remains relevant and appropriate to the company.

One useful illustration of an EH&S policy began with a simple statement that the organization embraced EH&S objectives as core business values and that providing a safe and healthy workplace for employees and caring for and protecting the environment and the communities in which the organization operated were fundamental beliefs of the organization.  The policy went on to assert that the organization was committed to developing and implementing management systems that protected the environment and safeguarded the health of employees while allowing the organization to provide for employee livelihood, customer needs and shareholder returns.  The policy then listed specific commitments including the following:

  • Demonstrating visible and active leadership in all of the organization’s business activities by providing resources necessary to manage and communicate EH&S commitment, expectations, and accountability in the same manner as any other critical business function
  • Establishing and enforcing appropriate systems and procedures to ensure compliance with the policy and the principles described in the policy
  • Educating employees on safe work behaviors
  • Implementing proactive hazard identification and following through with elimination and control of identified hazards
  • Implementing and auditing continuous EH&S improvement processes
  • Promoting a positive “Safety Culture” lifestyle both on and off the job
  • Complying with applicable laws, regulations, and statutory obligations
  • Ensuring open lines of communication to employees, subcontractors, and visitors to our work sites regarding the organization’s workplace health and safety arrangements
  • Developing processes that facilitate continual improvement in the health and safety management system and the organization’s health and safety performance
  • Including measurable EH&S targets in the organization’s business plans so that everyone who performs work for the organization is responsible and held accountable to help achieve these targets

This article is adapted from material in Sustainability and Corporate Governance: A Handbook for Sustainable Entrepreneurs, which is prepared and distributed by the Sustainable Entrepreneurship Project and can be downloaded here.  The Project website also has examples of EH&S policies that can be used as tools for drafting such a policy for your company.

Assessment of Sustainability Risks and Opportunities

In order for directors to understand the scope of their responsibilities with respect to overseeing sustainability, and to determine how best to focus their energies, an assessment must be conducted of the issues, risks and opportunities that are material to the company’s operations, environment and communities.[1]  KPMG called on boards to conduct such assessments but conceded that identifying the strategically significant ESG risks and opportunities for a company is complex, since they vary by industry and sector, and even within industries, and that there is no standard approach companies can take.[2]  KPMG nonetheless recommended a two-step process, described in the following paragraphs, that most companies could use as guiding principles during the assessment stage.  The first step is to identify and assess all the ESG and CSR issues that are material to the business and/or its stakeholders.  The second part of that test, materiality to stakeholders, is important because it will help the board anticipate and understand the questions and pressures the company may face from the environment in which it operates.  Admittedly, the list of potential issues is long and should generally start with the following:

  • Climate change impacts
  • Waste generation and management
  • Water and other natural resource scarcity
  • Environmental degradation
  • Product and worker safety
  • Supply chain management
  • Workplace diversity and inclusion
  • Labor practices, talent management and employee relations
  • Health and human rights
  • Executive compensation
  • Political contributions
  • Board independence, composition and renewal

When assessing each issue, the company needs to analyze the likelihood and magnitude of the associated risks and opportunities, recognizing that weights and measures may change over time, so that assessment has to be a continuous process rather than a one-time exercise.  In order to align the assessment with strategy, reference should be made to the issues that peer companies have cited in their sustainability reporting and to feedback from stakeholders collected during the assessment process.  While directors do not have the time or skills to conduct the assessment on their own, they should nonetheless understand the steps management is taking and use the process as a means of improving their own awareness of the key economic, social and environmental sustainability issues engaging governments, businesses, other organizations and individuals in the markets in which the company operates.

The second step acknowledges that companies, regardless of their size and available resources, do best when they focus their attention on issues, risks and opportunities that are “strategically significant”.  While it is common for the initial assessment process to generate a list of six to eight issues that could affect the operating efficiency of the company, KPMG recommended that the directors themselves select and concentrate on just two or three issues that will fundamentally affect the company’s ability to remain competitive and which customers, suppliers and other stakeholders agree will be key to the company’s long-term success.  Selection is often difficult and choices will vary depending on factors such as the company’s principal basis for competing in the marketplace.  For example, a company dependent on strong branding needs to focus on issues that might adversely impact the company’s reputation and a company competing on price will be interested in initiatives that have the potential to further decrease the cost structure or provide protection from unexpected price increases in inputs.

While identifying risks is an important part of the assessment process, and many companies conduct the assessment under the broader umbrella of their enterprise risk management systems, KPMG admonished directors to make sure that management also takes into account opportunities that may lie within ESG and CSR issues and which can be leveraged by the company to compete in the future on the basis of innovation and disruption.  A few of the examples mentioned by KPMG included solutions that would thrive in a low carbon world such as products that facilitate energy storage and efficient energy use; services that support greater access to education, affordable housing and financial products that reduce income inequality; products and services that promote health and well-being and healthy lifestyle choices; and technology that accelerates the sharing economy.

Once the board has selected the most strategically significant issues, it needs to work with management to create specific goals and “commitments”, a process described further below, and to establish metrics and key performance indicators that the board can use to measure progress.  The directors should also be sure that these issues are highlighted in communications to stakeholders that demonstrate how the company is integrating them into its long-term strategy for overall value creation.  Finally, the board should be sure that management is prioritizing the issues when making decisions about the allocation of resources and that information regarding the issues is being disseminated throughout the organization, so that different functions can develop their own systems and practices to make the best contribution to the new products and services that may be necessary in order to create a competitive advantage.

It is important to emphasize that KPMG and others recommend that boards focus on just two or three issues because directors have limited time and their attention needs to be carefully managed so that they can have the biggest impact.  This does not mean that management should adhere to the same limitations; in fact, the board should task management with continuously monitoring a wider range of material issues using internal and external resources allocated by the board for that purpose.  Directors should expect regular reports from management on the evolving portfolio of ESG and CSR issues, risks and opportunities so that the board can, if necessary, make changes in how it exercises oversight in this area.  Issues that are material but not strategically significant at the present time also need to be managed as part of the company’s enterprise risk management system, and will need to be discussed and disclosed in reports to regulators such as the Securities and Exchange Commission and in stakeholder communications.

Sources for this article included S. Taylor, Seven Steps to Implementing Board Oversight of Sustainability (February 21, 2017); and ESG, Strategy and the Long View: A Framework for Board Oversight (KPMG LLP, 2017), 8-9.  KPMG recommended that the provisional sustainability standards developed by the Sustainability Accounting Standards Board, which cover a broad range of industries in numerous sectors, can provide a reference point for identifying industry-specific sustainability factors that are reasonably likely to have material impacts.

Developing a Privacy and Data Security Compliance Program

Developing a privacy and data security compliance program requires a substantial investment of professional and managerial time and of financial resources to acquire, install and operate the technological systems that serve as the foundation for collecting, using, transferring and discarding nonpublic personal information.  Privacy and data security are commonly treated as a top-level corporate governance issue that involves the board of directors and senior management, and as companies grow they are likely to recruit and appoint experienced professionals to serve as chief privacy officers, with their own dedicated personnel and budget, to oversee this element of the compliance program.  While there is no single template for a privacy and data security compliance program, it is important to address the following:

  • Defining and identifying nonpublic personal information handled by the company and documenting how the information flows into, within and outside the organizational structure of the company;
  • Establishing managerial responsibility and control over the compliance program and allocating sufficient cash and other resources to the program;
  • Establishing and enforcing all necessary policies and procedures with regard to privacy and data security;
  • Establishing focused programs to deal with specific privacy-related risks such as online collection of information and collection and use of information during the course of customer relationships;
  • Establishing programs for educating all company employees and business partners about privacy- and data security-related requirements, including continuing education on new developments and threats for the executives and managers directly responsible for the compliance program;
  • Understanding and monitoring all applicable privacy- and security-related laws and regulations including emerging trends that may change the regulatory landscape in the foreseeable future;
  • Establishing and administering procedures for oversight of vendors with access to nonpublic personal information for which the company is ultimately responsible;
  • Establishing procedures for data retention and destruction;
  • Establishing and administering privacy incident response and breach notification procedures;
  • Establishing and enforcing disciplinary policies with respect to failure of employees and business partners to comply with the privacy- and data security-related policies and procedures of the company;
  • Communicating the company’s privacy- and data security-related practices to relevant stakeholders including employees, customers, business partners, financial markets and regulators; and
  • Providing regular reports on the efficacy of the program to the board of directors and members of the senior management group.

Responsibility for administering the privacy program should be vested in a single person, generally referred to as the chief privacy officer, who is given authority to establish privacy policies and procedures and to oversee the personnel in each department of the company who are responsible for privacy-related issues in their functional area.  The importance of having an executive-level position responsible for managing the risks and business impacts of privacy laws and policies is reinforced by the fact that most Fortune 100 companies now have a chief privacy officer or an equivalent position.  The chief privacy officer, with the support of the chief executive officer and other members of the senior management group, should be prepared to implement privacy policies and practices for the entire company and to coordinate the compliance activities of disparate departments such as marketing, communications, customer service, information technology, human resources and legal.  The privacy officer and his/her staff should begin by making an assessment of the nonpublic personal information that the company collects and of how it is used and otherwise handled by the company.  Once policies and procedures are in place, the privacy officer should conduct privacy impact assessments and audits of the handling of nonpublic personal information and should create training and educational programs for employees and company agents.  Various resources are available for developing a privacy program, including materials readily available from privacy seal organizations and privacy advocacy groups.

Achieving adequate data security and privacy protections for customers, employees and other parties requires a strategy, and like any other strategy it is important to identify relevant metrics that can be used to assess its performance.  Unfortunately, there is no single strategy that will be entirely successful in every instance, and even companies that have thoughtfully developed and implemented data protection regimes can suffer security breaches.  When creating a data protection program, companies should be mindful of the account they may need to give if and when problems occur, which means being able to demonstrate that the program was based on recognized industry standards and applicable regulatory guidelines.  In addition, companies should keep a record of their consultation processes that includes the names and backgrounds of the technical and legal specialists who were involved.  Companies should also be able to explain how their data security framework works and when and how decisions were made among the alternative solutions considered.  For example, companies typically have a limited budget for their data security programs, and the record should describe how and why dollars were invested in addressing particular risks.  While this information cannot eliminate potential liability for security breaches, it can help mitigate potential penalties and punitive damage awards.

Chapter 230 of Business Transactions Solution (§§230:1 et seq.) on WESTLAW covers the development and administration of policies and procedures to comply with laws, regulations and industry standards relating to privacy, data security and overall collection and use of nonpublic personal information. The materials include a large library of illustrative policies and related practice tools such as checklists for developing a privacy and data security compliance program (BTS §230:130), negotiating information security issues in outsourcing contracts (BTS §230:131) and privacy and data security issues in acquisition transactions (BTS §230:132).  The chapter also includes valuable communications vehicles for clients including client executive summaries regarding privacy and data security laws (BTS §230:133), security requirements for nonpublic personal information (BTS §230:134) and implementation and management of privacy programs (BTS §230:135).