Commitment made, now to implement: embedding ESG best practice

By Rachel Nicolson, Jillian Button, Dora Banyasz

Practical steps for setting policy

We have previously discussed the potential to use international law frameworks as a tool to set an organisation's policy on ESG issues. In terms of achieving this practically, we strongly recommend using these frameworks to audit the commitments the organisation has made, and:

  • consider gaps as between those commitments and the prevailing high-water mark international law standards. Consider conducting multi-functional workshops to establish the company's policy position on relevant ESG issues using these international law standards as a key data point. A recent topical example is commitments around consultation and engagement with Indigenous Peoples and the achievement of the international human right of Free Prior and Informed Consent of relevant Indigenous Peoples to certain project activity; and
  • equally, consider gaps between international standards to which the company has committed and what is actually happening on the ground. As we've discussed above, a failure to align with public policy commitments made has the real potential to result in allegations of misleading conduct and we are seeing increased regulatory interest in both greenwashing (in relation to environmental commitments not met) and bluewashing (in relation to social or human rights related commitments not met).

Embedding an ESG risk and compliance culture

Once ESG policy positions are established, the next question is how to best embed a leading ESG risk and compliance culture that ensures the organisation is meeting the standards set out in its policies in its day-to-day operations. Setting a culture that embraces the organisation's ESG commitments and also works to comply with the controls aimed at meeting those commitments is an ongoing, material challenge faced by the majority of businesses and governments.

Ensuring there is a shared understanding of the expectation that the organisation aligns its practices with the policy standards it has set means that employing the right people is key, but what is also key is embedding these standards into all elements of your existing risk and compliance framework. You want to avoid these standards being policy commitments and nothing more. They need to be a part of your risk and compliance culture.

Markers of an effective risk and compliance culture

There are several key markers of an effective risk and compliance culture on any ESG issue. These are well understood by stakeholders (including investors) and increasingly expressly required by regulatory frameworks. Such markers include:

Tone from the top

Tone from the top is absolutely critical. We know from a range of recent high profile risk and compliance failures that tone from the top is essential to a strong compliance framework, and regulatory expectations are that the board and executive set a very firm and clear position on ESG or regulatory risk and compliance issues including for instance in the areas of anti-money laundering compliance, anti-bribery, cultural heritage, sexual assault and harassment, discrimination, diversity and inclusion. This applies not only to each subject matter within ESG, but also to shaping a robust ESG culture more generally. Other senior executives and leaders in a company, including from teams covering risk and compliance, legal, and sustainability, also have a role to play in setting this tone, monitoring emerging trends and supporting the board and executive in shaping ESG culture.

Governance and internal reporting

Governance and internal reporting: ensuring there is a clear framework, accountability and transparency for ESG management and decision-making is key. This is the structure you rely on to set the parameters for embedding a strong ESG culture across the organisation. It may include steps such as elevating ESG within a company's risk taxonomy or risk frameworks, and assessing the frequency with which ESG issues are considered by the Board. Effective internal reporting in line with that governance structure, one that ensures appropriate and effective information reaches key decision-makers, is key.

Corporate policies

Corporate policies: policies covering the gamut of ESG and related issues are important as a clear articulation of the company's expectations and standards. We have discussed already the value of ensuring they align with the high watermark of international law and standards. Policy owners within the company's governance framework should be responsible for upkeep of these documents to ensure they are underpinned by the right information and standards. In some cases policy development will require a wider discussion, as it may involve a company considering and making a call about how it wants to position itself on certain topics. It is also essential that policies are not siloed and are cross-functional to ensure appropriate coverage and embedment.

Risk assessments

Risk assessments are key to ensuring all relevant ESG and other compliance risks are on your radar on an ongoing basis, and that the perspectives of key stakeholders are truly understood. Risk assessments are an essential underpinning of most other components of your ESG risk and compliance culture and frameworks – the information gathered through them will drive your approach on issues like resource allocation and where (and to what extent) mitigating controls are implemented.

Due diligence

Due diligence on proposed transactions, new products and on third parties with whom you are doing business is essential and expected as a risk mitigant. It should also be risk-based (i.e. informed by the outcomes of your risk assessment work). A blanket approach to due diligence is not needed and not helpful to mitigating risk. Practical due diligence tools, such as checklists, can be valuable in generating verifiable evidence that the standards the company has committed to are being met.

Training

Training across relevant parts of an organisation is a key component of building a strong ESG culture and ensuring expected standards are well understood by the people making day-to-day operational decisions in the company. It is important that training is underpinned by a clear understanding of the standards the company is striving to uphold. It is also important for it to be engaging – a six-minute training session that hits home is far more valuable than an hour-long generic session that does not resonate with your personnel.

Internal grievance mechanisms

Internal grievance mechanisms are also an essential component of an effective ESG culture. Establishing an accessible and respected speak up and whistleblower program that is endorsed at the highest levels of the business is a vital source of information on what is happening on the ground and an effective means of identifying hot spots where culture may be deficient. For example, in addition to general internal mechanisms for reporting breaches of company policy or the law, we are seeing an increasing number of clients explore and implement sexual harassment hotlines as a means of flushing out and dealing with this problematic safety and culture issue.

External reporting and stakeholder engagement

External reporting and stakeholder engagement: stakeholder expectations on disclosure continue to evolve rapidly, matched by a global trend in regulation requiring increased public reporting across a range of ESG issues (for instance environmental and human rights-related reporting). The alignment of that reporting with the policy commitments and high watermark international standards, in form and substance, is the approach that stakeholders expect companies to take. Stakeholder engagement, and external reporting in particular, are increasingly pinned to these international best practice standards.

None of these elements can be static. Rather, they need to be updated as risk and compliance approaches evolve. And while each one alone is important, it is in combination that they are most powerful in embedding a strong ESG culture. Each element also facilitates oversight, by allowing the board and other parts of the organisation to have insight into how ESG standards are being implemented and to rectify issues before they become large-scale corporate failures.

The role of in-house legal, risk and compliance and HSE/sustainability teams in forging this healthy culture

Beyond the details of an ESG risk and compliance framework set out above, there is no 'one size fits all' approach to shaping and embedding a strong ESG culture in your organisation.

Who should be responsible for driving the cultural improvements that will enable the organisation to thrive in an era of ESG scrutiny? And who is best placed to ensure this culture is continually maintained and evolved as needed? In reality, it will be a number of parts of an organisation – from the board and senior executives through to risk and compliance teams, in-house legal teams and HSE and sustainability teams.

These in-house functions increasingly need to position themselves as the go-to for not 'can I?' but 'should I?' questions and, if needed, to be part of leading a shift in mindset in the organisation – both with the board and senior management, and at the operational level – to achieve this kind of culture. The commitment to best practice standards is not a one-off event – it's an ongoing process to assess where the organisation sits against its commitments and expectations.

Key questions to ask

Those who are responsible for shaping and embedding a strong ESG culture can use the risk and compliance toolkit discussed above to test the organisation's approach and maintain accountability over time. Each element of the toolkit allows targeted questions to be asked about how best practice standards are being implemented on the ground. For example:

  • How are the standards to which we have committed reflected in our policies?
  • How are our commitments around protecting cultural heritage reflected in our risk assessment processes?
  • How are our commitments on climate change embedded in our due diligence approach?

Rather than being seen as a further burden on in-house teams, this should be seized upon as an opportunity to drive real change and accountability across the organisation and be a key player in forging and leading a robust ESG risk and compliance culture.