Embedding ESG

Risk assessment process

Andrew Wilcock: Stakeholders expect businesses to have a clear-eyed view of where their ESG risks lie and have controls in place to mitigate them. In this context, it's critical that businesses have clearly defined risk assessment procedures in place. We've assisted many clients to develop risk assessment methodologies and implement them across a range of different subject areas. And there's no ‘one size fits all’ approach to doing ESG risk assessments.

Some businesses have a standalone ESG risk assessment process, while others incorporate ESG risk assessments into their enterprise-wide risk assessment framework. Some businesses assess baskets of ESG risks together, while others conduct deep dives on individual ESG risk areas. And some businesses assess ESG risk through a centralised group function, while others do so on a business unit-by-business unit basis or on a country-by-country basis.

That said, however ESG risk assessment processes are structured, they should all share certain fundamental characteristics. First, for each subject area under consideration, a compliance baseline should be established with reference to relevant laws, regulatory guidance, stakeholder expectations and your company's values. Second, ESG risks inherent to a business arising from its geographical presence and the nature of its activities and operations should be considered.

And third, the efficiency of a business' compliance controls in light of the inherent risks it faces should be considered. Risk assessment processes and outcomes should be clearly documented. They should also be repeatable and repeated in light of material changes to your business or the environment in which you're working. When conducted well, ESG risk assessments can have a number of benefits.

The first is identifying the activities within your business that expose it to risk and the magnitude of those risk exposures. A second is supporting the effective deployment of compliance resources and reducing your compliance costs. A third is supporting the design and operationalisation of policies and procedures that target key risk exposures. And a fourth is aligning with regulatory requirements and community and stakeholder expectations. These benefits are realised on a day-to-day basis, and they can provide clarity and confidence when navigating evolving stakeholder expectations.

Institutionalised third party due diligence

Caroline Marshall: Many ESG risks are driven by third party engagements. Even if a business’ people have a strong understanding of ESG exposures and strong internal processes, third parties acting on a business' behalf like joint venture partners, distributors and suppliers can create ESG exposures.

Accordingly, it is important to have robust due diligence procedures in place for higher risk counterparties and to apply those processes before engaging with a third party. This is as true in the M&A context as it is in your broader supply chain. Historically, many businesses have had in place processes for assessing legal risks arising from environmental, health and safety and for bribery laws.

Currently, however, we are seeing an expansion of these processes to assess a wider range of other ESG risks, including modern slavery, business human rights, employment laws and sanctions. We've helped a range of clients set up third party due diligence processes and controls, and we've provided outsourced due diligence services. We've also advised on associated contractual clauses to help mitigate ESG risks in engagements with third parties in general.

Setting up and conducting third party ESG due diligence processes usually involves, one, defining the circumstances when due diligence is required; two establishing protocols for obtaining and reviewing information about third parties; three, defining potential red flags and establishing circumstances in which diligence findings should be escalated within a business; and four, establishing standardised record-keeping processes and repositories. Effective third party due diligence ensures that businesses choose a counterparty that is aligned to its long-term ESG objectives and has a range of benefits, including identifying and understanding the potential impacts of legal and commercial risks associated with your relationship with a particular third party.

Managing ESG risk and complying with regulatory requirements and stakeholder expectations; and providing a basis for an effective regulatory response should a compliance incident ever occur. Effective due diligence processes also help to enhance understanding of ESG risks within a business and signal the importance a business attributes to ESG compliance to its counterparties.

Summary

Andrew Wilcock: In conclusion, ESG is no longer an emerging concept. It's a material point of business risk that affects almost every way in which you do business. Over the coming decade, the objective for every business will be not just to meet but to exceed best practice standards. By embedding ESG risk assessment and due diligence processes within your business, you’re one step closer to doing this.