Thoughts on Managing Sustainability Risk

Interesting news on the framework front: COSO has agreed to work with the World Business Council for Sustainable Development to develop guidance on how to embed sustainable business practices into COSO’s forthcoming framework for enterprise risk management.

The two groups announced their partnership last Friday; the guidance should arrive sometime in 2018. I hadn’t heard of the WBCSD until now, but it does have numerous heavy hitters on its management team and advisory council, and the idea of integrating sustainable business practices into ERM is a good one. Let’s hope they succeed.

Sustainability issues are on my mind lately because I’m working on a project looking at how large organizations assess and audit their environmental risks. I was speaking to the chief audit executive of a large agribusiness, privately held at the moment but planning an IPO eventually. Understanding the company’s environmental footprint and food handling practices will be critical, the CAE told me, because “as soon as we’re public, investor groups will be on us about this.”

That agribusiness is not alone. Yum Brands announced last week that by 2019, its KFC restaurant chain will stop using chickens fed with antibiotics important to human medicine. Consumer groups and the FDA had been needling food businesses to cease that practice by this year, and many other restaurant businesses (Chick-fil-A, McDonald’s, Subway) have already done so. Critics say feeding human antibiotics to animals we ultimately eat can give rise to antibiotic-resistant bacteria.

Those examples are only fragments of a larger risk management picture. Concerns about sustainable business practices have been rising for years. Exactly what counts as a sustainability issue is a bit fuzzy around the edges, but food safety, environmental damage, and carbon emissions certainly qualify. Corporations have a multitude of regulators taking stabs at sustainability oversight, from the EPA to the FDA to the USDA; and that’s just at the federal level here in the United States.

One theme to all these efforts is that they are largely reactive: regulators reacting to public outcry; companies reacting to regulatory decrees or investor activism.

Getting Ahead of the Curve

What we should want to see is something akin to how the Sarbanes-Oxley Act transformed corporate accounting 15 years ago. SOX forced the oversight of corporate accounting into the boardroom. It came complete with close regulatory oversight from the Securities and Exchange Commission, which recommended that companies use the COSO framework for internal control; audit firms could then use that framework as a blueprint for auditing internal control, just as U.S. Generally Accepted Accounting Principles, adopted by the Financial Accounting Standards Board, are the blueprint for auditing the financial statements themselves.

I’m not saying SOX compliance was ever easy. But strong internal control over financial reporting (ICFR) became a core principle of corporate governance. We developed a regime to police against sloppy accounting more effectively. Even if the current administration in Washington has little appetite for that, regulators still have the ability to do it. We have a clear body of knowledge about how ICFR should work. (And one goal of SOX was to reduce the frequency of financial restatements. That happened too.)

Corporate America needs a similar transformation for sustainability issues: something that binds structure and substance together, so all stakeholders (investors, corporations, regulators, standard-setters) can understand what their rights and obligations are, amid all the sustainability risks we face.

The pieces are all there. If anything, right now we have an abundance of pieces: frameworks for integrated reporting, groups pushing sustainability standards, agencies enforcing specific regulations, investor groups adopting benchmarks and demanding that corporations adhere to them. We can’t fault boards and CEOs if they feel overwhelmed. Collectively, the world isn’t asking too much of companies. Individually, however, too many voices are asking.

Boards and CEOs don’t deny the need for attention to sustainability. Heck, the advisory group for the World Business Council for Sustainable Development is crammed with CEOs from global companies. They want—and need—all those pieces arranged in a logical sequence, so they can think about and manage sustainability risks with the same ease as financial reporting or anti-corruption risks. (Which, I know, aren’t easy either. But they’re better articulated as boardroom issues than sustainability is.)

Something Like This

For example—and only an example; I’m not making recommendations here—we could create a COSO-driven sustainability framework that companies could then use to meet the standards set forth by the Sustainability Accounting Standards Board (SASB). Those efforts could then be audited (this is the part where CFOs curse my name and audit firms send me bottles of VO), and if you pass the audit, you have “effective” sustainability. Could investors still challenge you? Sure, in the same way that short-sellers or hedge funds needle a company for accounting practices they don’t like.

Admittedly, the missing link in this chain is the regulatory authority. Ideally, the SEC would step up with sustainability disclosure standards, much as the SEC promulgated rules for SOX compliance (and cited COSO as a good framework to use). And ideally those regulations would be clearer than the vague climate change disclosure guidance the SEC mumbled out in 2010. We’d also need Congress to support thoughtful corporate sustainability so the SEC feels confident enough to act.

I don’t see any of that happening with the crowd in Washington today. But if we look further down the road, this is the sort of collective effort the body politic and body corporate will need to pull off, if the planet wants to keep itself together through the 21st century and beyond.

Now, before you dismiss all my utopian musings, let’s posit one more scenario where Washington does support putting more muscle behind managing some business risk. What might that look like?

It might look like the growing consensus to use the NIST Cybersecurity Framework for managing cybersecurity risk.

The Trump Administration is continuing the Obama Administration’s old idea to have government agencies implement the NIST framework in their cybersecurity operations. (The framework was originally developed under a 2013 Obama executive order as a voluntary standard for critical infrastructure, and NIST published version 1.0 in 2014.) Critical infrastructure sectors (banking, telecom, electricity) are adopting NIST, too. Jay Clayton, our looming next chairman of the SEC, said of corporate cybersecurity disclosure during his confirmation hearing: “I question whether that disclosure is where it should be.”

A risk management framework, a regulator open to taking action, and the corporate world eager for structure and guidance on what their obligations are: those are the ingredients to take a useful, intelligent step forward.

We’ll take that step on cybersecurity soon enough. We’ll need to take it on sustainability eventually.
