By Gerry Zack, CEO of Society of Corporate Compliance and Ethics® (SCCE) & Health Care Compliance Association® (HCCA)
Environmental, social, and governance (ESG) issues have been around for many years under a variety of different names (e.g., sustainability, etc.). Until recently, ESG was often considered to be a public relations function, as corporations sought to enhance their reputations by serving as good corporate citizens, mostly through environmental or social causes. But consideration of ESG as a set of compliance issues is a more recent development fueled by several circumstances.
Traditionally, the compliance, or compliance and ethics, function has been thought of as one that focuses on preventing, finding, and fixing problems stemming from violations of laws and regulations. In some cases, the scope is narrower, dealing only with specific areas of the law, like corruption or antitrust. In others, a program may address a wide array of applicable laws. Either way, the focus is on laws and regulations that an organization is required to comply with as a result of the nature of business it is in.
Compliance and ethics programs also sometimes address other requirements that come along as conditions of engaging in certain types of activities—conditions that don’t emanate from laws or regulations. For example, compliance with provisions of contracts or with professional, but non-statutory, standards that may apply to parts of its operations. Conflicts of interest is another area commonly addressed in compliance and ethics programs, even when they are not considered to violate any laws.
Regardless of whether the scope of a compliance and ethics program is defined narrowly to address only certain laws and regulations or more broadly defined to also include other non-statutory requirements, the profession has evolved to a point that a consistent framework can be applied to successfully manage these compliance risks. This framework, when properly applied, can be very effective at managing compliance risks and contribute to the value that an organization strives to achieve.
At the same time that the compliance and ethics profession was evolving and maturing, the field of ESG was going through its own maturation, and astute companies were recognizing its importance and value. Suddenly, what started out as goals that an organization would voluntarily announce, became expectations and commitments to which external stakeholders would hold them. ESG became much more than a public relations function. There could be real consequences for failures.
It’s no coincidence that this development coincided with the increased level of collaboration between ESG and compliance functions. Most often, ESG remains a separate function, but it works closely with or at least consults with compliance. In some cases, ESG and compliance are part of the same team. And in other cases, compliance actually is in charge of ESG.
There isn’t really a universally correct or incorrect way of structuring the relationship between ESG and compliance. Several models can work well. However, application of the same framework that compliance has developed and used to manage compliance risk makes a lot of sense. For many years, compliance has utilized a framework involving the performance of a risk assessment, development of policies and procedures, training and communications, monitoring and auditing, creation of a culture of compliance awareness, and utilization of a governance structure to manage risk. These same elements, when applied appropriately to ESG risks, can result in a similar level of effectiveness.
The compliance team is not always subject matter experts on every last detail of the underlying compliance requirements. That expertise is likely found in the legal department, or in some cases the business unit, in which the risk is prevalent. The strength and value of the compliance team is in taking that expertise, disseminating it, and ensuring that there are proper processes in place to effectively manage the risk. To use the example of anti-corruption law, the compliance team’s focus is on ensuring that the requirements of the UK Bribery Act and other applicable laws are understood by the business unit and there is a framework of adequate controls in place to help prevent and catch any wrongdoing.
This same logic often applies to ESG risks. The people who are in the ESG department possess the technical expertise on each ESG risk that the organization has. But the compliance team possesses the requisite skills and knowledge for applying the compliance framework to these ESG risks. Thus, collaboration makes sense. And this trend towards varying levels of collaboration between ESG and compliance will continue and most certainly increase.
The next steps in the evolution of ESG and compliance will likely see a continuance and increased pace of some of the developments we have seen in recent years. Two such developments, in particular, warrant the attention of organizations.
First, many aspects of ESG will become required by law. ESG goals usually begin with organizations desiring to abide by an expectation that goes above and beyond what the law requires. But, governments, seeing what organizations are capable of and the benefits to society that can be achieved, have begun putting some of these same expectations into the law. What began as a voluntary commitment to certain goals become law. A good example of this is the law passed in 2021 in Germany requiring many companies to incorporate human rights and environmental considerations into the due diligence within their supply chains. This is something that some companies had already begun doing as part of their ESG commitments, and now it has become law. The German law is one of several that have done similar things and this trend will continue.
The other trend that is likely to continue is litigation aimed at companies associated with ESG issues. Some of these cases are consumer protection actions taken by governments focused on deceptive marketing practices, mostly involving dubious or outright false claims about ESG-related achievements. For example, in 2020, the Advertising Standards Authority found that Ryanair violated the United Kingdom Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing with its advertising claims about CO2 emissions.
Other cases, such as the September 2021 cases brought by a German environmental organization against BMW and Mercedes-Benz AG, focus on basic human rights—in this case a fundamental right that citizens have to climate protection which is infringed upon when a company falls short of agreed-upon carbon goals.
Whether it’s environmental, social, or governance issues, the direct financial and non-financial risks that companies are exposed to is likely to continue increasing. And these risks will exist not only with respect to the direct activities carried out by companies, but also as a result of their relationships with suppliers and other third parties. No approach to managing these risks is better suited for the job than the well-established compliance framework that has been successfully applied by so many organizations.
About the Author
Gerry Zack is the CEO of Society of Corporate Compliance and Ethics® (SCCE) & Health Care Compliance Association® (HCCA). He leads the global strategy and activities of SCCE & HCCA and its 18,500 members across 100 countries. He has more than 35 years of experience providing preventive, detective, and investigative services involving fraud, corruption, and compliance matters. He has worked in more than 25 countries with businesses of all sizes and in many industries, as well as with nonprofit and nongovernmental organizations and government agencies. Prior to joining SCCE & HCCA in 2017, Gerry held positions with global accounting and consulting firms and founded his own forensic investigations and advisory firm. He also served as global chair of the Board of Regents of the Association of Certified Fraud Examiners.