Compliance and ESG – opportunities for improvement


Compliance teams and in-house counsel have been searching for their ‘home’ within the business landscape for several years. Initially, compliance teams latched onto the concept of governance, risk and compliance (GRC) as a way to develop the industry of compliance. GRC developed, but it steered in the direction of software that tracked policy deviations and, while useful, was not a real focus of most compliance practitioners.

In more recent times, another concept has emerged. Compliance teams are now aligning with environmental, social and governance (ESG) or, more specifically, the ‘G’ in ESG: governance. While the ‘G’ in ESG continues to evolve and therefore cannot yet be clearly defined by most practitioners, it does appear that any expansion of ‘governance’ would include elements of compliance.

Several global initiatives are at play to create standards that companies can follow to measure and report their disclosures according to ESG principles. There is some clear alignment between these standards; however, there are also areas of misalignment that need to be understood. If compliance practitioners can influence the continued development of these standards, compliance and ESG principles can be aligned to drive impactful change before it is too late.

Developing a standard and metrics for ESG reporting

At the 2020 Annual Meeting in Davos, the World Economic Forum announced an agreement to develop a core set of common metrics and disclosures for sustainable value creation. This initiative was led by the International Business Council, a community of over 120 global CEOs, and sought to ‘improve the ways that companies measure and demonstrate their contributions towards creating more prosperous, fulfilled societies and a more sustainable relationship with our planet’. That appears to be ‘speak’ for developing some common standards for ESG reporting.

The core and expanded set of ‘stakeholder capitalism metrics’ and disclosures were developed to be used by companies to align their mainstream reporting on performance against ESG indicators and to consistently track their contributions towards the United Nations Sustainable Development Goals (SDGs). The report, known as a ‘white paper’, was released in September 2020. The report adds that the metrics are aimed at accelerating convergence and are an attempt to bring greater comparability and consistency to the reporting of ESG disclosures.

The stakeholder capitalism metrics are drawn wherever possible from existing standards and disclosures, rather than reinventing the wheel. Companies are encouraged to report against as many of the core and expanded metrics as they find material and appropriate, on the basis of a ‘disclose or explain’ approach.

The ‘G’ in ESG, as described by the report

Before we start to analyse the report in more detail from a compliance perspective, it is important to analyse what it says about the ‘G’ in ESG.

The stakeholder capitalism metrics have been organised into four pillars – principles of Governance, Planet, People and Prosperity – which are aligned with the essential elements of the SDGs. Governance is defined as foundational for a company in setting purpose and provides oversight for a company’s activities that contribute to a prosperous, sustainable society. Without good governance, companies lack the supportive context within which to make progress on the other three pillars.

Under the pillar of Governance, there are five key elements, four of which have expanded metrics and disclosures.

Table describing the five key elements of Governance, with their metrics and disclosures

Where is the word ‘compliance’?

The word ‘compliance’ appears only twice in the 96-page document. The first time is in an innocuous reference to the ‘costs of compliance’ in determining the costs associated with failures of a safe workplace. The other appearance is more interesting, however, as it appears in the Governance section under the ‘Ethical behaviour’ theme, and says:

A key principle for good governance is the effective oversight of corporate decision‑making to ensure compliance with relevant laws and regulations, as well as meeting stakeholder expectations for ethical behaviour.

How do the Governance metrics stack up from a compliance officer’s perspective?

There is no doubt that there are some good initiatives in the Governance pillar.

A commitment to being a purpose-led company and an alignment to ESG are good and commendable things. They may not be earth-shattering in terms of value, but they certainly won’t hurt. Making sure that the board has the time, experience and competencies specific to ESG areas is also a positive initiative. The remuneration metric, while detailed, does not seem particularly important, unless that remuneration is specifically directed at achieving ESG goals.

The stakeholder engagement metric is standard. Creating a list of material issues impacting stakeholders would be easily achieved for most companies but it remains to be seen how effective it is. Companies could easily comply with this section with a simple spiel on their website. Again, while this metric is not contentious, it is not of significant value.

The ethical behaviour metrics, however, are more interesting and achieving them would be challenging for almost every compliance officer of a major company. What is clear from a quick review of this section is that the title ‘Ethical behaviour’ might be misleading. Compliance teams refer to ‘ethical behaviour’ as behaviour that happens when no one is watching, which is not documented in a clear law or policy. It is the way that people should behave when there is no clear guidance and is about ‘doing what is right’.

The theme really is not about ‘ethical behaviour’, but rather ‘creating a culture of compliance’. Compliance teams would rather see this heading. Creating a culture of compliance is more what governance is all about. If you create that culture of compliance, then you would already be achieving some form of ‘ethical behaviour’. While ‘creating a culture of compliance’ is much broader than ‘ethical behaviour’, it is more aligned to what companies are trying to achieve.

The inclusion of only two core metrics under this element is also rather curious. It suggests that anti-corruption and whistleblowing are the only two areas that are important enough to be focused on as part of a governance commitment. There are many matters that could have been included here, not the least of which could be management of conflicts and personal dealing, protection of human rights (including workers’ rights, trafficking, harassment, discrimination, gender and racial equality), protection of a safe workplace, protection of data, protection of competition policies, and the protection of quality products and services.

With the two areas that are mentioned, the emphasis seems to be on training and proving the value of training. This approach was taken 20 years ago and has long been superseded. In fact, in current times, it is less about training and more about a holistic anti-corruption and anti-bribery compliance system. We know that training isn’t enough, and it is naïve to equate training with substantially managing a risk.

It is also incredibly difficult to set a metric for anti-corruption. What is clear is that ‘the percentage of people trained’ mentioned in the report is not a useful metric. If there is a need to keep the current sub-topic of anti-corruption, then I would recommend for it to be worded like this:

The existence of a comprehensive anti-bribery and corruption compliance programme that covers employees, suppliers and business partners that constantly seeks to reduce the incidence of non-compliance by setting clear policies, procedures, awareness, communication, training and controls. Such a system should use technology solutions to measure the effectiveness of the programme and analyse its results for continual improvement.

While the inclusion of an obligation to have a compliance reporting or whistleblowing programme is admirable, it also misses a few key issues. It should be stated that the system should be independent and should permit anonymity where the law allows. There should also be a specific mention that such a system should be subject to obligations of non-retaliation and guarantees that reporters are protected, and that it is open to anyone, not just employees.

In relation to the specific metrics of ‘ethical behaviour’ mentioned, these are also rather odd. The direct references to lobbying appear unnecessary and overly specific. The inclusion of ‘monetary losses from unethical behaviour’ also appears out of place. It is unfair to try to measure loss in financial terms only. This would ignore other types of loss, for example to people, the community or our planet. It is very difficult to compare such ‘losses’, and any figure would need to be expressed as a percentage of revenue or some other proportion to reflect the different sizes and complexity of companies. Again, there seems to be an attempt to place metrics and measurement on these initiatives, which is admirable and understandable, but the chosen metrics are insufficient and add little value.

Does the theme of ‘Risk and opportunity oversight’ provide any clarity to a compliance officer?

This section is more aligned to what a compliance officer would like to see, as compliance officers are fully supportive of linking risk and opportunity into the business and the business process. The challenge is with the metric: ‘How the highest governance body considers economic, environmental and social issues when overseeing major capital allocation decisions, such as expenditures, acquisitions and divestments.’ This metric does not really work alongside the obligation. Again, it looks at things from a pure governance perspective (meaning the perspective of the board). If the board considers these risks in its duties, then the obligation is met. This is simplistic and doesn’t really reflect the obligation, which is much broader and extends across the business. The obligation is about whether risk and opportunity programmes are integrated into the business: either they are or they are not. The test is whether ownership, responsibility and accountability sit with the business and whether there is continual improvement in the integration and management of these initiatives.

Recommendations for improvement

There was a strong attempt in the white paper to define ESG and create a de facto standard. The governance pillar still needs some work to genuinely reflect the meaning of a governance system in a company. Compliance officers would certainly like to see more enhanced governance requirements in addition to those already indicated. The report could be significantly improved with some key changes and additions principally associated with compliance and the management of compliance, such as the following:

Changing the theme of ‘Ethical behaviour’ to ‘Establishing a culture of compliance’
Adding another three obligations under the above heading:

  • That the company appoint a trained and experienced compliance officer (who may be part time) and appropriate resources to manage the compliance programmes, monitor and measure their success with stated objectives and improve them at regular intervals
  • That the company applies a compliance framework to conduct risk assessments annually for all but minor risks, and develops and maintains a comprehensive compliance programme that is embedded in the business with sufficient board and management oversight to manage each of the risks identified within, with a focus on continual improvement of the programme in line with corporate and ESG goals
  • That the company works towards developing a culture of compliance, where the company, its employees and its stakeholders continue to develop the culture to one that establishes ethical leadership and compliance with laws, regulations and customer and community expectations concerning ESG

Some changes to the risk and opportunity section to expand the value of a risk and opportunity framework for not only the board to work within, but the entire company. It is possible that this section could be included in the ‘culture of compliance’ section rather than being its own separate section.

The above improvements, with some additional editing of the current wording, would bring compliance into the governance framework as defined by the report. They expand the areas covered by the report and focus more on establishing a framework, a risk assessment and the development and operation of the resulting compliance programmes. This allows the flexibility for companies of all sizes to apply this governance pillar and is less focused on measuring governance by anti-corruption training and whistleblowing alone.
