In recent years, I've described my research area as sustainability -- with a focus on how IT can help an enterprise
become more durable to economic and ecological pressures. I've written previously about IT governance and the role of IT in enterprise risk management, governance and regulatory compliance (GRC). The progression of interests seemed natural to me, but I’ve seen confusion among IT management about the relationships among GRC, sustainability and corporate social responsibility (CSR).
In one case, a manager told me unequivocally that GRC is part of sustainability, and drew a chart to prove his point. Another drew a similar chart but showed sustainability as part of a GRC program. CSR was dismissed in both of these discussions.
A starting point for understanding the relationships is to recognize that although GRC has become an important industry term, it’s meaningless in the debate about the relationship between sustainability and CSR. There is a complex, context-based network of relationships among governance, risk management, compliance, sustainability and CSR.
Sustainability, broadly defined, includes any operational aspect that affects the long-term viability of an entity. Using scarce resources without replenishing the supply is not sustainable.
Some aspects of sustainability, particularly greenhouse gas (GHG) management, have direct links to reputational risk and operational risk -- both components of risk management. Of course, in the future more regulations will constrain GHG-producing activities, so the bonds will continue to get stronger.
For example, while carbon management may be a sustainability goal in one context, it may be a regulatory compliance requirement in another. Within the same firm, certain actions and controls may be mandated by law in one region and ignored in the interest of cost control in another.
Looking at sustainability from an IT perspective, one may be concerned with green IT or the use of IT to lower the environmental impact of non-IT operations (such as using software to monitor and manage vehicle fleet operations more efficiently). Some of these activities or projects may be initiated because there is a green goal in place. Others may be adjuncts to normal business operations to enhance their green impact. In the first case, sustainability is primary; in the second case it is secondary. Increasingly, as energy becomes a regulated commodity, the same choices that were once made to improve sustainability may be pushed down to compliance-level decisions.
Enterprise or corporate governance can be viewed as a process or as a goal, which confuses things further. When you add in the subtleties of compliance, the problem is compounded. Failure to comply is a risk, and failure to maintain governance processes -- whether mandated by regulation or by good practice -- can result in a range of undesirable results, from simple internal noncompliance issues to civil or criminal liability, and loss of shareholder confidence or customers. Regulatory compliance is, at its core, an ongoing exercise in risk management. If we accept the premise that most complex businesses cannot afford or manage to be 100% compliant with applicable regulations 100% of the time, allocation of resources to compliance activities is a special case of risk management.
To take things a step further, anything that threatens viability, or even performance, may be viewed as a risk. Risk management, then, may be viewed as a higher-order concern than governance or compliance.
Failure to comply is a risk, and failure to maintain governance processes -- whether mandated by regulation or by good practice -- can result in a range of undesirable results.
Finally, corporate social responsibility is a catchphrase at the moment, but as nongovernment organizations and public sentiment influence government regulators, what is good practice today may become mandated practice in the future. As each of these concepts vie for management attention, budget and staff, and as new roles emerge, we must understand the relationships to avoid duplicated efforts and missed opportunities.
Recommendations for balancing GRC, sustainability and CSR
Now that we understand some of the contextual sources of confusion, we can devise a strategy that prioritizes relevant activities.
- As a general rule, use the following ordering as a starting point: sustainability > risk management > governance > compliance. Remember to treat CSR as a special case of sustainability, concerned with the enterprise ecosystem.
- Recognize that although these constructs are presented as a hierarchy -- with sustainability as the most strategic and compliance as the most tactical -- execution strategies are best started at the bottom (i.e., get your compliance efforts in order before focusing on higher-level issues).
- Make sustainability, risk management, governance and compliance assumptions and decisions visible at the beginning of project portfolio management by establishing project acceptance criteria based on enterprise priorities.
- Look for overlapping/common requirements in terms of control objectives and data collection to avoid redundancies and reduce operational costs.
Adrian Bowles has more than 25 years of experience as an analyst, practitioner and academic in IT with a focus on IT strategy and management. He is VP & Principal Analyst at Constellation Research and the founder of SIG411 LLC, a sustainability consulting firm in Westport, Conn.