
Best practices for risk management and sustainability convergence

As the term "sustainability" has become popular in business, some have questioned its relationship with GRC. But risk management and sustainability are not mutually exclusive.

Sustainability is fast becoming a catchall phrase, and the basis for a cottage industry populated with well-meaning but misguided advisors and activists. The term has been weakened to the point where it means something different to everyone who encounters it. It’s time we focus on clarifying meaning when referring to sustainability, and making sure our actions are consistent with these definitions and goals.

John Weathington
Adrian Bowles

As Bill Ford of Ford Motor Co. observed in the McKinsey Quarterly, "For us, sustainability in its broadest sense is about economic sustainability. It’s not just about sustainability for environmental reasons -- if you don’t have a sustainable business model, none of the rest matters."

In other words, going green while putting your company in the red is not sustainable.

Competing views on GRC and sustainability

Today’s business landscape is filled with competing views of the relationship between sustainability and governance, risk management and compliance (GRC), all being advanced with equal conviction. Some believe that GRC is part of a larger goal of sustainability. Others posit that sustainability is a special case of risk management. The problem is that people often take a narrow view of sustainability focused on environmental impact because that’s what gets the most press coverage.

ISACA, the leading provider of IT controls for risk management, produced a white paper earlier this year that identifies four forces driving IT action:

  • Economics (cost)
  • Environmental concerns
  • Social responsibility
  • Legislation/regulations

It's important to focus on the interdependencies of these areas, rather than just the impact of each item. For example, some environmental concerns such as the use of specific chemicals are, or will become, regulatory concerns. They will also be seen as social issues if it’s revealed that these chemicals are being used in a way that harms the workforce, and that will have an effect on the cost of doing business.

How risk management and sustainability fit together

So, where does this fit with enterprise risk management? There are two major concerns when we talk about sustainability in terms of a commercial enterprise or a society. One is the environmental impact, or ecology concerns. The complementary dimension is a concern with economic sustainability.

The common thread is stewardship, or a responsibility to preserve options for the future through responsible action today. The triple bottom line of people, planet and profits is emerging as the defining characteristic of true sustainability programs. Enterprise risks to be monitored, mitigated and managed can also be classified along these three dimensions.

At the highest level of concern for risk management, we’ll need to focus on the traditional measure of business success: activities that produce effective economic returns. To be truly sustainable -- or viable in perpetuity -- we need to consider the firm itself, as well as its individual ecosystem.

Any serious enterprise risk management and sustainability effort should start by examining the supply chain. For example, there are several stakeholders with an interest in reducing an enterprise's carbon footprint, with regulators and nongovernmental organizations (NGOs) exerting influence over carbon management decisions. But suppliers, competitors and customers are increasingly making demands surrounding carbon management that require risk management decisions.

As a result, IT auditors will increasingly be compelled -- by law, custom or competitive pressure -- to monitor sustainability metrics and manage according to a set of appropriate controls. These will likely vary by geography and politics for several years, but we will see a convergence that lifts the standard of practice for everyone. For now, competitive pressure should suffice. In particular, it means sustainability controls should be in place throughout the lifecycle and supply chain, with an emphasis on infrastructure.

One note of caution: Focusing too much on compliance is a mistake. Market forces regulate businesses faster than governments. This simply can’t be overemphasized. Most professionals with whom I talk focus on the C (compliance) in GRC, but many businesses are, or will be, governed more harshly by consumers and participants in their supply chain than they will ever be regulated by governments. More businesses fail due to problems with customers, competitors and supply chain than due to regulatory issues. And no business has ever succeeded simply by being the best at pleasing the government.

Wal-Mart Stores Inc., for example, has developed its own Sustainability Index, which is driving the behavior of its suppliers (and perhaps driving some of them crazy). Basically, customer concern led Wal-Mart to develop a supplier sustainability assessment given to more than 100,000 global suppliers to evaluate their own sustainability.

Now the company is working with NGOs, universities and other organizations to drive research into lifecycle analysis (LCA). LCA provides the full environmental impact of products, from raw materials selection and procurement to end-of-life disposal. Wal-Mart will use LCA as a basis for decisions on inclusion and shelf space. Ultimately, this research will result in a publicly available database that provides information on product lifecycles.

One firm, a household name in appliances, showed absolutely no interest in understanding its carbon footprint or doing LCA until Wal-Mart indicated that the company could lose prime store exposure unless it complied with these requests. In effect, Wal-Mart did what no government had done for, or to, this manufacturer. The manufacturer now measures everything, and is becoming more efficient and profitable in the process. Finally, Wal-Mart is committed to making this information available to the consumer, with tools to enable informed decisions based on environmental impact.

Because Wal-Mart is a global retailing force with a history of attacks based on corporate social responsibility issues, it might be easy to dismiss its efforts as green-washing. But Wal-Mart is convinced that while initial changes for its suppliers may be costly or painful, the result will be a better business ecosystem, with positive ecological results as ancillary benefits. Few firms have the resources of a Wal-Mart to study these impacts, but all would be advised to study their conclusions and results.

Risk management and sustainability best practices

The following risk management and sustainability tips can be applied to any organization, regardless of industry or current efforts:

First, make your supply chain the focal point of your sustainability and risk management efforts. All the key risks you have to manage will be found there if you map your complete ecosystem.

Second, do a lifecycle analysis on your products. Know before you are asked what goes into them, and what comes out of your processes, from wastewater to usable byproducts. Every interaction probably has a risk that should have a control point.

Third, start to look for tools that can help. Consider how you might use a common set of analytics for risk and sustainability. Also, examine what firms like SAP AG, SAS Institute Inc., Oracle Corp. and IBM are doing with both risk management and sustainability, and how you might bring them together in your organization. Don’t rule out point solutions, and possibly prepare for integration in the future.

And finally, monitor emerging regulations that may soon govern your behavior, and also examine how organizations that show sustainability success do business. Look at the Wal-Marts of the world, driven by their ecosystems, to see how you can benefit from their research and practices.

Adrian Bowles has more than 25 years of experience as an analyst, practitioner and academic in IT, with a focus on IT strategy and management. He is vice president and principal analyst at Constellation Research Inc. and founder of SIG411 LLC, a sustainability consulting firm in Westport, Conn.
