Alphabet soup could be the panacea CIOs and compliance officers need to help reduce risk as well as bolster the bottom line.
The integration of environment, health and safety (EHS) projects with governance, risk and compliance (GRC), blended with sustainability and corporate social responsibility (CSR) programs, can prove to be the cure for both problems.
EHS requirements are regulatory issues that should be dealt with at the lowest cost that doesn’t incur risk. That strategy, when executed without regard to other regulatory requirements, can result in increased complexity, excess costs and higher risks for enterprises.
The costs of compliance failure -- including reputation risk, brand damage and loss of shareholder value -- are too great to ignore, but they can be controlled by focusing on integration.
This integration effort makes sense because environment, health and safety requirements sit at the intersection of the sustainability, GRC and CSR domains. The key to leveraging EHS efforts from an IT and C-suite perspective is to look at the entire spectrum of EHS, CSR and GRC requirements across all current and anticipated jurisdictions, and create an integrated plan that exploits these overlaps in data and intent.
The C-suite to the rescue
Individual rules are often seen as the province of one department that may not see value in sharing information with others. It's up to the C-suite to make those connections. Why? Because the commonality here centers on data management, and the CIO and compliance officers are best positioned to solve that problem.
Environment, health and safety requirements come from a variety of agencies and legislatures. In the United States, EHS enforcement is the province of federal and state agencies. For example, the Environmental Protection Agency (EPA) regulates materials, chemicals and activities that could have a negative environmental impact. The EPA is responsible for data-intensive regulations like the Toxic Substances Control Act (TSCA), which requires reporting when substances are found to pose a risk to health or the environment.
In August, the EPA proposed rule changes under the TSCA that would require electronic reporting. Rather than treating this as a new standalone project, it would be better to have the relevant data captured by the enterprise IT systems that already manage materials throughout the organization.
Even firms that operate entirely within the United States have to deal with differing EHS requirements, much as they have to account for differing privacy and security rules for personal data when state or local rules go beyond federal mandates. The California Environmental Protection Agency goes further than the EPA, for example, by promoting a vision that would require 33% of the state's electricity to come from renewable sources by 2020.
The data required to ensure compliance, and even to plan for compliance, will require IT support and data management. Some of this data may also be regulated under governance regulations, such as the Sarbanes-Oxley Act, so there is clearly an opportunity to integrate efforts and rationalize data management.
EU regulations may affect the U.S.
Environment, health and safety directives from the European Union directly affect firms doing business in any of the 27 EU member states, but more importantly they foreshadow similar regulations in the United States. For example:
• The Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH) regulation, administered by the European Chemicals Agency, requires firms that manufacture or import chemicals in the EU to be able to specify the chemical content of their products, and to respond to consumer requests for this information within 45 days. There are specific notification and registration rules that require a firm to respond promptly when a new restriction is placed on a particular chemical. Like most regulations, this one requires new data to be monitored and managed, so it's a good candidate for integration with enterprise systems that already track products through their lifecycle. It's no surprise, then, that ERP providers like SAP AG have added REACH management to their GRC offerings.
• The Restriction of Hazardous Substances (RoHS) directive restricts the use of specific hazardous materials in the manufacture of electrical and electronic equipment, including computers. This imposes new constraints on manufacturers that want to sell products in the EU, regardless of where the products are made. Again, proof that compliance is largely a data management problem.
Compliance with EHS standards is also becoming a requirement for project financing. The International Finance Corporation, a member of the World Bank Group, developed its own EHS guidelines that delineate examples of "good international industry practices (GIIP) for pollution prevention and abatement." Want IFC financing? You'll need to comply, even if you're building or deploying your systems in an emerging market with no comparable EHS regulations.
This is similar to the Equator Principles, a set of guidelines for "determining, assessing and managing social and environmental risk in project financing." More than 60 banks -- from Bank of America to Citigroup to Wells Fargo -- have adopted the principles as criteria for financing projects in excess of $10 million. CIOs and compliance officers should consider these criteria when prioritizing project requests. The trend is clearly toward wider adoption, so a low score today could become a red flag before a project is even complete.
The following are some strategic recommendations for a course of action:
• Integrate and consolidate data management across requirements: Use common systems for capturing, analyzing, managing and reporting EHS and other compliance data. Software is available from specialty firms, like Imtek N.V., which focuses on sustainability and EHS data management, and as add-ons to existing enterprise applications.
• Anticipate and prepare for change: What's unregulated today may be regulated tomorrow, and practices that are acceptable in one jurisdiction may be illegal in others. Firms need to watch bellwethers, like the EU and the California legislature in the U.S., and plan to meet the most stringent requirements from the outset rather than react to changes that are virtually inevitable.
• Evaluate EHS compliance for every project: It must be part of the process for assessing every new project proposal. Even if outside funding isn't required and the system will operate in an unregulated environment, ask whether it would pass the tests anyway, because one day the regulatory requirements or the deployment location may change.
• Leverage emerging standards: ISO 14001 is the leading international standard, providing generic requirements for environmental management systems. The ISO reports that it has been implemented by approximately 200,000 organizations in 155 countries, so there's no reason to start from scratch. The Global Reporting Initiative is a nonprofit organization that publishes the GRI Guidelines, the de facto standard for sustainability reporting, including carbon accounting. Using the GRI Guidelines allows meaningful comparison of results within an organization over time, and among enterprises.
Adrian Bowles has more than 25 years of experience as an analyst, practitioner and academic in IT, with a focus on IT strategy and management. He is the founder of SIG411 LLC, an advisory services firm in Westport, Conn., and director of the Sustainability Leadership Council.