Ресурсний центр
Категорії

5 кроків, які можуть зробити корпоративні Ради директорів задля просування ESG

 Екологічні, соціальні та управлінські питання (ESG) набувають все більшого значення для зацікавлених сторін. Ради директорів повинні відігравати вирішальну роль у […]
  •  Екологічні, соціальні та управлінські питання (ESG) набувають все більшого значення для зацікавлених сторін.
  • Ради директорів повинні відігравати вирішальну роль у забезпеченні відповідності бізнесу вимогам багатостороннього капіталізму.
  • Ці п’ять кроків можуть допомогти організаціям відповідати цілій низці очікувань і вивести їх на шлях до успіху

Інвестори, працівники, споживачі та широка громадськість все частіше закликають компанії зосередитися на екологічних, соціальних та управлінських цілях (ESG). Відповідно, роль ради директорів у забезпеченні сталого розвитку бізнесу стала більш важливою. Ради директорів несуть повну відповідальність за стратегії та дії своїх організацій, спрямовані на задоволення потреб широкого кола зацікавлених сторін. Вони не можуть просто делегувати відповідальність за ESG.

Виконання цих вимог покладається на ради директорів, які повинні знайти правильний баланс між короткостроковою прибутковістю та довгостроковою сталістю. Невиконання обов’язків з належної турботи може вплинути на бізнес (судові ризики, ерозія акціонерної вартості, втрата вартості бренду та проблеми із залученням та утриманням талантів), а також спричинити наслідки для самих директорів, які можуть втратити свої посади.

5 actions corporate boards can take to advance ESG

Shai Ganu

Managing Director, Executive Compensation, Global Practice Leader and ASEAN and South Asia Talent and Rewards Business Leader, Willis Towers Watson

  • Environmental, social and governance (ESG) is increasingly important to stakeholders.
  • Boards of directors must play a critical role in ensuring businesses meet the demands of multi-stakeholder capitalism.
  • These five actions can help organizations meet an array of expectations and set them on the path to success.

Investors, employees, consumers and the broader community are increasingly calling on companies to focus on environmental, social and governance (ESG) goals. Consequently, the role of the board of directors in ensuring business sustainability has grown more critical. Boards are ultimately accountable for the strategies and actions their organizations take to meet the needs of such a wide range of stakeholders. They can’t simply delegate responsibility for ESG.

Demands of multi-stakeholder capitalism

Stakeholders are calling on companies to adopt the ethos of “do good, do well, do right.” Investors want a business to generate sufficient returns (do well) but they also want the organization to do so in a way that aligns with their values (do good) while addressing the needs of all constituents (do right). Regulatory requirements have also grown, especially in terms of disclosures.

Employees are increasingly seeking companies with values that are more consistent with their own. And customers are “voting with their wallets” – purchasing products and services from businesses with values more like their own. Regardless of whether the focus is decarbonization, ensuring diversity, equity and inclusion within the workforce, or treating employees and business partners fairly and ethically, multi-stakeholder capitalism sets high expectations for businesses.

Have you read?

Meeting these demands falls to boards of directors, who must find the right balance between short-term returns and longer-term sustainability. Failure to discharge duty-of-care responsibilities could impact the business (litigation risks, erosion of shareholder value, loss of brand equity and challenges attracting and retaining talent) as well as create consequences for the directors who could lose their seats.

How boards of directors can get ESG right

Though boards may be challenged to meet a wide array of rising expectations, there are several steps boards can take to meet an array of rising expectations and set their organizations on the path to success:

  1. Embed ESG into the overall business strategy

Rather than treating ESG as an initiative or an activity, make it central to everything the organization does. And understand that ESG is not corporate social responsibility (CSR). CSR is what an organization does with profits, while ESG relates to how the profits are earned in the first place. Boards must ingrain ESG and sustainability into the fabric of the organization.

  1. Acknowledge that sustainability is one of the board’s specialist responsibilities

Board members need to quickly get up to speed on the science behind ESG and sustainability. Directors need to be climate literate if not climate experts. Just like audit, risk management, remuneration, nomination and governance, consider setting up ESG or sustainability committees to deep dive into these complex issues.

  1. Set science-based, meaningful and ambitious targets

This is an evolving discipline, but it’s important for companies to start evaluating their current state and set improvement targets. You can set aspirational 10 year goals, and also establish short-term targets to keep you on track. Don’t let perfection be the enemy of the good.

  1. Build support across all levels of the organization, starting with the C-suite

Share the company’s ambitions internally as well as externally and use that to rally the organization to align behind ESG goals. For example, carbon emission reductions or increasing the proportion of women in leadership roles. Be transparent about initiatives and realistic in the external narrative. Link ESG targets to executive and general employee compensation. Establish clear expectations for management and hold them accountable – a proven way to accelerate change. What gets rewarded gets done.

  1. Recognize that ESG is much more than disclosures and regulatory compliance

Companies should meet the evolving disclosure requirements and standards (e.g. Task Force on Climate-Related Financial Disclosures and the Securities and Exchange Commission’s climate disclosure requirements). It’s also important to focus on the considerable opportunities for financial and non-financial benefits, including higher valuations, lower cost of capital, better customer retention and a better employer brand, to name just a few.

ESG is a critical business imperative

Meeting ESG and sustainability goals can be challenging, requiring the commitment and focus of the board as well as management. Successful companies will be those where management sees ESG as a critical business imperative and drives the change agenda with strong support from the board.

Indeed, one of the more important responsibilities of the board is to assemble a management team that is committed to the business benefits of a well-defined ESG agenda. ESG is clearly a business imperative, and the board plays a critical role in holding management accountable, advancing ESG, and balancing risks and opportunities – both in the short and long term.

https://www.weforum.org/ 

Конфіденційність даних і ризики ESG: 7 ключових запитань, на які має відповісти кожна компанія

Питання, пов’язані з конфіденційністю даних та кібербезпекою, стали значними факторами бізнес-ризиків, оскільки компанії переходять на цифрові технології, а бізнес-моделі зміщуються в бік складних, керованих даними продуктів та послуг. Широке розповсюдження збору та використання персональних даних означає, що конфіденційність даних та кібербезпека стали суттєвими питаннями ESG (MEI) для компаній у широкому спектрі підгалузей.

Ось список із семи питань, на які кожна організація повинна відповісти для ефективного управління питаннями ESG, пов’язаними з конфіденційністю даних та кібербезпекою.

Data Privacy and ESG Risk: 7 Key Questions Every Company Needs to

Ivan Rumynin

Senior Analyst, Corporate Solutions

Data privacy and cybersecurity-related issues have become significant drivers of business risk as companies digitize and business models shift toward complex, data-driven products and services. The widespread collection and use of personal data means that data privacy and cybersecurity have become material ESG issues (MEIs) for companies across a broad range of subindustries.

Here is a list of seven questions every organization should address to effectively manage data privacy and cybersecurity-related ESG issues.

Question One: Digitization is one of the key drivers of the transition to a greener economy. How can my company balance digitization with data privacy and cybersecurity risks?  

For most companies, management of cybersecurity as a MEI involves strong performance across three key elements: 

  1. Data privacy and security policy: A company’s public-facing statement which signals its high-level commitments to privacy and cybersecurity. 
  2. Data privacy program: Provides evidence that a company has implemented controls that reflect applicable privacy laws, regulations, and industry standards.
  3. Cybersecurity program: Provides evidence that a company has implemented industry-standard security safeguards to mitigate the risk of incidents and breaches. 

Best practice dictates that organizations looking to build robust cybersecurity programs should align with the standards outlined in ISO/IEC 27001, which provides requirements for an information security management system. For some companies, such as telecoms, banks, and tech companies, a robust data request management program is also considered best practice for dealing with government data requests. 

Question Two: How can my company act now to position privacy as an ESG priority? 

Companies can take immediate action on ESG issues related to cybersecurity by setting a few achievable short-term goals related to employee training and governance. 

Where cybersecurity is concerned, a company’s employees are both one if its greatest assets and one of its greatest vulnerabilities. One study showed that 82% of breaches in 2021 involved “the human element” such as stolen credentials, employees falling victim to phishing, and misuse errors. With that in mind, one step companies can take to make cybersecurity an ESG priority is to educate employees at all levels of the firm about common risks and how to report them, as well as conduct ongoing awareness exercises to maintain vigilance. 

In addition to employee training, companies should also focus on developing and implementing 

governance structures for data privacy and cybersecurity, creating the necessary policies and structures for data subjects, and conducting risk assessments.  

These assessments should continuously review, document, assess, and mitigate the company’s risks related to privacy policies, contractual privacy obligations, dataflows within the organization, potential threats and vulnerabilities, and safeguards for data and organizational protection.

Question Three: What key questions should our leadership be asking about our organization’s cybersecurity? 

Cybersecurity is ranked as the top threat to growth by global CEOs,1  yet many organizations still aren’t sure how to manage this MEI in a world of rapidly evolving technology. Corporate leaders should start by asking questions related to their organization’s exposure to threats, governance practices, and plans in the event of a breach or other cybersecurity incident. Below is a short list of questions as a starting point. 

Exposure to Threats

Questions related to vulnerability might include, “How exposed is our organization to cybersecurity threats? Where are our key weak points? And which of our peers have had incidents related to data privacy and cybersecurity, and what was the impact?” The answer to these questions will vary by business model, sector, and region. 

Governance Practices

Where governance is concerned, corporate leaders should ask questions such as, “How does our data program and cybersecurity program implement best practices? What is our leadership’s role in the event of an incident?” As outlined in question four below, governance plays a significant role in the management of cybersecurity as an MEI, and leaders should aim to create a culture of data privacy and protection. 

Incident Response 

With cybersecurity and data privacy threats only continuing to grow in number and complexity, corporate leaders cannot afford to ignore implementing a pre-emptive response plan. Some key questions to ask include, “What are our business recovery plans in the event of a cyber incident? And what are the layers of protection we have put in place?” 

Question Four: What is the role of corporate governance in managing cybersecurity risks?

Fostering a culture of data privacy and protection means building strong cybersecurity and cyber resilience programs from the top. Companies following best practices will establish a dedicated role for assuming responsibility for privacy issues and cybersecurity. The role should be at the C-level or someone directly reporting to a C-level executive, such as a chief privacy officer or chief information security officer.  

It is important for boards of directors and senior management to understand technology, develop a practical knowledge of cybersecurity best practices, and act as leaders in supporting and advocating privacy and cybersecurity risk management. Additionally, they need to understand how the cybersecurity strategy of the firm fits into its overall business risk management. 

Furthermore, corporate leadership needs to ensure that their employees are empowered to spot and respond to cybersecurity threats. This involves establishing a formal process for reporting incidents, developing a robust response plan, and ensuring employees at all levels understand how breaches will be dealt with. 

Question Five: What are some key elements of effective privacy, data and cybersecurity policies and programs? 

As outlined in question one, effective management of cybersecurity and data privacy issues consists of a strong data privacy and security policy, data privacy program, and cybersecurity program. 

Data Privacy and Security Policy

An effective data privacy and security policy demonstrates a commitment to notify data subjects in a timely manner when there has been a data breach or policy change. Collection and processing of user data should be limited to the stated purpose, and there should be clear terms involving the collection, use, sharing, and retention of user data. Corporate leaders should ensure their data privacy and security policies also demonstrate a commitment to implementing the latest data protection standards, obtaining user data only through lawful and transparent means, and ensuring third parties with whom data is shared comply with the company’s policy. 

Data Privacy Program

A robust data privacy program should implement governance structures for privacy management, regular employee training on data privacy management, and clear and accessible mechanisms for data subjects to raise concerns about data privacy. This includes implementing mechanisms that allow data subjects to access their accounts and erase, rectify, complete or amend personal information. Additionally, all data privacy programs should include regular privacy risk assessments or audits on your company’s technologies and practices affecting user data. 

Cybersecurity Program

Aside from aligning with the standards outlined in ISO/IEC 27001 as mentioned in question one, strong cybersecurity programs should include governance structures for cybersecurity management and operational measures to monitor and respond to data breaches and cyberattacks. These elements should be subject to regular internal and external security audits, assessments, and penetration testing. Additionally, all employees should receive regular training on cybersecurity issues. 

Question Six: What are the long-term risks of a data privacy breach or cyberattack and how can my company recover after experiencing one?

A growing number of companies are acknowledging that they will inevitably experience cyberattacks, whether directly to their own data infrastructure or through their supply chains.  

As with other controversies, risks from data breaches and cybersecurity incidences range from operational and business interruptions to reputational damage and legal ramifications. Recovery usually takes time and requires investing resources into the policies and programs outlined in question five. Organizations that prioritize creating this essential infrastructure will be able to more effectively manage the fallout from heightened cybersecurity and data privacy risks. 

Question Seven: How does cybersecurity impact my ESG risk profile? 

In general, Morningstar Sustainalytics considers approximately 20% of the risks related to cybersecurity to be unmanageable, due to the fact that part of the risk pertains to actions taken by individuals external to the company, such as hackers. 

Source: Morningstar Sustainalytics. Data as of January 26, 2022. For informational purposes only.

Some industries, such as banking, have a heightened risk to cybersecurity threats. Companies operating in such industries will be given a higher default exposure score which will be added to their ESG Risk Rating assessment

Some organizations will have their exposure scores raised above default levels for their industry due to operational factors, such as processing a large volume of personally identifiable information (e.g., mobile gaming companies), high levels of revenue generated from user data monetization (e.g., social media companies), or processing financial transactions (e.g., credit card companies). For certain industries that have few risk areas or MEIs, such as commercial services or banks, cybersecurity becomes very important and makes up a large portion of their risk assessment. 

Interested in learning more about the management practices companies can use to address ESG risks related to data privacy and cybersecurity? Download our recent ebook, Data Privacy, Cybersecurity and ESG: Managing Risks in a Changing Business Environment, or learn from our experts about the ESG ecosystem.  

References 1 PwC. 2022. “PwC’s 25th Annual global CEO Survey.” https://www.pwc.com/gx/en/ceo-agenda/ceosurvey/2022.html

https://www.sustainalytics.com/ 

Інші статті
Переглянути більше

Нові тенденції у практиці директорів (переклад)

Переклад фахівців Професійної асоціації корпоративного управління та Українського інституту корпоративного управління за матеріалами Recent Developments for Directors, Posted by Julia […]

Як сучасні ради споживчих ринків готуються до завтрашнього дня

Переклад фахівців Професійної асоціації корпоративного управління та Українського інституту корпоративного управління за матеріалами How today’s consumer markets boards are preparing […]