Transcription

Robert Bateman:

Hello. Welcome back to PrivSec Focus Enterprise Risk. I’m Robert Bateman, head of content here at GRC World Forums and your host for today’s event. So just before we start the next session, a big thank you again to our sponsors, OneTrust and ServiceNow. And also a reminder to please comment, ask questions, and interact with the panel, using the chat function that you’ll find in the menu bar on your left. Really great to get audience participation. We’ve had some excellent questions for our first session, and I hope we get some for this one too.

So, our next panel is titled How Does ESG Inform ERM? So they’ll be looking at the impact of environmental, social, and governance issues on enterprise risk management. This session is sponsored by our friends at OneTrust, so a big thank you to them. And to host the panel, here is David Harper who’s head of enterprise risk at Fidelity International. Over to you, David.

David Harper:

Thanks, Rob. And welcome everyone to today’s session. And as Rob mentioned, today’s session is going to focus on how does the changing expectations of our customers, of investors, and regulators, how do we embed those expectations in our enterprise risk frameworks to ensure that we get the right outcomes? And I’m very pleased to be joined on the panel today by Lori, Michal, and Aruna. And I’m going to shortly hand over.

Robert Bateman:

Hi everyone. David, we actually can’t hear you. You don’t appear to be on mute, so I’m not sure what the issue is. Perhaps Lori, would you mind stepping in just introducing yourself, perhaps while David sorts his accounts?

Lori Baker:

Sure, no problem. Happy to. Thanks, Robert. My name is Lori Baker. I’m the director of data protection and vice president of legal affairs at DIFC Authority, that’s the Dubai International Financial Center here in the UAE. And we deal with all sorts of issues regarding enterprise risk management, compliance and regulations. So looking forward to this discussion. It looks like David may have tried to rejoin, so let’s give him a moment, I suppose, pass over to one of the other panelists to introduce themselves.

Robert Bateman:

Thank you. And now Michal, would you like to introduce yourself to the audience please?

Michal Jezierski:

Yes. Thank you very much. My name is Michal Jezierski, and I am a risk ESG and compliance specialist expert. I’ve spent almost 10 years in Big Four and in house. So I was focusing mostly on risk management, and I would say merging gig with compliance, and later with ESG. Thank you very much.

Robert Bateman:

Thank you. And now, Aruna would you like to tell us who you are and what you do please? You’re on mute, Aruna.

Aruna Vaz:

Hello? Can you hear me? Yeah. Okay. So hello to all my co-speakers. Nice to have you back. David, hopefully you can hear us and we can hear you as well. And thank you to all those who’ve joined our session today. My name is Aruna Vaz, and I come with over 18 years of experience in enterprise risk management, compliance and internal controls. I currently lead the enterprise risk management function at Aster DM Healthcare’s global network, across seven countries in India and the Middle East of over 350 hospitals, clinics and pharmacies. And I’m based out of Dubai. So nice to meet you, Lori. Hopefully should be able to catch up somewhere in Dubai, I think. And I’m really looking forward to this session, and with respect to how ESG basically informs ERM, so that’s a little bit about me. Thank you.

Robert Bateman:

Thanks so much. Now, the moment of truth. David, could we see if your sound is back? Could you say a few words?

David Harper:

Yeah, hopefully it’s working now. I can hear you all again, so that’s great.

Robert Bateman:

There we are.

David Harper:

Sorry about that.

Robert Bateman:

I can exit now and leave it to you. Thank you.

David Harper:

Cool. Thanks, Rob. Yeah. And welcome everyone to today’s session. Sorry about the technical issue. But today’s session, we’re going to focus on how are the changing expectations from our customers, from investors and from our regulators, and how we’re embedding those in our enterprise risk frameworks to ensure that we have achieved the right outcomes. And I see everyone introduce themselves. So I’ll just quickly introduce myself as well.

My name’s David Harper, I’m head of enterprise risk at Fidelity International, and I’m responsible for our global enterprise risk framework, which covers things like our taxonomy, our governance, our risk appetite, risk culture, et cetera. And the way that we structure our risk types is we put it into four big buckets, operational, non-financial risk, investment risk, which is our fiduciary risk led to our funds, corporate financial risk, and strategic risk. And I also oversee our corporate financial risk and strategic risk, and that’s where ESG sits within our firm.

And so the way we’re going to run this panel is I’m going to throw out a series of questions and the panelists are all going to share their different perspectives. And then like I said, if anyone has any other questions they’d like to ask, just add them to the chat. And we’ll make sure we cover those as we go or at the end. So the first question for our panel is just, how do you all manage ESG within your firms and what teams are involved in managing ESG? So I don’t know if Lori, you want to kick off?

Lori Baker:

Sure. I mean, from our side, we’re an authority and a regulator. So we’ve got a dual role of managing it ourselves in terms of who we partner with and work with, in terms of enterprise risk management, but also externally in terms of evaluating companies that come into the DIFC. And it’s not necessarily a specific ESG kind of target, let’s say, that we have or anything like that. But it’s been evolving over time, I think generally in the region and within various companies around the DIFC that to assess risk, you can’t just look only at financial factors. It’s getting that holistic view and understanding that there’s so many other, sometimes very subjective factors, but sometimes just general, are they nice people, as a company? Are they contributing in the way that we would imagine a partner or a company we’d want to license, would contribute? Can we say that our name could stand behind our authorization of that company?

So it’s kind of looking at it from both lenses. How do we, as an organization, want to portray ourselves in terms of international partners, other regulators that we work with, other companies that we work with and so on? But also who are we looking to give that DIFC authority piece to it? And as I say, there’s nothing specific. And I can’t say that I’m speaking specifically for DIFC, but I know in designing some of the programs that we do that look at risk, these are factors that we definitely build into our methodology.

David Harper:

Cool. Thanks, Lori. And I don’t know if Michal, you want to go next?

Michal Jezierski:

Yes. Thank you very much. I think that in Poland, the ESG is something quite new. So it has shown up last year, I would say. Because in 2020, it was only a topic of some auditors companies. And in fact, only the biggest companies in Poland were focusing on ESG. And what we can see now, how it is managed, it is mostly in house. So the big companies are creating now ESG divisions, and they are looking for some support. But the big problem is that, this is new, so this is a new topic also for consulting companies. And they are looking for specialists from other countries, like for example, from UK or US, where they have an experience in ESG. So this is the first thing.

The second thing is that, I think that we have still the problem that many people are misunderstanding, ESG as CSR plus. So many people think that this is in fact, some kind of CSR, and the companies are using the previous departments, the CSR departments to handle ESG. So, this is also causing some risks that we need to see these risks and to manage them. Because this approach is not a good approach to manage ESG in fact, yes. So, from this perspective, this is first of all, something new. So we are all learning how to handle ESG, how to build the in-house teams. And we are looking on markets for the specialists for ESG. Thank you.

David Harper:

Cool. Thanks, Michal. And Aruna, do you want to go next?

Aruna Vaz:

Sure. So, also for us, what we’ve done, David is we’ve devised what we call a sustainability strategy, and addressed on four pillars for us. So that’s environment, social governance and economy. So that’s basically the ESG for us. And there are a number of teams within each of these pillars. So for example, if I take environment, so we’ve got energy efficiency, water optimization, waste management, so on and so forth. If I look at social, it’s diversity and inclusion, employee volunteering and engagement. If I look at governance, it’s our whistle blowing and our non-discriminatory policies. If I look at economic, what job creations and transparent and ethical procurement practices do we have? So, we do have a corporate social responsible committee.

And as Michal rightly said that it is mistaken, that corporate social responsibility is ESG. But actually ESG is much, much, much wider than that. And that is something that we’ve started communicating within the organization. So although we have a CSR committee, which is responsible for devising the sustainability strategy and driving the integration of sustainable practices across our operations, what we’ve done is we’ve integrated our organization’s goals, linked them to ESG goals and to individual KPIs. So it’s not that only the organization needs to manage ESG. It’s a responsibility of every employee within the organization to manage ESG.

We also have a CSR and an ESG policy, and both are distinct and separate from each other. So we get employees to read the policy, understand the policy, sign up to the policy as well. And we have an overall committee, which is a CSR committee, and we may very soon rename it to an ESG committee. But the committee is responsible for finalizing the budget and activities related to ESG initiatives. At the ground level, we have something called as an ESG task force. It’s a group of team members from across various verticals within the business. So we have people from HR, finance, facility management, risk, et cetera. And we are responsible at our ground level to ensure that we carry out ESG related initiatives. We plan them appropriately, monitor them if there’s any expenses et cetera, and report back to the committee frequently. So that’s the work that we’re doing in the ESG space, within the organization at the moment.

David Harper:

Cool. Thanks, Aruna. And just from our perspective, I think ESG is one of these topics where it really does touch every aspect of the organization. So as a result, there’s a number of different teams involved. And so within our firm, we’ve split it into two big buckets. We have one bucket, which is focused on our sustainable investing. So this is all our investment management teams and all our fund managers, et cetera. And we have a big initiative around the activities in that space. And then we have a corporate sustainability group as well, and committee, et cetera, that brings together all the oversight functions, whether it’s finance, compliance, risk, et cetera, and tries to coordinate also our collective approach from a corporate perspective as well.

And I’ve also now been brought in the last couple of years to also then how do we bring that all together as a corporate and be able to speak with one voice? Because I think there’s obviously expectations on the investment side, but there’s also expectations on the corporate side. And we need to be consistent across both, and we need to be able to communicate how we are managing it internally in a consistent way as well. So in the last year or so, my team has brought that all together and put it in a central policy to help ensure that we are having that consistent messages, et cetera. But there’s one of those topics where there’s multiple teams, and obviously everyone across the company involved.

Great. So then the next topic that we were going to move on is just around risk taxonomies or risk libraries. So these are how we structure and think about risks within our firms. And I just wonder again, if it would be interesting to hear how each of us are attacking that perspective from an ESG lens. So again, maybe I go the opposite way this time. Aruna, do you want to kick off with that one?

Aruna Vaz:

Sure. Yeah. So even before thinking about risk taxonomies or risk libraries, the first thing that we did last year, David, was putting together what we call an ESG risk framework together. And we got it approved by the executive risk committee that we have within the organization.

Now, there are three broad dimensions that this framework looks at. One is, ESG risk from inside out. Basically, what are the operations or what is the business impact that our operations internally create on the society and the society and the planet at large. So that’s the inside out dimension that we look at. The second dimension is the outside in. Basically what are the external factors that are happening outside that impact our organization internally, and ensuring that we have a real time response aligned to our positioning on ESG. And the third dimension is our reputation, our ability to meet a range of key stakeholders’ expectations on sustainability and ESG issues, while ensuring that we maintain our brand value. So those are the three main dimensions that our ESG risk framework talks about.

And then we looked at the risk taxonomy or the risk library as we’d like to call it, where we have a separate ESG risk category available that we focus on when we are discussing risk, monitoring risks, or putting together risk registers for our business. So to give you an example, earlier you had, for example, a code of conduct risk, was categorized under human resources or people risk. So now what we do is, although it’s categorized under people risk or human resources risk, we provide a further classification category, which is that ESG dropdown, and you can kind of report and record code of conduct issues within ESG risk. Why do we do that? We are trying to understand from a group perspective, how much ESG risk are we onboarding? And are we equipped with the right mitigation strategies to kind of able to reduce the impact or minimize the impact of these risks on our business? So that’s basically what we’ve done or the progress that we’ve made with respect to risk library.

David Harper:

Cool. Thanks Aruna. I don’t know if Michal, you want to go next?

Michal Jezierski:

Yes. Thank you very much. I think that it starts with strategies. Because I’m always looking from the project management perspective to [inaudible 00:18:17] implementation of strategy. And if we are talking about ESG and about big companies or medium size companies, we are talking about ESG strategy. Because I understand that first of all, we should focus on strategy on some commitments on having a vision, how we would like to implement ESG in each of factors. So when we set up a strategy, I always like to start with risk assessment. Because this is something natural. So ESG is like any other projects in company. So every new strategy is rising a new risks. And of course, ESG will rise a new risk to our taxonomies and libraries. But I think that in a good shaped company, this is not different from any other process.

So you are starting with setting up strategy, then you are reviewing your normal semiannual or annual review process, you are reviewing your risks, and then you are focusing on the new factors. So the new factor in this, this moment it’ll be an ESG strategy. And from that perspective, I think that this is also very important to say that the main problem with ESG risks is that, mainly we are identifying them on the board level or top management level. So in many cases, only top managers are involved in risk review in this area, because on this medium level, there is no… In normal way, if you are setting up strategic goal, you should cascade it to the medium level managers, to line managers, and explain them why you are setting a new strategy goals.

And with ESG, I think that the problem is that in many times, this is not like this. So many times the board is setting up the strategy, they are focusing on it, but the medium level managers don’t know why we are doing that. So they are not used for our review risk review assessment. So, this is something that for me is very important. And I wanted to highlight it here. But in general, yes, of course, ESG is addressing new risks. And we need to make our risk taxonomy review whenever we are implementing an ESG strategy. Thank you.

David Harper:

Cool. Thanks, Michal. And Lori, I don’t know if you want to go next.

Lori Baker:

Sure. Thank you. Again, we come at it from a slightly different perspective. Because very often we’re not only looking at who would be permitted to have a license in the DIFC to operate a business, but also we look quite externally. And I’ll go down this path a little bit. I hope it’s not too much of a tangent, but I think it’s quite interesting in terms of guidance that we give as a regulator for data protection, our strategy, something that we’re consulting on right now, in fact has been very much based on just in this perspective, understanding the risks that exist in other countries when it comes to sharing personal data, just as an example.

And there are many, many ESG related elements in that assessment, such that we’ve been able to develop an index that tells us what, not only are the risks when it comes to data protection law in a particular country or the lack of a data protection law in a particular country, but also what is the culture like? How do businesses behave in that jurisdiction? And we look at those kinds of ESG factors as part of the overall assessment of risk in that country for sharing personal data, for example. And that is becoming quite synonymous, if you ask me, with kind of the ESG related matrix, let’s say. Data is what business does these days. Everything about data, not just personal data, but information, confidential information. And can you send information to a business in a country where there is a particular type of environmental risk?

That’s what this kind of index looks at. Do they understand, is governance a thing very much in this region, still governance compliance a more formal structure to those sorts of things. It’s there yes, certainly with global companies. But with local companies, it’s still quite new, it’s developing. And looking at those factors as well. When you do something like send data. And again, I’m drilling down into a particular function, but that kind of overall risk assessment and index that we’ve created in the context of data protection law, could be applied in so many other ways, using those kinds of ESG factors that we’ve looked at from this index perspective. What is it like, what’s the culture like in that country? How do businesses go about their day? Can they be trusted with particular information? Can they be trusted with confidential information? Again, going back to what I said at the outset, how do we partner with them? Do we partner with them at all? And what kinds of things do we need to be aware of when it comes to actually interacting in other jurisdictions as well?

So again, that’s kind of the perspective that we come at it from a regulation point of view or a regulatory point of view, not necessarily in terms of implementation in our own ERM structure. I mean, we have enterprise risk management as part of our overall business structure as well, organizational structure. And we also keep registers basically of each department’s own risks, and what kinds of things we think, not only from an ESG perspective, but just all sorts of other factors that we consider in terms of what poses the biggest risk to the organization. But again, it is things like lack of governance. How do we improve those things? What controls do we put in place? So it’s always been there, if you ask me. We have a new terminology for it, focusing on those specific factors. But when you think about how broad each of those factors could be. ERM, if you’ve had an ERM system in place, you’ve probably already been doing this for some time. It’s just, now you’re drilling into the specifics of what you want to see in those factors. And that’s up to each organization.

So for us, it’s very much around, from a regulatory perspective, what kind of guidance would we give to our own companies, as well as ourselves when it comes to interacting with other jurisdictions.

David Harper:

Cool. Thanks, Lori. And just from our perspective, in terms of our taxonomy, our taxonomy obviously creates is like the backbone of our whole global risk framework. And it feeds into our risk assessments, into the reporting that we do to our different committees, et cetera. It’s how we track risk events, issues, et cetera. And as I mentioned, we bucket them into those four broad buckets. But then we have quite detailed taxonomy underneath each of those, and actually goes down four different levels. And so ESG, as a single risk type, we’ve always had under our strategic risk bucket. And it used to be at level three.

So it used to be fairly well down in our taxonomy two years ago. But what we’ve done two years ago is, we brought it up in the taxonomy to what we refer to as our level two. And level two means that the aggregation of all the different assessments, et cetera, around that thing, pops up as a single line item on our risk reports. So that means it gets a lot from a couple of years ago, it was getting a lot more visibility in our committees and our boards, et cetera. So that was the first step that we did a couple of years ago. And now we’re actually planning to bring it right up, from level two to level one. So going from four risk types or four big buckets to ESG being a fifth big bucket, to give it even more prominence in our boards and reports and stuff that we give to different committees.

But then within our risk types, ESG is one of those risks that’s overarching. It does touch all our different risk types. So what we’re also doing is, across all of those buckets, we’ve had to go and tag all the different risk types that have an ESG lens. And we’ve actually had to go into the definitions of those risk types as well, and see if we need to tweak them or adjust them to capture some of those ESG factors as well. But that’s how we’ve structured it. And I think the evolution and the greater focus that it’s getting, I think just reflects the changes from external expectations. But also our internal focus and the needs that we need to take or actions we need to take to better manage it.

But in terms of, I guess given the changing expectations and higher focus on this, obviously it has impacts on different processes that we have within the firms. And I could say it does touch different risk types as well, for things like people risk, or supplier risk, or even financial related risks in terms of bonds or instruments that we as a company might want to invest in as well. So I just wonder in terms of, again, just interested to hear at that more granular detail, how processes and activities around different risk types are evolving as well. So I don’t know if Aruna, do you want to go first again on that one?

I think it’s-

Aruna Vaz:

Can you hear me?

David Harper:

Yeah, you’re get back on.

Aruna Vaz:

I think each of us covered that ESG is no new risk. So I believe no longer you can silo it into, or any risk for that matter, can be siloed into categories like financial health and safety, people risk, et cetera. There are overlaps between these. Environmental risks collide with financial capital risk, as investors inspect the long term viability of companies with regards to climate change. As companies continue to expand their digital footprint, issues such as privacy and Lori covered that, and social responsibility are entangled with the already significant challenge of digital crime and cyber attacks. So organizations over the last two years have learned so much about resiliency, what it takes to survive or even thrive in times of disruption and uncertainty.

So, I think it’s no longer a siloed approach. It’s more an overlapped approach that we have. For example, organizations revolutionize themselves by leaning hard on technology during the pandemic. So we were spinning up virtual solutions ranging from healthcare services to social gatherings. At one point in time, at least in countries like India, work from home was something that was never looked at previously because it came with a lot of data privacy risks, given that physical premises controls wouldn’t operate. So there are a number of examples which shows that those are things of the past. For example now, what I have seen in my current practices, due diligence of suppliers, for example, for supplier risk, they include a lot of ESG related questions as a part of their request for proposals. Similarly, organizations have zero tolerance on sexual harassment incidents. That sends a very strong message across employees on the board with respect to our policies on human rights.

So while we are evaluating and discussing every risk, I think we need to look at it from an ESG lens as well. And whilst we just keep talking about ESG, ESG, I think awareness around ESG and ESG risk is also very important and very key within the organization. Also with external interactions, for example, with our suppliers and other stakeholders or shareholders. So I think one of the good ways of ensuring that even before you embark the journey of embedding ESG risk expectations with other risk types, one of the important things that we need to do is create risk awareness and ESG awareness within the organization. Whilst it’s not a new terminology, the World Economic Forum has been talking about it, and there are a lot of other forums talking about it since 2018, 2019, et cetera. And I remember earlier, we used to talk about climate risk as a more firm risk in the future when we would do our emerging risk exercises, for example. But it’s now right here hitting us.

So, I think it’s important that we create awareness around this entire piece. Because ERM is looking at risk as managing risk within organizations and ESG risk, as Michal said earlier, is one of those risks itself. It’s nothing different. So moving away from the siloed mindset that we have and integrating it all into one, would be a way of kind of moving forward to embed that. So, that’s a little take from my end.

David Harper:

Cool. Thanks, Aruna. Michal? Do you want to go next?

Michal Jezierski:

Thank you, David. From my perspective, we should take a look at two standpoints. So first of all, you have investors who want you to be ESG friendly and follow some things. But this is only part of investors. Some part of investors doesn’t care about ESG. And maybe this is becoming more and more popular, but still most of investors don’t look on ESG factors. And the second standpoint is authorities standpoint. I don’t know how it works outside of European Union, but in European Union, we are now implementing new directive. So the companies, not only public listed companies, but also big companies, will be obliged to report, first of all, your business strategy plan for ESG, your ESG strategy. And you will be reporting, how do you handle with ESG.

So on the beginning, it was something like, investors want to see our ESG approach, but now this will be authorities approach. So, I think that we are going to create, in European Union, we are going to create some standards of ESG reporting. And that means that what we were saying about taxonomy risk libraries, we will need to adjust that to European Union expectations. For example, you have environments taxonomy. Now you have draft of social taxonomy. And we all are waiting for governance taxonomy. So I think that this will change everything in our processes. Because now ESG is not obligatory for most of companies on the markets. This is something that they can develop, they can include in their approach. But without that, it’ll be fine and it will be okay. But in the nearest future from 2023, they will have to incorporate ESG factors, these risk factors in their disclosures. So this will change an approach also to risk management.

And until that, I think that we are in the middle of the period that the companies are thinking about ESG, but they don’t know what should be the proper approach. Because this is what we are all the time saying. We have many teams that are involved in some parts of ESG, like Aruna says, that there are many, many, many things in her company that are considering ESG factors. But they are not called, I think ESG, every process is not called that this is the part of ESG process. But this is some process that is standalone. But in future, we will have this bottom line, which will be called ESG process. And this ESG process needs to include this and this and this in financial processes, people processes, et cetera.

So I think that we are now during this switch and this will be outside big switch for risk management. Thank you very much.

Lori Baker:

David.

David Harper:

Sorry. Thanks, Michal. And Lori, do you want to go next?

Lori Baker:

Sure. Yeah, no problem. And again we’re coming at this from a view of a regulator, a supervisory authority. These are the things, what Michal and Aruna were speaking of, these are the things that we look at in companies when licensing them, when evaluating them for things like AML risk or understanding their operations in the jurisdiction where they’re registered, the jurisdictions where they’re registered multiple ones very often. We want to understand, for example, one of the things that we ask in our application process is for AML assessment is, do you have compliance programs in place already? Do you have governance programs in place? If you’re a new company, do you know that you need to have governance programs in place? We have an awful lot of innovation hub FinTech and startup companies that maybe haven’t thought of these things.

So we kind of see the sense in raising the conversation with them now during the application process, to say at the outset, you’re going to have to think about this right away, because we don’t want to leave you in a situation without guidance as a new company or support to understand that governance is important. Who you hire and deal with and who you partner with is important. Who you distribute to, where your services are provided, to who invests in you is important to know. We need to understand your source of funds. We need to understand who the people are, and what the vision is behind your product, your business, so that we know we’re confident in saying that you will work as a company. You aren’t setting up for nefarious purposes, certainly that’s the main objective. But it also gives us a lot of information about assuming, in most cases, that we’re talking about lower risk companies and we’re not getting people coming through for nefarious purposes. Also setting them up for you need to keep thinking about these things, going forward about the ESG type elements that our risk methodology and assessment process that we’ve built looks into.

So, as I said, you can see it from a regulatory perspective. It again, has been there for some time. It’s got a name now. And I think from a regulator’s perspective, that’s what we’re doing. We’re trying to implement those things through drilling down into our methodology, just exactly what is important for companies to tell us from the beginning, before they even get a license. What do you intend to do in respect to these elements?

David Harper:

Cool. Thanks, Lori. Sorry. And I think in terms of, from our perspective, I think it’s also about how do we embed ESG into our thinking across all the different processes that we’re running, whether it’s our investment processes or our supplier processes. And so, like I said, there’s a number of different teams thinking about that, thinking about the philosophy that we’ve put in place, thinking about the commitments that we’ve signed up to, and how do we embed all of those different expectations into our different processes and frameworks and policies, et cetera. So lots of work. And just, I see on the chat, there was some questions around the fact that there’s obviously been a huge focus on environmental related areas or sustainability related items. But how do we ensure that there’s that right balance between also thinking about the social aspects and the governance aspects as well? So I don’t know if anyone wants to jump in and share some initial thoughts on that.

If not, I could start and then feel free to chip in after, but I mean, in terms of the way we’ve tried to do that. Well, within our investment process, we’ve obviously set assessment criteria and things that investment teams think about from all of those different perspectives, and criteria that they think about and ask companies when they’re doing their due diligence, et cetera. And then within the corporate side, we’ve set an overarching policy, which very clearly breaks down each of those different areas, and clearly defines also what we mean by those things. Because I think that’s also sometimes an area of confusion because there’s a lot of different terms that different organizations, different regulators are using in this space. So we’ve intentionally put a lot of effort into defining what we mean by those different components. So that again, we can all be saying the same thing, talking about the same thing, and also ensuring that we focus on each of those different components separately.

But that’s how we’ve tried to structure it. And then obviously, we have different commitments linked to each of those different components, and different philosophies and also controls around how we manage each of those different components as well. But I don’t know if anyone else wants… Sorry. Lori, you want to jump in?

Lori Baker:

Yeah. I think that’s important. And to build on that, I mean, something that, again, we do through our process we’re onboarding companies, but also as an organization is turn it over as well to not only our own objective assessment with subjective elements in it, but turn it over to the development team. And I think in terms of every business that’s going to have an organization, will have some team that looks at how well the business is doing, how it’s developing strategy and so on. And we ask them when discussing risk, would you feel comfortable? Have you done a fair assessment, and do you feel comfortable with this project, this company coming in? Do you know them well enough? Have you done your homework basically? And can you sign off on this? If it was down to you to make the decision, would you sign off on it and would you take responsibility for whatever could go wrong?

And it’s again, based on personal liability or put any disciplinary factors into play. It’s just, how do you feel about this action, activity, whatever it is with this is that you are asking us to take? And what is the risk that it could present? Because it’s one thing to have your ERM team sitting there, kind of overarching looking for all of this and asking for feedback as doing internal auditing, even to a certain extent or what have you, but to make it part of everyone’s process. I think everyone needs to take that personal responsibility for it and literally sign off. And that’s, again, what we do when we’re onboarding companies. We kind of say, look, you’re the guy that brought these people in. Sign off on them. And that gives us an amount of confidence that you’ve looked at those factors, their governance structures. You’ve gotten to know what they’re like in terms of the business environment, and so forth.

David Harper:

Cool. Thanks, Lori. Yeah. Good insight. Aruna or Michal, do you want to chip in on that one, or we can move to the next one?

Michal Jezierski:

Just one comment, because I think that it is not only that environment factors are recognized well, and social factors are also very well recognized. For example, you have this big movement, this is also an answer to one of the questions about CSG certifications. Because in fact, the [inaudible 00:43:34] is one of the certifications that companies can make or cradle to cradle. This is another one that is very, very, I would say, near to ESG. But these factors, I would say that from the ’90s, that they are highlighted for many companies. Because everything has changed in the last 30 years. Approach to employee, because as factors are not only about society, but are also about employees, about approach to how do we handle our employees’ issues. This is what Aruna said before, about code of conduct, about sexual harassment.

So all factors are very well recognized. And I would say that if we are talking about regulatory bodies that are now implementing some things, I would say that they’re focusing on ESG and they are setting new rules. But in fact, they are only gathering all the things that we were developing for the last 20 years. So, this shouldn’t be anything new for the companies. This should be the part of our policy, the compliance policy, risk policy, our approach to code of conduct. So, this is something that we were developing for 20 years. Thank you.

Aruna Vaz:

David. You’re on mute.

David Harper:

Sorry. Thank you, Michal. Aruna, I see you’ve come off mute. Do you want to chip in as well?

Aruna Vaz:

No, I was just wondering, we could take another question, David, because there’s a number of questions that have come on.

David Harper:

Yeah. So, okay. Let’s move on to another one. So another question that I saw came up was like, how are people communicating ESG priorities within your firms? And how are you linking that to also employee rewards or compensation, et cetera, to ensure that things are embedded within organizations?

Aruna Vaz:

Yeah. So I’d like to address that one, and I mentioned this earlier as well. So we do have our individual key performance indicators that are linked to the overall strategic goals of the organization. And these are linked to our ESG goals as well. So it’s very important that every employee within the organization realizes that it is their responsibility and our collective responsibility to ensure that we make a change and we protect the climate and our earth. So, basically reward and recognition is something that is bundled into this. What is in it for the employees? Whilst we clearly understand that this is for protecting the environment, the climate, and we are doing all the right things to be a sustainable business, we also need to ensure that we bake reward and recognition program for employees to kind of encourage and motivate them.

We also do a lot of awareness sessions for employees, and these are not only like computer based trainings, but also sessions that we could do together, like breakout sessions, et cetera, which really help employees understand various aspects. We also have a very big volunteering program. And we have a number of volunteers who kind of not only from the organization, but also outside the organization who partner with ASTA, for our volunteering program. So we use this volunteering program to create a lot of messages and pass on key messages as well to people on ESG environment, as well as the other initiatives that ASTA kind of does during the course of its business.

So I think reward and recognition is key. But as I’d said earlier, awareness is key as well because people can really mistake CSR to be ESG. And we shouldn’t kind of get there. So, it’s important that we create awareness and a lot of awareness around this. And you could use multiple ways to create awareness because one size does not fit all. So it’s just about creating awareness, rewarding people. I think motivating people to kind of come up. And most recently, like on Friday, if you are aware, Sadhguru is doing like this tour across various nations to kind of raise awareness on Save Soil. And this Friday he’s going to be in the bay where he’s going to be talking about the Save Soil initiative. So I think things like this, so it’s not only organizations, but I think individuals in their own capacity, as well as governments and regulators are doing a lot in the ESG and their environment and the climate space to kind of create awareness. So, that’s the key message that I would like to leave everybody with.

David Harper:

Cool. Thanks, Aruna. And I think we’ve just got a couple more minutes or a few more minutes. So I just want… There’s one other good question that I just wanted to put out there. So, obviously there’s a lot of regulatory change and a lot of regulatory expectations out there. And what are one of the challenges associated with that, which I thought was a good question. So maybe if I just kick off with that one. And I think we’re, it’s a very fast moving and evolving space, I think ESG. So I think we have to expect that expectations and regulatory developments are going to evolve, and they’re not necessarily going to all evolve in a consistent manner.

So, I think that causes one of the biggest challenges is that, how do we deal with that different stages of different regulators. But also because it’s evolving, there’s a lot of areas that there’s no clear, this is how you shall do it. And so I think each of our firms, and that’s, I think one of the biggest challenges, each of our firms have to come up and define it for ourselves and be very clear about what do we mean, just like I was saying before around ESG. But then also how do we assess ESG, whether it’s from an investment perspective or from a corporate perspective or from a project perspective. I think it is going to take us all, I think a few years still to just fully figure that all out. And I think over time there will become more and more consistency on how we all talk about it, how we all assess it, how we all view it. But I do think at least from my perspective, I think that’s going to take some time. But interested in others’ thoughts on that as well.

Aruna Vaz:

I just have one thought to shed, David. So apart from the numerous regulations that are coming in this space, one of the main challenges that I see is also the data correlation and putting it all together. So, as Michal explained earlier that this is not something new that we are doing, we’ve been doing it from the past 20 years. And some organizations have historic data as well. So there’s so much of data lying there and what’s the data, where is it lying? How do you kind of bring it all together, and talk about your ESG story? That is one piece which I find really challenging.

So just to give you a very classic example. In India, we have something called the business responsibility and sustainability reporting that’s come up by the Securities Exchange Bureau in India. It’s basically a reporting list, just like how you have the TCFD reporting, et cetera. And it’s going to be made mandatory across the top 1000 listed companies in India. Now for that reporting, there is tons and tons of information that you need to kind of collate and put together. So the information is out there, but it could be in different pockets, et cetera. And we’ve just been talking about ESG. So you don’t have the right tools, the right systems in place where your data will be. Just a pop, click of a button and your data kind of pops out in a report. So that’s not going to be there. So I see another challenge is with respect to data, how much data we have, and how do you kind of put that data together? How do you collaborate with various people within your business to kind of have the data in one central repository, and then talk about your ESG story, which is going to be meaningful, impactful, and tells about what your message is as a sustainable business. I think that’s also going to be a key challenge for organizations.

David Harper:

Cool. Thanks, Aruna. I think we’ve just come up on time. So just want to thank Aruna, Michal, and Lori, for all your interesting insights in the discussion today. And thanks for everyone’s questions as well. And I guess I’ll hand it back to Rob.

Michal Jezierski:

Thank you very much.

Robert Bateman:

Thanks so much to the panel there. A great discussion. So interesting how awareness of ESG as a risk factor is increasing, and how
