Achieving ESG Success: Leveraging Data and GRC for Sustainable Business Outcomes
Image: F.Prem / Stable Diffusion

Topics: #esg, #esgdata, #sustainability, #csr, #grc, #datastrategy, #datagovernance

Environmental, Social, and Governance (ESG) factors have gained significant importance in the corporate world, driving investment considerations and organisations' commitments to their customers. Governance, Risk, and Compliance (GRC) frameworks and data-driven insights play a vital role in ESG success towards sustainable value creation.

In this article, we explore how GRC frameworks and data can help organisations to achieve their ESG goals, how this is best supported with a data strategy, and which data capabilities to typically focus on and why.

ESG, CSR, and Sustainability – how do they fit together?

ESG, CSR, and Sustainability share common elements and ideas. All emphasise the importance of a long-term perspective and the need for companies to consider their impact on society, the environment, and their stakeholders. By integrating ESG, CSR, and sustainability principles into business strategies, organisations can drive positive change and environmental impact, create value, and ultimately enhance their reputation and competitive advantage.

Table: F.Prem


For more details on how Sustainability, CSR and ESG fit together, here's an overview and an article on how ESG and sustainability fit together. We also recommend reading the HBR article on the Triple Bottom Line.

ESG and GRC

GRC is an integration of capabilities that help organisations attain their objectives and goals, analyse uncertainty, and conduct actions with integrity and honesty.

Multiple GRC frameworks exist. Examples include the OCEG GRC Capability Model (Red Book), the Three Lines Model, and the ISO 31000 Risk Management Framework. Others, for more specific domains like IT or technology, include NIST, COBIT and multiple ISO series.

Note: OCEG has developed a series of infographics to illustrate how ESG fits into each of the four components of their GRC Capability Model and to integrate ESG risks into corporate overall risk management plans.

ESG reporting frameworks like the Global Reporting Initiative (GRI) and the Integrated Reporting Framework (IFRS Foundation) provide standards, metrics and approaches to measure and communicate the sustainability performance of an organisation to its stakeholders. There are overlaps between the principles and standards of IR and GRI, but both frameworks benefit from being used with and integrated into formalised GRC.

In one of their recent Perspective papers (January 2023), GRI has outlined that "...effectively managing business risks and ESG issues go hand-in-hand...", and ESG is about proper risk management. Data Management is included as one of the topics for Enterprise / ESG value creation together with Governance alignment.

Benefits of using a GRC framework with ESG

Governance plays a crucial role in driving ESG success, as it covers aspects such as corporate structure, management accountability, and transparency.

GRC frameworks provide toolsets to manage and mitigate risk and threats to the organisation in a structured way, including environmental, supply chain or global political risk in ESG.

With new ESG reporting standards just introduced or in the pipeline, and new regulations for technology, data and operational resilience being prepared or enforced across industries with very substantial fines, compliance should be high up on the list for executive management in most organisations.

Adopting a GRC framework for ESG can help organisations to achieve their sustainability goals more effectively, reduce risks, ensure compliance, and enhance their reputation with stakeholders, ultimately leading to improved financial performance and long-term success:

  • Holistic approach: GRC frameworks offer comprehensive and structured approaches that can also be applied to managing ESG-related risks, compliance, and governance. This helps to ensure that all aspects of ESG are addressed in a coherent and integrated manner, allowing organisations to better align their strategies with ESG objectives and enabling them to achieve their sustainability goals more effectively.
  • Improved transparency and reporting: Implementing a GRC framework for ESG enables organisations to establish clear reporting structures, roles and processes. This enhances transparency and accountability, builds trust and ensures that relevant stakeholders have access to accurate and timely information.
  • Enhanced decision-making: GRC frameworks provide standardised approaches to identify, assess, and manage ESG-related risks and opportunities. Together with proper data governance and management, this helps organisations to make better-informed decisions by considering the potential impact of ESG factors on their operations and overall performance.
  • Regulatory compliance: GRC frameworks can help organisations to meet the growing number of ESG-related regulations and disclosure requirements by establishing repeatable processes for identifying, monitoring, and managing compliance risks with measurable and comparable outputs.
  • Risk management: GRC frameworks facilitate the identification and assessment of ESG-related risks in a formalised and consistent way, enabling organisations to develop strategies for mitigating or managing these risks more effectively.
  • Stakeholder engagement: The use of a formalised GRC framework that incorporates ESG factors can enhance stakeholder engagement by demonstrating the organisation's commitment to sustainable business practices.
  • Operational efficiency: By streamlining and standardising ESG-related processes, GRC frameworks can help organisations to reduce inefficiencies, duplication of efforts, and costs associated with managing ESG risks and compliance.
  • Competitive advantage: Companies that effectively implement a GRC framework for ESG can differentiate themselves from competitors by demonstrating their commitment to sustainable practices and strong governance. This can lead to improved brand reputation, increased investor interest, and better access to capital.
  • Continuous improvement: GRC frameworks together with reporting standards provide mechanisms for organisations to monitor and review their ESG performance regularly, enabling them to identify areas for improvement and drive continuous progress toward their sustainability goals.

There is no one-size-fits-all GRC framework approach. Factors such as industry, size, geographical location, and regulatory environment should be considered when selecting a GRC framework for ESG. It might also be necessary to adapt the chosen framework to the unique ESG challenges and objectives of the organisation. Some organisations have combined elements from different frameworks to create a tailored approach that meets their specific ESG requirements.

ESG and Data

Data-driven insights and trusted data are critical in driving ESG initiatives, as organisations need accurate, reliable, and timely information to make informed decisions and report on their ESG performance.

The Data Strategy and Key Data Capabilities

Data governance and data management play a crucial role in the successful implementation and integration of ESG, GRC, GRI reporting and / or Integrated Reporting frameworks for an organisation by assuring accuracy, reliability, comparability and trustworthiness of the data these frameworks are built upon.

Within the following diagram we used our Digital / Data Transformation framework with 4 pillars (Technology, Data, Process, People / Organisational Change) to group key data capabilities for ESG.

Diagram: F.Prem


Note: We based this diagram on a large global manufacturer. The company is using GRI and Integrated Reporting, hence the 6 categories with the business strategy and business operating model on the left.

Your data journey starts with the development of a data strategy tailored to the requirements, objectives and use cases of your organisation.

To successfully operationalise a data strategy, it must be driven by and linked to the business strategy. In this context the sustainability and ESG goals, objectives and use cases drive and tailor the elements, scope and objectives of the data strategy.

A data strategy focusing on integrating ESG, GRC, GRI and / or Integrated Reporting should aim to establish a strong foundation for data governance and data management. Key objectives for such a data strategy include:

  • Data Analytics and Reporting: Develop analytical capabilities to derive insights from data and support decision-making related to ESG, GRC, GRI, and Integrated Reporting objectives. Implement reporting tools and dashboards to communicate performance to stakeholders. Overall these data capabilities enable informed decision making, monitor performance, demonstrate transparency, benchmark against industry standards, and help to ensure regulatory compliance.
  • Data Scalability, Adaptability, Architecture: Design data capabilities to be scalable and adaptable, so that they can incorporate new data sources, changing business needs, evolving regulatory requirements and growing data volumes, handle increasing complexity, and integrate with existing systems.
  • Data Integration, Interoperability and Accessibility: Facilitate the integration of data from various sources, both internal and external, to provide a comprehensive view of the organisation's ESG, GRC, GRI, and IR performance. Make data easily accessible to relevant stakeholders. Assure that different systems, applications, and data formats work together seamlessly to effectively share, exchange, and analyse data across different platforms and tools. These capabilities enable organisations to have a comprehensive understanding of their performance across various dimensions, improve collaboration, and demonstrate transparency to stakeholders.
  • Data Standards, Master Data Management (MDM), Reference & Metadata: Data Standards provide a set of rules, guidelines, and best practices that govern how data should be collected, stored, and managed. MDM is the process of creating, maintaining, and ensuring the quality and consistency of an organisation's core data assets. MDM helps to maintain a single, authoritative source of truth for key data elements (e.g. customer, product, supplier information). Reference data provides context and meaning to other data elements by defining the allowable values, categories, and relationships. Metadata is data that describes other data, providing information about its structure, meaning, and usage. It enables data lineage tracing, making it possible to track the source, transformation, and usage of data throughout its lifecycle. Metadata is also important for data quality efforts by providing information about data validation rules, data types, and other constraints. By adopting common data standards, definitions, and taxonomies, organisations can ensure consistency and comparability of data across the organisation and with external benchmarks and reporting.
  • Data Quality: Data quality is a critical component of effective data governance and the key enabler for various other data capabilities like Data Analytics, Data Integration, MDM, Metadata Management, Data Architecture, Data Security & Privacy.
  • Data Protection, Security and Privacy: Protect sensitive data from unauthorised access, disclosure, or misuse while complying with applicable data protection regulations. Implement robust access controls, encryption, and data anonymisation techniques.
  • External Data: Integrate external data and augment internal data for data analytics, benchmarking, risk management and ESG reporting. External data can provide valuable additional insights into industry trends, risks, and opportunities.
  • Data Governance & Data Management: Establish a robust data governance framework, including clear roles, responsibilities, policies, and procedures, to ensure effective management and oversight of data-related activities. In this context Data Governance is the process, policies and procedures of managing the availability, usability, integrity, and security of data in an organisation, ensuring that high-quality data is available for decision-making, reporting, and compliance.
  • Continuous Improvement: Regularly assess and improve data governance and management practices, incorporating feedback from stakeholders and staying up-to-date with evolving best practices and regulatory requirements.
  • Data Stakeholder Engagement & Data Culture: Drive towards a culture of data-driven decision-making and collaboration by engaging stakeholders in the development, implementation, and improvement of the data strategy. Promote a data-centric culture to improve accountability, collaboration, alignment and transparency within the organisation.

By focusing on these key objectives, a data strategy can effectively support the integration of ESG and GRC together with GRI and Integrated Reporting standards, enabling organisations to leverage data as a valuable asset in achieving their sustainability and reporting goals.

Note: The list includes typical data activities for organisations within the ESG context. Overall, the key capabilities to focus on depend on the current Data Maturity of the organisation. Organisations with low data maturity might have to first address additional foundational capabilities within their data strategy.

Sequence of Data Activities

Diagram: F.Prem


Note: The diagram outlines typical data activities for organisations within the ESG context. The actual sequence can vary and also depends on the current Data Maturity of the organisation. Organisations with low data maturity might have to focus also on other foundational capabilities within their data strategy.

Various data capabilities depend on each other or require foundational data capabilities to be in place first. Data Analytics / AI, reporting, or data-driven decision making, for example, are strongly influenced by the maturity of the data quality capability.

Furthermore, the gap analysis for the identified data capabilities and use cases, new business requirements or executive management priorities might make it necessary to prioritise in another sequence, or to rationalise or add further use cases to the roadmap for implementing the strategy.

In this example we have clustered multiple data capabilities together. The analysis might identify that the focus should only be on one or some of them.

Another frame for the data strategy, and for deciding which capabilities to focus on, is the "data risk appetite" of the organisation: the balance of risk capacity, tolerance and appetite, leading to more defensive or offensive approaches.


Data Governance guiding principles for ESG

By incorporating the following guiding principles for data governance, organisations can create a robust data management framework that supports the integration of their ESG, GRC, GRI, and IR initiatives while ensuring compliance, data quality, security, and transparency:

  • Alignment with organisational goals: The scope of data governance should be driven by the organisation's sustainability goals and related objectives, ensuring that data management practices fully enable effective decision-making and reporting on ESG and GRC initiatives.
  • Stakeholder involvement: Across the organisation, relevant internal and external stakeholders need to be engaged in data governance processes, from defining their data needs, to establishing data quality standards and reviewing data management practices.
  • Accountability and ownership: Clear roles and responsibilities for data governance have to be defined together with data ownership, ensuring that individuals and teams understand their responsibilities and are held accountable for maintaining data quality and compliance with data policies and regulations.
  • Data quality: Establish and enforce data quality standards through data governance, including accuracy, completeness, consistency, timeliness, and relevance, to ensure that data used for decision-making and reporting is reliable and trustworthy.
  • Data security and privacy: Implement robust data security and privacy measures to protect sensitive information and comply with relevant regulations, such as GDPR or CCPA.
  • Transparency and accessibility: Data governance needs to ensure that the right data is accessible to relevant stakeholders while maintaining appropriate security and privacy controls. At the same time it should promote transparency in data management practices and reporting processes.
  • Continuous improvement: Agile practices and regular reviews and updates to data governance policies, procedures, and practices should ensure that they remain effective and responsive to changing business needs and regulatory requirements.
  • Integration and interoperability: Ensure that data systems and infrastructure support the integration and interoperability of data for ESG, GRC, GRI, and IR processes, and enable seamless data sharing and analysis across the organisation.
  • Legal and regulatory compliance: Align data governance practices with applicable laws, regulations, and industry standards, ensuring that the organisation remains compliant in its data management activities.
  • Education and training, data culture: Provide education and training to employees on data governance policies, procedures, and best practices, empowering them to manage data effectively, make informed decisions, raise awareness and create a data culture within the organisation.



About the author:

Florian Prem has until recently served as the first Chief Data Officer (CDO) for Deloitte Technology and before that as the CDO for Deloitte Switzerland. A practitioner with more than 20 years of hands-on experience in Data & Analytics, Digital Transformation, IT, AI and Change Management, he is well recognised as a leader and expert in these fields for his deep and broad knowledge across industries, business and technologies.

Florian is currently developing the data strategy for a mid-sized financial institution in Switzerland and completing his book on data transformation and leadership.

Florian Prem

CDAO, CISM, Data / AI leader & practitioner with more than 20 years experience in Data, Analytics, Digital Transformation, AI and Change

If you can't read text on the diagrams, right click the diagram and open in new tab