Environmental, social and governance issues can be extremely broad and entail many different types of risk. So how do you prioritise the right issues for your security intelligence team to focus on? Joseph Briefel, Senior Associate on our advisory team, provides a framework.
Over the past few months, you’ve handled a string of ESG requests from senior leadership. These range from data governance breaches in Ukraine to human rights compliance risks in Vietnam and environmental issues in India.
You’re eager to get your security team more involved with ESG issues and deliver even more value to your organisation. But ESG seems to cover a huge range of issues, and your team needs focus. With operations in many corners of the world, it can be overwhelming to sort through complex risk types and balance different approaches, especially as workloads are already high and budgets are limited.
So, where do you even begin?
E-S-G: A popular catch-all
The term ESG has gained in popularity over the past few years, especially since the UN announced its 2015 Sustainable Development Goals or SDGs. Heightened public awareness of corporate responsibility and a drive for stricter levels of transparency have added greater scrutiny to wider business practices.
But ESG is a very broad term, making it difficult to work out which aspects of environmental, social and governance policies to prioritise. ESG may relate to a whole range of factors, from managing complex relations with local communities at operational sites to ensuring compliance with the latest international financial standards or assessing the strength of your human rights policies in your supply chains. And ESG issues encompass many of your organisation’s departments, from senior management to HR and legal teams – it is a holistic business practice.
As a security professional, you will recognise that ESG must be intrinsically linked to your security plans and policies. Neglecting ESG issues can put staff and physical assets in danger and carry significant reputational and financial implications. But how do you begin to prioritise these issues, allocate resources effectively and ultimately answer your senior leadership’s many questions?
Three-tiered approach
The good news is that you have – to some extent – been here before. Every day, you prioritise risks and make value judgements about physical assets. Environmental issues around seasonal adverse weather or governance issues in autocratic states will undoubtedly feature in your risk assessments. But in order to really integrate ESG holistically within your security framework and get to grips with it on a more granular level, there are three key steps to take.
1) Align with your company’s ESG priorities
Your company’s own ESG strategy is your first port of call when prioritising ESG policies. It will provide clarity on the wider business strategy and synergise your potential approaches with those taken by other departments in your organisation. Naturally, each company’s priorities will differ depending on the sector and organisational size, but larger companies tend to have sustainability and social responsibility reports and policies that list these areas.
For example, if you are part of a large tech company, the focus may be on data security and privacy risks. For retail companies or brands, the focus may be on supply chain due diligence or waste management, particularly around upcycling or recycling goods. If you work within professional services, your organisation may focus on labour rights and anti-discrimination policies.
The important point is to gain an in-depth understanding of what your organisation is prioritising and why. Is there a specific ESG strand that the organisation is working towards or looking to achieve within a specific timeframe? And is your organisation using a recognised reporting framework, such as the GRI standards, to show greater visibility on specific sectoral standards?
2) Focus on the most impactful issues
Once you have identified your company’s priorities, you need to start prioritising your own approach. Regardless of whether there are 10 or 100 organisational priorities, you should start with those that are most impactful. This usually means areas where you can have the most influence or effect the most change. But one key area to consider is ensuring ‘high materiality’ when deciding how to integrate ESG indicators into security and risk management plans.
This means not only focusing on traditional areas of impact but ones that are of material benefit to the business. This goes beyond traditional ESG ratings as it strays away from placing specific worth on certain indicators. Instead, it makes the approach more bespoke to you: it analyses the tangible, material impact of ESG risks on the company and its wider business operations.
3) Focus on where you can add the most value
Finally, assess your team’s strengths and weaknesses around ESG, identifying where there is potential expertise or gaps in capacity, competencies and backgrounds. This will allow you to identify where your own team is best placed to start tackling ESG risks and where you can add the most value with limited resources.
For example, you may have a strong regional APAC focus but a minimal presence covering South America, where your organisation is attempting to improve relations with local communities at operational sites. Or you may have a good awareness of physical risks to your infrastructure but lack the internal capacity to assess the strengths of your cyber policies and ensure adherence to the latest international standards.
While you should be driven by your organisation’s priorities, putting forward your team’s strengths will give you ‘easy wins’ where you can find synergy in specific ESG areas, which you can, and ultimately should, target in your security plans. It will also tell you where you need to build or contract additional capacity. This is particularly salient when we consider the end goal here: to reduce and mitigate risks to people and assets as you are ultimately seeking to capture emerging risks holistically.
This will help to make your work more effective and targeted, and improve your influence within the business as you showcase ongoing and additional value. It will also improve your personal standing with senior management and potentially give you better access to key decision-makers, including at the board level.
How can we help you?
Dragonfly has long-standing experience making sense of an increasingly complex and complicated risk and threat landscape, with staff that work across different ESG risk categories. Whether you are starting out with ESG frameworks, working out how to enhance your existing operations around specific risks or identifying and prioritising key areas of high materiality, we can support you in tackling ESG risks and enhancing your existing security management and risk plans.
As we all know, how you manage ESG risks affects your organisation’s exposure to a variety of threats. And those risks are going nowhere.
Joseph Briefel is a Senior Associate in Dragonfly’s Advisory team.
Image: Solar power station in Fujian, China. Photo by Zhihao via Getty Images.