Boards Confront Evolving Risks and Pressures During Another Disruptive Year

Amy Rojik is Director and Founder of the BDO Center for Corporate Governance. This post is based on her BDO memorandum.

Amid ongoing volatility, boards are continuing to address an evolving risk landscape and contend with pushback on how environmental, social, and governance (ESG) risk factors should be addressed. While oversight of enterprise risk management is part of the board’s mandate, executing that remit has become a delicate balancing act.

As BlackRock CEO Larry Fink wrote in his 2023 letter to investors, many clients “want access to data to ensure that material sustainability risk factors that could impact long-term asset returns are incorporated into their investment decisions.” However, companies have also faced an increase in anti-ESG shareholder proposals, and Fink stated in June, “I’m not going to use the word ‘ESG’ because it’s been misused” for political gain. Although “ESG” may have become a loaded term, it’s critical that directors not overlook material ESG risk factors.

BDO conducts periodic surveys of public company board directors to understand what they’re seeing in terms of emerging trends, significant risks, and opportunities, as well as how they are preparing to address them. Our latest Spring 2023 BDO Board Pulse Survey highlights several evolving risk areas during ongoing economic uncertainty.

We asked directors to identify the single greatest risk to their businesses in the months ahead. Two of their top three answers relate to simmering recessionary pressures, while the other stems from the persistently tight labor market:

  • 37%: Recessionary declines in demand.
  • 21%: Liquidity and access to/cost of capital.
  • 14%: Talent acquisition and retention.

Although macroeconomic headwinds understandably remain the top overarching concern, directors differ on how to prioritize and address other salient sustainability risk management challenges: climate risk, data breaches, and human capital management (HCM).

Climate risk remains a priority among shareholders

Nearly a quarter of directors (23%) say that meeting targets for net-zero carbon emissions is one of the ESG focus areas that will provide long-term value to their organization. By some estimates, nearly half of the world’s largest publicly traded companies (47%) have made public net-zero commitments, whether in strategy documents, pledges, or proposals.

Regulators in the U.S. and elsewhere are increasing disclosure requirements for climate-related risk to help enhance transparency and provide material information to investors. The SEC’s Spring 2023 Regulatory Agenda shows the climate change disclosure proposal in the final rulemaking stage. The SEC’s proposed rule on climate change disclosure would require information on registrants’ “climate-related risks that are reasonably likely to have a material impact on its business, results of operations, or financial condition,” as well as disclosure of greenhouse gas emissions and certain climate-related financial metrics. At the same time, global rulemaking on climate is taking shape quickly, and the International Sustainability Standards Board (ISSB) issued its initial IFRS S1 and IFRS S2 standards in late June.

Proactive U.S.-based companies have already done a climate risk assessment and are not waiting for final rulemaking by the SEC. They are assembling the right team, considering the prioritization of identified risks, establishing processes and controls around data gathering, developing risk mitigation programs, and setting objectives and goals to hold themselves accountable to their stakeholders. They are further developing the rigor within their control infrastructure to provide integrity to the reporting process and prepare for requests and/or requirements for attestation — under both domestic and global standards, as applicable.

Demands for cybersecurity transparency are ramping up

Nearly four out of five directors (79%) say that a data breach poses at least some risk to their business, and virtually all of them (99%) expect to maintain or increase investment in cybersecurity this year despite ongoing economic volatility. A cyber incident can introduce serious operational and reputational risks as well as potential compliance issues related to data privacy and reporting.

With the adoption of the SEC’s new cybersecurity risk management, strategy, governance and incident disclosure requirements in July, both management and boards need to be educated on the scope of the new rules and ensure their policies, processes, and procedures are updated to reflect new reporting and disclosure requirements.

There are multiple specific steps for companies to take, including continued monitoring of the risk landscape specific to a company’s business, developing updated response policies and protocols, and understanding and implementing new regulatory disclosure requirements, including aligning with both federal and existing state cyber breach reporting requirements. Coordinating these actions takes time, so companies should address them promptly and work with advisors to continue to enhance cyber threat prevention, detection, and remediation plans.

Attention on human capital

Although 92% of board directors say that talent shortages pose some risk (59%) or a significant risk (33%) to their businesses this year, only 14% view talent acquisition and retention as their biggest business risk. Further, just 3% identify corporate culture, HCM, and diversity, equity, and inclusion (DEI) as the board’s primary strategic priority for the next 12 months. While that could indicate many companies have already taken some significant steps to address HCM and DEI considerations, regulators also continue to introduce new requirements in these areas to address continuing inequities.

It’s important for companies to take a strategic approach to their HCM practices, as employees are often one of the most — if not the most — significant assets for a company. This area has been and continues to be a focus for the SEC, as evidenced by the enhanced risk factor disclosure requirements introduced in 2020. Additional proposed HCM disclosures appear on the SEC’s rulemaking agenda for 2023 and have been espoused in speeches by SEC Chairman Gensler. With that regulatory focus in mind, it’s especially important for compensation and human capital committees to review their companies’ HCM policies, as well as practices for director elections and board refreshment.

The proactive approach to ESG risk

As directors seek to address climate risk, cybersecurity threats, and HCM challenges, the specific risk mitigation tactics will vary to a degree based on the board’s structure and the resources available to management. Boards should consider proactive steps to address these risks. Key steps include: assessing risk prioritization; developing or updating risk mitigation programs; developing or updating corresponding policies, processes, and controls; reviewing reporting processes and data collection; and reviewing compliance programs to ensure they are sufficiently resourced to evolve with new regulations and guidance.

The evolving risk landscape will continue to elevate certain ESG risks as priority areas for boards. Identifying and addressing such risks proactively can both mitigate risks and add long-term value for an organization.
