The public outcry over Facebook’s misuse of data and 3M’s water pollution scandal are just two prominent cases that have recently exposed weak links in many companies’ risk management processes and highlighted the potentially enormous costs that companies can face when supposedly remote, but very real risks are ignored for too long. Both Facebook and 3M are paying billions in damages, are struggling to restore their reputation and may have triggered tougher legislation through their behavior.
This alone should prompt companies to establish risk frameworks that enable them to not just control the hazards they face today, but to also foresee outlying risks that have been omitted from traditional risk management and risk reporting. In addition, companies are under growing pressure from sustainability-oriented investors. Given the increasing prevalence and potential magnitude of sustainability risks – for example those related to climate change – investors are now calling for a more holistic risk management approach with timely identification and transparent communication of these risks and the ways in which companies address them.
The assumption on which these demands are based is that companies are better positioned to respond to changes in the external risk landscape when they have a comprehensive risk management process in place that emphasizes the early identification of longer-term eventualities.
The SAM Corporate Sustainability Assessment (CSA) addresses these concerns. Each year, it asks participating companies about significant emerging risks, defined as known, distant threats that may cause damage to the company in the long term. These can include major unknowns like impacts of climate change as well as uncertain outcomes of upcoming political decisions, legislation changes, or market dynamics. The CSA also asks companies whether they conduct materiality analysis to identify the most important material sustainability issues that will impact their ability to generate long-term value – and, over time, many emerging risks develop into material issues that pose significant danger to a company’s growth and profitability. Finally, the CSA process includes a Media and Stakeholder Analysis (MSA) to identify controversies and damages that are linked to poor corporate policies, structures and practices on a range of sustainability issues.
In this way, the CSA helps companies identify weak links in their risk management processes and adopt a comprehensive risk management and reporting sequence that includes 1) the identification of emerging risks; 2) management of material issues, and 3) avoidance and mitigation of controversial issues.
Based on historic CSA data, SAM analyzed the risk reporting sequences of companies during the period 2015-2019 for two key risk areas – climate change and data security & data privacy. The aim was to test whether companies that first identified emerging risks and then managed them as a material issue were able to avoid or mitigate later controversies and damages.
The results of this high-level analysis are encouraging and support SAM’s initial intuitions for both risk topics: that companies with a comprehensive risk identification and management process that includes early identification of potential risks together with targeted strategies for mitigating material and present risk are better equipped to avoid controversial risk events altogether or at least minimize their adverse impact – an outcome that is fully aligned with the interests of their shareholders and other stakeholders.
SAM’s data demonstrate that, over time, emerging risks fall as companies and industries recognize these as being financially material issues that deserve more attention through robust risk management frameworks. More importantly, the data show that as more companies accept and manage material issues for climate strategy and data security & privacy, the overall proportion of controversial risk cases declines. And in more than two-thirds of cases where a controversial risk event was experienced with respect to climate strategy, the ultimate impact was minimized when comprehensive risk management structures were in place and the appropriate risk reporting sequence had been followed (the respective results for data security and privacy risk are inconclusive due to lack of available cases).
SAM’s analysis clearly shows that climate strategy and data security & privacy risks are at different stages in their lifecycles. While the urgency of climate-related topics has accelerated dramatically in recent years, the impact of data security and privacy issues still remains largely unknown for many industries. Moreover, rapidly evolving dynamics and technological developments in the digital space make these risks a moving target for many companies. In addition, identifying and reporting on data security breaches is complicated and overwhelming for many companies.
More time is clearly needed to allow what are now seen as emerging risks to mature into material issues. SAM will continue to accompany and support this process through its CSA, continuously refining the CSA methodology to reflect new and financially relevant sustainability trends that are likely to impact companies’ competitive landscape and future viability.