Governance, Risk and Compliance

9 Proven Dos and Don’ts of ESG in a GRC Context

Posted March 2, 2023 by Resolver

This content was created as part of our Top 5 Strategic GRC Capabilities Report. Download our free report now!

Rising in interest from consumers and investors alike, ESG stands for Environmental, Social, and Governance (ESG) factors and programs. With $17 trillion invested in 2023 ESG funds — and a forecast of $53 trillion globally by 2025 —the ESG label matters now more than ever.

With this push to create positive change in organizations that filter to customers and investors, perhaps your company has already begun to deliver on ESG. But how do you ensure you’re not just “ESG-washing” to meet those pressures but actually providing a meaningful program that positively impacts the bottom line, the planet and its inhabitants, and your corporate brand over time? 

Passionate about talking all things ESG, Kroll’s Managing Director of Compliance Risk and Diligence, Mariellen Davies-DeMarco, recommends creating guiding principles and ensuring you are aligned with how your goals (like KPIs and OKRs) will be measured and defined, letting due diligence be your guide. “Apply a risk-based approach and establish proactive due diligence requirements across all operations.” In this article, Davies-DeMarco shares her recommendations and best practices for delivering a meaningful ESG program as part of an overall GRC strategy.

ESG-washing: The problematic dark side of ESG

The problem with ESG, says Davies-DeMarco, is that many investors have grown increasingly skeptical about the trend. “They see it as a lot of show. It’s shiny, no substance, and really open to abuse.” ESG-washing occurs when companies falsely overstate the positive impact of an investment on environmental causes, labor rights, human rights, or social issues. Davies-DeMarco explains how this highlights a huge disconnect between the policy and the practice, “Even when there’s action because those that are affected by the corporate abuse don’t see the practical applications or the expected improvement of that action.”

With the ESG-washing, funds raised can be used to cast a positive spotlight on the image of an organization rather than actually making true investments and projects to help combat climate change or make a difference in people’s lives. Davies-DeMarco says ESG leaders and companies focused on ESG need to show that they’re going beyond putting out statements, engaging in low-impact activities, or box-ticking exercises. “They really need to better understand and make good on the environmental and social impacts of their investments, of their activities, and on the activities of their third parties.”

Dos and don’ts for an effective ESG program that avoids ESG-washing

Davies-DeMarco explains that while it sounds like a lot of work, there are some straightforward ways to ensure you are not ESG-washing.

1. DO complete an ESG ratings agency score evaluation

“There are so many agencies that have set frameworks for ESG standards and disclosure, and that’s a great place to start. But Davies-DeMarco also cautions that there can be a real divergence between ESG ratings, “so you’ll have to look at the different frameworks to better understand what inputs were used, what reports were leveraged within these frameworks and how they’re scored. And once you have a better understanding of those differences, then you can decide which scoring you might want to take a look at and compare to what you’re doing.”

2. DO look at your investor disclosures

“Understand what representations your organization is making and test them,” DeMarco recommends. “See if you’re actually taking the right action. And then seek outside experts.” Risk advisory experts with a specialty in ESG, like Resolver’s parent company Kroll, can help you ask the right questions, and will help you align to the correct framework, then gather the best data to be able to demonstrate that you are taking effective steps.

3. DON’T take a top-down approach to ESG

ESG needs to be a shared responsibility of buyers and suppliers. “This is really a reductive approach that leads to a lack of being able to prescribe, or even monitor, compliance to ESG needs. This also comes into play with business supply chains, shifting responsibilities to the suppliers.” Davies-DeMarco cites what happened to Hyundai in 2022 as an example of the problems that can arise with a top-down approach to ESG.

Authorities had launched a child labor probe into two of Hyundai’s regional supply plants and found migrant child workers, some as young as 13, allegedly hired by regional recruiting and staffing firms. “So it was almost two layers removed,” says Davies-DeMarco. Shortly after this issue became public, an investor group sent a letter to Hyundai warning of the possibility of reputational damage. The use of child labor violated international standards that the company had committed to, and it also violated the company’s code of conduct for its suppliers.

Learn more about how to build an agile GRC strategy.

4. DO own your mistakes and be agile in remedying them.

For many organizations, it can be challenging to see errors coming until they happen. But resiliency can’t take effect until the situation is addressed. “Hyundai’s global COO stated that the company would sever ties with the employment supplier companies and undertake a broader investigation into Hyundai’s entire network, which is exactly what they should be doing.” To ensure compliance and be stringent that there were no other potential labor law violations, Hyundai also stated that it would stop using third-party suppliers and oversee hiring directly. “That’s absolutely the right response to something like this,” says Davies-DeMarco. “They saw that it was a real failing that they had, and so they took steps to remedy it.”

5. DON’T rely solely on social audits

Social audits are independent reports companies use to determine whether their suppliers (again, in the third-party chain) meet ethical norms or standards. “The problem is that the social auditing model is very limited, and there’s a lot of questioning as to when a social audit is conducted. Who’s paying for the social audit? Is there a certain expectation of what the findings might provide?”

Davies-DeMarco uses the manufacturer Top Glove as an example. Based in Malaysia, Top Glove underwent approximately 30 social audits in two years before an independent investigation found widespread forced labor in their supply chain. “They kept pointing to the social audit, saying, ‘Look, everything’s great, and everything’s fine,’” says Davies-DeMarco. “And yet that independent inquiry found that that was, in fact, not the case.”

Social audits are not due diligence, DeMarco cautions. “They ultimately do not work to improve outcomes for the people that ESG is supposed to be helping. And it’s a particular failing. It looks pretty, but ultimately, it doesn’t work.”

6. DON’T misrepresent your ESG program

In April 2021, the SEC had to issue a risk alert that specifically addressed management misrepresentation in ESG investing. “This alert calls on participants that are promoting ESG investing to really assess whether their public statements and their claims relating to ESG are accurate and consistent,” DeMarco describes, stating she expects the SEC to push this further and counter falsehoods with proper disclosure. Public companies will be expected to include their response to climate change threats with detailed reporting on their actions.

“This is most likely being put into place to counter greenwashing. If you want to talk about ESG-washing, there are other components too, says Davies-DeMarco.

Greenwashing exaggerates or misrepresents environmental credentials
Bluewashing uses the UN affiliation to confer undeserved sustainability credentials
Pinkwashing represents false LGBTQ+ claims
Rainbow-washing reflects the inappropriate use of the UN’s sustainable development goals logo

7. DO understand that transparency is as important as performance

A simple and great start for doing the right thing in ESG management is taking brave steps toward transparency when evaluating current state practices. “When thinking about your next risk assessment, look beyond the financial misstatement risk and start to think about environmental and societal misstatement risk,” Davies-DeMarco recommends. Be very honest about where you are now before deciding where you’d like to be and why it matters, and before moving straight into action plans needed to bridge that gap. Communicating your current state transparently and giving context to the “why” of implementing ESG programs at all will significantly impact getting buy-in from employees, customers, and vendors alike.

8. DO start with a gap analysis

To get to that desired state of transparency and self-assessment, you first need to understand the industry benchmarks. Who around you does ESG well? What do you have to do to get there? “Take a look at your ESG reporting and compare it with competitors in your field,” Davies-DeMarco suggests. “Or better yet, compare it with the ESG standards of the relevant regulatory bodies. It’ll give you a great understanding of where you compare.”

9. DO clean up your data

“Many companies struggle to gather data to calculate ESG metrics and even turn that into action,” explains Davies-DeMarco. Data can be complicated to collect, incredibly when siloed in different departments and without a central way to capture it before moving to analysis. Social data is even harder to define, says Davies-DeMarco. When compared to environmental issues — where data like carbon footprints or pollution provide us with well-understood comparable metrics — measuring social impact can often be subjective without adequate frameworks to help you assess.

Ensure you align with how your goals (like KPIs and OKRs) will be measured and defined, letting due diligence guide you. “Apply a risk-based approach and establish proactive due diligence requirements across all operations,” she recommends.

Don’t let the risk of ESG-washing deter you from pursuing a meaningful ESG program. With the right risk intelligence software that provides a centralized, accessible, and flexible GRC solution to capture, analyze and communicate your ESG risk data and program milestones, you can confidently contribute to impactful environmental and social change that will benefit your organization.

If you’re ready to explore how Resolver can help you avoid ESG-washing and deliver on your ESG goals, register for an upcoming ERM product showcase or talk to our knowledgeable Sales team to request a custom demo that addresses your specific needs around risk management.

While an effective ESG program ensure benefits to both the planet and your organization, it’s just one part of a holistic GRC strategy. From the desire to move towards digital transformation and GRC agility, we’ve designed a Strategic GRC Capabilities Report to help start the conversation on improving and maturing your GRC processes and strategy. Our industry experts will guide you through thought-starters and actionable goals to help maximize your team’s efficiency, agility, and resiliency in 2023 and beyond.

Download our free report on the Top 5 Strategic GRC Capabilities now!

Cookie	Duration	Description
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
BIGipServersj13web-nginx-app_https	session	This cookie name is associated with the BIG-IP product suite from company F5. Usually associated with managing sessions on load balanced servers, to ensure user requests are routed consistently to the correct server. The common root is BIGipServer most commonly followed by a domain name, usually the one that it is hosted on, but not always.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
datadome	session	This is a security cookie set by Force24 to detect BOTS and malicious traffic.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
XSRF-TOKEN	6 months	This cookie is set by Wix and is used for security purposes.
_mkto_trk	2 years	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__resolver-ref	session	This cookie is set by Resolver to ensure visitors receive unique content after submitting a form on our website.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
sp_landing	1 day	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
sp_t	1 year	The sp_t cookie is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
ADRUM_BT1	past	This cookie is set by AppDynamics and is used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
ADRUM_BTa	past	This cookie is set by AppDynamics and used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.

Cookie	Duration	Description
ajs_anonymous_id	never	This cookie is set by Segment.io to check the number of ew and returning visitors to the website.
ajs_user_id	never	The cookie is set by Segment.io and is used to analyze how you use the website
CONSENT	16 years 2 months 17 days 10 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_4655365_4	1 minute	Set by Google to distinguish users.
_gat_UA-4655365-4	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_ga_VCHH3SM1QW	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_omappvp	11 years	The _omappvp cookie is set by OptinMonster to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie set by OptinMonster, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_uetsid	1 day	This cookies are used to collect analytical information about how visitors use the website. This information is used to compile report and improve site.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
sa-user-id	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
sa-user-id-v2	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps in differentiating between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_uetvid	1 year 24 days	This cookie is set by Bing to store and track visits across websites.