How ESRM Principles Can Help Security Leaders Support ESG Initiatives
Environmental, social, and governance (ESG) initiatives are daily becoming more important for boards of directors, shareholders, stakeholders, and investors. Soon, socially responsible companies of all sizes will adopt ESG-driven management and metrics. As a result, organizations—many of which have a global presence—will look at ESG as a business opportunity for cost reduction, increased investment, improved reputations, and higher resilience. To move forward, though, accurate metrics that measure these changes are necessary.
ESG contains a variety of possible elements:
Environmental. This can involve carbon emissions and climate change, pollution, deforestation, and how organizations handle waste disposal.
Social. This category involves labor relations, human rights, customer service, mental health, diversity and inclusion, and how communities are impacted by an organization.
Governance. This can include hiring and talent acquisition, the makeup of boards of directors, executive compensation, business ethics, legal compliance, and how the organization is meeting the needs of external stakeholders.
It can be challenging for security leaders to determine where risk mitigation and security fit into ESG and where individual programs can enable an organization’s socially responsible initiatives. However, a different security acronym can help—ESRM.
ESRM, or enterprise security risk management, is an approach to managing security risk that is thoroughly integrated into the organization’s processes, structures, and goals. ESRM helps security professions tie security more closely to the company’s mission, partner with stakeholders, and holistically manage risk.
There are four pillars to ESRM:
Holistic risk management. Security professionals should consider all types of risks—not just security risks.
Partnerships with stakeholders. Security professionals are positioned as trusted partners who can advise asset owners, like internal consultants more than corporate cops.
Transparency. Security professionals should be transparent about identified risks—as well as how they are identified, prioritized, and mitigated—with stakeholders.
Governance. ESRM-driven governance should include a committee to lead risk tolerance discussions and make top-level decisions so multiple viewpoints can be heard and considered.
So, where does this overlap with ESG? ESRM can help organizations effectively adopt an ESG strategy in a bottom-up approach for all members of an enterprise.
Imagine you are a security manager for a large dairy enterprise. During the past five years, you were able to make the C-suite aware of the great benefits of implementing an ESRM strategy within the organization, top management bought into the plan, and the program is currently working at moderate maturity.
Context is essential to ESRM, because understanding the environment in which the organization operates drives all conversations around risk appetite, acceptance, and mitigation strategies. So, you made an analysis of where ESG goals affect three key categories in your organization—physical, nonphysical, and logical. Your ESRM approach here (knowing the business, considering risk holistically) already puts you ahead of many ESG novices, who focus most often on physical effects and sometimes neglect issues of privacy or reputational risk.
At your dairy company, you assessed all security risks upstream and downstream—from acquiring cows to be milked to delivering products to store shelves. In adopting an ESG lens in addition to your ESRM lens, you will also be examining your processes and supply chain for tangential environmental issues, such as how much of a carbon footprint your cattle emit every day, how much water is needed to produce a quart of milk, or how much gasoline is needed for trucks to transport your product along the supply chain. These are elements that the organization must consider today, especially as investors and consumers are making more environmentally informed decisions that could affect your organization’s bottom line. But as a security manager, considering the risk environment and other factors is nothing new for you—especially if you have already implemented ESRM practices and learned how to communicate with others effectively about multilayered risks.
Beyond environmental factors, social criteria also come into play. ESRM’s focus on stakeholders encompasses all individuals who interface with the organization. Security leaders need to understand what is important to those stakeholders.
As the dairy enterprise security leader, you made an analysis of key stakeholders and their interdependencies within the organization—including employees, vendors, contractors, clients, and people in the nearby communities who could be affected by the organization’s decisions. Understanding their needs and their risk insights improves your ESRM approach.
One of the most important relationships a company has is with its employees—ESG policies boost these relationships.
You have already developed security and risk management functions such as preemployment screening, background checks and investigations, sexual harassment prevention, active shooter response training, and workplace violence prevention and intervention training. These are all social protections for employees and the organization—people are your most valuable assets, and your ESRM experience will be helpful when examining ESG needs. For instance, you developed a holistic risk prevention plan—including internal stakeholders, contractors, and outsourced services—to avoid child labor, human trafficking, sexual exploitation, and animal abuse in dairy operations. In addition, your company has strong policies requiring all business units to promote diversity, equity, and inclusion (DE&I), human rights protections, and anti-discrimination.
Consider how going a step further could demonstrate the organization’s dedication to supporting employees’ priorities or show how valued the community is. For example, consider whether the organization could donate money or product to charitable causes that are important to employees. Does the company periodically provide a free, splendid buffet lunch for employees? Could the company donate a percentage of its profits to the local community?
Each organization exists in a unique context, and a decision that works for one business might be a misstep for another. Evaluating the organization through an ESRM lens can help security leaders determine the most appropriate route to take.
Governance is a shared criterion across ESRM and ESG, and its design focuses on transparency, accountability, fairness, and responsibility. As a security manager, you deal with ESRM as a subset of corporate governance. Because you already earned top management’s commitment to ESRM, you enhanced your relationships with all business unit leaders across the dairy company. You understand the role of the board of directors, the need for audit and oversight, the roles and responsibilities of stakeholders, the organization’s decision-making procedures, and the need for transparency. ESG is just another factor to roll into these relationships and ongoing conversations.
Consider the following questions: How does your company avoid conflicts of interest? Is your company involved in corruption and bribery investigations? Does your company use political contributions to obtain unduly favorable treatment? Is any board member or executive under an ethics investigation? Understanding where your organization stands on these sensitive issues can help a savvy ESRM-minded manager address potential reputational or regulatory risks.
Governance maximizes ESRM’s impact on the entire organization—it enables the security manager to know exactly what other business units do and informs them about what security does. This knowledge and trust enable ESG strategy to be understood and promulgated easily.
Implementing an ESG strategy is becoming more important than ever due to global challenges such as climate risk, data security and privacy concerns, and globalization. ESRM offers great support to companies interested in adopting an ESG strategy because the two concepts overlap when it comes to mapping out nebulous risks or social priorities.
ESRM advantages go beyond the business benefits—the value of the program is in ensuring that the organization avoids harm and adopts global standards more easily. Security managers are in a unique position to use their ESRM expertise to steer ESG conversations in productive and effective ways.
Jaime Alejandro Pulido Pardo, CPP, retired as a major from the Colombian Army following 20 years of active-duty experience in combat, instructing, evaluating training, and leadership. He worked as a security contractor in the United Arab Emirates. He managed Colombian teams for executive protection for movie stars like Tom Cruise, Penelope Cruz, Javier Bardem, and Peter Sarsgaard while filming in Colombia.