ERM and sustainable supply chains

Enterprise risk management (ERM) has become a top priority for corporate boards and management over the past two decades. What many skeptics initially considered a passing fad has evolved into a global standard and regulatory requirement for managing risk.

Recent surveys indicate that ERM has replaced accounting issues as the top board agenda item, while chief risk officer (CRO) appointments and ERM initiatives have become commonplace at complex, risk-intensive organizations.

Regulators have also set aggressive minimum standards in statutes and rules, such as Sarbanes-Oxley, DoddFrank, Solvency II, Basel III, and ORSA. Beyond regulatory compliance, ERM has produced business benefits—one of the first empirical studies showed firms that have
implemented ERM enjoy an average 16.5% premium in market valuation.

Over the same period, sustainability has worked its way up to the top tier of management priorities for a similar reason— it’s good for business. Once little more than statements of environmental stewardship supported by corporate donations to environmental conservation projects, sustainability has become a critical strategic objective.

Although many companies now recognize how important sustainability is, few have yet to incorporate it in their ERM frameworks. However, as illustrated above, sustainability does involve significant strategic, business, and operational risks.

Assessment is only the first step—a company cannot manage a risk until it has determined how much of that risk it is willing to bear. It needs to make business decisions within the context of a risk appetite statement, prepared by risk professionals but reviewed and approved by the board.

How to integrate sustainability into the ERM framework?

1. Governance and policy—How should the board and management be organized to provide effective risk governance and oversight? What policies should be established to communicate expectations and risk tolerance levels?
2. Risk assessment and quantification—How should the company make more informed, risk-based business decisions?
3. Risk management—What strategies should the company implement to optimize its risk/return profile?
4. Reporting, monitoring, and feedback—How should board and management reports be structured to provide effective monitoring of risk, including objective feedback loops?