Rethinking Risk Management - Moving Beyond ESG and GRC

The once-revered concepts of environmental, social, and governance (ESG) and governance, risk, and compliance (GRC) are now subjects of intense debate and re-evaluation. As businesses grapple with the complexities of modern risk management, there's a growing recognition that the traditional ESG and GRC frameworks, while groundbreaking in their time, may no longer suffice in addressing the nuanced and multifaceted risks of the 21st century.

This shift calls for a recalibration of risk management strategies, steering towards more dynamic, integrated, and precise approaches that resonate with global business leaders’ current and future demands. My journey from a financial services executive in the early 2000s to head of risk management research at a leading global firm and now as the CEO of Wheelhouse Advisors has given me a unique vantage point on the genesis, transformation, and current state of these controversial terms.

The Distortion of ESG and GRC over the Years:

During my early career as a financial services executive, I observed the initial coining of ESG and GRC. These terms provided a structured approach to specific corporate responsibilities: ESG focuses on sustainable and ethical practices, and GRC ensures compliance and manages risks. However, these terms have morphed significantly over time, often extending beyond their original scope and intent.

In a recent article by Vinson & Elkins titled "ESG Is Over — As We Know It," the authors highlight how ESG evolved from a focused concept into a broad and often misused term. This evolution mirrored my observations in the financial sector. ESG began as a guiding principle for sustainable and ethical practices but gradually expanded to cover many corporate initiatives, leading to confusion and dilution of its original intent. As a lead analyst for a leading global research and advisory firm, covering risk management technologies for more than ten years, I witnessed the transformation of ESG and GRC. Tech marketing organizations began adapting these terms to suit their unique solutions, leading to many interpretations.

This period also marked the beginning of the shift from specific, functional concepts into broader, more ambiguous terms. The Wall Street Journal's recent article, "The Latest Dirty Word in Corporate America: ESG," echoes this sentiment, noting that many companies and executives are now avoiding the term ESG due to its complexity and the political and legal controversies it has attracted. This has led to a shift in messaging, with companies now favoring terms like "sustainability" and "sustainable business."

Norman Marks, a well-known authority on internal audit and risk management subjects, in his editorial "Is It Time We Retire the GRC Acronym?", presents a critical view of GRC, noting its journey from a concept intended to unify governance, risk, and compliance to one that signifies confusion. Marks points out that the 'G' in GRC is often silent, as few platforms or departments support governance activities, reflecting the broader issue of the dilution of these frameworks' effectiveness. His advocacy for focusing on individual responsibilities rather than an expression that signifies nothing aligns with the need for a more targeted approach in corporate risk management.

Integrated Risk Management: A Focused and Effective Framework:

Recognizing the growing disparity between these terms and the actual needs of end-users, my research in 2016 was pivotal in defining Integrated Risk Management (IRM) in 2017. This research led to the creation of a new technology marketplace aimed at meeting the modern challenges of risk management. At Wheelhouse Advisors, I have designed a structured IRM framework addressing the core corporate objectives of performance, resilience, assurance, and compliance.

Source: Wheelhouse Advisors LLC

The IRM Navigator™ Framework, born out of this research, offers a clear and actionable pathway for organizations to align their risk management strategies with critical objectives:

  1. Performance and ORM: The shift from ESG to sustainability narrows the focus to tangible environmental stewardship and sustainable business practices, aligning with overall business performance strategies informed by operational risk management (ORM) applications.

  2. Resilience and ITRM: Emphasizing business continuity and adaptability, the role of information technology risk management (ITRM) within the IRM framework highlights the importance of resilience in the face of disruptions.

  3. Assurance and ERM: Aligning assurance risks with enterprise risk management (ERM) within IRM emphasizes the effectiveness of risk management processes in disclosing accurate risk data and providing necessary stakeholder assurances.

  4. Compliance and GRC: Managing compliance risk through GRC applications under IRM ensures alignment with relevant legal and regulatory requirements.

My experiences, from a financial services executive to an independent advisor, have demonstrated the necessity for precision in the language and frameworks used in corporate governance and risk management. The evolution of ESG and GRC into broad, ambiguous terms underscores the need for a more targeted approach, as embodied by IRM. This shift enhances understanding, streamlines risk management processes, and reinforces commitments to transparency and accountability. In the face of modern business complexities, adopting focused and integrated practices in risk management is essential for success.

Source References:

  1. Solorzano, J., Morgan, S., Dobbins, M., & Schmergel, C. (2024). ESG Is Over — As We Know It. Vinson & Elkins. Retrieved from Westlaw Today

  2. Cutter, C., & Glazer, E. (2024). The Latest Dirty Word in Corporate America: ESG. The Wall Street Journal. Retrieved from WSJ.com

  3. Marks, N. (2021). Is It Time We Retire the GRC Acronym? Information Management. Retrieved from CMSWire

John A. Wheeler

John A. Wheeler is the founder and CEO of Wheelhouse Advisors, a global risk management strategy and technology advisory firm. A recognized thought leader in integrated risk management, he has advised Fortune 500 companies, technology vendors, and regulatory bodies on risk and compliance strategies.

https://www.linkedin.com/in/johnawheeler/