Integrating EHS and ESG into GRC: FAQs

To build an effective GRC strategy, companies need to embed EHS and ESG compliance — but how?

During a recent webinar, founder of GRC 20/20 Research, Michael Rasmussen, SVP Client Solutions and Success at CoreStream, Paul Cadwallader, and Enhesa’s Expert Services Strategy Director, Mary Foley, discussed the role EHS and ESG compliance play in GRC strategies. If you missed our article summarizing their key takeaways for executives, check it out here.

Within this discussion, our experts answered audience questions: sharing their insights on building a business case, integrating disparate roles in the organization, and the future of this evolving regulatory landscape. Read on for a breakdown of the top four FAQs from the event.

1. How do you build a business case for investing in technology for GRC and compliance?

For Michael Rasmussen, building a business case begins with identifying your “current state and future state.” Understanding where your business stands today is all about discovering the cost of “what’s not getting delivered,” Rasmussen

Companies typically have a number of systems and data streams all contributing data to GRC, EHS, and ESG. This risks inconsistency and confusion, and even things being missed — while bringing the systems together can save money and overhead, as well as free up valuable staff time to focus on more strategic issues.

The future state, by contrast, is “the ideal state we’re aiming towards” — consisting of a robust, clearly defined strategy that includes:

  • Aspects of EHS and ESG already happening within the organization
  • A clear view of the different departments and functions involved, including how they’re going to work together
  • Who’s going to lead the strategy

The business case is therefore built “on that delta, that quantification of value between the current state and future state.”

It’s helpful to break a business case down into four areas, Rasmussen said. He recommends efficiency, effectiveness, resilience, and agility:

Efficiency

Efficiency is “traditional ROI,” Rasmussen explained. With around “80% of staff time spent managing documents,” he said, it’s vital that organizations implement methods that cut down on administration time and free staff attention for higher-priority tasks. By way of example: “Before,” Rasmussen said, “it’s taken us 200 hours to build this report. But now, it can be done in an hour — and that’s huge.”

Effectiveness

Rasmussen defined effectiveness as “more getting done, better insight, and less things slipping through the cracks.” Without strategies like those proposed by CoreStream and Enhesa, the inherent risk is high, since companies aren’t always aware of the requirements and regulations that apply to their sector. Effectiveness works as a “risk reduction,” Rasmussen said, and after employing Enhesa solutions, companies can identify “residual risk” as compliance gaps are found and resolved.

Resilience

“Improving the organization’s ability to find EHS and ESG issues and contain them while they’re still small” is vital for managing risk, Rasmussen explained. Resilience is an organization’s ability to reduce risk and ‘bounce back’ from any risk it does incur. Some level of risk is inevitable, but the ability to manage it, mitigate it, and — when it happens — recover from it is how an organization reveals its level of resilience.

Agility

Rasmussen said that it’s important to ask yourself: “will this strategy and this approach enable us to keep up with the volume of business change, regulatory change, and risk change?” Asking this helps a company evaluate implementation methods that will let it anticipate changes in the industry and act before mandates are enforced. This knowledge improves organizational agility, helping you stay ahead of the curve rather than running the risk of being “six months to two years behind,” he said.

2. ESG involves a lot of different roles across the company. How do we get them all working together?

Getting to this ideal future state — delivering on the value promised in a business case — involves transforming the business by better integrating the functions that support EHS, ESG, and GRC; closing organizational gaps; and ensuring collaboration between all stakeholders and teams involved.

As we know, there are a number of organizational roles involved in EHS, ESG, and GRC. Under ESG, “you’ve got environmental roles, health and safety roles, supply chain procurement roles,” Rasmussen noted — as well as human resources and privacy fitting under the social factor. For governance, “you’ve got internal controls or financial reporting, transparency, [and] anti-bribery corruption.”

To bring together these various roles into a single, collaborative framework, he said, you need to identify:

  • The different roles that need to actively be part of the strategy
  • The primary roles for overall strategic planning
  • Who will run the program and how they will coordinate with other roles

One of the key elements of success, in his opinion, is for the lead strategist “to be very collaborative across these roles and functions and be able to address them and get different departments working together.” It’s vital that internal silos are broken down to remove the barriers that impede open cooperation, so this lead strategist needs to be able to integrate a variety of perspectives, rather than just “their view of things,” to foster collaboration across a potentially disparate set of teams.

3. What practical steps should I take if I haven’t begun to look at integrating ESG and GRC?

As a first step, Paul Cadwallader pointed out that companies need to understand ESG and GRC from a regulatory perspective by “mapping [their] existing policy framework and identifying gaps,” to understand where remedial action is initially required.

It’s imperative that companies understand and adhere to the regulatory frameworks around ESG and EHS, especially when it comes to reporting. Not only does the changing regulatory landscape make this a requirement for businesses, but, as Cadwallader put it, there’s a “need for that transparency in reporting, but also consumer behaviors and societal expectations in terms of shareholders, stakeholders, and investors shaping the conversation at the C-level.”

That level of transparency now needs to withstand the same rigor and scrutiny as financial data. ESG and sustainability are progressively being embedded into financial reporting requirements, such as the IFRS Sustainability Disclosure Standards, reflecting how seriously they are being taken by businesses and by the regulatory boards that govern best practices.

Leadership may realize, during this process, that a lot of the required information is already being covered and reported on — some 60% of the EHS topics Enhesa covers globally contribute to fulfilling ESG requirements, meaning it’s likely your teams are already collecting it. From here, Cadwallader said, the next step is to “operationalize some of those elements, particularly gaps,” by leveraging “existing reporting outputs.”

Cadwallader summarized the steps to achieve this as follows:

  1. Understand what you need to do from a regulatory requirements point of view
  2. Check those requirements against what your teams already comply with
  3. Leverage existing systems for reporting, like financial systems and GRC platforms – using what you already have, “so you’re not reinventing the wheel”

Businesses should identify where they’re “going strategically as an organization, in terms of objectives, so you can map the practical steps you take into that long-term approach,” Cadwallader said. From there, an organization will be in a good place to go beyond addressing what needs to be done now, and start looking forward to what will need to be done in the future.

Centralized, strategic reporting can be the bedrock from which to build that future-focused, resilient system of GRC that incorporates EHS and ESG for a comprehensive overview to equal the robustness of financial reporting.

4. Where do we see the regulatory environment going next?

Enhesa’s expert Mary Foley anticipates that the future landscape will be heavily influenced by the CSRD and CSDDD, with the requirements and applicability set to evolve each year from 2024 onwards. This means that, while the first year under the CSRD applies only to the very largest EU companies, it will expand as the years progress to cover more and smaller organizations, as well as organizations outside the EU that do business in the EU.

Additionally, Foley anticipates “a lot more guidance being released.” For instance, EFRAG is “releasing at least five different guidance documents related to CSRD.”

And it’s not only in the EU that these changes are occurring. In the US, the SEC’s Climate-Related Disclosures are incorporating similar frameworks and parameters into reporting requirements. Additionally, under the CSRD, a company’s full supply chain is under scrutiny — so even partners that operate elsewhere, or are too small to be required to report themselves, will need to ensure compliance indirectly.

Foley notes that we’re “already seeing a lot of interoperability from a reporting point of view between the likes of EFRAG, IFRS, GRI, and CDP.” This will only become more integrated over time. Further, Foley suggests that “ESG topical related compliance requirements at the jurisdictional level” will surge as organizations embed these into their approaches.

“Something to look out for,” Foley noted, is that the IFRS have received “agreement from IOSCO to start embedding the sustainability reporting requirements from their S1 and S2 into jurisdictional financial reporting frameworks.”

This is just one prime example of how, as the regulatory environment evolves, more legislation will come to light. Businesses will need to work on embedding the most significant pieces of that legislation into their existing frameworks and policies to maintain compliance across jurisdictions. Additionally, having EHS and ESG integrated into current GRC reporting frameworks will make it easier to maintain transparency and remain agile enough to adapt to the next emerging requirements — whether they’re solely focused on sustainability or incorporated into financial reporting, as recent trends suggest.

Integrating EHS and ESG into GRC

Bringing EHS and ESG in under GRC might be a relatively new concept for many companies, but EHS compliance isn’t. There’s an excellent opportunity in the years of experience held by the organization’s EHS specialists. Involving them in the conversation from the start is vital to making sure sustainability can be effectively incorporated into GRC frameworks.

While EHS has conventionally been managed in a distributed, facility-by-facility way, sustainability legislation and regulations are bringing it into the spotlight, requiring transparency and confidence in the data being reported. Consolidating EHS and ESG into a company’s GRC framework means getting a firm grip on still-evolving regulatory changes before they exceed the company’s capacity to manage them and begin to incur further risks of non-compliance.

Companies therefore need absolute confidence in their EHS and sustainability compliance and regulatory knowledge. Enhesa’s EHS Intelligence and Corporate Sustainability solutions provide up-to-date access to the latest regulatory updates and the means to track compliance against them, together with clear insights into what they mean for your organization, across jurisdictions — both now and in the future.

For more in-depth insights into the role EHS and ESG play in establishing a successful GRC framework, read our summary blog and watch the webcast.
