The central role of EHS and ESG in GRC strategy

EHS and ESG compliance are central to a robust GRC strategy. But how are they related and how can businesses effectively integrate GRC with EHS and ESG?

As today’s global EHS and sustainability regulations continue to evolve, and new legislation emerges almost daily, companies need to adapt — quickly and repeatedly — to maintain compliance. Non-compliance, even when it’s unintentional, brings with it hefty consequences: legal, financial, and reputational. But finding and gathering the data needed to meet sustainability reporting requirements can be tough — especially when that data is distributed across various teams, technologies, and resources throughout a company.  

GRC is a strategic framework that helps companies mitigate risk by defining and managing the intersection of organizational governance (G), risk (R), and compliance (C). And with the increasing impact of EHS and sustainability requirements on companies, a robust GRC program must consider EHS and sustainability requirements as central to its purview.  

So how will companies get there? During a recent Enhesa webinar, lead analyst and founder of GRC 20/20 Research, Michael Rasmussen, together with SVP Client Solutions and Success at GRC platform provider CoreStream, Paul Cadwallader, and Expert Services Strategy Director at Enhesa, Mary Foley, discussed the critical role EHS and ESG have in GRC. Their insights on three key dimensions of that relationship are captured below:  

  • Renewed focus from the C-suite 
  • Leveraging existing GRC frameworks to realize EHS and sustainability compliance 
  • Best-case “future state” scenarios – and how companies will achieve them 

To see the full discussion, watch the webinar: The role of EHS and sustainability compliance in GRC. 

Renewed focus on EHS and sustainability from the C-suite

GRC is “how ESG gets done,” Michael Rasmussen said. As for why ESG and EHS are central to GRC, Rasmussen explained:  

“The modern organization is chaotic, changing minute by minute,” said Rasmussen. With around 1,200 regulatory developments related to ESG topics identified in the first six months of 2024, and an estimated 297 EHS regulatory changes identified globally each day, the EHS and ESG legislation companies must maintain compliance with is shifting rapidly, he said.   

GRC is beginning to be “utilized to support ESG and EHS initiatives.” As Rasmussen observed: “I see this on a regular basis, and in fact … there’s board-level attention and oversight in this area. I’m seeing a lot of interaction and activity, specifically with senior executives, C-level, and people on the board.” 

In addition to engaging on broad aspects of governance, risk, and compliance, there’s engagement “particularly around EHS and the driver of that: ESG.”  


The role of worldwide sustainability regulations 

EHS, ESG, and GRC are all being impacted by recent regulatory drivers — such as the EU’s CSRD and CSDDD — pushing companies toward board-level oversight of the overall ESG program. 

And while the EU is leading, the US is not far behind. “In the US, it’s a little more fractured,” Rasmussen pointed out. But with so many companies doing business globally, US firms are clearly affected. 

“There’s 50,000 firms having to comply with the EU CSRD — 12,500 of them by 2025 — so they need to start collecting information and working on this now if they have to start reporting in January. That’s a critical concern, and it definitely requires board-level involvement. A significant amount of those firms having to respond to EU CSRD aren’t headquartered in Europe or the EU; they could be headquartered in the UK, US, or even Australia. 

“This isn’t something to approach tactically but strategically,” Rasmussen said.  


The requirement for transparency 

Paul Cadwallader of CoreStream emphasized the need for transparency in business operations. “You’ve got the … need for that transparency in reporting, but also consumer behaviors and societal expectations in terms of shareholders, stakeholders, and investors shaping the conversation at the C-level.” 

As for the “G” in GRC — Governance — that’s all about defining objectives and what it takes to meet them. That need for transparency “has led organizations to define their objectives,” Cadwallader continued, “which now intrinsically — from a strategic point of view — have ESG and EHS built into them. 

“An organization’s customers are demanding information, intelligence, and an understanding of the risk they’re going to pose as a supplier or business partner to that organization. [All of that is] coming together with the C-level’s desire to have the holistic and integrated information so they can make decisions,” he added.  

According to Cadwallader, these decisions include:  

  • Are we achieving strategic objectives? 
  • Which way do we need to pivot? 
  • How do we use ESG as a competitive advantage?

The substance of regulatory developments 

It’s clear C-suite priorities are shifting to include EHS and sustainability. But what’s the substance of those changes?  

Mary Foley brought an overview of the content of those requirements to the conversation. Based on requirements from the CSRD and the ESRS, Foley explained, “under the E of the ESRS reporting standards, there are five reporting standards relating to environmental topics: 

  1. Climate change 
  2. Pollution 
  3. Water 
  4. Biodiversity  
  5. Resource use 

“And in the social elements, there are four reporting standards, two of which specify health and safety metrics,” Foley said. 

So where are companies coming by this information today? And where does the leadership find the data they need? 

“A lot of companies will already have some really good compliance information embedded in their businesses,” Foley said. “A lot of GRC and ESG is about pulling together data that’s already in place, maybe in disparate parts of the business. And we’re seeing that companies are now building this internal infrastructure and embedding their sustainability objectives at the highest level — not just in their own businesses, but also into their supply chains.”

Leveraging existing GRC frameworks to meet EHS and sustainability regulations

Rasmussen encourages companies to use existing policies, processes, and centralized systems to meet the ever-changing demands of EHS and sustainability regulations — and especially to avoid a complete overhaul of their existing infrastructure. 


About the GRC framework 

“Organizations think of GRC as technology,” Rasmussen pointed out, “but a framework is something broader that involves the strategy and process. From a framework point of view, I personally love the OCEG GRC capability model, with its four components of: learn, align, perform and improve.” 

He went on to summarize the model: “We need to understand [and continuously] learn our external and internal environments; align and work together across our different objectives, different groups, departments and functions; identify [and understand the risk of] our ESG objectives; analyze those risks and develop a treatment program; implement controls, monitor, assess, respond; and then improve our program over time.” 


Getting the technology right 

Technology is a key component, but “you have to be selective,” Rasmussen said. “You need to make sure you have technology that’s highly agile, that can adapt to your organization instead of forcing your organization to adapt, and that can be delivered to encompass EHS and ESG.”  

With so many GRC options on the market, Rasmussen pointed out that “some GRC technology and platforms are built for IT security and they’re very rigid. They don’t provide a robust view into the world of EHS and ESG.” 

If you’re evaluating current or future solutions, he advises “you need to make sure you have agile solutions that can deliver on that framework appropriately.” 

Paul Cadwallader expanded on that capability, describing how technology should be “leveraging the ability to map your regulatory information to your policies and then understanding adherence to those.” With that information, Cadwallader said, “you’ve got really great mechanisms to push out policies across your employees and your third parties.”  


Leveraging what you have 

And when it comes to reporting — a significant internal and external requirement for GRC, EHS, and ESG programs — “organizations will have many controls that have been matured and embedded over time to cover financial reporting,” Cadwallader said. “Some of this is not dissimilar in terms of capturing information around an organization when you come to carbon reporting dimensions and leveraging those controls and that understanding.”  

His advice is to apply financial reporting workstreams, technologies, and process rigor inherent in GRC to EHS and sustainability goals:  

“Don’t reinvent the wheel,” he said. “You’ve got something already embedded, so just expand it and align it.”  

If you don’t, you risk “uncertainty in achieving your objectives, around achieving some of these sustainability aspects. You’ve already embedded those aspects as a business from a GRC point of view. It’s about seeing how you use your existing processes and framework over that new set of topic areas.” 

Mary Foley pointed out the number of team members engaged in all three initiatives at a company, making internal collaboration critical, together with leveraging “what you already have. If you’ve got a solid GRC or ESG sustainability infrastructure, you’re already going to find it less of a challenge to incorporate all of these newer requirements. Look at what you have, make sure that you can access it in an agile way, and identify any gaps,” she advised. 

The “future state” for managing GRC, EHS, and ESG — and how companies will achieve it

Companies need to establish goals, build a framework, and work collectively to integrate effective EHS and sustainability compliance management into their existing GRC framework, the speakers agreed.  


Start with strategy

From a strategy point of view, Michael Rasmussen pointed out that the first step is for organizations “to really define what their strategy is and get the different departments and functions involved. That includes their overall vision [and] how they’re going to work together. Who’s going to lead the strategy? From there, define your processes around EHS and ESG, and how that fits into the broader GRC context, and then the information technology environment that’s going to support that.” 

Evaluating what you have today, and working with that to converge the initiatives successfully, is key: “There’s aspects of EHS and ESG that are definitely happening in the organization” already, Rasmussen said. “It could be rather mature in some organizations, but in a lot of organizations it’s this ‘wild west’ activity where there’s a lot of different departments [going] in a lot of different directions.” To reduce redundancy, gaps, and overlap, he said, “You need a good understanding of what your current state is, what your future state is, your roadmap to get there, and the business case of why this is valuable.” 

On the collaboration required to achieve a coordinated future state, Rasmussen concluded that “you need to make sure the right team is on board and willing to work together. You need to make sure you have the right technology foundation that can deliver on that future state, and that you’re not building on something [that can’t deliver] on EHS, ESG, and GRC implementation. From there, you need to break your program up into achievable components — because for a lot of organizations, this is not a small project… You also need to be ready for change because that’s the one thing that’s apparent in this world.” 


Close organizational gaps 

Paul Cadwallader emphasized the need to close the gaps: “Today most things are siloed within the E, S, and G across an organization, but also between some of the GRC functions — and definitely between ESG and GRC in the majority of businesses.”  

His future vision for organizations? “The ‘tomorrow’ is really that integrated capability.” Getting there means “organizations having objectives now which will be part of their transformation, their restructure, and their reapproach to things as they move towards that net zero transition. 

“Those focusing on objectives,” he said, “and managing all the dimensions together in an integrated way, will come out of that process with better performance. And that’s all got to be wrapped into that business case — that executive buy-in — in terms of those multidimensions.” 


Collaborate with new stakeholders and teams 

Executives aren’t the only organizational roles to consider in this transformation. The supply chain and other partners must be considered, too: “From a supply chain point of view,” Cadwallader added, “there’s organizations [that have] become much more integrated with their supply chain and with their partners.”  

These third-party stakeholders will be part of that ‘future state’, Cadwallader said. “For me, this is a journey, and that journey has to move in terms of the integration of the various functions and capabilities at the same pace that the organization aims to move.” 

Mary Foley also emphasized the collaboration and integration needed to reach a ‘future best case scenario’, including “integration with financial reporting. We’re going to see a lot more of the sustainability and financial reporting functions becoming more and more integrated as well. The fact that a lot of the data we’re talking about will need to be tagged is [an overlooked element] of the CSRD at the moment… Each piece of data that is used in the reporting will need to be tagged so it can go into a European single access point — now that brings transparency to a whole new level.”  

Building the infrastructure it will take to get there, in Foley’s experience, is about “realigning their current separate pieces of infrastructure. They need to start thinking about how that’s going to look in the future in terms of this topic of transparency.” 

GRC, EHS, and ESG: An essential convergence

More and more companies and their stakeholders are going to scrutinize EHS and sustainability compliance data in light of emerging global regulations. Which is why it’s so important they know what’s necessary for compliance — everywhere they operate in the world.  

These new requirements will generate a lot of additional data — which companies will need the right infrastructure to manage successfully. This data must be harmonized, transparent, and available for examination by external stakeholders as well as internal ones. With the right technology, teams can achieve efficiency, letting personnel resources focus on more high-value, strategic initiatives.  

EHS and sustainability compliance data is taking a more central role in the established world of GRC. With EHS and sustainability data as part of the institutional knowledge managed in a GRC framework, it can be instrumental in reducing organizational risk and compliance gaps — making businesses more resilient, more prepared, and more strategic.  

Watch the experts’ full discussion on the Enhesa webcast, ‘The role of EHS and sustainability compliance in GRC’.