By Karl Viertel, Managing Director, Mitratech’s

Operational resilience and ESG risks are arguably some of the hottest buzzwords in today’s RegTech industry. Operational resilience refers to the discipline of keeping an organization’s services running by preventing, adapting and responding to, recovering from, and learning from operational disruptions.

ESG risk management and its associated reporting have equally gained in importance over the past two years, with the objective of preparing organizations for anticipated seismic shifts in their operating environments. Today, few jurisdictions do not require some form of ESG consideration. But what do the two topics have in common?

Mainly that your organization’s services cannot be truly resilient if you do not understand your ESG risk exposure. Resilience without ESG consideration can only address the short-term horizon.

Understanding the potential threats to your organization needs to be the foundation of operational resilience. ESG risk management provides the context needed to understand threats to the organization beyond traditional threat modeling. Analyzing ESG impacts will likely reveal not only risks but also opportunities that can be realized through new strategies. New business areas may have different resilience profiles and, as such, will influence your operational resilience program.

What are key elements to consider when shaping a second line encompassing both ESG and operational resilience?

  • Integrate with existing methodology

Do not try to reinvent the wheel from a process perspective. If you have sound and comprehensive ERM processes in place, leverage them to address ESG risks as well. This reduces friction for business lines, for the people consuming the reports, and for your auditors. Your ESG GRC does not need to be a fundamentally new capability. Additionally, operational resilience relies on understanding the complex dependencies between the people, processes, and technologies supporting the delivery of a specific service. With these dependencies mapped, the impact of ESG risks, and the mitigants they require, will be evident.

  • Develop a comprehensive view of ESG

Extend your ESG scope beyond the environmental factor; ESG is defined more broadly than that. Taking too narrow a view of the topic will lead to rework, audit findings, and lost effort. In the case of ESG financing, it may also lead to misinformed investment decisions.

Make sure to account for both opportunities and risks within a given megatrend. Let us assume your organization produces battery technology. Resource scarcity might be a risk; however, increased demand and technology innovations might be an opportunity.

Decide how your organization can best use the information gathered from its ESG risk analyses. The nature of the mitigation strategies may differ from traditional BCM planning: adverse effects may not be preventable, so strategies must be defined more broadly.

For most organizations, addressing ESG impacts and increasing operational resilience will require investment. The decision of where to invest must be based on the quantified risk exposure of the affected asset.

Determining your success factors

Both ESG risk analysis and resilience strategy are attempts to predict the future and will be inherently flawed. Start now, then review and improve.

My prediction is that regulators will increasingly require ESG risk analyses to be incorporated into operational resilience planning and strategies. I believe this is the clear path that regulation will follow. I further predict that ESG risks will become what cyber risks are today: a decade ago, cyber risks were a separate category of risk management, far off in the CISO’s office. Today, cyber risks are a key consideration in operational risk management. I am convinced ESG considerations will be part of all enterprise risk considerations within five years.

So what does that mean for businesses today? Start now and don’t wait. Going down a smart path with an integrated second-line function will ensure your investment pays off in light of future requirements for ESG risk management and operational resilience.

About the author

Karl Viertel is responsible for Mitratech’s global GRC business as Managing Director of the business unit. After working in the technology and risk divisions of Accenture and Deloitte, Karl co-founded Alyne, one of the first RegTech companies, in 2015. In late 2021, Alyne was acquired by the legal and risk software leader Mitratech.