- Most compliance leaders already see alignment between ABC and ESG, but find it difficult to embed ESG in existing compliance programmes.
- New corporate ESG regulations are emerging along similar lines to existing ABC regulation adopting a non-prescriptive, risk-based approach with a strong focus on third-party risk.
- Companies ahead of this regulatory curve that successfully integrate ESG with ABC have the opportunity to streamline and standardise governance and risk management across their business and value chains.
Most multinationals have invested significant resources and money into developing and implementing mature anti-bribery and corruption (ABC) programmes, but to what extent can these programmes be used to manage environmental, social and governance (ESG) risks? This was the question addressed in Steering the Course III—Navigating Deep Waters, a report recently published by Hogan Lovells based on in-depth research conducted among 600 chief compliance officers, heads of legal, or equivalent compliance leaders across the world.
This research found that ABC and ESG management are already widely seen as co-existing: 70% of compliance leaders view ABC and ESG risk management as aligned programmes, rather than competing priorities, in their organisation, but 82% are struggling to embed ESG in existing risk practices. Despite the challenges, there are many reasons why corporates can, and should, adapt existing ABC programmes to cover ESG, particularly because corporate ESG regulation is developing along very similar lines to existing ABC regulation, and also because third-party risk is central to both ABC and ESG.
ABC & ESG risk
Well-implemented ABC programmes can positively promote a culture of good governance and transparency generally, and corporates should exploit these benefits when approaching ESG matters. Many established ESG standards and initiatives explicitly refer to ABC. For instance, Principle Ten of the UN Global Compact states: ‘Businesses should work against corruption in all its forms, including extortion and bribery.’ Similar references can be found within the Global Reporting Initiative (GRI) and OECD Guidelines for Multinational Enterprises. Many large corporates voluntarily report under the GRI which already requires ABC and ESG to be reported together on a standardised basis.
Not only does this overlap reflect that ABC is central to the ‘G’ of ESG, it also reflects the fact that ABC and other ESG risks are often connected and arise in similar contexts. For example, sectors and transactions at higher risk for ABC are often at higher risk for human rights abuses. Bribery and corruption are often the means by which human rights, environmental crime and other violations are facilitated and concealed. A company’s existing ABC (and also anti-money laundering) risk assessments can often be used to highlight the specific sectors, jurisdictions and types of operations and transactions that may be of concern from both a financial crime and ESG perspective—particularly around human rights impacts.
That said, there are still differences in the typical profile of activities, transactions and third parties that pose an ABC risk versus other ESG risks, and so corporates will still need to look at third parties and relationships with different lenses. A company with a relatively simple value chain may for instance be at less risk of bribery or corruption, but what suppliers or customers that there are could present significant human rights and environmental concerns.
Regulatory developments & parallels
In the last few years ESG has dominated discourse around corporate culture and citizenship, and is key to boardroom discussions and company strategy. Notwithstanding that, corporate ESG regulation is still emerging in the form of new disclosure requirements (including the EU Corporate Sustainability Reporting Directive) and due diligence obligations (most notably the proposed EU Corporate Sustainability Due Diligence Directive). A number of countries, including the UK, France, Australia and Germany, have adopted national regulation of similar types. In the US, the Securities and Exchange Commission (SEC) has introduced new disclosure requirements, which will require public companies to enhance their climate-related disclosures.
In order to comply with these regulations, corporates will need to identify, analyse and mitigate ESG risks in their business operations and third-party relationships in much the same way that financial crime regulation has required for some years. The proposed EU Corporate Sustainability Due Diligence Directive will require companies to identify, prevent and mitigate human rights and environmental adverse impacts in their own operations, the operations of their subsidiaries, and the entire value chain (which is not limited to suppliers only). This reflects a regulatory trend, seen also in relation to financial crime, by which governments transfer responsibility for investigation and compliance from under-resourced regulators to corporates.
There are clear parallels between the development and approach of corporate ABC and ESG regulations. The proposed EU Corporate Sustainability Due Diligence Directive requires companies to be held liable for damages that could have been avoided by appropriate due diligence measures. This is similar in effect to the defence to corporate offences under the UK Bribery Act 2010 where a corporate can show that it had in place ‘adequate procedures’ designed to prevent bribery from occurring. The UK Law Commission has recently suggested a new corporate offence of failing to prevent human rights abuses, which would mirror the main corporate offence under the Bribery Act 2010.
Corporate ABC (and other financial crime) regulation and ESG regulation are founded on the concept of risk assessment/due diligence—this means that it is ultimately up to corporates to identify and assess relevant risks and tailor their policies and procedures accordingly. It is not for regulations or regulators to prescribe exactly what corporates must do. A culture of good governance and continuous improvement is essential in order to respond effectively to non-prescriptive regulation of this type (exactly the same thing could be said of occupational health and safety, which has been regulated in the UK using a non-prescriptive approach for decades). Corporates with mature ABC programmes should be well placed, from both operational and cultural perspectives, to identify and assess ESG risks.
Third-party risk
Relationships with suppliers, joint venture partners and other third parties present the potential for reputational and regulatory risk in relation to both ABC and ESG. Historically, environmental regulation in particular was focused on a corporate’s own operations and direct impacts, but this is now changing. As noted, corporates are, and will increasingly be, responsible for identifying and mitigating third-party ESG risk and determining what measures are appropriate in order to do that.
Our research showed some complacency in respect to third-party risk in respect to ESG. Strikingly, only 1% believe that this risk is great while two-thirds believe that it poses minimal risk.
Most compliance leaders (56%) anticipate their levels of third-party ESG risk increasing in the next 12 to 18 months. This may be due to impending regulation (or because this is the timeframe they hope to have to prepare). Organisations with more established ESG management protocols appear more likely to recognise the possible impact and ramifications of third-party risks: 32% of those with high-maturity schemes (vs 23% with low-maturity schemes and 28% with medium-maturity schemes) believe they pose a ‘fair amount’ or ‘great deal’ of risk.
Challenges & opportunities
ESG risk management is largely uncharted territory, with a lack of established frameworks on which to build organisational processes and standards. This is making it difficult for compliance teams to develop their ESG programmes. As we noted above, the Navigating Deep Waters research found that 82% of compliance leaders are struggling to embed ESG in their existing programmes. 78% of compliance leaders cite a lack of established ESG knowledge and skills as a limitation, and 74% are hindered by the complexity of ESG risk management in different markets in which either they or their third parties operate.
A core issue is the complexity of ESG management. Expectations and requirements are still being realised, and there is a diverse patchwork of ESG regulation on a regional, national, international and industry level. These various frameworks have different legal effects, with some legally binding and some not. This unsettled landscape—with many moving parts that are not always moving in the same direction—can be difficult to navigate. The proposed EU Corporate Sustainability Due Diligence Directive may introduce a greater degree of consistency and legal certainty, and its effect it likely to extend beyond the EU (in perhaps the same way that EU data protection law has done). But neither the proposed Directive, nor guidance which the European Commission has committed to publish, will provide corporates with all the answers. Corporates will have to exercise judgement in determining what measures to implement, and also in how they respond to any adverse ESG impacts that are identified.
The road ahead
Despite the challenges compliance leaders are facing in terms of incorporating ESG into current practices, four in five (81%) compliance leaders recognise that integrated programmes can positively impact their organisation. It is clear that as with ABC, a simple box-checking exercise will not suffice for ESG.
The implementation of a risk-based approach for both ABC and ESG with a strong focus on third-party risk will become the norm, and for many companies may well be mandatory as a result of emerging regulation. Companies ahead of that regulatory curve that can successfully integrate ESG with ABC have the opportunity to streamline and standardise their management across their business and value chains.
Liam Naidoo & Kevin O’Connor, partners at Hogan Lovells (www.hoganlovells.com).
