CORPORATE SUSTAINABILITY AND 'NONFINANCIAL RISK'
Consequence of missing ‘nonfinancial risk’
During the past two decades (prompted by concern for climate change as well as an increasing number of catastrophic collapses of large and small enterprises) there has been a move from reporting information regarding Financial Risk only, to reporting Economic Sustainability.
As this topic of interest has evolved, clarity regarding a split between financial and ‘other risks’ has been gained – weighted disproportionately in favour of the other risks. For this discussion we will therefore refer to the ‘other risks’ as ‘nonfinancial risks’.
It is important to realise that the concept of ‘non-financial’ risk in no way reduces the losses (financial and other) that result from risk events – irrespective of what we call them. The differentiation between financial and other types of risk is only made to highlight the deficiency that results from a myopic focus on financial risk only. The more holistic stance now taken by commerce and industry regarding management of risk is dealt with under the subject of Enterprise-Wide Risk Management. However in many organisations the view of those reporting the risks to the board is still largely restricted to financial matters.
The increased pressure from various stakeholder groups over time resulted in the Global Reporting Initiative (GRI) being established in 1997. GRI provides standards for Sustainability Reporting. These have enabled worldwide standards for sustainability disclosure which is the focus of the concept called the ‘triple bottom line’. Triple bottom line reporting presents reports that combine commercial, social and environmental information, material to the context within which the organisation operates.
More recently the International Integrated Reporting Council, IIRC, was established (2010). Professor Mervyn King, Chairman of the King Committee on Corporate Governance and former Chairman of the Global Reporting Initiative is also chairman of the IIRC. In South Africa, we know Professor King and his team for their work in developing the most recent iteration of the King Report and Guideline, a prerequisite for JSE listed entities.
In December 2013, the IIRC published its International Integrated Reporting Framework, taking the concepts of disclosure even further – with a revision released in 2020. According to the IIRC web site: “Integrated Reporting is a process founded on integrated thinking that results in a periodic integrated report by an organization about value creation over time and related communications regarding aspects of value creation.
An integrated report is a concise communication about how an organization’s strategy, governance, performance and prospects, in the context of its external environment, lead to the creation of value in the short, medium and long term.”
It may be argued that it is because the magnitude of the ‘nonfinancial risks’ has for so long been underestimated by business leaders that integrated reporting is now centre stage. This statement is justified by the long list of businesses that have collapsed with significant knock-on to a wide range of people and their families. Many of these catastrophes have been as a result of matters that would previously not have been disclosed.
As an indication of how severe the mismanagement of nonfinancial risks can be and how significant the related brand damage and other losses can be, a few examples are listed in Table 1.
Discipline | Event | Result |
Environment | 1980’s Thor chemicals mercury contamination | A criminal charge of culpable homicide (out of court settlement $2.1m) |
Health | 1984 Union Carbide methyl isocyanate gas leak and subsequent contamination in Bhopal, India | Caused 20,000 deaths and left almost 600,000 people with permanent physical damage |
Social | NIKE during 1990’s employing forced and child labour | Spent $1.13 billion 1998 recovering its reputation |
Quality | Firestone & Ford (2000) recall 13m tires | Cost of $2.1 billion ending 100 year supply relationship |
Food safety | Cadbury Schweppes 2006 salmonella incident | Cost in excess of £20m |
Table 1 – Losses resulting from ‘nonfinancial risks’ exposures.
These examples are made all the more pertinent when considered against a backdrop of South Africa having promulgated what is considered to be some of the foremost legislation in the world.
Table 2 provides a few examples of such legislation but is not an exhaustive list for each of the disciplines concerned. It should also be noted that many of these acts are further supported by Regulations, regional and local legislation.
Discipline | Legislation |
Environment | National Environmental Management Act, National Water Act, National Environmental Management: Air Quality Act, … |
Occupational Safety and Health | Occupational Health and Safety Act |
Social | Labour Relations Act, Basic Conditions of Employment Act, Employment Equity Act, … |
Quality | National Consumer Protection Act |
Food Safety | Health Act Foodstuffs cosmetics and disinfectants Act |
Table 2 – List of legislation applicable to a few business-relevant disciplines
This legislation not only directly requires performance but also places an obligation on directors to consider their common law duty of care and the need to protect themselves and other stakeholders from potential liability.
The relationship between governance and international standards of best-practice
As a result of the aforementioned disasters and other similar events, the international community has been developing a myriad of standards for assurance of their varying concerns. These represent consensus decisions contributed to by 161 member countries and 3368 technical bodies under the guidance of the International Organization for Standardization (ISO). To date, ISO has published over 19 500 International Standards covering almost all aspects of technology and manufacturing. More than 50 of these deal specifically with governance, and more importantly, focus on a range of matters that expose organisations to significant risk. It will therefore come as no surprise that ISO is a global strategic alliance partner of GRI. In fact, ISO already has standards published that deal with most concerns that the international community has identified as drivers for the IIRC Integrated Reporting Framework.
The first of these international standards was published more than four decades ago during the 1970s to address product quality, namely ISO 9001. ISO 9001 was initially associated with the protection of the citizens of the European Community, applicable to regulated products that have the propensity to harm people or the environment. This standard was followed by the publishing of ISO 14001 to address increasing concerns about environmental matters, in particular climate change. Since those early days, the number of available standards has become prolific. Another two ISO standards worth mentioning because of their relevance to integrated reporting, both published in 2010, are ISO 26000 which deals with social responsibility, and ISO 10668 titled: Brand valuation – Requirements for monetary brand valuation
Against this backdrop, South African business leaders are having to ensure that their internal business records provide proof of due diligence whilst simultaneously protecting against inappropriate performance. A sensible means of achieving ongoing legal compliance is by developing and implementing a management system that conforms to the relevant ISO standards. These, when implemented for the correct reasons, provide a framework for business sustainability with a focus on relevant disciplines.
Typically, their content currently addresses, amongst other topics:
- Information management (business rules and records)
- Preventive action (risk avoidance)
- Monitoring and measurement (assessment of compliance)
- Control of nonconformity and corrective actions (rectification of non-compliance)
- Emergency preparedness
- Audits…
Until 2015, compatibility was a concern amongst ISO standards. Organisations had experienced difficulty conforming to multiple standards as well as integrating their requirements with business systems. All ISO technical work, including the development of standards, is now managed by a Technical Management Board (TMB) and directed by a Strategic Advisory Group (SAG) for strategic advice on standards development. Furthermore, a Joint Technical Coordination Group (JTCG) has been introduced for compatibility and alignment of management system standards.
This new structure has released the following directives:
- ISO/IEC Directive, Part 1 – Procedures for the technical work (2013)
- ISO/IEC Directive, Part 2 – Rules for the structure and drafting of international standards (2011)
- Part 1 contains an annexure (SL) titled Consolidated ISO Supplement to ISO Directives. Its aim is to improve the alignment and consistency of management system standards. Accordingly, it provides
- High-Level Structure (HLS) for all management system standards
- The identical core text, common terms, and core definitions
- The framework for individual discipline-specific requirements to be inserted into HLS
All-new, as well as current, management system standards, will now follow these directives and the Annex SL using the new HLS. Examples of standards already in this format include
- ISO 39001 – Road Traffic Safety management
- ISO 22301 – Business Continuity management
- ISO 20121 – Event Sustainability management
- Standards currently under development or currently under revision that will also follow the HLS
- ISO 9001 – Quality management
- ISO 14001 – Environmental management
- ISO 27001 – Information Security management
- ISO 45001 – Occupational health and safety systems
To explain how these standards work in support of Enterprise Risk Management (ERM) and Corporate Sustainability terms. The Management System Standards demand that legal requirements are satisfied. This necessitates that arrangements be made by the organisation to identify and access relevant legal requirements, as well as control these documents. The requirements for these mechanisms include interpretation of the legislation and definition of business arrangements.
Therefore the content of legislation, applicable to the organisation, is interpreted and the interpretation used to describe the combination of controls needed for compliance. Typically such information is formalised within policies and procedures.
Internal audits, as demanded by all ISO Management System Standards, generate records to prove that reasonable consideration has been given to all legal and other pertinent requirements. The conclusions are used to drive compliance to legislation and to implement sensible actions that prevent operational failure and other types of risk events.
The document control requirements of Management System Standards, demand that policies and procedures are regularly reviewed, including where changing circumstance is evident. This mechanism can therefore assist in protecting directors from potential liability on a continuous basis.
By developing a management system using a preventive approach, working arrangements that are aligned with responsibility and authority are intentionally allocated after careful consideration by management. In fact, the new High-Level Structure, in this regard, demands a connection of strategy to a business process with a view to defining the context in which the organisation operates. Furthermore, these standards demand risk and opportunity assessment and management. It is clear when reviewing the content of the IIRC Integrated Reporting Framework that there is distinct synergy in the management system design required by ISO and the reporting design required by the IIRC.
Without a mechanism to control all business-critical documents and records, there is no assurance that a business will be able to produce the correct information when required to do so. ISO standards use both controls of documentation and control of records as basic tenets in their construct. The requirements deal with all types of media including electronic and hard copy documents and records. If we review the King 3 requirements, GRI, or IIRC requirements, none will be achievable without first introducing this type of arrangement for document control.
Whilst previous versions of ISO standards simply promoted preventive action, the HLS now demands that risk and opportunity form the pillars of the management system. If risks have been identified and mitigating actions designed, the communication systems demanded by Management System Standards will ensure that the arrangements are shared with those responsible for their implementation and kept up-to-date. Furthermore, competence in their application is measured and consistent application of the arrangements monitored. Communication processes will also cover communication in the event of an emergency or disaster. Thus, protection of shareholder interests such as brand damage, potential liability, and other forms of loss can be better mitigated.
As previously stated, Management System Standards demand regular audits, both internal and external, these form part of the monitoring regime that assures consistent control of mitigating actions associated with each process, product, service, facility, piece of legislation, financial and governance risk, dependant on the related discipline being addressed.
Another example includes where physical measurements are carried out. For example, where the Trade Metrology Act applies to instruments used for the sale of goods, or where water quality is measured to satisfy the National Water Act. Proving performance in a court of law after an event could be difficult unless the Management System Standard has been satisfied to introduce arrangements that ensure measuring traceability is connected to national or international physical master standards.
Management System Standards have, inherent to their design, requirements for continual improvement of the system. Therefore arrangements to identify, record, and correct management system errors are mandatory. Such systems add value through addressing processes, products, and services, as well as failures in equipment and facilities, lapses in legal and financial compliance, and deviations from governance systems. Furthermore, arrangements to identify root causes, instead of simply removing symptoms, ensure that failures identified are addressed in such a way as to prevent a recurrence.
Why the right arm of the board can be a “one-arm bandit”
With these factors in mind it is fair to say that although many organisations have discipline-specific departments to address a particular Management System Standard, the individuals in these departments often have limited business experience. More importantly, the majority of audit committees almost exclusively comprise a constituency of financial gurus. The two groups, on the one hand, the discipline specialist and on the other the financial guru, will seldom communicate.
This not only leaves the audit committee ‘light’ on matters associated with the more commonly dealt with disciplines but misses many other disciplines that also need addressing.
If the internal audit function is poorly positioned to deal with disciplines that they are not yet competent in, they certainly will not be able to judge the related risk exposures. Consequently, the organisation and its stakeholders are left vulnerable because the audit committee is gambling on those non-financial risk exposures being unworthy of consideration.
The process-based systems approach to managing enterprise-wide risk
It may be argued that risk is always benign unless there is action. In other words, it is in our effort to seek commercial or other forms of reward that we take action and it is in taking action that we expose ourselves to risk. Without the actions, there would be no exposure to risk.
Action is the smallest component into which a process may be divided and therefore we can use business processes as an ideal framework to analyse and quantify risk. In fact, the IIRC Integrated Reporting Framework demands the use of a business model. In its ‘Value creation process’ diagram it portrays that as follows.
Extract from the IIRC Integrated Reporting Framework: Value creation process
Those familiar with the Quality Process Model conceptualised in the ISO 9001:2000 standard will recognise the distinct similarity between the two models. This concept is further expanded and used in the new standards adopting the HLS.
Conceptually an organisation can be represented by a collection of its business processes. These may be categorised into management, operational, and support processes. Using this concept an organisation may be represented by a business model at a strategic level and by process maps at an operational level. Various diagrams have been used to represent this thinking and there is an entire body of knowledge known as Business Process Modelling Notation (BPMN) to deal with the concept.
What is important to this presentation is simply that this framework provides a solid foundation for the employment of enterprise-wide risk management. Furthermore, this line of thought resonates with the changes apparent in the new versions of ISO standards as well as the requirements for integrated reporting.
Clause 4, of the new HLS, demands we understand the context within which an organisation operates and use this to define its scope, processes, and their interaction. Clause 6 demands we use this information to understand the risks and opportunities, within the context and the organisation’s business model, to prevent risk events relevant to the discipline in focus.
Adopters of this approach have plenty of evidence to quantify the business benefit available. This benefit is achieved through the reduction in process and other types of failure. By doing so the organisation improves its ability to deliver products and services consistently within the identified governance requirements. Consequently improving the value of the brand as well as the attractiveness to the market and investors.
The framework of Management System Standards controlling business processes provides a sensible structure to protect the organisation and its directors against potential liability whilst simultaneously removing loss, both actual and potential, from the organisation.
Examples of reduced costs and improved risk profile may be obtained through:
- Improved product reliability
- Better process control and flow
- More accurate documentation of processes
- Greater employee awareness
- Reductions in product scrap, rework, and rejections
- Fewer and less significant environmental impacts
- Improved and more consistent employment practices
- Fewer occupational-related injuries and improved health
- Reductions in energy consumption
- The reduced road accident rate
- Greater data security
- …
Conclusion
A well-implemented business management system that conforms to the requirements of (a) Management System standard(s), whilst adding profits through increased efficiency and access to markets, can simultaneously reduce overall business risk and prevent potential liability. It can also be audited and certified by a third-party certification body. Providing independent assurance of the arrangements in place.
ISO themselves state: “In a very small organization, there may be no “system”, just “our way of doing things”, and “our way” is probably not written down, but all in the head of the manager or owner.”
The larger the organisation and the more people involved, the more the likelihood that there are written procedures, instructions, forms, or records. These help ensure that everyone is not just “doing his or her own thing”, and that the organization goes about its business in an orderly and structured way. This means that time, money, and other resources are utilized efficiently.
To be really efficient and effective, the organization can manage its way of doing things by systemizing it. This ensures that nothing important is left out and that everyone is clear about who is responsible for doing what, when, how, why, and where.
Large organizations, or ones with complicated processes, could not function well without management systems. Companies in such fields as aerospace, automobiles, defense, or health care devices have been operating management systems for years. Using the latest thinking, these management systems will not only prevent risk events but also provide assurance to interested parties through third-party audits.
ISO’s management system standards make this good management practice available to organizations of all sizes, in all sectors, everywhere in the world.
Finally, by adopting the writer’s proposed approach the business will have a structured set of arrangements to deal with the areas under consideration of its Integrated Report.