Risk management procedures are intended to protect a company’s long-term viability amid dynamic markets and regulatory changes. In today’s economy, companies face a rapidly growing challenge—and opportunity—to expand their businesses and create value. The increasing physical, regulatory, reputational, and financial impacts of sustainability issues, including environmental, social, and governance (ESG) concerns, are compelling companies to take a broader view when identifying and managing risks. CPAs are grounded in a pragmatic and multidimensional risk management approach and therefore well positioned to assess ESG issues and help organizations make more informed operational and strategic decisions.

The Changing Landscape

According to Ocean Tomo’s “2015 Intangible Asset Market Value Report” (http://bit.ly/23I35mo), only 16% of the market value of the S&P 500 can be traced to physical and financial assets. The remaining 84% of corporate value is tied to intangibles such as intellectual capital, human capital, brand and reputation, and relationships with suppliers, customers, and other external stakeholders. A broader corporate perspective on value protection and value creation is integral to business success in the 21st century.

Corporate risk management is evolving to respond to the needs and requests of various stakeholders, such as investors, employees, customers, suppliers, and regulators, as well as the local communities in which the company operates. Stakeholders seek to understand the broad spectrum of complex risks that companies face in order to confirm that such risks are effectively managed across the enterprise. Enterprise risk management (ERM) provides a consistent framework for identifying, assessing, mitigating, and monitoring risk across the business by taking risk management out of siloed functions, aligning processes and procedures across the organization, and incorporating internal controls. This approach equips companies to address risks and opportunities more proactively and may protect and create value for stakeholders.

Risk Registers

While some organizations have advanced their risk procedures with ERM, their risk registers have not necessarily matured at the same pace. A risk register formalizes the identification, assessment, and management of risks and opportunities in a way that facilitates wider consideration by management and the board. Risk registers also allow management to compare disparate risks on like terms (e.g., monetary impact). Nonfinancial environmental and social risks are often unintentionally omitted from risk registers or masked by more traditional risk categories and thus are often not included in key risk management discussions. While organizations may communicate environmental and social activities externally to the public, the internal lack of an integrated risk approach may indicate that sustainability and corporate responsibility activities are “bolted onto” rather than “baked into” company strategy and operations, preventing functional managers from securing the necessary resources to effectively manage these associated risks and realize opportunities.

Shareholders are now taking notice of this. According to a 2015 global Ernst & Young report (“Tomorrow’s Investment Rules 2.0,” http://bit.ly/1qecoNz), most investors factor ESG information into their decision-making. A notable 71% of the 211 institutional investors participating in the survey considered ESG data essential or important when making investment decisions, up from 61% in 2014. Furthermore, 62% considered nonfinancial information relevant to all sectors. Finally, more than one-third of respondents reported cutting their holdings of a company in the last year due to ESG risks, and an additional quarter of respondents planned to monitor ESG risks closely in the future.

Integrated Risk Management Frameworks

The confluence of risks and opportunities associated with environmental, social, and economic performance has made sustainability a strategic business priority. A 2013 Ernst & Young report (“Turning Risks Into Results,” http://bit.ly/1se6uxY) found that organizations with more mature risk management practices outperform their peers financially. The leading companies from a risk maturity perspective implemented on average twice as many of the key risk capabilities as those in the lowest-performing group. In addition, companies in the top 20% of risk maturity generated three times the level of earnings before interest, taxes, depreciation, and amortization (EBITDA) as those in the bottom 20%.

Integrating sustainability into the components of the ERM framework established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was detailed in a 2013 Ernst & Young report with Miami University (“Demystifying Sustainability Risk,” http://bit.ly/1T5qhJI). COSO has historically provided a good ERM starting point for organizations by enabling them to understand key risks across the business and helping them to identify, address, and monitor those risks. The COSO framework also provides valuable guidance to organizations in managing nonfinancial risks.

COSO identifies the following competitive advantages for including sustainability in an ERM framework:

  • Alignment of sustainability risk appetite to the organization’s corporate strategy and the new world view of company value
  • Expanded visibility and insights relative to the complexity of today’s business environment
  • Stronger linkage of company values and nonfinancial impacts to the organization’s risk management program
  • Better ability to manage strategic and operational performance
  • Improved deployment of capital


In a recent World Economic Forum survey (“New Models for Addressing Supply Chain and Transport Risk,” 2012, http://bit.ly/1VTvqXE), more than 90% of respondents indicated that supply chain and transport risk management has become a greater priority in their organizations over the last five years. In addition, there has been an increase in supply chain regulations around product stewardship, human trafficking, and conflict minerals.

In recent years, there has been an increasing international focus on conflict minerals emanating from mining operations in the Democratic Republic of the Congo (DRC) and adjoining countries. Armed groups engaged in mining operations in this region are believed to subject workers and indigenous people to serious human rights abuses and are using proceeds from the sale of conflict minerals to finance regional conflicts.

On July 21, 2010, in response to these concerns, the U.S. Congress enacted legislation requiring certain public companies to disclose the use of specified conflict minerals originating from the DRC and nine adjoining countries. The intent of the provision, known as section 1502 of the Dodd-Frank Act, was to make transparent the financial interests that support armed groups in the DRC area. By requiring companies using conflict minerals in their products to disclose the source of such minerals, the law aimed to dissuade companies from continuing to engage in trade that supports regional conflicts. Section 1502 is applicable to all SEC issuers (including foreign issuers) that manufacture or contract to manufacture products where “conflict minerals are necessary to the functionality or production” of the product. The industries most likely to be affected include electronics and communications, aerospace, automotive, jewelry, and industrial products.

Where to Start

CPAs and accounting and advisory firms are well positioned to offer guidance and independent assurance on sustainability issues for their clients. By aligning traditional organizational priorities with ethical and responsible corporate practices, they can help clients achieve tangible financial returns while mitigating critical ESG risks. Questions CPAs can present to the audit committee include:

  • When did the company last revise its risk register?
  • Is the chief sustainability officer involved in making the risk register?
  • How is the risk register revised?
  • Does the risk register take into account the material risks of key stakeholders such as primary investors, core suppliers, and customers?
  • How is the risk register made complete?
  • What types of nonfinancial risks are considered?
  • How does the ERM process drive operational excellence?
  • Does the ERM approach consider all material nonfinancial aspects of the business?

Sustainability issues have significant, lasting impacts on inventory management, supply chain procurement risk, resource availability, price volatility, and human well-being. Re-engineering processes and restructuring organizations to provide expanded visibility and insights into the complexity of today’s business environment can be messy. By broadening the risk management perspective, improving risk registers, and integrating sustainability with traditional risk areas, organizations can improve functional leadership and realize opportunities to manage strategic and operational risks and performance more effectively.

Brendan LeBlanc, CPA, CIA is a partner at Ernst & Young LLP.
Jacob Kislevitz is a manager at Ernst & Young LLP.