As investors are busy flipping pages of companies’ annual reports in the current reporting season, one of the key statements in an annual report is the statement on risk management and internal control.

The statement gives assurance to stakeholders that risk management and internal control system are operating adequately and effectively in all material aspects.

It also gives assurance that it is in line with the requirements set out within Paragraph 15.26 (b) of the Main Market Listing Requirements and the ACE Market Listing Requirement issued by Bursa Malaysia, as well as the Malaysian Code on Corporate Governance 2021 released by the Securities Commission.

In running a business or an organisation, risk management is a key element in determining the success or failure, especially when a catastrophic event strikes a company and the company is ill-prepared to handle the risk factor.

Prior to the once-a-century pandemic that hit all of us, not many companies had pandemic as a risk factor as it was never seen or thought to be able to bring down a company to its knees.

Well, today, from the experience of the past two years, practitioners are now including pandemic risk as one of the added risk factors when designing an enterprise risk management (ERM) framework.

Another recent example is when Malaysia adopted Section 17A of the Malaysian Anti-Corruption Commission Act 2009 with effect from June 1, 2020.

All companies are required to have in place adequate procedures to ensure they are able to capture corruption risk in the ERM.

Hence, within the ERM, there are now three broad sources of risk and they include business risk, financial risk and hazard risk.

To recap, business risk encompasses risk associated with compliance risk, operational risk and strategic risk.

Compliance risk is risk associated with government regulation and legal framework, as well as internal policies and guidelines.

Operational risk includes risk related to the business operation of the company and is mainly internal.

This includes human resources/labour risk, information technology and cybersecurity risk, safety risk, environmental risk and risk related to product/services offered by a company, and quality risk.

Under the strategic risk, this may include political risk, regulatory risk, culture risk, currency risk and even country risk.

When one is referring to financial risk, the risk here relates to market risk, credit risk and liquidity risk as well as cost controls, while hazard risk encompasses risk related to corruption, fraud, misconduct, litigation risk, property or fire risk as well as morale and reputation risk.

As ERM is an evolving framework and is not a static directive as to how a corporate should embrace risk, questions are being asked among companies and even among practitioners as to where does environment, social and governance (ESG) fit in?

ESG, being the flavour of the most talked-about single factor that determines where investors put their money in or pull their bets away, is being the focal point of compliance among companies today as sustainability issues take precedence.

However, with so much focus on ESG, where does ERM go? Is ESG part of ERM or is ESG now the mother of all ERM frameworks that companies can now abandon the latter and focus on just sustainability and ESG issues?

We are indeed at a crossroads and a clear path is needed to ensure companies are not misguided in terms of where the focus should be.

Introduced in 2014, the FTSE4Good Bursa Malaysia Index (FAGBM) is an index developed by FTSE Russell and highlights companies that are able to address ESG risks.

The ESG rating is derived by looking at the three key pillars within the ESG and companies are rated based on an objective assessment.

To be an index member, a company would need to score at least 2.9 or higher for index inclusion, in addition to passing certain additional screens which are negative screens.

Within the environment pillar, five key themes are included and they are climate change, water security, biodiversity, pollution and resources, and supply chain environment.

Under the social pillar, the five key themes are health and safety, labour standards, human rights and communities, customer responsibility and supply chain social.

Under the governance pillar, the four key themes are anti-corruption, tax transparency, risk management and corporate governance. Hence, we now have 14 different themes under the ESG-based F4GBM which some 79 companies have been able to pass with flying colours and included in the index.

On the other hand, under the ERM framework, which has three main sources of risk and perhaps more than 30 different risk factors, is a framework design for all companies and not just listed ones or those aspire to be included in the ESG-based index.

While the F4GBM ESG-based index does cover risk management as well as corporate governance and anti-corruption as some of the key themes, whereby the ESG ratings are then derived, the 14-theme assessment disregards other key risk factors.

This among others include all the financial risk factors, and some of the risk factors defined in the ERM framework under the business risk and hazard risk, which include political, country, catastrophic, property and fire risk, litigation risk as well as moral and reputation risk.

Clearly, the ERM framework is larger than what the ESG-based assessment is all about.

In addition, the ESG rating is calculated based on a company’s exposure (medium, low, high) and scores of between zero and five are given for each applicable ESG theme.

For ERM, the objective is not about “what is the score” but rather to identify the risk factors, measure them as to how the risk factors may impact the company and the likelihood of occurring, implement control measures, and monitor the risk parameters.

In essence, an ESG-based rating assessment has a very different objective than what an ERM framework does for a company. Hence, ERM is the overriding framework for the survival and sustainability of an organisation.

ESG permeates the framework and compels a corporate to view its risk from the external environment and its impact on the external environment.

With this, directors of companies should be aware embracing the ESG theme does not mean that their responsibility via the statement on risk management and internal control in the annual report is extinguished, but rather a greater responsibility is now bestowed upon them to ensure full compliance.

Pankaj C Kumar is a long-time investment analyst. The views expressed here are the writer’s own.

The article was first published here.

Photo by Nour Betar on Unsplash.

Photo by Lily Banse on Unsplash.