Companies manage risk on a continuing basis, striving to achieve effective business operations while allocating resources to manage risk and performance. From an environmental, health and safety (EHS) perspective, risk is often focused on managing compliance, while more significant business risks extend well beyond statutory EHS compliance.

This article examines EHS and carbon risk and performance management from an enterprise risk management perspective. With an understanding of risk and the traditional ways in which EHS risk is managed, selected business risk frameworks are presented along with examples of how EHS and carbon risk and business performance can be achieved.

What is Risk?

If you ask different managers or executives about their most critical risks, they will have different opinions on the type and significance of corporate risks. Their views reflect a combination of the perceived impact a risk might have on the company (i.e., inherent risk), how prepared the company is to address the risk (i.e., residual risk), how much risk the company is willing to assume (i.e., risk appetite), and how variable the consequences of the risk may be (i.e., risk tolerance).

Effective management of risk requires consideration of several factors as well. Companies often take risks to grow, to improve performance, and to achieve business objectives. But risk has an alter ego—opportunity. Consider the energy company that explores for and produces oil and gas. It is taking a risk that sufficient resources are available to justify the substantial investment required to locate and develop the resource, as an asset and as a source of revenue.

We all observe and experience risks every day of our lives. One just needs to read a newspaper or periodical, or watch the news to glean a perspective on risk, which can include commodities (oil prices), finance (global economic uncertainty), weather (frequency and severity of storms), data security (commercial security breaches), chemicals (impact of discarded pharmaceuticals) and others.

Several benchmarking studies shed light on the state of companies’ risk management activities and on how EHS and carbon risk is viewed. A 2010 survey by the Federation of Risk Management Associations concluded that companies believe risk management activities are correctly embedded in reporting to the Board of Directors (78% of respondents; a healthy view of ultimate corporate accountability). Additionally, legal/regulatory/compliance requirements and catastrophic events (i.e., bad things happening) were identified as the primary external factors triggering risk management. The top risk concerns from an AON 2009/2010 Australasian risk management survey were brand and image, corporate governance, human resources and business interruption, with natural disasters/climate change and environmental impact in 18th and 19th places, respectively.

While functional risks like EHS need to be managed, they are a component part of a company’s business risk universe and are not mutually exclusive. These statistics suggest that there is a need for a broader view of risk, and how EHS and carbon risk fits into the picture.

Traditional Approaches to EHS Risk Management

EHS professionals are keenly aware of the EHS risks that companies face in the course of conducting business. The nature and extent of these risks vary, based on industry- and facility-specific operations, and encompass a broad spectrum of multimedia environmental and health and safety risks. The typical sequence followed by companies to embrace more robust risk and performance management is illustrated in Figure 1 below:

[Figure 1: typical sequence toward more robust EHS risk and performance management]

Legislative and regulatory means are first used to manage identified risks to society, which has resulted in a formidable and complex EHS regulatory framework in the U.S. and globally. In response, companies seek to systematically identify and mitigate compliance and other risks through the development of EHS management system frameworks and standards (e.g., ISO 14001:2004, OHSAS 18001:2007) that enable a structured, process-driven approach to EHS compliance and risk management. These systems are built around a commitment to compliance, with the intent to identify aspects/impacts or risks/hazards, to manage significant (or material) risks, and to achieve continual improvement.

Companies aspire to performance beyond compliance by integrating EHS management into the fabric of their operations, programs, and even strategy through participation in voluntary regulatory programs (e.g., OSHA’s Voluntary Protection Program), or voluntary initiatives related to sustainability and carbon performance (e.g., Dow Jones Sustainability Index, CDP’s Carbon Disclosure or Carbon Performance Leadership Indices, Global Reporting Initiative). Some companies choose to implement operational excellence/integrity systems as well, that integrate EHS management with operational and business risk management.

The operational excellence approach explicitly links EHS and carbon risk management into business performance management. By doing so, risk management is addressed across the business’s processes, operations and value chain, as illustrated below:

[Figure: operational excellence; EHS and carbon risk management linked across processes, operations and value chain]

Thus, companies can manage EHS, carbon, and business risks as inextricably linked, such that it is not possible to manage EHS and carbon risks and performance independent of enterprise-wide business risks. We will briefly examine three business risk frameworks as one basis for better understanding this linkage.

Business Risk Management Frameworks

There are numerous frameworks and standards for managing business risks, individually and collectively, a sampling of which is listed below.

[Figure: sampling of business risk management frameworks and standards]

The following discussion provides a brief overview of selected frameworks/standards.

ISO 31000 Risk Management – Principles and Guidelines – This ISO standard includes three integrated elements: principles, risk management framework, and risk management process. It is built around the plan-do-check-act model as a basis for achieving continual improvement. The process addresses risk identification, analysis and evaluation of risk, and treatment of residual risk within tolerable levels. The standard advocates the development of formal risk treatment plans to document how selected risk treatment options will be implemented. This standard is supported by ISO/IEC 31010, Risk Management – Risk Assessment Techniques, which provides guidance on the selection and application of systematic techniques for risk assessment, many of which are used by EHS professionals (e.g., HAZOP, environmental risk assessment, Monte Carlo, cost/benefit analysis).

COSO Enterprise Risk Management – The Committee of Sponsoring Organizations of the Treadway Commission developed this framework for enterprise-wide risk management. It is a process designed to provide reasonable assurance around a business entity’s ability to achieve its business objectives, categorized as strategic, operations, compliance, and reporting (financial and non-financial). Risks are identified and assessed, with responses intended to address risk within an entity’s risk appetite and risk tolerance. The framework applies across the entire enterprise (e.g., corporate, divisional, business unit, facility, functional) and comprises eight interrelated components that must be in place to ensure achievement of business objectives. Several of these components should be familiar to EHS professionals, particularly those involved in EHS management systems and risk management. The framework can be implemented at the corporate, facility or functional levels.

[Figure: COSO enterprise risk management components]

ISO 22301 Business Continuity Management Systems – This new ISO standard, part of ISO’s societal security series, addresses business continuity management (BCM) systems. It has its roots in the British Standards Institution’s BCM standard BS 25999 and addresses business continuity, disaster recovery, and crisis management. The ISO standard specifies requirements for organizations to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to prepare for, respond to, and recover from disruptive events. It emphasizes setting objectives, monitoring performance, and using metrics; sets clearer expectations for management; and calls for enhanced planning and resource preparation to ensure business continuity. Key components of BCM include business impact analysis, risk assessment, and response planning, which includes development of incident management plans, business continuity plans, and business unit recovery plans.

Considering these risk management frameworks, there are several common attributes represented by each:

  • Full integration into the entity’s governance structure
  • Full accountability for risks, controls, and risk treatment/management
  • Setting and measuring performance against objectives
  • Explicit consideration of risks and the application of risk management in all decision making
  • Effective communication with internal and external stakeholders
  • Continual improvement

And because these frameworks are all built on setting and achieving business objectives, business performance is integral to each of them.

Managing EHS & Carbon Business Risk and Performance

In order to effectively manage risk and performance, one must understand how EHS and carbon risks integrate within business risks. A few simple examples are illustrated below:

[Figure: examples of business risks with EHS and carbon elements]

Each of these business risks includes specific EHS and carbon elements; however, their implications extend well beyond EHS considerations alone.

Let’s consider an example of disaster recovery and contingency planning. There are many contingency planning requirements within U.S. EPA, OSHA and other regulations including SPCC Plans, Stormwater Pollution Prevention Plans, Risk Management Plans, Facility Response Plans, and others. EPA provides a mechanism to integrate these and other plans into an Integrated Contingency Plan so that the requisite response to an event can be more effectively managed to protect human health and the environment. This relationship is illustrated below.

[Figure: relationship between regulatory contingency plans, the Integrated Contingency Plan, and business continuity]

However, consider whether events that would require response under any of these plans might result in a disruption of a company’s business continuity (e.g., IT systems, operations, supply chain), such as from a massive oil spill, off-site chemical or waste release, or serious industrial accident that may affect human health, the environment, and assets within and beyond the boundaries of a facility. Integration of these considerations in a company’s (or facility’s) Business Continuity Plan would seem to be necessary.

It is interesting to note that business continuity planning for many universities already encompasses environmental safety and occupational safety and health considerations, including:

  • Campus emergency response
  • Investigating accidents, incidents, exposures and discharges
  • Emergency communication equipment and vehicles
  • Secure radiation facilities
  • Access to PPE, MSDSs, chemical inventories

These considerations, along with other critical business processes, can be classified as high priority for recovery with no allowable downtime, and are explicitly integrated into the Business Continuity Plan.

Consider an example that leverages the ISO and COSO risk standards to evaluate a selection of business risks. A tabular summary of each risk, the associated rationale, relative likelihood and impact is provided below.

[Figure: risk chart listing each risk, rationale, relative likelihood and impact]

A traditional assessment of EHS/carbon risk would typically examine the first three risks, and possibly the fourth from an EHS data management perspective. In this case, the risk of GHG legislation/regulation is the most significant, given the cited circumstances.

However, if broader business risk is considered, the landscape of this assessment changes, as illustrated in the heat map below.

[Figure: likelihood/impact heat map of the assessed business risks]

With limited resources to improve management of and reduce these risks, items (1), (2) and (6) are the top priorities. Workforce turnover/retirement is the highest risk. Note that potential retirees will include experienced employees involved with plant operations, as well as those in environmental operations and in maintenance of environmental control and monitoring equipment. The potential for GHG legislation/regulation is self-evident; we now have the GHG/Title V Tailoring Rule, and U.S. EPA is likely not yet finished. The lack of a monitoring system on the process waste line does not allow for immediate detection of a release. While these scenarios are hypothetical, they illustrate that EHS and carbon risks may not be the most significant risks across this enterprise, but they can be affected by broader business risks.

Effective management of EHS and carbon risk and performance must consider the broader implications represented by a company’s business and thus can only be assured through:

  • Tone at the top, with executive and Board ownership and accountability
  • Effective corporate governance
  • A clear understanding of the risk environment within which the company operates
  • Engagement with internal and external stakeholders
  • Use of a wide-angle lens to assess and prioritize risks
  • Performance measurement against defined objectives
  • Effective communication, internally and externally

These tenets apply whether one considers risk and performance at the corporate, facility or functional level, as business complexity creates numerous linkages within and between operations and functions.