Benefits of Linking Incident Tracking and Enterprise Risk Management

Organizations should consider linking ERM and incident tracking programs together, in order to improve the effectiveness of both.

June 7, 2022

What are Enterprise Risks and Business Incidents?

Risks are uncertain events that may or may not happen in the future. They are assessed based on the likelihood they will occur and the impact they would have if realized.

“Enterprise” risks are simply risk events that, because of their nature or their magnitude, would have a meaningful impact on an organization’s strategic objectives. In many cases, organizations take steps to lower risk levels by identifying the root causes of risks and taking preventative steps to reduce risk likelihood and impact.

This is an uncertain exercise that requires judgement. Fortunately, it can be improved with structured qualitative analysis methods (e.g. risk bow tie diagrams) and by leveraging data from past experiences.

Figure 1. Example risk analysis using a Risk Bow Tie diagram in Essential ERM®

Incidents, in contrast, can be thought of as risk events that have actually occurred. Risks are uncertain. Incidents, for the most part, are concrete. Within an incident, something has happened - or at least come close enough to happening (i.e. a “near miss”) - for a more definitive analysis of the root causes and impacts of a specific business event.

Processes and nomenclature for incident management are most clearly defined within IT, cybersecurity, and health and safety practice, and incidents in these areas are often managed in separate organizational silos.

In reality, however, disruptive events can occur across a wide range of business areas. Examples of incidents that could harm a business and its stakeholders include: the loss of key services (to clients, partners, and staff), cyber attacks, data losses, injuries, accidents, theft, fraud, environmental spills, lawsuits, loss of important clients, defection of key staff members, confidentiality breaches, negative press, discrimination, harassment, assault, bullying, policy violations, legal violations, labor violations, human rights violations and many more.

Incidents can also include near misses and impending threats, such as narrowly avoided accidents, exposure to hazards and dangerous materials, unsafe acts and conditions, and general staff concerns.

Finally, some practitioners take an even broader view, also considering events that have a positive impact on an organization and its objectives. They use their event tracking processes and tools to capture staff suggestions, extraordinary contributions, acts of kindness, and other beneficial events.

Incident management is the process by which organizations identify, track, analyze, and respond to business events that harm (or help) the organization and its stakeholders. The process typically includes steps for short-term response and recovery, as well as root cause analysis and corrective actions to improve performance in the future.

1. Improved decision making and better ERM risk assessments

Linking and analyzing data from past incidents (quantitative analysis) within current enterprise risk assessments (qualitative analysis) can improve assessment quality and subsequent decision making. Business users often find enterprise risk assessments to be an abstract exercise, especially when attempting to predict the likelihood of future potential risk events. This task gets even trickier when trying to assess the effectiveness of controls designed to reduce likelihood and impact (e.g. assessing inherent risk versus residual risk).

This is where data and past experience can help. Drawing upon quantitative data from related incidents creates a closed-loop process that reduces the guesswork and subjectivity of qualitative likelihood and impact assessments of future potential risk events.

While it is true that most individual incidents will not directly affect an organization’s strategic objectives, they may have a material impact when grouped together through proper analysis and when effectively linked with risks in the ERM program. At the very least, incidents often serve as early indicators of brewing problems or emerging opportunities.
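The closed loop described above, as an added example that is not part of the original article and not code from Essential ERM: a constructed incident log is linked to risk register entries by an assumed `risk_id` field, incident history is aggregated into an evidence-based likelihood (events per year, near misses included) and impact (worst single loss and aggregate annual loss), and the result is compared with the rating a risk workshop assigned. The rating bands, risk identifiers, and losses are all assumptions made for the example.

```python
"""Closing the loop between an incident log and a qualitative ERM risk rating.
Constructed example: the incident records, risk IDs and rating bands below are
assumptions, not data from the article or any real ERM product."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    incident_id: str
    risk_id: str       # link to the ERM register entry (assumed field name)
    occurred: date
    near_miss: bool    # near misses count toward likelihood but carry no loss
    loss: float        # realised financial impact in currency units


# (lower bound, score, label); the highest band whose bound is met applies.
LIKELIHOOD_BANDS = [  # events per year
    (0.0, 1, "Rare"), (0.2, 2, "Unlikely"), (1.0, 3, "Possible"),
    (4.0, 4, "Likely"), (12.0, 5, "Almost certain"),
]
IMPACT_BANDS = [  # loss per event or per year
    (0.0, 1, "Insignificant"), (10_000, 2, "Minor"), (100_000, 3, "Moderate"),
    (1_000_000, 4, "Major"), (10_000_000, 5, "Severe"),
]


def band(value, bands):
    """Return (score, label) of the highest band whose lower bound <= value."""
    score, label = bands[0][1], bands[0][2]
    for lower, s, lbl in bands:
        if value >= lower:
            score, label = s, lbl
    return score, label


def evidence_rating(incidents, risk_id, start, end):
    """Aggregate the incidents linked to risk_id within [start, end]."""
    years = (end - start).days / 365.25
    if years <= 0:
        raise ValueError("observation window must be positive")
    linked = [i for i in incidents
              if i.risk_id == risk_id and start <= i.occurred <= end]
    realised = [i for i in linked if not i.near_miss]
    per_year = len(linked) / years
    worst = max((i.loss for i in realised), default=0.0)
    annual_loss = sum(i.loss for i in realised) / years
    return {
        "events": len(linked),
        "near_misses": len(linked) - len(realised),
        "events_per_year": round(per_year, 2),
        "likelihood": band(per_year, LIKELIHOOD_BANDS),
        "worst_event_impact": band(worst, IMPACT_BANDS),
        "aggregate_annual_impact": band(annual_loss, IMPACT_BANDS),
    }


def compare(workshop, evidence):
    """Return the band difference (evidence minus workshop) where they diverge.
    Impact is compared on the aggregate annual figure: many individually
    insignificant incidents can add up to a material loss."""
    gaps = {}
    like_gap = evidence["likelihood"][0] - workshop["likelihood"]
    if like_gap:
        gaps["likelihood"] = like_gap
    imp_gap = evidence["aggregate_annual_impact"][0] - workshop["impact"]
    if imp_gap:
        gaps["impact"] = imp_gap
    return gaps


# Constructed two-year log. R-17: frequent, small phishing-led losses.
# R-03: one large loss in the window, one older record outside it.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "R-17", date(2020, 2, 10), False, 4_000.0),
    Incident("INC-002", "R-17", date(2020, 4, 22), True, 0.0),
    Incident("INC-003", "R-17", date(2020, 6, 15), False, 6_000.0),
    Incident("INC-004", "R-17", date(2020, 7, 30), False, 3_000.0),
    Incident("INC-005", "R-17", date(2020, 9, 3), True, 0.0),
    Incident("INC-006", "R-17", date(2020, 11, 18), False, 8_000.0),
    Incident("INC-007", "R-17", date(2021, 1, 12), False, 5_000.0),
    Incident("INC-008", "R-17", date(2021, 2, 25), False, 2_500.0),
    Incident("INC-009", "R-17", date(2021, 4, 8), True, 0.0),
    Incident("INC-010", "R-17", date(2021, 5, 19), False, 7_000.0),
    Incident("INC-011", "R-17", date(2021, 7, 27), False, 4_500.0),
    Incident("INC-012", "R-17", date(2021, 9, 14), False, 9_000.0),
    Incident("INC-013", "R-17", date(2021, 10, 29), True, 0.0),
    Incident("INC-014", "R-17", date(2021, 12, 6), False, 6_500.0),
    Incident("INC-015", "R-03", date(2021, 3, 3), False, 250_000.0),
    Incident("INC-016", "R-03", date(2019, 11, 20), False, 50_000.0),
]
WINDOW = (date(2020, 1, 1), date(2021, 12, 31))
# Assumed workshop rating for R-17: "unlikely, and each event is trivial".
WORKSHOP_R17 = {"likelihood": 2, "impact": 1}

if __name__ == "__main__":
    ev = evidence_rating(SAMPLE_INCIDENTS, "R-17", *WINDOW)
    print("R-17 evidence:", ev)
    print("R-17 gaps vs workshop:", compare(WORKSHOP_R17, ev))
    print("R-03 evidence:", evidence_rating(SAMPLE_INCIDENTS, "R-03", *WINDOW))
```

For R-17 the worst single event stays "Insignificant", which is what a workshop judging one phishing email at a time would record, but fourteen linked events in two years put likelihood at "Likely" and the aggregate annual loss at "Minor", two bands and one band above the qualitative rating respectively. R-03 shows the opposite profile, a single in-window event that is "Unlikely" but "Moderate" in impact, and the record from 2019 is excluded because the window is fixed before aggregation.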

2. Improved buy-in and adoption for ERM programs

Business managers and front-line users typically understand and accept their responsibility for preventing and managing incidents. Creating a linkage between incident programs and ERM can help extend that sense of responsibility to the ERM program as well. After all, enterprise risks are just potential future incidents that are also owned by the business. In this way, linking incidents and ERM can help improve organizational buy-in for ERM.

3. Improved executive support for incident management activities

Finally, linking incidents with enterprise risks can help to elevate the visibility and demonstrate the business value of incident management programs. Instead of being seen as merely an operational activity, an incident program can be recognized for what it really is - a valuable source of quantifiable data that can improve decision making, strategy execution and ERM.

The challenge in effectively linking incident management with ERM, however, is dealing with high volumes of incidents and separating the "signal from the noise" to draw meaningful insights.