October 4, 2023

What is ESG?

Bottom Line: ESG is becoming more important to donors, employees, partners, and other stakeholders. Non-profit risk managers need to be prepared to answer tough questions about how their organization is managing critical ESG risks.

ESG Basics for Non-Profits

ESG refers to environmental, social, and governance factors in an organization’s operations. There is no universal definition that quantifies every element of ESG, which gives each organization the flexibility to focus on the aspects that are important to them. Common ESG elements are noted below.

  • Environmental – carbon emissions, water consumption, waste management, biodiversity
  • Social – diversity, equity, and inclusion (DEI), workplace safety, human rights, data security
  • Governance – risk management, board independence, data privacy

How is ESG different from initiatives I already have?

Environmental, social, and governance issues are often at the core of a non-profit’s mission. Many non-profits have already committed to diversity, equity, and inclusion (DEI) initiatives through a values statement on their website or annual report.

The current focus on ESG is different in that it is accompanied by an expectation of accountability and transparency. There is a strong emphasis on measuring and reporting the organization’s progress on its chosen ESG metrics. This makes active management of ESG risks critical for non-profit organizations.

Is ESG Relevant to Non-Profits?

Corporations are under increasing pressure to take ESG seriously, given the U.S. Securities and Exchange Commission’s proposal for a climate change-related disclosure and the European Commission’s Corporate Sustainability Reporting Directive. While non-profits do not face these same regulatory pressures, ESG is relevant for many non-profit stakeholders:

  • Partners and Communities – Your partners and communities may benefit from increased transparency, especially surrounding issues such as safeguarding.
  • Donors – Reliable reporting on ESG metrics can make your organization more attractive to donors.
  • Employees – Talent management is more challenging than ever and employees – especially millennials and Gen Z – want to work at organizations that care about ESG.
  • Media – Proper governance and organizational ethics (such as a whistleblower program) can help your organization limit or stay ahead of privacy breaches or scandals.

Identify ESG Risks

An ESG risk assessment can start with your organization’s current risk register, as ESG risks are often closely related to other types of risks that your organization may have already identified. It can be helpful to add an ESG classification to existing risks, in addition to their usual risk taxonomy. For example:

Environmental Risks
Non-profits that cannot demonstrate a commitment to emissions reductions or other environmental goals could risk missing funding opportunities. Risk managers could categorize this risk as both a funding risk and environmental risk.

Social Risks
Many non-profits identify employee turnover as a key risk. If attrition is due to workplace issues such as pay inequity or lack of diversity, turnover could be considered both an operational risk and a social risk.

Governance Risks
A cybersecurity attack that compromises private information from donors, beneficiaries, or partners could be categorized both as an IT risk and a governance risk.

The next step in your ESG risk assessment is to identify any additional ESG risks to your organization. For example:

  • Reputational Risks – Has your organization made a public pledge to meet an ESG goal by a target date? If so, what are the reputational repercussions if the goal is not met?
  • Greenwashing Risk – Is there a risk that your organization will present misleading ESG data to stakeholders? Can your organization ensure that the ESG data included in your annual report is complete and accurate?
  • Third-Party Risks – Is your organization using third parties to track emissions or other ESG data? If so, your organization should incorporate these third parties into your evaluation of third-party risk.
  • Compliance Risks – While it is unlikely for a non-profit to be subject to the same regulatory requirements as public companies, your organization may need to comply with data privacy laws or other types of ESG regulations. Has your organization performed a review to determine whether there are any new regulations that it will need to comply with?

Once your organization has developed a list of ESG risks, risk managers can help their organizations prioritize these risks and develop action items to address the top ESG risks. ESG is a rapidly evolving area, which means that risk managers will want to re-evaluate their inventory of ESG risks on a frequent basis to ensure that all relevant risks are captured in the risk management process.

GRF Can Help

GRF’s Enterprise Risk Management practice can help your organization incorporate ESG risks into your existing risk management process, or help you create and implement an overall risk management program if you’re just getting started. We work with non-profit organizations of all sizes.

If you would like to speak with us, please reach out to us directly at the contact information below.

Kristen Ocampo, CPA, CIA, CFE

Risk & Advisory Services Supervisor

Melissa Musser, CPA, CIA, CITP, CISA

Partner and Director, Risk & Advisory Services