When we think about the Environmental, Social and Governance (ESG) obligations of companies, the focus is often on climate risk and social responsibility (or the ‘E’ and the ‘S’). Governance issues are critically important to the health of the business, and for transparent, well-rounded reporting.
Governance issues include things like:
- How decisions are made
- The role and make-up of the board of directors
- How responsibilities are distributed
- The purpose of the company
- Risk management
- Evaluating performance
- Remuneration and incentives.
If your business needs to publish ESG reporting, then all of these issues need to be considered.
But there are a few issues that you need to be particularly careful with, which can sabotage your credentials around governance.
Data protection issues can cost you financially in fines, but more importantly they cost you heavily in reputational damage.
We need only think about Facebook’s ill-advised decision to allow Cambridge Analytica to access private data of millions of users. Or, more recently, the damaging leak of personal details about police officers in the Police Service of Northern Ireland. These incidents have wide-ranging negative impacts on the organisations themselves, and on the innocent people whose data was shared.
Keeping a tight grip on your data protection compliance is paramount to good governance. That means:
- putting in place processes and tools for data encryption
- Having a robust policy in place for the use of personal data
- Responding promptly to Data Subject Access Requests
- Monitoring the practices within your organisation
- Considering policies to deal with Artificial Intelligence tools like Chat GPT. Employees should not be inputting any confidential data or personal information that could be used to answer other user’s questions.
Back in June 2023 we saw a high-profile cyber incident that exposed personal data to hackers from the likes of the BBC, British Airways, Boots and Aer Lingus. This was a targeted attack on a particular piece of software and demonstrates that businesses need thorough controls over their cyber vulnerabilities.
While there is no one-size-fits-all failsafe solution, a few practices can demonstrate good governance:
- Get certified by Cyber Essentials
- Create plans to respond to and recover from a cyber security attack
- Enlist the help of an independent expert reviewer to test and probe your cyber security
Diversity and Inclusion
Another high-profile governance issue in recent years is the make-up of the board of directors and the decision-makers in the business. While it may be going too far to promote positive discrimination, the board should be reflective of the organisation and wider society. Do you have women on the board, and people of different ethnicities?
Your D&I mission and strategy should form part of your reporting, including your current metrics and the programmes you have in place to promote diversity. Keep track of your gender pay gap and measure things like pay, recruitment, retention, advancement and representation.
If you’d like any help with updating your practices and policies relating to governance, please get in touch with us at SME Comply.