The Big Four released a set of metrics today for companies to use for environmental, social and governance reporting internationally. It includes 21 core and 34 expanded metrics and disclosures ranging from climate change and nature loss to dignity and equality.
According to the white paper released by the World Economic Form’s International Business Council (IBC), “IBC members reaffirmed the significance of environmental, social and governance (ESG) aspects of business performance and risk in creating long-term value.”
The authors flagged “the existence of multiple ESG reporting frameworks and the lack of consistency and comparability of metrics as pain points preventing companies from credibly demonstrating to all stakeholders their progress on sustainability and their contributions to the SDGs.”
The existence of numerous competing ESG reporting frameworks and the lack of consistency and comparability of metrics have no doubt posed problems as ESG has moved into the mainstream. But more standardized reporting alone will not lead to better risk management tools that can help investors maximize the value creation potential and minimize the value destruction potential. This requires not just standardized metrics but metrics in dollar terms. As Cyberhedge has done with cyber risk, this is what will help investors actually transparently price ESG risk rather than primarily make normative statements about current and future performance.
A second issue is the positioning of cybersecurity in the framework. We’ve made the case that cyber is the most important governance issue today. Yet Boards of Directors and senior management find it challenging to manage in part because it is not reported on in financial terms like all other key business risks.
The new framework places cybersecurity under the ‘Principles of Governance Pillar’, but it is framed as a data stewardship issue. Though the paper correctly refers to the ‘material and even existential’ consequences of data loss and system failure and calls for more early engagement from boards on cyber risk, the framework does not appear to capture cyber risk metrics in a manner befitting of the degree of impact it has on value creation. This starts with dollar-based metrics for cyber as Cyberhedge has already proven through our indices that such metrics are predictive of market performance.