The recent survey by The Conference Board of 750 CEOs and other C-suite executives finds that the combination of the war in Ukraine, supply chain shortages, inflation, and the prospect of recession is moving cybersecurity, crisis management, and risk management to the head of the line for CEOs. Addressing these three issues, which are traditionally grouped under the “G” in ESG, is a far higher priority than addressing “E” topics such as renewable energy and “S” topics such as suppliers’ respect for human rights. Indeed, some may read the results of the survey and be discouraged that only about a quarter of CEOs are stepping up their efforts on renewable energy or environmentally and socially responsible supply chains.
But those who are concerned that environmental and social issues may be taking a back seat should instead take heart. As CEOs and boards focus on issues such as cybersecurity, crisis and risk management, supply chain resilience, and energy price volatility, there is an opportunity for them to do so through a broader ESG lens. That broader perspective can improve companies’ response in the short run and prospects in the medium and long term.
Insights for What’s Ahead
• As companies grapple with energy shortages and supply chain disruptions, they should consider how a broader ESG perspective can help shape solutions. While 55 percent of CEOs cite energy price volatility as the number one impact of the war in Ukraine, just 28 percent of CEOs globally (and 36 percent of C-suite executives) say their organizations are accelerating progress toward the use of renewable energy. While renewable energy does not provide a complete or immediate solution to the current energy shortages, companies should consider how they can make it an integral part of their response.
Similarly, 53 percent say they are focused on making their supply chains more resilient, but only 27 percent say they are focused on making their supply chains more environmentally responsible, and 22 percent are addressing the social responsibility of their supply chains. Research from The Conference Board suggests that companies should consider shifting to regional and domestic suppliers and diversifying supply sources away from high-risk areas and China.
In so doing, companies can allow resilience and responsibility to work hand in hand. It won’t do much good to shift a company’s supply chain to an environmentally vulnerable area or to start doing business with suppliers with weak human rights records in countries without a strong rule of law. That is just setting the company up for needing to pull up stakes and relocate its supply chain yet again in the not-too-distant future.
• As companies enhance their risk management programs, they should be sure to take sustainability and compliance into account. Over half of CEOs say they are focusing on enhancing their risk management programs because of the war in Ukraine. As we discussed in Aiming for Alignment in Compliance, Risk Management, and Sustainability, the war presents an opportunity—and, indeed, a responsibility—to ensure that both the compliance and sustainability functions have a seat at the table when reassessing the company’s risk management program. The engagement of compliance is critical because of the likely enduring nature of sanctions against Russia and others. Twenty percent of CEOs cited compliance with sanctions against Russia as a key impact on their business; even more tellingly, 62 percent of CEOs support “secondary sanctions” that put pressure on third parties to stop their activities with Russia.
Further, sustainability can, among other things, help ensure that companies view risk through a multistakeholder lens. As we discussed in Sustainability During a Geopolitical Crisis, a robust sustainability program can help during a crisis. By their very nature, effective sustainability programs require a high degree of horizontal collaboration across an organization, openness to ideas from unconventional sources, and an ability to “look around the corner”—all of which can speed the response and spur innovation during a time of crisis.
• Cybersecurity risk now promises to be met with action and should be viewed as an ongoing ESG priority. CEOs rank cybersecurity as the third most important direct effect of the war in Ukraine on business operations. Notably, the 47.1 percent of CEOs citing cybersecurity risk as a key area of impact is just about matched by the 44.8 percent who say they are stepping up their crisis management efforts and the 52.6 percent who are focused on enhancing their risk management efforts. This is a good sign, as we’ve seen cybersecurity rise to the top of a company’s agenda after incidents such as the SolarWinds hack, only to fall off the radar as things settle back to normal or as other crises take their place.
[Figure: CEOs’ views on the impact of the Ukraine war and the actions they are taking]
As we recently outlined in How Companies Can Address Cybersecurity in a Sustained Way, cybersecurity deserves ongoing board and CEO attention for several reasons. After focusing its cyberattacks in support of its war in Ukraine, Russia is likely to redirect its attacks elsewhere; beyond state-sponsored attacks, unpredictable and volatile players are aggressively using ransomware; and there is increased regulation in both the US and Europe focusing on disclosure and resilience.
Boards need to ensure that the company has the essential components of an effective cybersecurity program, including (among others):
• Effective risk management, including an inventory of all software assets; due diligence in the vendor supply chain; constant surveillance to detect threats; ongoing simulation of attacks; adequate cyber insurance; and training for all staff on how to avoid, detect, and act during cyber incidents.
• An effective incident and crisis response plan, including a playbook for ransomware attacks and protocols for communicating about cyberattacks (including complying with proposed SEC disclosure requirements and the US Cyber Incident Reporting for Critical Infrastructure Act).
Beyond those essential steps, boards should view cybersecurity as an ESG priority. Cyberattacks can have far-reaching social and environmental consequences, and they can call into question the board’s governance capabilities. As with other ESG priorities, boards should ensure that C-suite executives are fluent on cybersecurity topics and focused on key risks and opportunities as part of ongoing discussions of business strategy.
The war in Ukraine is causing CEOs to take a fresh look at a whole host of business issues. As CEOs do so, they would be well advised to look at those topics through a broader ESG and multistakeholder lens. While companies often need to make difficult choices—including temporarily increasing reliance on fossil fuels or less socially responsible sources of key business inputs—at least being aware of the broader ESG implications of a company’s actions can help improve decision-making in the short run and can position the company for a better future.