Due Diligence: Using ESG as a Risk Mitigator

Although seldom apparent in financial statements, environmental, social and governance deficiencies can come out of nowhere and slam investors.

Art by OYOW

ESG has become controversial as an investing thesis, with critics—mainly politicians in red states—arguing that only standard financial data, meaning earnings and revenue, should be employed when making investment decisions.

Politics aside, a strong argument exists that investors are well served if they tap an extra source of information to detect any hidden problems within a company in which they are investing that could end up harming their stakes. Using an environmental, social and governance lens can help scrutinize companies for weaknesses that may harm their portfolios.

Pity the poor stockholders in Enron, the ill-fated energy and commodities company, where accounting fraud masked significant financial vulnerabilities. While a short-seller warned that Enron’s accounting was sketchy, many investors ignored the admonishments and bought the company line that its operations were too sophisticated for small minds to comprehend. Its 2001 bankruptcy filing cost investors an estimated $74 billion.


The term ESG was not known then. The concept now is widespread and gaining ground despite the controversy surrounding it. Ashby Monk, the executive and research director at Stanford University’s Long-Term Investing Research Initiative, sees ESG as a good investment risk minimizer.

“You’re not trying to prevent your portfolio from all harm in the world through expensive hedging,” he told an Australian conference in March. “You are making your portfolio and your organization better at dealing with the harm that seems to be increasingly inevitable.”

Measuring ESG qualities involves analyzing information disclosed in compliance with the Sustainability Accounting Standards now overseen by the nonprofit IFRS Foundation, but it goes beyond statistics. This is often a qualitative exercise.

If a chemical plant long ago buried barrels of toxic waste on its property and the poison seeps into the community’s groundwater, it will be a tragedy for residents. At the same time, the factory’s corporate owner and its shareholders could face financial liabilities. The presence of those barrels is not something listed on a P&L statement. The same goes for corporate risk stemming from sexual harassment in the workplace and poor management oversight.

Looking Beyond the P&L

The rap on ESG, in its opponents’ eyes, is that it is a pact among tree-huggers who want to push companies into money-losing practices that torpedo earnings and share prices. “ESG is a direct threat to the American economy and individual economic freedom,” read a state press release supporting Florida’s ban on the practice in state government investing. The anti-ESG devotees tend to ignore the other side’s protests that the concept is an extra level of due diligence and that nobody wants to hobble profitability to satisfy some left-wing fantasy.

ESG “has become a political piñata,” says Rick Funston, CEO of Funston Advisory Services. “There is tremendous confusion about what it means.” He advises pension fund clients to explain to beneficiaries how their review of ESG factors meets fiduciary duties and bolsters the fund’s long-term well-being.

For political leaders in energy-producing states such as Texas and Oklahoma, ESG is synonymous with prohibiting investing in fossil fuels, which they argue would cost the states jobs and lead to energy shortfalls. A number of endowments and public pension programs—notably the University of Michigan and three New York City employee retirement funds—have divested (or are in the process of divesting) from fossil fuels.

Nevertheless, other allocators and asset managers insist they are not against carbon-based investments. Scott Barrington, CEO of North Sky Capital, a private equity and infrastructure investment firm, says that when officials from Texas and the like ask if his firm excludes energy investments, “the answer is, ‘No.’” Yet there is another dimension to the firm’s investing strategy. North Sky has put money into projects that “displace fossil fuels,” like biodiesel and renewable natural gas.

Plus, North Sky holds portfolio companies responsible for cleaning up ecologically damaging practices. One example is ensuring that pharmaceutical companies do not release untreated water used in making drugs, which Barrington says can create “a toxic stream.”

At its core, ESG is about performing in-depth questioning of companies as a means of “making smarter investments by screening them for potential risks and opportunities,” he says. Examples: Do companies “have good morale” and “allow employees to have input”? His firm scans social media and the news media and performs other background checks. “Has there been fraud or bankruptcies or unfair labor practices?” he asks.

“More information is better than less information,” says Andrew Siwo, the director of sustainable investments and climate solutions at one of the nation’s largest public pension programs, the New York State Common Retirement Fund (assets: $241 billion). “It is doubtful that the best investment decisions are made with less information. There is potential materiality in non-quantitative factors, which aren’t necessarily equivalent to nonfinancial factors.”

New York Common (which is divesting from some energy stocks) is an allocator with a strong commitment to assessing its investments in ESG terms. The fund is on the lookout for what its strategy statement calls “sound ESG practices at the companies in its public equity portfolio.” This involves checking out a company before the fund invests and afterward keeping tabs on the business.

Siwo’s team at the New York state plan regularly talks to company managements and directors and often backs proxy resolutions to push ESG goals. A notable victory was the 2021 campaign to elect two environment-minded directors to Exxon Mobil’s board, spearheaded by hedge fund Engine No. 1. Backing the challenge against the oil giant, New York Common joined forces with two other pension behemoths, the California Public Employees’ Retirement System and the California State Teachers’ Retirement System.

The Negative Examples

Unpleasant surprises have pounced on investors in recent years, all because no one was alert for weaknesses. “If management pays attention, they are prepared for” problems, says John Quealy, CIO of Trillium Asset Management, which sponsors ESG-oriented mutual funds and avoids fossil fuel investments.

That approach has led to decent returns, although as with anything else in the market, seldom smooth ones. “Sometimes we will be out of favor,” as when energy stocks are doing well, Quealy notes. Over the past five years, for instance, the firm’s ESG Global Equity Fund Institutional has trailed the S&P 500, albeit not by a wide margin: returns have been 10.9% yearly for the index, versus 8.8% for the fund. The fund has major positions in tech and financial stocks, and none in energy. The important point is that Trillium’s holdings have been largely free from scandal and business debacles.

The same cannot be said for several of these notorious cases, in which investors suffered as bad news surfaced:

Environmental. BP ended up paying an estimated $65 billion in fines and restitution costs after its epic oil spill from an offshore rig named Deepwater Horizon in the Gulf of Mexico. Judged the largest petroleum spill in history, the drilling platform’s 2010 accident fouled beaches, wetlands and fisheries. A White House commission blamed BP, along with rig operator Transocean and builder Halliburton, for cost-cutting and inadequate safety procedures.

Likewise, in 2015, U.S. regulators charged Volkswagen with installing software in its diesel cars that allowed it to cheat on vehicle emissions tests. The carmaker paid more than $25 billion in settlements. The U.S. Environmental Protection Agency discovered that VW’s autos emitted 40 times the amount of nitrogen oxide in real-world driving as they did during official testing.

Social. A sex discrimination lawsuit, based on documents dating back as far as 2018, charges that Nike is a “boys’ club” and a nest of gender discrimination and sexual harassment. A judge last year overturned a motion for class action status, leaving only 14 female plaintiffs, but that is under appeal. The sneaker maker denies any wrongdoing. Although no financial judgments have been levied, this conflict is a reputational headache for the company, which some say could have addressed complaints earlier.

By the same token, a federal jury in 2021 ordered Tesla to pay a Black former contractor $137 million over charges of racial discrimination. He charged that other Tesla employees had called him the N-word, told him to “go back to Africa” and drew racist and derogatory pictures that were left around the factory. The company denied the claims but said it had “come a long way” since the alleged incidents in 2016.

Governance. Scandal engulfed Wells Fargo, the nation’s fourth-largest bank by assets, over accusations that its employees opened unauthorized accounts for customers, who were then charged fees. The customers later found they had credit card, checking and savings accounts they never asked for. Beginning in 2016, the bank was charged some $7 billion in settlements for behavior that lasted more than a decade. Then in mid-May it paid another $1 billion to settle a class action suit accusing the lender of overstating its progress in fixing the unlawful practices.

Regulators found that the illicit practices stemmed from unrealistic sales goals that management imposed. Partly owing to the scandal, two CEOs departed over the past seven years, along with numerous executives, including one who was convicted of criminal behavior and faces up to 16 months in prison.

Similar reputational damage from lax supervision emerged in the data privacy imbroglio involving Facebook (now Meta Platforms). In the 2010s, personal data belonging to 87 million Facebook users was collected without their consent by British consulting firm Cambridge Analytica, mainly to be used for political advertising.

The social media company paid $725 million last year to settle lawsuits. It denied wrongdoing and said it had “revamped” its approach to privacy. Then in late May, Meta was fined $1.3 billion by the European Union for illegally storing data about European users on its servers. The company said it would appeal the ruling, which it called “flawed.”

In some cases, deficient ESG behavior leads to immediate loss in stockholder value. In others, the harm may be more subtle, tarring a reputation with long-lasting effects. But harm does ensue. Société Générale in 2020 released a study stating that, two-thirds of the time, companies encountering ESG troubles saw shares underperforming the broader market by an average of 12% over the subsequent two years.


Essential Prevention: Cybersecurity Has Never Been More Important

Allocators, money managers and regulators are realizing cybersecurity processes need continual updating.

Art by OYOW

The U.K.’s The Pensions Regulator, the regulatory body that protects workplace pensions, earlier this year put more than 300 pension plans on notice that they may have been compromised by a data breach at London-based Capita, a third-party administrator for the plans.

While it appears no participant data was impacted, an investigation is ongoing. Capita has data on hundreds of thousands of U.K. pension plan participants, and the potential impact of a breach is significant.

The attack—and another in the U.S. against retirement account portability platform The Retirement Clearinghouse that took place in March—highlights the need for institutional investors to pay special attention to cybersecurity, not just internally, but also at vendors and in their investments.

Cyberattacks are on the rise, and allocators, investors and retirement plans all make for high-value targets. The way adversaries target organizations is also becoming more sophisticated. In some cases, organizations may not even be aware their systems are compromised if an attacker has tricked someone into giving information away voluntarily.

Financial regulators are trying to catch up to the growing threat: In the U.S., the Securities and Exchange Commission and the Department of Labor have recently issued new cybersecurity guidelines and proposals for allocators, asset managers and broker/dealers.

When it comes to cybersecurity, institutional investors need to be thinking on multiple levels. Internally, the organization itself must be protected, and its employees trained to minimize vulnerabilities. At the vendor level, allocators have a tendency to herd into the same vendors, and that tendency could work against them, as with Capita, if they all face the same attack at the same time. Finally, allocators need to consider risk in terms of due diligence on their investments.

“The issue, to date, has largely been misanalyzed as a technical/operational issue,” said Larry Clinton, president and CEO of the Washington-based Internet Security Alliance, speaking at The Forum by CIO in May. Cybersecurity “is an enterprise-wide, risk management issue.”

More than strong passwords

In day-to-day operations, cybersecurity practices are often maligned. Everyone knows and hates the process of having a “strong” 14-character password that is impossible to remember, then getting a text with a code, then telling a robot you aren’t a robot before finally being allowed to log in. Biometrics might be easier, but does anyone really want to hand biometric data over to an employer?

So everyone ends up back at password, code, puzzle, login. Even with all of that, data from PwC says only 14% of companies made it through the past three years without a data breach. Perry Carpenter, the strategy officer at cybersecurity training firm KnowBe4, says much of the problem lies in the approach to cybersecurity.

“All we have to do is look around and see that this is not a solved problem by any means,” he says. “A lot of our procedures work against human nature, and it makes people want to opt out. Many times, organizations aren’t invested in regularly updating and patching systems, which makes them vulnerable. If you focus on patching and work on the human level, you could thwart 90% of attacks.”

According to Carpenter, working “on the human level” involves more than basic cybersecurity training that reminds people to watch out for phishing emails; it also includes thinking through the variety of ways people access systems and making it as easy as possible to secure that environment.

“Heaping steps on people is going to make them look for ways to get around the steps,” he explains. “Once they do, they’ll be happy, but they have also just found a vulnerability in your system. It’s likely adversaries have or will find it too.”

Carpenter adds that technologists tend to think new technology will solve everything. Cybersecurity staff might focus on getting the newest security technology in place, but doing so means that old systems are quietly falling out of date, creating new entry points for digital adversaries. “Patching is an important practice, because all it takes is one point of entry, and a system can be compromised,” Carpenter says. “You might hope that the new system will catch it, but they often don’t until it’s too late.”

Clinton, whose organization, along with the National Association of Corporate Directors, has published cyber-risk guidance for global corporate boards, advised: “Boards should view cyber-risks from an enterprise-wide standpoint and understand the potential legal impacts. They should discuss cybersecurity risks and preparedness with management and consider cyber threats in the context of the organization’s overall tolerance for risk.”

Vendor diligence

Process and patching are just as important for vendors. Allocators should be asking firms they work with about their approach to cybersecurity. Jack Tamposi, associate director for the U.S. Institutional practice at consultancy Cerulli Associates, says cybersecurity is one of the most frequently outsourced services, and cybersecurity vendors also provide advice on compliance and regulatory issues. This means allocators need to ask if their administrators and other third-party vendors—like Capita—are contracting out their cybersecurity and, if so, what that process looks like.

Kristopher ‘Kriffy’ Perez, a co-founder of Global PayTech Ventures and a senior advisor at the Future Today Institute, recently experienced first-hand what it means to apply due diligence to vendors. Perez advises on cybersecurity from an investor perspective through his work at Future Today and also makes investments in financial services companies through his work at Global PayTech Ventures.

Perez recently overhauled the third-party process at Global PayTech after an adversary gained access to the system and impersonated a member of the investment team via email. The adversary got close to adding themselves as a contact with Global PayTech’s bank and even created fake partner email addresses to make it look like everyone was on board.

This type of attack, called business email compromise, is often targeted at investors and financial firms because it is hard to detect and can result in successful wire transfers to the adversary before anyone recognizes the breach. Recovering those transfers, if they’ve been voluntarily authorized by someone appearing to work for the investor, is difficult. In Perez’s case, the attack was caught by third-party security systems before any money changed hands, but it did lead to an internal examination of vendor relationships.
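The two tell-tale signs in the incident above, a trusted colleague’s name on an address the firm does not control and “partner” addresses that only look like the real ones, can be checked mechanically on inbound mail. The following is an added example for this article, not code from Global PayTech or any vendor named here; every name, domain and message in it is constructed, and the Reply-To check is a widely used additional signal that the article does not itself describe.

```python
"""Lightweight business-email-compromise (BEC) screening over mail headers.

Rules (defender side):
  1. display_name_impersonation: From display name matches an internal person,
     but the sending address is not on an internal domain.
  2. lookalike_domain: the sender (or Reply-To) domain is not one we trust, yet
     sits within a couple of edits of a trusted domain (dropped, swapped or
     substituted character), the usual shape of a fake "partner" address.
  3. reply_to_mismatch: replies are steered to a different domain than the From
     address (added signal, not taken from the article).
All reference data below is constructed for the example.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List, Optional, Tuple
import unicodedata

INTERNAL_DOMAINS = {"example-capital.com"}                       # constructed
PARTNER_DOMAINS = {"example-bank.com", "fundadmin-example.com"}  # constructed
INTERNAL_PEOPLE = {"alice chen", "bob okafor"}                   # constructed payment approvers
LOOKALIKE_MAX_DISTANCE = 2


@dataclass
class Finding:
    message_id: str
    rule: str
    detail: str


def normalize_name(name: str) -> str:
    """Fold case, Unicode compatibility forms and spacing so 'ALICE  Chen' == 'alice chen'."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].casefold()


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, O(len(a)*len(b)) row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_under(domain: str, trusted: set) -> bool:
    """Exact match or a subdomain of one of the trusted domains."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def closest_trusted_domain(domain: str) -> Optional[Tuple[str, int]]:
    """Nearest trusted domain within LOOKALIKE_MAX_DISTANCE, or None."""
    best = None
    for t in INTERNAL_DOMAINS | PARTNER_DOMAINS:
        d = levenshtein(domain, t)
        if d <= LOOKALIKE_MAX_DISTANCE and (best is None or d < best[1]):
            best = (t, d)
    return best


def check_message(message_id: str, from_header: str,
                  reply_to_header: Optional[str] = None) -> List[Finding]:
    findings: List[Finding] = []
    display_name, from_addr = parseaddr(from_header)
    from_domain = domain_of(from_addr)

    # Rule 1: an internal person's name on an external address.
    if normalize_name(display_name) in INTERNAL_PEOPLE and not is_under(from_domain, INTERNAL_DOMAINS):
        findings.append(Finding(message_id, "display_name_impersonation",
                                f"'{display_name}' sent from external domain {from_domain}"))

    # Rule 2: untrusted domains a few edits away from a trusted one (From and Reply-To).
    reply_domain = domain_of(parseaddr(reply_to_header)[1]) if reply_to_header else None
    for dom in sorted({from_domain} | ({reply_domain} if reply_domain else set())):
        if not is_under(dom, INTERNAL_DOMAINS | PARTNER_DOMAINS):
            match = closest_trusted_domain(dom)
            if match:
                findings.append(Finding(message_id, "lookalike_domain",
                                        f"{dom} is {match[1]} edit(s) from trusted {match[0]}"))

    # Rule 3: replies diverted to another domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(Finding(message_id, "reply_to_mismatch",
                                f"From {from_domain} but replies go to {reply_domain}"))
    return findings


if __name__ == "__main__":
    # Constructed sample traffic: one clean message, one legitimate partner subdomain, three suspicious.
    samples = [
        ("m1", '"Alice Chen" <alice.chen@example-capital.com>', None),
        ("m2", '"Ops" <ops@mail.example-bank.com>', None),
        ("m3", '"Alice Chen" <alice.chen@gmail-example.com>', None),
        ("m4", '"Treasury Ops" <ops@example-bamk.com>', None),
        ("m5", '"Bob Okafor" <bob@example-capital.com>', "bob.okafor@example-capita1.com"),
    ]
    for msg_id, frm, reply in samples:
        for f in check_message(msg_id, frm, reply):
            print(f"{f.message_id}: {f.rule}: {f.detail}")
```

The rules are deliberately cheap so they can run on every message at the mail gateway; the edit-distance threshold of 2 is an assumption and should be tuned against the organisation’s real partner list, since short domains produce more accidental near-matches than long ones.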

“When someone tells you it was caught and it won’t happen again, you say, ‘OK, but this was a pretty elaborate attack,’” he says. “We felt it was necessary to look at what we could do to increase the complexity of our protection.”

Perez’s staff also took a deep-dive cybersecurity training program provided by the company’s bank to make sure its staff was on the same page. “There’s an opportunity when something happens to reinforce the process,” Perez says. “People care more; they aren’t complacent.”

Legal ramifications

A core part of any cybersecurity program is compliance. Without it, investors can end up with failed investments or fiduciary issues if adequate protections are not in place.

Gerry Stegmaier, a partner in the tech and data group at law firm Reed Smith, says from a fiduciary perspective, it is important to operationalize cybersecurity supervision.

“The distance from the server room to the board room is getting very short, and everyone from investors to regulators is starting to realize that cybersecurity isn’t a tick-the-box exercise—it’s a material governance issue,” he said.

Clinton’s remarks stressed similar points. He said it is crucial for boards of directors to understand “cybersecurity is not an IT-centric appendage issue, but rather needs to be woven into the full breadth of business decisions on an enterprise-wide basis,” adding that “boards should expect management to be able to assess cyber-risk in empirical and economic terms consistent with the business plan.”

To that end, Stegmaier says investors—whether looking at their own process, vendors’ processes or doing diligence on a potential investment—should look for the formal adoption of a cybersecurity program; regularly benchmark that program; and look for adherence to specific standards like ISO/IEC 27001, which is an international standard to manage information security.

“You want to be able to look at the repeatability, sustainability and demonstrability of a cybersecurity program,” he says.

That framework should apply even if an allocator is just looking at becoming a limited partner in an investment fund, not making direct investments in specific companies.

“Often the way an asset manager approaches cybersecurity in their fund is a proxy for how they will do it downstream in portfolio companies or other investments,” Stegmaier explains.

Putting such processes in place can also help mitigate fiduciary risks.

“Perfect security doesn’t exist,” Stegmaier says. “So there is a tendency to focus on resiliency: How fast can we respond when something does happen? But if you do that, you’re going to build into your program an under-investment in prevention, detection and remediation response. You’re going to have many more incidents that are otherwise easily preventable. And from a legal perspective, there’s a much greater probability that your performance will be deemed inadequate.”
