While The Economist may have characterised Environment, Social and Governance (ESG) investing in a July 2022 special report as having “turned from an investment craze attracting trillions of dollars on promises to make the world a better place into a source of eye-rolling cynicism”, it seems ESG-related risks are now firmly on the radars of the Chief Risk Officers of South Africa’s biggest listed enterprises.
Aprio Credence’s annual review of the published risk reports of JSE Top 40 companies shows that ESG risks only featured as a principal, standalone risk for one in six (16%) major enterprises last year. This year the figure is up by more than 20% – the biggest upward shift for any of the 78 different categories of risk featuring in our research. 37% of JSE Top 40 companies identified ESG issues as one of their leading risk concerns in their most recent integrated reports.
Not surprisingly, the Covid-19 pandemic risk saw a marked decrease in prevalence in the latest research, down 23% from the 2021 review, when 70% of the JSE Top 40 companies had this as one of their priority concerns.
It should also come as little surprise, that cyber security concerns remain the most common source of risk for South Africa’s leading public companies.
Our 2021 research showed that 86% of the JSE Top 40 companies had cyber security as one of their principal risks, with that figure slightly down to 81% in the 2022 research. Our view is that while cyber-attacks and breaches are still increasing across the globe, leading companies are increasingly feeling better prepared, and traditional media are paying less negative attention to incidents because they are becoming so commonplace.
The Institute for Crisis Management’s (ICM) most recent report into global media coverage of reported crises, appears to support this view. In its annual review released in August 2022, the ICM reports that media coverage of cyber incidents was at its lowest level in 2021 since the ICM began tracking this category in 2014.
“The percent of cyber stories we tracked in 2021 decreased by nearly half, despite reports that cyber-attacks were on the rise during the year,” says the ICM, noting that ransomware has emerged as the top threat, as hackers have figured out that it is an easier, more profitable venture than other forms of cyber threats.
Following closely behind cyber risk in terms of the Aprio Credence 2022 research into the JSE Top 40 companies’ risk registers, was regulatory and compliance risk. 76% of companies reported regulatory and compliance risk as a major concern, followed by macro-economic risk at 63% prevalence.
Perhaps of some surprise – albeit not to the executive heads of People/Human Resources, no doubt – is that people-related risks were ranked as the fourth most common source of articulated risk for these JSE Top 40 companies. This risk, which primarily relates to finding and retaining the right skills, is up by 11% from our 2021 research – arguably demonstrating that the ‘war for talent” is a major concern in the South African boardroom.
Of personal disappointment to Aprio Credence, given our focus on reputation risk and resilience, is that reputation risk appears to be slightly dropping off the risk radar as a standalone, principal risk. Only one-in-five companies identified reputation risk as a primary concern in our 2022 research, the lowest prevalence for this category of risk since we started the review three years ago. It could be argued, however, that reputational risk is being accounted for in the higher ranking for ESG factors, as an outcome of environmental, social and governance issues.