Technology's Impact on Risk and Stakeholders
Attention and inaction around technology is a strategic choice
It seems a badge of honor to add a letter to ESG for some companies. For example, in an attempt to transition away from harmful products (or marketing, if you are cynical), some tobacco companies have added an “H” at the end of ESG for “Health.” While this might seem to sit in the S and relates to customers as stakeholders, it is so material to their long-term transition that they added it as a whole other consideration.
For me, it’s less about the letters a company adheres to and more about its approach to material ESG topics. However, I believe one additional letter impacts all modern companies. You guessed it, T for Technology.
90% of the S&P 500’s value is intangibles, much of which resides in intellectual property, products, and services built on technology. When you hear cloud companies and consultancies talk about the power of digital transformation, its technology’s ability to be a core part of business and accelerate new opportunities that they are driving at.
The world sits in a “Fourth Industrial Revolution,” where accelerating technologies impact our businesses and lives in new ways. So it is no surprise that technology is being used to solve core ESG challenges and cutting across ESG as a new pillar with its own risks and opportunities.
Recently, I spoke at the University of Maryland’s ESG Conference about ESG and technology. So imagine my surprise and delight in uncovering back-to-back podcast episodes with three people I often turn to for leadership on this topic.
Clara Durodié is the author of Decoding AI in Financial Services (recommended) and hosts the Decoding AI podcast.
Dr. Andrea Bonime-Blanc is the Founder and CEO of GEC Risk Advisory LLC and the author of the book “Gloom to Boom” (recommended). In her book, she coined ESGT (check episode 4).
Charles Radclyffe is the CEO of EthicsGrade, which considers technology a measurable business risk across various companies (check episode 5).
Let’s frame this newsletter with a quote from Andrea:
The whole point of ESG+T is that we have a series or a portfolio of both risks and opportunities that fall into these really big categories. The environmental category, the social category, the governance category, and the technology category that business leaders must consider it part of their strategic thinking, risk management, and product and service development.
And with that, let’s get into two reasons why, built around these two podcast episodes.
Cybersecurity Risk
Having spent a long career in IT, I can attest that many boards, leaders, and managers view cybersecurity as an insurance policy. In many unfortunate cases, the cybersecurity team is left with a minimum budget and poor tooling to uncover a breach. Still, this material risk looks an awful lot like a climate risk with similar consequences. Cybersecurity is an unknown risk, like an extreme weather event brewing in the background, hitting suddenly, and leaving stakeholders dealing with the fallout. In fact, cybersecurity insurance is now facing constraints similar to those caused by extreme weather in the global reinsurance markets.
In her interview, Andrea coincidentally called out an example I presented at the University of Maryland, the Colonial Pipeline ransomware attack. The Colonial Pipeline is responsible for providing the east coast of the US with about 45% of its fuel. An attack on its billing system through an unsecured VPN system, which could have been prevented with Multi-Factor Authentication, caused the pipeline to shut down for the first time in its history.
The near-term result was constrained fuel availability in the northeast and a short price jump, impacting consumers and businesses downstream. However, the long-term effects are still playing out:
Within three days, we saw President Biden’s Cybersecurity Executive Order.
Several Security Directives from the Department of Homeland Security targeted at critical pipeline infrastructure providers followed.
A year later, the SEC recognized the materiality of cybersecurity and launched a draft proposal on reporting material incidents, risks, and disclosing board-level understanding of the topic, if any.
Let’s restate all of this through the lens of ESGT:
Because of a lack of technology investment, specifically around cybersecurity modernization, one company impacted regulations for an entire industry, country, and disclosure regime.
Yikes!
As Andrea put it, in today’s “continuous risks and crises,” it is no longer enough to rely on your cybersecurity team’s best efforts and provincial view (and budget) to keep you safe. Charles echoed this point, explaining that issues like this can’t necessarily be solved through the singular lens of compliance and regulations either. Instead, this is tied to good governance practices, which investors look at because it is material.
NOTE: I’m not going to cover it here, but it is worth checking out IBM’s annual Cost of a Data Breach report for more understanding of the financial impacts of cybersecurity.
The Importance of Stakeholders
As I wrote previously, it is no accident that the S is in the middle of ESG. Stakeholders (i.e. people) are in the middle. When adding on the T, it is no different. Technology impacts your stakeholders in various ways and even puts stakeholders at odds with each other, just like with many ESG issues.
When Charles and his team analyzed the animosity towards big tech in 2019, or the brewing ‘tech-lash’ (a material risk for big tech and social media companies), what was failing wasn’t the lack of compliance and risk from technology. Instead, it was the inability to integrate stakeholder needs into the technology product design.
When you look at the negative news stories from 2016 through to today…it was a breakdown of stakeholder engagement.
Charles is spot on here, and it doesn’t only apply to tech companies. For example, in 2019, Nature reported that a major healthcare software provider’s algorithm used in most US hospitals was inadvertently discriminating against black people because of how the system was designed.
Examples like this abound across technology, even in low-technology solutions and innovations. For example, consider how the seat belt, initially designed for men, put pregnant women at risk. When deploying any technologies and innovating, considering all stakeholders and their needs is an absolute must, and looking through the lens of ESG can help.
Charles has observed that the best organizations integrate these thinkers alongside their technology teams. After all, this can’t be the function of some centralized compliance organization that doesn’t understand the issue or the technology. He gives us an encouraging push forward, calling out that it isn’t necessary to reinvent new processes for these issues. Businesses likely already have processes they can apply to technology in their existing application of ESG practices. It must be an integrated partnership across stakeholders who understand the risks, the technology, and the material challenges being solved. From here, the impact on stakeholders as the technology consumer can be better managed.
Innovation and technology at the intersection of growth and scale
As we’ve seen, when deploying technology, stakeholders must be considered; otherwise, the opportunity that innovation presents can become a risk. To the first point, cybersecurity helps protect stakeholders and your business.
But what about inaction entirely?
For years, my job was to sell companies on digital transformation. The idea was simple: Move your business workloads to the cloud, take advantage of new capabilities to modernize, and serve your downstream customers better and more efficiently. Like anything in sales, it was presented as a panacea (even though there is no such thing). But, over time, the cloud’s flexibility has become table stakes. It allowed companies to modernize processes to compete in a constantly shifting world that expects never-ending growth.
With that in mind, let’s turn to a recent news item that shows the power of technology inaction, but first, a story.
This Christmas, I listened to a relative tell a story about a significant life change he is considering. He is leaving a steady, life-long military job for the private sector to be a pilot. As he weighed his options on which airline to choose, a couple of considerations came to mind.
The company that would give him the most time possible with his family
The company that had weathered recessions without massive layoffs
The perceived stability and profitability of the company over time
What did his connections at the prospective airlines think
While career growth was table stakes, these other factors weighed heavily on his mind to the point where they led to his decision. ESG practitioners will recognize these as S and G issues that can help attract and retain talent. It was no surprise that the company he landed on was Southwest Airlines.
If you check Southwest’s ESG scores, they are pretty decent. While every airline struggles with the environment, there is no doubt that Southwest’s management of one of their most important stakeholders (employees) earns them high marks.
Still, last week Southwest canceled thousands of flights. The reason wasn’t an environmental risk, as we often see with extreme weather and flying. As the Dallas Morning News reported:
Southwest CEO Bob Jordan said in recent months that the company needs to make large improvements to technology infrastructure to prevent large-scale cancellations, particularly those that reschedule flight attendants and pilots.
In a memo sent to employees Sunday, Watterson said Southwest’s systems are “overmatched in situations of this scale.”
This was no cybersecurity risk, compliance issue, or massive cloud outage but a simple lack of investment in technology modernization. As a result, the legacy systems could not scale to the pressures of modern travel, leaving Southwest’s most valued stakeholders in the lurch. Per CNN’s interview with US Transportation Secretary Pete Buttigieg:
"From what I can tell, Southwest is unable to locate even where their own crews are, let alone their own passengers, let alone baggage," said Buttigieg, adding that he also spoke with leaders of the airline's unions representing flight attendants and pilots.
Now, Southwest is using technology to mitigate the situation with a website designed to help customers deal with the challenge. Like Colonial Pipeline, this could have ripple effects across the airline industry, but it is too early to see the long-term impacts.
Still, it’s an unfortunate example of how technology’s intersection with stakeholders, here in the form of inaction, damaged the brand’s reputation.
Adding the T is warranted
Technology and innovation have similar risks and opportunities to the rest of ESG, but ignoring it seems only fraught with risks. It needs closer attention since technology is core to businesses and stakeholders. Since the release of “Gloom to Boom” in 2019, I’d say the uptake in the T is slow or non-existent, but let’s face it, companies are still struggling even to get their hands around ESG issues, let alone the T. ESG was first coined in 2004, so it has been quite some time.
Here it’s worth noting that 2004 was three years before the first iPhone, so who knows if the T would have been added on had ESG been coined just a few years later?
Considering technology alongside ESG is still a nascent idea, and groups like the Center for Long-Term Cybersecurity (CLTC) at UC Berkeley are researching it and asking great questions like, “How could digital security sit beside climate and workplace safety as mainstay elements of corporate responsibility?”
To learn more about the first two topics and the thought leadership coming out of CLTC’s working groups, I recommend checking out Dr. Jordan Famularo’s latest article.
But let’s close out this week with a quote from Andrea, who brings the G back in with a clarion call for all leaders. She reminds us all that inaction isn’t an option.
The time of sitting on the board is over, the time of serving on the board is now necessary.