7th October 2022

By Dr. Antonius Alijoyo

5 minutes' reading

Driven by the SDGs (Sustainable Development Goals), organizations around the world and across industries are pursuing credentials for implementing ESG (Environmental, Social, & Governance). SDGs are global goals set out by the United Nations, whereas ESG is a rating system used by companies to measure their environmental, social, and governance credentials (https://crmsindonesia.org/publications/sdgs-and-esg-overcoming-the-sustainability-risks/). The goal of an organization implementing ESG is to be an organization of integrity, ensuring that its values, ethics, statements, commitments, relationships, and transactions are a reality in practice.

However, understanding ESG is complex. Some focus on the E for the environment, others on the S, and others on the G. Despite this, all three are critical and intersect with each other:

  • Environment: covers and addresses the organization’s credentials of environmental performance, such as climate change, natural resource utilization, pollution and waste, biodiversity, carbon footprint, and emissions.
  • Social: covers and addresses the organization’s credentials of social performance, such as child labor, forced labor, socio-economic inequality, privacy, personal data use, diversity and inclusion, working conditions, health and safety, and product liability.
  • Governance: covers and addresses the organization’s credentials of governance performance and practices, such as anti-fraud, anti-bribery and corruption, anti-money laundering, internal controls over financial reporting, security, corporate conduct and behavior, anti-competitive practices, tax transparency, ownership, and structure.

Although there is no single global standard for ESG, some reporting guidelines can help an organization give its stakeholders more visibility of its ESG performance and credentials. The most popular is the Global Reporting Initiative (GRI), which was introduced at an early stage, and, now also widely used, the Value Reporting Foundation (the merger of the International Integrated Reporting Council (IIRC) and the Sustainability Accounting Standards Board (SASB)). Despite their best efforts, however, none of them is complete, as each takes a different perspective.

Therefore, organizations must develop a strategy and process that delivers what they need to report to their respective and/or interested stakeholder groups. In that situation, organizations need more structured guidance on delivering an ESG strategy and processes across the diverse areas of ESG. In other words, they need capabilities to perform ESG and hence to gain the corresponding credentials. It is at the level of capabilities that GRC comes to the surface.

As originally introduced by OCEG, GRC is defined as the integrated collection of capabilities that enable an organization to achieve objectives reliably, address uncertainty, and act with integrity (https://www.oceg.org/about/what-is-grc/). We start with the objectives (Governance) of the organization, which could be set at the entity, division, department, process, project, or asset level; from there, we have the context to manage risk as the effect of uncertainty on those objectives (Risk Management); and then we act with integrity (Compliance).

Organizations must set objectives for ESG overall, for each component or area of ESG, and for the various sub-elements. Once objectives are established, the organization can assess, monitor, and manage uncertainty against those ESG objectives. From there, the organization can provide assurance and report that it is operating with integrity in the context of its stated ESG statements, commitments, and obligations.

In short, ESG is a rating system used by companies to measure their environmental, social, and governance credentials, whereas GRC is a set of capabilities for bringing such credentials into reality as the basis for measurement and reporting.

Talking about capabilities, we can use the two most widely used references, i.e., the OCEG GRC Capability Model (https://go.oceg.org/grc-capability-model-red-book) and Integrated GRC using the ISO-based series of standards and/or guidelines (http://theigrca.org/2021/08/05/integrated-grc-using-iso-based-series-of-standards-and-or-guidelines/).

The GRC Capability Model has four components, Learn, Align, Perform, and Review, which apply explicitly to ESG as follows:

  1. LEARN: understand the context and map the reporting requirements and relationships.
  2. ALIGN: document ESG objectives and related risks, and design the overall program with appropriate policies, processes, monitoring, issue reporting, and assurance.
  3. PERFORM: put the designed program into operation, and communicate with and educate the stakeholder groups on their roles and responsibilities in ESG.
  4. REVIEW: conduct ongoing monitoring and reporting on ESG to the various stakeholders, and continuously improve ESG in the organization’s context and its broader objectives and operations.

Whilst the GRC Capability Model above emphasizes the fundamental cycle and logic of Learn-Align-Perform-Review in the ESG process, ISO-based GRC offers a more practical reference and a traceable process encapsulated in a standard-like form. Both are worth considering: the OCEG GRC Capability Model provides a more generic and fundamental approach, whereas the ISO standards provide more traceable and consistent practices. In short, both will help the organization establish its ESG performance credentials.

GRC is something organizations do, not something they purchase. No single technology solution does everything needed for GRC, and there is certainly none that does everything for ESG. Performance and objectives are achieved through the actions, behaviors, and transactions of the organization. There can be a core reporting and monitoring platform, but it requires integration with other business systems internally and with content providers externally.

Hope this short article is useful.

Dr. Antonius Alijoyo, founder of the Center for Risk Management and Sustainability (CRMS Indonesia) and Chair of the Supervisory Board of the Indonesia Risk Management Professionals Association (IRMAPA)