To be sustainable over the long term, a company needs to take into account the broader network of relationships in which it operates. This includes suppliers, customers and surrounding communities.
Stakeholders can have a positive or negative influence on a company depending how effectively they are managed. Their impact could be acute and negligible over the short term, but could also be long-term and substantial. It is therefore important for companies to have an enterprise risk management framework that helps them identify their major stakeholders, understand the associated risks and opportunities, and prioritize them for engagement and management.
2021 engagement case studies
Cybersecurity risks are ever present and are a key risk for almost all businesses. Ensuring cybersecurity and data protection will only become more complicated and material to managing business risks. With this in mind, and with the expectation of more regulations to govern these issues, companies need to regularly review and enhance their cybersecurity and data protection. Board governance of the subject is becoming crucial.
American grocery store retailer The Kroger Company has seen two significant security breaches in the last two years. The most recent breach happened in early 2021 and was the result of a breach at one of the company’s third-party vendors.
Accellion, a third-party vendor providing secure file transfers, notified Kroger of an unauthorized access to its data in 2021, due to a vulnerability in Accellion’s file transfer service. We engaged the company to request better disclosure of the data breach, including efficacy of its vendor management program and the steps the company has taken to safeguard against similar issues.
Kroger informed us of some of the key elements of their data privacy and cybersecurity program and governance. Kroger shared that they are currently in litigation with Acellion and thus limited in the information they can share about this incident. The company has already discontinued the use of Accellion product. It conducted a forensic investigation to identify the full impact of the breach. It has also started to notify individuals whose data may have been compromised and has set up a monitoring program for individuals impacted by the breach.
We expressed our concerns for heightened cybersecurity risk at traditional retailers given their access to large volumes of data. In addition to the vast amount of sensitive customer data, which makes them a target for cyber-attack, their further entry into online sales and delivery has exposed them to new sources of cybersecurity risks as they collaborate to expand their online presence.
Outcomes and next steps
We expect Kroger to disclose key learnings from this incident and the steps they have taken to mitigate this risk in its next ESG reporting. We also encourage more disclosure around data ownership and control when the company enters into collaborative relationship.
InterContinental Hotels Group (IHG), UK
InterContinental Hotels Group (IHG) was the focus of a cyberattack in 2017. The incident involved customer payment card-stealing malware. We have continued to engage the company around its cybersecurity procedures since the incident.
In 2017, attackers installed malware on the company’s servers, compromising the hotels' payment card processing systems, which in turn ingested information contained in credit card tracks such as cardholder names, card numbers, and internal verification codes. The leaked information enabled cards cloning and fraudulent payments.
In 2021, we engaged the company to ask for an update of their cybersecurity program, including the new measures being taken to alleviate cybersecurity risk and the governance of the board on this subject. The company reported that, on average, each employee spends two hours annually on cybersecurity risk training. IHG further reported that it has adopted the latest best practices for managing cybersecurity talent, including regular performance checks, retention programs, and personal development plans. The Chief Information Security Officer is in charge of the implementation of the firm’s cybersecurity strategy and the Board receives cybersecurity risk metrics on a quarterly basis. IHG reported that the 2021 budget for cybersecurity was over $30m, largely in-line with 2020 budget.
IHG indicated that its global privacy program covers a wide range of responsibilities, including ongoing monitoring of new privacy developments, regular privacy reporting to the board’s audit committee and update of privacy notices. In 2021, the initiatives IHG focused on included data minimization and removal and compliance of new privacy requirements in different countries. The company has adopted KPIs for measuring cyber maturity, high-risk assets, resources and budget spend, external threats and other areas.
IHG has indicated that practices are internally and externally audited and reviews are conducted to ensure that the validity and stringency of their cybersecurity risk program is kept up to date.
Outcomes and next steps
We note IHG’s implementation of an enhanced cybersecurity risk platform and practices to manage cybersecurity and data protection.
All companies pursing sustainable growth have to consider the sustainably of their supply chain. There are many issues involved in the supply chain and companies should have measures to govern its direct suppliers. Among all settings, we view ethics and compliance as the most important attributes of suppliers that companies need to monitor.
Technology companies are particularly vulnerable to forced labor in their supply chains due to extensive use of migrant labor in the manufacturing of technology and electronics products in emerging markets, and the protracted supply chains of many ICT products. The sector has faced increasing scrutiny around its failure to adequately address labor abuses connected to products sold to millions of customers across the world.
We engaged Hitachi on how it addresses the risk of forced labor in its global supply chains and asked the company to enhance its management of this issue. Hitachi established a Human Rights Policy in 2013 that stated clearly their respect for human rights in their Sustainable Procurement Guidelines. The company explained that it had been briefing its suppliers to ensure they are aware of the policy and the guidelines. The company is seeking implementation of the guidelines by its major suppliers, requesting self-inspections using a check sheet, and providing feedback on the results to the internal procurement department. We asked the company to disclose the status and results of supplier audits, particularly regarding the on-site audits, and to disclose how the results would mitigate the risk of forced labor. We believe the number of reviews conducted was small, and that the scope of reviews had been limited and thus, the risk could persist in its supply chain.
Outcomes and next steps
We suggested the company increase the frequency and scope of its supplier monitoring program with regards to human rights and will check for improvements in 2022.
Voting on stakeholder engagement
Voting on stakeholder engagement issues is less common than other ESG factors. However, in certain cases where we believe a company’s leadership has not sufficiently accounted for the needs of their broader network of stakeholders, we will vote against board directors.
2021 voting case study
Voting issue: Community rights
Rio Tinto, Australia/UK
Mining company Rio Tinto Plc has been under scrutiny to strengthen its governance practices on the board and have a robust cultural heritage program since the events at Juukan Gorge. In 2020, the expansion of Rio Tinto’s iron ore mine at Juukan Gorge resulted in the destruction of a 46,000-year-old sacred site to the Traditional Owners. At this year’s annual general meeting, a resolution to re-elect the sustainability committee chair was up for review.
We have had extensive engagement with Rio Tinto since the events at Juukan Gorge. They have reviewed their internal processes and consulted with Traditional Owners and stakeholders, leading to strengthened internal practices, policies and governance practices, with additional disclosure. The company will establish an Indigenous Advisory Group (IAG) to ensure Rio Tinto has a better understanding of Indigenous culture and issues in Australia, including at the board level.
Outcomes and next steps
After deliberation, we elected to vote against the re-election of the chair of the Board's sustainability committee as there had to be accountability for the events that occurred at Juukan Gorge.
Certain client strategies invest on the basis of sustainability/Environmental Social Government (ESG) criteria involves qualitative and subjective analysis. There is no guarantee that the determinations made by the adviser will be successful and/or align with the beliefs or values of a particular investor. Unless specified by the client agreement or offering documents, specific assets/companies are not excluded from portfolios explicitly on the basis of ESG criteria nor is there and obligation to buy and sell securities based on those factors.