Security of Critical Infrastructure: ESG and the Human Factor – Why personnel security must be a core feature of ESG strategy

Prologue

Environmental, Social, and Governance (ESG) is now a decisive force in investment and corporate strategy.  The Global Sustainable Investment Review 2022 reported that ESG investing has captured more than US$30 trillion in assets.

Setting aside debates about ideology and contemporary drivers, ESG’s practical purpose is to balance risk and return in external investment choices, while shaping how companies invest internally to preserve enterprise value whilst meeting ESG aspirations and obligations.

While the Environmental and Governance components have historically received most attention, the Social element is less well-defined and mature.  The Social components addressing human rights, occupational health and safety, and community relations have strong linkages with Governance’s human capital, business ethics, and corporate governance.  All of these human-centric elements carry inherent people-related risks which, in security jargon, reside under the label of ‘personnel security’.

The ESG reset: aligning purpose, performance and profitability

As the ESG landscape evolves, organisations must rethink their approach to sustainability, risk, and long-term value creation.  Boards and executives face heightened pressure to integrate ESG into enterprise strategy without compromising commercial outcomes.  With that objective, Boards and executives must seek activities that deliver positive outcomes to more than one component of the enterprise.

This ‘rethink’ demands balancing stakeholder expectations, regulatory shifts, and opportunities for sustainable growth.  For companies managing critical infrastructure assets, integrating personnel security into ESG strategy is central to safeguarding purpose, performance, and profitability.

The new ESG landscape: expectations and accountability

The days when ESG disclosures were largely voluntary are ending.  Regulators, rating agencies, and investors now scrutinise disclosures with growing intensity.  In Australia, mandatory climate-related reporting is in prospect, and in Europe and the U.S., ESG assurance is becoming standard.  Stakeholders expect Boards to demonstrate not just environmental stewardship but also resilience against operational and security shocks.

Security failures now directly impact ESG scores.  Downgraded ratings, higher insurance premiums, and investor withdrawal are the new consequences of poor workforce assurance.  Directors must recognise that investors and regulators increasingly interpret insider threat, cyber security, and workforce controls as governance issues, matters of fiduciary responsibility rather than optional operational enhancements.

ESG and personnel security risks: the missing link

ESG performance is traditionally measured against an array of indicators, which are weighted 43% for environmental, 34% for social, and 23% for governance (Morningstar, 2022).  Companies report on climate change, diversity and inclusion, and corporate governance structures.  What is missing is a structured approach to security risks, particularly those risks posed by people, given that people span all the functions of the enterprise and also of its supply chain.

Personnel security is the management of risks associated with people for the purpose of protecting information, assets, and people.

Given the span of personnel security within an enterprise – people are connected with every facet of operation and asset management – it is clear that any focus on ESG performance should take into account the people that are enabling that performance and hence may pose a risk to achieving desired ESG goals.

Workforce risks, insider threats, and supply chain vulnerabilities are social (that is, “S”) issues that directly influence corporate governance, operational performance, and enterprise resilience.  In an era where critical infrastructure underpins national security, ignoring the people-based dimensions creates blind spots in ESG.

A recent example is the cyber and supply chain compromises experienced by major telecommunications and energy providers worldwide.  Beyond operational disruption, these events triggered downgrades in ESG ratings, reputational damage, and increased insurance premiums.  Ratings agencies are recognising that poor personnel and supply chain controls weaken governance and social trust, leading to poor ESG-aligned performance.  Boards cannot treat personnel security as residing outside the ESG conversation when security is integral to ESG performance.

Australian entities subject to the Security of Critical Infrastructure Act 2018 (SOCI Act) must address personnel security as part of their formal Critical Infrastructure Risk Management Program (CIRMP).  SOCI entities with ESG programs should consider how best to capitalise on the risk mitigation efforts they already invest in to uplift and maintain a high standard of personnel security, and determine how those same efforts can be bridged into their ESG program to add value there as well.

The case for personnel security in ESG

Personnel security is about trust and assurance.  It is the ‘human factor’ in risk management.  Under the SOCI Act, entities are required to implement Critical Infrastructure Risk Management Programs which explicitly address personnel, cyber, physical, and supply chain hazards.

The legal framework set out in the SOCI Act aligns naturally with ESG obligations. Incorporating personnel security into ESG reporting offers three major benefits:

  • Materiality for investors and insurers: Investors increasingly scrutinise operational resilience.  Insurers may price policies based on the likelihood and impact of human and insider risks.  Companies able to demonstrate strong personnel security practices may gain preferential access to capital and insurance coverage.
  • Governance and accountability: Linking personnel security to ESG enhances board oversight.  Directors are accountable under both corporate law and regulatory frameworks.  Demonstrating workforce assurance through ESG disclosures mitigates liability and shows proactive governance.
  • Social trust and community expectation: Communities expect critical services to be safe, resilient, and trustworthy.  Workforce failures, such as trusted insider sabotage or negligence, erode that trust.  Integrating personnel security into ESG reporting shows a company values not just profits but its people and the communities it serves.

Prioritising investment through ESG

One of ESG’s greatest strengths is providing a framework for prioritising investment. Boards may struggle to allocate scarce capital between competing compliance and resilience demands, and so an ESG context can be of assistance.

By framing personnel security as an ESG issue, entities can:

  • Justify investment in personnel background screening, insider threat programs, and ongoing workforce assurance as measures that preserve enterprise value through security.
  • Demonstrate to stakeholders that capital is being directed towards risks that directly affect long-term sustainability.
  • Attract ESG-focused capital, where protective security is recognised as essential for credible governance as it underpins the effectiveness of many other enterprise initiatives and programs.

In practice, this means that decisions on whether to fund an insider threat program or to expand cybersecurity monitoring are no longer siloed operational debates that reside in the HR or cyber team alone.  They become ESG-driven investment priorities with clear external validation and cross-enterprise value.

Challenges and risks to manage

Incorporating personnel security into ESG reporting presents unique challenges:

  • Balancing transparency and confidentiality: Certain security measures cannot be disclosed in detail without undermining their effectiveness. Companies must learn to report meaningfully without exposing vulnerabilities.
  • Avoiding security washing: As with “greenwashing,” superficial claims about workforce assurance risk reputational damage. Disclosures must be evidence-based and measurable.
  • Defining metrics: Reliable indicators are needed to measure personnel security performance. This might include the proportion of critical roles with completed screening, the frequency of insider threat reviews, or integration with CIRMP frameworks.

These challenges should not deter action. Instead, they reinforce the need for structured, thoughtful approaches to integrating personnel security within ESG.

Practical pathways for Boards

For directors, senior executives, and SOCI-governed entities, the pathway to integration of personnel security into an ESG framework is clear:

  • Use the CIRMP as a foundation: Leverage existing legal obligations under the SOCI Act to demonstrate compliance and resilience through ESG reporting.
  • Establish personnel security metrics: Develop reportable indicators such as pre-employment screening rates, insider threat investigations completed, and workforce assurance reviews.
  • Engage investors and insurers: Position and advertise the deployment of targeted and effective personnel security practices as a differentiator in capital markets and insurance negotiations.
  • Build governance structures: Ensure Board-level committees oversee security risks as part of ESG and enterprise risk management.

The upside: turning security into ESG value

When integrated effectively, protective security, especially personnel security, becomes a driver of ESG performance:

  • Improved ESG scores by evidencing resilience.
  • Reduced insurance premiums and better coverage terms.
  • Strengthened stakeholder relationships with customers, regulators, and partners.
  • Competitive advantage in tenders where ESG credentials are evaluated.

The message is clear: personnel security is not only compliance; it is strategy.  Companies that elevate security within ESG build resilience, win trust, and position themselves for sustainable success.

Conclusion

Boards today are judged not only on financial returns but on their ability to manage risk responsibly. ESG has become the common reference for this. To exclude personnel security from ESG would leave a gaping hole in ESG performance and thereby risk credibility in the eyes of stakeholders, investors, regulators, and communities.

The SOCI Act provides a framework. ESG provides the reporting mechanism.  Operating in concert, they allow Boards to prioritise investment in a way that is measurable, defensible, and sustainable.

ESG without personnel security is incomplete. ESG with personnel security is resilience in action.
