How to make sense of the ESG conversation

What you need to know: the regulatory landscape

The SEC currently has two proposed rules between the comment period and issuance that are worth noting. First, new rules have been introduced for climate-related disclosures that require more comprehensive transparency around ESG initiatives and outcomes; and second, additional disclosures are mandated for certain investment advisors and investment companies. The Federal Reserve (Fed) is also performing a Pilot Climate Scenario Analysis Exercise in 2023 in relation to the six largest banks, with results and expectations due to be published by the end of the year. The results will provide insights that will have broader-reaching implications than just banking. The Fed is particularly interested in both model risk management and data quality, along with scenario analysis incorporating physical risk and transaction risk. For example, this could include modeling performed to estimate the environmental impact from Florida hurricanes or California wildfires; transaction risk might be a concentration of credit risk in a potential impact area or resiliency risk to key operating infrastructure.

What ESG factors create risk?

ESG risk factors exist both internally and externally to the organization. Environmental events such as hurricanes and wildfires that damage production or threaten worker communities can have real business implications in both the short and long term, as well as the ways organizations respond to crises. Bold carbon emissions goals and public statements without established processes and controls to achieve them may damage a company’s reputation and concern consumers.

Your corporate policies, workplace practices and governance can have broad impact on your ESG risk factors and your ability to mitigate that risk. Diversity, equity and inclusion are top employee demands, and organizations must enact supportive policies, recruitment practices, and report headcount and diversity numbers transparently. Failure to do so, poor health and safety policies, or questionable fair labor practices won’t be tolerated by employees or external regulators today. And overall industry-leading risk management practices, tied with quality governance structures, are essential for every organization to build trust in an ESG-driven future.

Building an ESG risk assessment approach

Mitigating risk, and especially ESG risk with its many variables, requires a clear understanding of your organization’s current position, climate-related activities and commitments, and all of that must be backed by complete and accurate data. Assuming your organization has mature, quality data practices in place, begin building a roadmap incorporating the most likely factors that will be included in regulation, and focus on physical and transition risk, including scenario analysis. In addition, it is likely that investment managers, and asset managers more broadly, will need to focus on the risk of greenwashing, or providing misleading green information, and complying with the Principles of Responsible Investing (PRI).

Next, it’s important to understand stakeholder views and current commitments to build a future ESG risk mitigation roadmap that is achievable and on an appropriate timeline. Review public disclosures and anything that has been shared by the board plus what is currently under development. Assess all stakeholders including investors, regulators, customers, employees and the general public to build a comprehensive current state view of your organization.

Then determine if your current climate commitments are attainable and based on current and accurate data. Banks, asset managers, fund managers and insurers all manage investment portfolios and look for verifiable, accurate commitments from organizations. As ESG takes a more central and influential role in corporate reputation, the promises your organization makes to stakeholder groups, public statements it issues and actions regarding ESG initiatives all affect investment decisions and your company’s ESG ratings and reliability. An inability to meet ESG commitments and public statements or to report appropriately in disclosures can all lead to investment community and customer concerns over either ineffectual ESG practices or greenwashing perceptions that will damage your business reputation in today’s climate.

Organizational ESG risk assessment: readiness, design and pre-implementation

As you begin your organization’s ESG risk assessment journey, it’s crucial to understand organizational impact. Companies must assess the impact ESG-related risks will have on their overall operations and reporting, and just as importantly, operationalize workflow and internal controls to mitigate ESG risk. These steps include:

• The design of key controls and setting key performance indicators (KPI) metrics that support continuous monitoring of the process
• The prioritization of enterprise-wide analytics and automated controls wherever possible
• Assessment of data quality and workflows across ESG processes
• Organizational endorsement of proper disclosure and statement vetting with thorough reviews by legal and executive management of any external disclosures that may have a material impact on reputation or business

The leadership role IA must assume

IA teams, well-versed in both risk assessment and reporting discipline, can provide a sense of order and calm for management and take a meaningful leadership role in ESG risk mitigation. This leadership begins with advocating for comprehensive end-to-end design of both internal ESG controls (ICEsgR) and reporting processes and standards. It also should include the building of a COSO framework and additional rigor applied to all future disclosures. While the regulatory landscape and reporting rules evolve, organizations have time and IA teams have a real opportunity to educate leadership and business unit leaders on ESG risk matters as well as marshalling the tools and processes to create assurance going forward.

The leadership role of IA must also cover three key areas of organizational preparedness: the provision of insights, updates and guidance to management; advocacy for ongoing end-to-end design optimization, including workflow design and the embedding of internal controls; and support for governance and implementation of ESG processes and transparent disclosures. Build the core ESG team within IA, and have team members lead the overall coverage and audit models.

As true advocates for ESG risk mitigation, IA must also monitor models and projections on ESG impacts and public comments such as carbon-neutral targets – and if needed, be prepared to challenge management on current assertions and projections that may not be supported by the data. Collaborating with ESG teams across the organization as well as with enterprise risk management (ERM) will also be critical for effective data collection, and for both ESG credit risk reviews of investment portfolios and product reviews that consider ESG liabilities.

The evolution of internal audit

True leadership requires vision and vigilance. IA must monitor and measure the landscape for changes in public opinion, customers and employees that could have material impact on business reputation and value. Leading effectively means staying current on market conditions affecting ESG, attending earnings calls with ESG topics and disclosures, and reading both peer disclosures and survey findings relating to the evolution of ESG issues. Only by having a broad understanding of regulatory change and consumer sentiment externally, as well as a true assessment of practices and policies internally, can IA help companies shape an ESG risk-averse future.

Takeaways

• ESG strategies are becoming integrated into business strategies.
  
• ESG is a priority for organizations and their boards – due in part to internal pressures from employees and external pressures from customers, the government and investors.
• ESG risk is here today and, on the rise, and organizations must prepare appropriately.
• IA and risk management must play pivotal roles in the build for ESG processes and reporting, proactively taking steps now to manage ESG risk, protect the organization and create long-term reputational and financial value.

IA and risk management can make a difference today. Start now with design and implementation reviews, along with assurance activities for stakeholders.