9 Nov 2022

Why should you mix insight with foresight in your ESG risk strategy?

Authors
Mundia Moola Buesser

Senior Manager, Consulting, EY Sustainability | Switzerland

Passionate about adding extra value to her work. A mom of two and a professional figure competitor.

René Bartholmess

Manager, Enterprise Risk Consulting | Switzerland

Risk Management Coach | Focused on Third-Party Risk Management | Risk Seeking in his Hobbies Sailing & Mountainbiking

David Sütterlin

Partner, Head of Risk Consulting | Switzerland

Passionate Risk Professional and SAP Consultant. Guides EY clients in building, redesigning and implementing risk functions to support greater trust and better decisions.

As the ESG ecosystem grows more complex, sustainability needs to be embedded within enterprise risk management. 

In brief
  • Stakeholder demand for transparency on ESG aspects is forcing companies to rethink how they approach sustainability – from strategy and risk to reporting.
  • Leading organizations are adopting a “whole business” approach to ESG, incorporating it in their corporate strategy and enterprise risk management.
  • Engaging internal audit is a good use of resources to help establish robust ESG management and support the ESG strategy at every level of the organization.

Awareness around sustainability is greater than ever. Today, 70% of employees consider a company’s posture on social issues when deciding whether to stay in their current job and half of consumers think about sustainability when making a purchasing decision. At the same time, standard setters, governments and regulators are contributing to a rapidly evolving ecosystem, with new guidance and legal requirements emerging on environmental, social and governance (ESG) aspects. And institutional investors are following wider society in demanding that businesses help resolve societal challenges – and want companies to explain how they will deliver value to all stakeholders.

A “whole business” approach to ESG

So, how should you get started? Initially driven by external pressure to go greener, many companies focus first on ESG reporting and compliance. However, leading organizations are discovering ESG as a catalyst for rethinking strategic priorities, business processes, risks and opportunities. They understand the importance of a coordinated, strategic approach across people, processes and technology. They embrace ESG with a sense of purpose – and integrate it into their core business strategy and governance – to create long-term sustainable impact and financial value for all stakeholders. They also prioritize ESG at board level, sharing responsibility among the Chief Executive Officer (CEO), Chief Strategy Officer (CSO), Chief Financial Officer (CFO), Chief Operating Officer (COO), Chief Risk Officer (CRO) and Chief Information Officer (CIO). This “whole business” approach covers six key areas:

  • Strategy and goals

    Create an ESG strategy supporting the overall corporate strategy, set ESG goals and targets and develop a roadmap to deliver on ambitions.

    Ownership: CEO

  • Governance

    Establish ESG governance through a formalized operating model, leadership and board commitment, and an end-to-end scorecard for comprehensive ESG performance monitoring.

    Ownership: CEO

  • Purpose and messaging

    Develop a branding and communications strategy to articulate a compelling narrative on delivering long-term financial and non-financial value through the ESG strategy.

    Ownership: CSO

  • Risk management

    Integrate ESG issues into the enterprise risk management framework to identify, assess and prioritize risks, and implement effective risk responses.

    Ownership: CFO and CRO

  • Reporting and disclosures

    Report ESG data in a reliable, objective and consistent manner with appropriate internal controls and processes in order to meet stakeholder needs and compliance requirements over time.

    Ownership: CFO

  • Operations

    Build a business case and transformation program to achieve ESG goals within each business function, facilitate communication across the organization and escalate key issues.

    Ownership: COO and CIO

This holistic approach contrasts with the central sustainability function often set up when sustainability first went mainstream. Today, though, ESG market and regulatory demands require rigorous, multi-channel reporting and performance updates – and a consistent governance approach across the organization, even if aspects of sustainability are managed in different departments. For example, diversity, equity and inclusion may be managed by HR, operations and supply chain. While it’s tempting to integrate ESG into existing governance and oversight models, companies often find that they fail to cover all risks across the company. The need for an ESG-specific framework is particularly relevant as ESG reporting becomes more regulated: an effective, mature, company-wide control environment will be needed to ensure non-financial data is transparent, accurate and complete.

Complex global regulations

600 ESG reporting standards around the world

Jurisdictions around the world are developing guidance on ESG disclosures. There are currently over 600 ESG reporting provisions globally, and they don’t all agree on ESG issues. Companies with international operations may also find themselves facing questions about voluntary disclosures, and ad hoc requests from investors, consumers and employees. Internal audit can play a key role in equipping a company to deal with these demands.

Internal audit – A valuable asset to support your ESG transformation

Organizations need to consider how they leverage the changing role of the internal audit function as an important enabler of quality and consistency, and as a strategic partner for their ESG program. An effective internal audit function is already integrated across the entire organization, so it makes sense to embed ESG into the audit plan. Engaging internal audit in ESG is also an effective use of internal resources, with many transferable skills already available from the area of financial reporting. Overall, proactive insights and assurance increase the level of confidence in managing ESG risks, measuring and reporting progress and achieving goals and targets. To get started, internal audit should focus on three key areas:

  1. Monitoring ESG controls: internal audit teams have a duty to regularly monitor control processes and activities throughout the organization and improve or comment upon their accuracy, efficiency and effectiveness. Internal audit can evaluate ESG reporting processes, increase the reliability of metric calculations and improve assertions on ESG metrics included in current or future sustainability reporting.
  2. Enhancing transparency and reliability of ESG performance data and disclosures: internal audit can support transparency and reliability of ESG data and information, enhancing the credibility of disclosures and identifying gaps for improvement. This in turn supports the governance structure as well as the data collection, collation and calculation processes needed for robust sustainability disclosures.
  3. Linking ESG to enterprise risk management: by linking the management and reporting of ESG to the company’s enterprise risk management system and processes, internal audit can ensure that ESG risks are not limiting the company’s achievement of strategic objectives. Understanding material ESG risks and associated controls is essential to enable monitoring and accurate reporting over time.

For more information, please see our article “Why ESG can help internal audit become more relevant”.

Next steps and recommendations

Given the importance of communicating ESG performance transparently and consistently, we close this article with our five recommendations for a more robust reporting setup:

  1. Understand which of the evolving ESG reporting requirements could be relevant for your jurisdiction and identify potential risk factors, specific ESG-related risks and ESG governance practices relevant to your industry, size, geographic footprint, etc.
  2. Identify relevant stakeholders such as investors, suppliers, customers or community groups and their ESG-related priorities, interests and information needs.
  3. Decide how to address the ESG reporting and other related obligations, taking into account voluntary frameworks such as the Sustainability Accounting Standards Board (SASB), Climate Disclosure Standards Board (CDSB) and Task Force on Climate-related Financial Disclosures (TCFD).
  4. Design and deploy internal controls over sustainability reporting and develop a roadmap to embed ESG requirements as part of the business processes, including IT systems and data architecture.
  5. Consider and integrate third parties in the ESG strategy through aspects such as attestation on international standard ISAE 3000.
  6. Engage and leverage the organization’s internal audit function early in the ESG journey.

Summary

All stakeholders are demanding more action and disclosures on environmental, social and governance (ESG) aspects. To meet these new expectations – and remain competitive and compliant in a shifting risk and regulatory landscape – organizations need to define, deliver and disclose their ESG efforts. Those who don’t are likely to lose access to capital investment and commercial opportunities with sustainability-conscious firms and consumers. Engaging internal audit, potentially with the support of an external provider, can be an effective way to integrate ESG into the company-wide enterprise risk management.
