How to make sense of the ESG conversation

Organizations can take key action steps to prepare for ESG risk management.

In brief
  • ESG is a priority for organizations and boards due in part to pressure from employees, customers, the government and investors.
  • IA and risk management should be actively involved in building ESG processes and reporting.

Environmental, social and governance (ESG) momentum is all around us and at the top of almost every board and governance agenda. While pressures mount from investors as they demand greater transparency and sustainability from organizations, the regulatory landscape is changing rapidly too. The U.S. Securities and Exchange Commission (SEC) and other rule-making bodies are now compelling organizations to think through their ESG initiatives and reporting processes, as new disclosure requirements are imminent. At the same time, consumers and employees are becoming more socially and environmentally conscious. Consumer preferences have pivoted sharply toward those brands and businesses that can demonstrate sustainable practices and products. And employee consciousness is demanding better and more equitable workplace practices, which gains even more significance in a tight labor market. As these ESG forces and initiatives intersect, the rise of ESG-related risk is occurring in lockstep, posing considerable threat for organizations, their reputations and their long-term value. Organizations must fully prepare for ESG risk management – and internal audit (IA) teams can take a proactive approach in helping leadership do that. Here’s how.

What you need to know: the regulatory landscape


The SEC currently has two proposed rules between the comment period and issuance that are worth noting. First, new rules have been introduced for climate-related disclosures that require more comprehensive transparency around ESG initiatives and outcomes; and second, additional disclosures are mandated for certain investment advisors and investment companies. The Federal Reserve (Fed) is also performing a Pilot Climate Scenario Analysis Exercise in 2023 in relation to the six largest banks, with results and expectations due to be published by the end of the year. The results will provide insights that will have broader-reaching implications than just banking. The Fed is particularly interested in both model risk management and data quality, along with scenario analysis incorporating physical risk and transaction risk. For example, this could include modeling performed to estimate the environmental impact from Florida hurricanes or California wildfires; transaction risk might be a concentration of credit risk in a potential impact area or resiliency risk to key operating infrastructure.

What ESG factors create risk?


ESG risk factors exist both internally and externally to the organization. Environmental events such as hurricanes and wildfires that damage production or threaten worker communities can have real business implications in both the short and long term, as well as the ways organizations respond to crises. Bold carbon emissions goals and public statements without established processes and controls to achieve them may damage a company’s reputation and concern consumers.


Your corporate policies, workplace practices and governance can have broad impact on your ESG risk factors and your ability to mitigate that risk. Diversity, equity and inclusion are top employee demands, and organizations must enact supportive policies, recruitment practices, and report headcount and diversity numbers transparently. Failure to do so, poor health and safety policies, or questionable fair labor practices won’t be tolerated by employees or external regulators today. And overall industry-leading risk management practices, tied with quality governance structures, are essential for every organization to build trust in an ESG-driven future.


Building an ESG risk assessment approach


Mitigating risk, and especially ESG risk with its many variables, requires a clear understanding of your organization’s current position, climate-related activities and commitments, and all of that must be backed by complete and accurate data. Assuming your organization has mature, quality data practices in place, begin building a roadmap incorporating the factors most likely to be included in regulation, and focus on physical and transition risk, including scenario analysis. In addition, it is likely that investment managers, and asset managers more broadly, will need to focus on the risk of greenwashing (providing misleading environmental information) and on complying with the Principles for Responsible Investment (PRI).


Next, it’s important to understand stakeholder views and current commitments to build a future ESG risk mitigation roadmap that is achievable and on an appropriate timeline. Review public disclosures and anything that has been shared by the board plus what is currently under development. Assess all stakeholders including investors, regulators, customers, employees and the general public to build a comprehensive current state view of your organization.


Then determine if your current climate commitments are attainable and based on current and accurate data. Banks, asset managers, fund managers and insurers all manage investment portfolios and look for verifiable, accurate commitments from organizations. As ESG takes a more central and influential role in corporate reputation, the promises your organization makes to stakeholder groups, public statements it issues and actions regarding ESG initiatives all affect investment decisions and your company’s ESG ratings and reliability. An inability to meet ESG commitments and public statements or to report appropriately in disclosures can all lead to investment community and customer concerns over either ineffectual ESG practices or greenwashing perceptions that will damage your business reputation in today’s climate.

Organizational ESG risk assessment: readiness, design and pre-implementation


As you begin your organization’s ESG risk assessment journey, it’s crucial to understand organizational impact. Companies must assess the impact ESG-related risks will have on their overall operations and reporting, and just as importantly, operationalize workflow and internal controls to mitigate ESG risk. These steps include:


  • The design of key controls and setting key performance indicator (KPI) metrics that support continuous monitoring of the process
  • The prioritization of enterprise-wide analytics and automated controls wherever possible
  • Assessment of data quality and workflows across ESG processes
  • Organizational endorsement of proper disclosure and statement vetting with thorough reviews by legal and executive management of any external disclosures that may have a material impact on reputation or business


The leadership role IA must assume


IA teams, well-versed in both risk assessment and reporting discipline, can provide a sense of order and calm for management and take a meaningful leadership role in ESG risk mitigation. This leadership begins with advocating for comprehensive end-to-end design of both internal controls over ESG reporting (ICEsgR) and reporting processes and standards. It should also include building a COSO-based framework and applying additional rigor to all future disclosures. While the regulatory landscape and reporting rules evolve, organizations have time, and IA teams have a real opportunity to educate leadership and business unit leaders on ESG risk matters as well as to marshal the tools and processes that create assurance going forward.


The leadership role of IA must also cover three key areas of organizational preparedness: the provision of insights, updates and guidance to management; advocacy for ongoing end-to-end design optimization, including workflow design and the embedding of internal controls; and support for governance and implementation of ESG processes and transparent disclosures. Build the core ESG team within IA, and have team members lead the overall coverage and audit models.


As true advocates for ESG risk mitigation, IA must also monitor models and projections on ESG impacts and public comments such as carbon-neutral targets – and if needed, be prepared to challenge management on current assertions and projections that may not be supported by the data. Collaborating with ESG teams across the organization as well as with enterprise risk management (ERM) will also be critical for effective data collection, and for both ESG credit risk reviews of investment portfolios and product reviews that consider ESG liabilities.


The evolution of internal audit


True leadership requires vision and vigilance. IA must monitor and measure the landscape for changes in public opinion, customers and employees that could have material impact on business reputation and value. Leading effectively means staying current on market conditions affecting ESG, attending earnings calls with ESG topics and disclosures, and reading both peer disclosures and survey findings relating to the evolution of ESG issues. Only by having a broad understanding of regulatory change and consumer sentiment externally, as well as a true assessment of practices and policies internally, can IA help companies shape an ESG risk-averse future.




  • ESG strategies are becoming integrated into business strategies.
  • ESG is a priority for organizations and their boards – due in part to internal pressures from employees and external pressures from customers, the government and investors.
  • ESG risk is here today and on the rise, and organizations must prepare appropriately.
  • IA and risk management must play pivotal roles in the build for ESG processes and reporting, proactively taking steps now to manage ESG risk, protect the organization and create long-term reputational and financial value.


IA and risk management can make a difference today. Start now with design and implementation reviews, along with assurance activities for stakeholders.

Example of likely impacted audits or reviews

  • Portfolio management – investment guideline compliance
  • Credit risk (ESG ratings) management
  • Model risk management
  • ESG-impacted model review
  • Pre-implementation design reviews for new ESG processes
  • ICEsgR and disclosure controls
  • ICEsgR data flows and key information traced to the source
  • Disclosure controls including Reg FD (Fair Disclosure)
  • ERM and governance
  • Marketing materials
  • Financial reporting
  • Human resources practices and reporting
  • Fed-like pilot readiness

Questions audit committees will be asking

  • How is publicly reported nonfinancial information governed and controlled?
  • As the SEC and other regulators set new requirements, what is the company’s road to comply and establish internal controls over ESG reporting?
  • What is the plan for disclosing ESG-related information and what is IA’s expected role and coverage?
  • How will ESG be incorporated into the current audit plan to provide coverage of ESG risks?
  • What is IA’s opinion of the governance and control environment in place around ESG broadly?


With ESG risk on the rise, organizations must prepare with a proactive approach to protect themselves and create long-term reputational and financial value.

23 Jan 2023 Jessica Rodgers + 1