Corporate America faces growing pressure to anticipate and measure environmental, social and governance (ESG) risks and opportunities. A chorus of stakeholders is calling for complete, accurate and reliable assessments of everything from carbon emissions and employee diversity to labor practices and the composition of boards of directors.
The stakes are high. New and pending regulations from the US Securities and Exchange Commission (SEC) and the European Securities and Markets Authorities (ESMA) may impose penalties on companies that fail to disclose this data and have it assured by a third party. Investors are channeling billions of dollars to assets partly based on ESG data that they assume is reliable. Banks and insurers are using ESG information when making financing and coverage decisions. And customers and advocacy groups are seeking independent assurance that companies are making real progress on their much-vaunted ESG goals.
Unfortunately, many companies aren’t ready for this shift. Perhaps they’ve hired small teams of ESG subject-matter experts and published a few years of sustainability reports touting their programs and ambitious goals. But that’s no match for the growing array of reporting frameworks, financial regulations and stakeholder demands. Companies are struggling to devise and apply transformative and strategic ESG programs that mitigate risk even as they are also expected to collect data, produce regulatory reporting and identify ESG-related opportunities.
No wonder, then, that in a 2022 study of 300 US companies commissioned by KPMG LLP (KPMG), fewer than 15% of respondents said their ESG reporting had attained maturity in compliance, data controls, risk analysis and oversight.
ESG teams must be fully integrated with a company’s strategic leadership team and its risk management and compliance functions. Monitoring and following through on ESG commitments must be an enterprise-wide process, says Maura Hodge, ESG Audit Leader at KPMG.
“The crux of the issue is a lack of integration of sustainability teams and the rest of the business,” she says. “The goal is not simply a compliance exercise—to tick the boxes—but also to add or enhance value. That requires the ESG function to be integrated into strategy. And implementing strategy requires the entire enterprise.”
ESG, meet ERM
Assessing the full range of risks faced by corporations is a big task. Fortunately, many companies are already evaluating many of those risks as part of their enterprise risk management, or ERM, process. ERM takes different forms at different companies, but it generally helps identify, assess, prioritize, monitor and mitigate the most significant risks across an organization.
ERM teams often connect with internal ESG experts as part of the process of identifying significant risks to a company. But ESG-related risks such as extreme weather often appear in 10-Ks as generic or boilerplate language and take a short-term view, Hodge notes. In any case, identifying these risks is only the first step toward managing them.
As ESG Audit Leader, Hodge says that companies often ask for guidance on how to assess climate-related risks and opportunities using scenario analysis and want to know how to describe risks in the financial statements.
At many companies, Hodge says, ESG data collection and reporting suffer from a lack of integration across functions. For example, ERM practitioners may not be aware that the ESG team has submitted a CDP (formerly the Carbon Disclosure Project) questionnaire; large swaths of assets may be mistakenly left out of a footprint assessment; or executives may agree to an acquisition or equity investment without considering how it affects the company’s emissions footprint and therefore their progress towards a net zero goal.
In order to work effectively and collect the data companies need, “the ERM function must integrate technical sustainability knowledge into its daily operations—just as it must be integrated with other functions like financial planning and procurement,” says Hodge.
Most corporate sustainability and social responsibility functions were born at a time when the main intention of ESG initiatives was to burnish corporate reputations. Now that investors, creditors and regulators are banking on ESG numbers, conducting due diligence around data has become increasingly important. A new role is emerging: the ESG controller, who works side-by-side with the sustainability program lead. With their accounting and audit background, the ESG controller “brings rigor to the process of data collection around sustainability information,” Hodge says.
The ESG controller can drive change across the organization by directing how to properly document and organize data sources needed for ESG metrics and can help assure that proper controls are in place and that the data is reliable. The ESG controller is also familiar with novel methods of accounting for ESG metrics, such as carbon accounting.
ESG metrics sometimes require entirely new techniques for data collection and analysis, says Hodge, such as the use of drones to measure methane from oil wells or GPS to calculate carbon emissions from an agricultural crop. ESG controllers can work with ESG subject-matter specialists to learn about these techniques. Ultimately, ESG awareness should permeate the entire organization, so that all functions produce ESG data that can satisfy all stakeholders.
By helping the organization produce more reliable ESG data, ESG controllers help ERM to more accurately incorporate ESG risks into its process. By making ESG data collection and assurance a broader responsibility, companies can give ESG teams and senior leadership the time and information they need to focus not just on risks, but on ESG-related strategy and opportunities, as well.
The current backlash against ESG by some national and state leaders demonstrates the politicization of ESG. But risks such as severe weather or talent shortages can interrupt a company’s ability to perform effectively and are therefore better seen as business risks than as ESG risks, notes Hodge. Stakeholders of all kinds are demanding better and more reliable data on these risks for the sake of transparency and accountability. Providing that data is an enterprise-wide effort, with ERM leading the way.
The role of ERM going forward
ESG and stakeholder capitalism have become a “cultural and ecosystem game-changer” in recent years, says Ivor O’Neill, Managing Director of Internal Audit and Enterprise Risk for KPMG. The risks, impacts and opportunities inherent in such areas as climate and diversity, equity and inclusion (DEI) run across all parts of an organization and ripple out through the value chain.
“The challenge comes with companies talking about ESG as a long-term strategic initiative, but not treating it as such,” says O’Neill. “91% of Fortune 500 companies issued a Corporate Social Responsibility report in 2022, yet only 11% of the same companies have updated board charters to take into consideration responsibility for ESG. Until companies truly treat ESG as a strategic imperative, they are not going to connect the dots on risks.
“Even then, the world’s largest organizations have trouble thinking about risks that cross all of their functions,” O’Neill says. A sophisticated ERM function employs strategies such as scenario planning, pre-mortems and network theory to help companies identify and prioritize enterprise-wide ESG risks; further, internal auditors can derive insights from cross-functional investigations and report results directly to leadership.
The time has come for ERM to more fully incorporate ESG risks and opportunities, says Hodge, and the reason is simple: “The world is changing.” The purpose of ERM is to measure the risks to the execution of a company’s strategic objectives. However, in the past, ESG goals weren’t usually considered strategic; climate change was seen as too long-term a concern, for example, and diversity hiring was about “corporate citizenship.” Metrics and progress could be measured loosely.
All that has changed. Today, the time horizon has been compressed, even as the stakes have risen. Diversity in leadership or carbon reduction efforts are now being required by many business partners in contracts, and sometimes by regulators. In Europe, failure to comply is now an immediate risk to strategy—one that should be identified by ERM, Hodge says.
How can companies get started?
The above steps can help in beginning to integrate ESG and ERM into a company’s risk management and reporting efforts. With increased pressure from stakeholders, the need to integrate ESG into the fabric of ERM is paramount for a company’s ability to deliver on its risk strategy. A single view of risk will ultimately drive positive results through the brand, align management accountability, and support transparency and clarity in the marketplace. With SEC rules coming, boards across the US are asking ERM functions how they are tackling these critical risks. At minimum, coordination of company efforts, risk management, and board oversight should be a top priority. There is much work to be done.