Recent research shows internal audit functions are rarely involved in setting strategy for ESG or even in reviewing how goals are tracked and monitored. EY’s Kapish Vanvaria argues that ESG leaders should make friends with their internal audit colleagues — for everyone’s sake.
Companies are wrestling with the most urgent and complex issues our world faces today — environmental, social and governance (ESG). Internal audit (IA), internal controls (IC) and risk management should be at the hub, navigating the evolving regulatory requirements. At the same time, companies must meet the rapidly changing expectations of consumers, shareholders, employees and regulators — and show that they are a force multiplier for positive societal and environmental impact.
Managing ESG risks requires organizations to take a connected risk approach, while working closely with the third line of defense to assess specific key ESG controls.
Although most companies involve IA in some way with their ESG initiatives, a recent national survey found that fewer than 30% of chief audit executives (CAEs) report that they are involved in one or more of the following:
- Providing advice on setting up ESG program goals and metrics
- Reviewing how the ESG goals and metrics are tracked and monitored
- Reviewing the implementation of the ESG program and related policy documents
- Reviewing the accuracy of the ESG reports provided to stakeholders
IA’s involvement in these activities needs to increase as ESG risk strategy becomes a business imperative. Looking across today’s landscape, the survey shows:
- 54% of companies have ESG reporting measures in place.
- 52% of companies have an ESG strategy.
- 49% of companies have established ESG goals and targets.
- 24% of companies don’t have an ESG program, but plan to implement one.
ESG-related requirements are driven from the top down, and corporate ESG programs are diverse, with the most frequently included elements being diversity, equity and inclusion (66%) and environmental, health and safety (58%). Only 38% included climate risk — perhaps the most material across the ESG spectrum.
To navigate those challenges at speed, IA, IC and risk management need a dynamic capability that can provide timely information to avert or mitigate risks, embrace flexible people models that give businesses access to new skills and de-risk transformation programs. Those that embrace digital can gain a bird’s-eye view of information that may be invaluable to the business.
As employing an ESG strategy becomes the norm, IA teams can, and should, help establish risk management programs; identify what the company needs to do to accurately identify and quantify environmental-related risks; track the organization’s progress to mitigate those risks, including appropriate escalations in real time when the organization is falling behind; and design a reporting system to update stakeholders on that progress.
As the second line of defense, risk management teams have much to gain from actively cultivating an alliance with IA, the third line. Why isn’t this happening? According to the survey, the obstacles to IA involvement most frequently include:
- Data to support ESG engagements is minimal or not readily available.
- ESG is not considered a priority in annual audit planning.
- ESG is not part of the organization’s culture.
- ESG is not included in enterprise risk management efforts.
- The IA function doesn’t have the resources to support involvement.
Additionally, many organizations still use informal processes and manual data collection for key ESG metrics, which will need to be enhanced as they come under scrutiny in the market and from regulators. Fifty-four percent of CAEs provide some type of ESG reporting. That most often takes the form of a sustainability report. Only 25% include ESG metrics in their annual report.
When all three lines of defense work together with strong communication, an understanding of their shared ESG objectives and access to verifiable data, the whole organization benefits.
Four reasons why you should engage risk management in your ESG strategy
They read the fine print
Risk managers can help make sure your ESG strategy is aligned with the definitions, targets and evolving policy requirements of various external regulatory bodies and accrediting organizations. They can also assess whether your business units are operationalizing your strategy and, ultimately, meeting the requirements as defined both by your organization and those outside of it. Risk managers can be instrumental in evaluating whether environmental-related risk mitigation programs have been implemented and are operating effectively.
They understand adoption and know how to measure it
Claiming organization-wide adherence to changing ESG rules, policies, regulations and expectations is a major success metric for the C-suite. Risk managers and internal auditors can help establish the controls, tracking functions and analyses necessary to establish trust and reliability in the risk and value quantification.
They bring validity
The IA function is understood as the last frontier for company data, so IA professionals add the depth and confidence to build stakeholder and investor trust in your ESG strategy and risk mitigation plans by helping the organization build confidence in the data used to measure risk and progress.
They affirm a single source of truth
Because the first line of defense is often working across decentralized functions, it can be challenging for an organization to maintain a shared ESG strategy. Risk managers can help connect functions to enable communication and define ESG measures so that they are properly reported from valid data sources, quantified metrics or defined estimating methodologies.
Every organization, regardless of its size or industry, will feel the impact of the environmental, market and societal forces advancing sustainability. Companies that fail to adapt may suffer reputational damage and an investor backlash, including the loss of access to capital investment and commercial opportunities with sustainability-conscious stakeholders. But those that proactively manage ESG risks and opportunities, in concert with risk management, can create a sustainable long-term impact and financial value for all stakeholders.
Call it an opportunity to reimagine the way you do business and its role in your community, your industry and the world.