In January, BlackRock CEO Larry Fink published an open letter to company CEOs warning them that if they didn't take immediate steps to help their businesses become more resilient to climate and environmental risks, they risked being dropped from pension fund portfolios. This kind of announcement can spark boardroom conversations at a time when the push for organizations to identify, mitigate, control, and disclose the myriad risks to their businesses to a wider range of stakeholders — not just shareholders — continues to gather pace worldwide.
Companies now report not only on the financial risks to their business, but also the nonfinancial risks they face. These risks include climate change, business ethics, human rights abuses, slavery and child labor, and their operations' impact on the environment — which fall under the realm of environmental, social, and governance (ESG) reporting. In fact, the current revision of the International Integrated Reporting Council's <IR> Framework aims to "further embed integrated reporting and thinking into mainstream business practice."
Yet despite such reporting progress, the consensus view of several experts is that many organizations are paying lip service, disclosing only the bare minimum of detail to comply or satisfy investors, regulators, and other stakeholders. Some organizations, meanwhile, are struggling to get their heads around what exactly they need to report — or how to do it, they add.
"Sustainability reporting is largely done as a paper exercise," says Lawrence Heim, managing director at audit and consulting firm Elm Sustainability Partners in Atlanta. He adds that "internal audit needs to be more involved in sustainability reporting, or become involved if it is not already part of the process." Such views are shared by other experts.
In the U.K., listed companies have a duty to disclose how sustainability risks may impact the long-term viability of the business and what steps management is taking to address them. But research from international accounting firm Mazars found that disclosures around carbon emissions in Financial Times Stock Exchange reports are "not fit-for-purpose" and are "in many cases a box-ticking exercise that does not appear to be integral to the way management runs the business." The Financial Reporting Council, the U.K.'s corporate governance regulator, and the European Union — where sustainability risk reporting has been mandatory for the past two years — have raised concerns about the quality of disclosures around sustainability risks.
Aside from nonfinancial reporting being voluntary for most organizations around the world, there are several reasons why efforts to improve sustainability reporting and risk management are failing. First, the bulk of all mandatory disclosures is still concerned with financial reporting and most of the effort goes into getting that right. Second, the term sustainability has become an umbrella buzzword for every risk that doesn't have an immediate financial price tag attached to it. Many organizations are either overwhelmed by the scale of work required to report meaningfully on the array of risks included, or are simply confused by the term and the issues being covered under ESG reporting (see "ESG Metrics" below).
Experts have some sympathy, but they say that organizations — and internal audit — cannot be indifferent to the problem, and they stress the need for deeper audit involvement.
Heim says organizational sustainability is not clearly understood by either internal auditors or boards, and as a result, levels of assurance are decidedly mixed. Globally, he says there are more than 300 different ratings used by investors to assess ESG reporting, and it is unclear just what criteria they are using to base their assessments.
"There is no agreed on, single definition of what is meant by organizational sustainability," Heim says. "The term means different things to different sets of people, and to some extent, it's an umbrella term for a lot of nonfinancial risks. This is a nightmare for internal auditors."
An Exercise in PR
According to Heim, sustainability reporting is often done cheaply and usually by public relations (PR) or marketing people rather than anyone trained in ESG issues to provide an additional narrative to the financial figures. "These reports are not thorough, not validated, and contain inaccuracies, yet boards are happy to put their names on them," he says.
There are two trends in sustainability reporting that amount to PR and marketing exercises that Heim says internal auditors need to try to prevent their organizations from following. One is "greenwashing." This is when companies play up their environmentally friendly efforts and credentials, while downplaying — or ignoring entirely — the areas of their business that may be damaging to the environment, or that do not conform to stakeholder expectations of what constitutes long-term sustainability. The other is "greenwishing," where they talk about what they hope to achieve versus what they've actually implemented. This includes a reduction in carbon emissions, reduced waste, lower energy and water usage, increased telecommuting, cuts in air travel, and so on.
Robert Pojasek, senior strategist at risk and ESG consultancy Strategic Impact Partners in Boston, agrees that sustainability reporting leaves a lot to be desired. "The primary focus of the sustainability report is to improve its ranking in rating schemes, such as the Corporate Knights, Newsweek, Corporate Responsibility Top 100, and similar ratings," he says. To ensure accuracy and meaningful disclosure, he says, "auditors need to provide assurance to the board that the information meets their financial, risk, and ESG reporting requirements before it is released to the public."
Guidance Is Lacking
Organizations are using stand-alone sustainability programs with separate reporting, which means the claims made in sustainability reports cannot be independently verified or appropriately benchmarked, Pojasek says. As such, there is some reluctance to accept them because of a lack of rigor associated with the collection of the information, as well as a lack of internal auditing of the data-gathering activity. Many investment firms, for example, will not accept ESG information in their sustainability report because it is not complete and it is not independently verified.
Part of the problem, Pojasek says, is that there is little guidance for internal auditors because of the array of functions involved in collecting the data: sustainability teams, consultants, corporate social responsibility teams, and corporate citizenship groups, among others. "It is difficult for internal auditors to understand the sustainability program because there are few practice guides available and auditors are confused by the different kinds of stand-alone sustainability programs," he says.
Pojasek says internal auditors also may lack knowledge and experience in sustainability reporting because there is no mandatory requirement to report on it in disclosures to the U.S. Securities and Exchange Commission, as such information is not often included in Forms 10-K and 40-F. As a result, he says, "internal audit knowledge around sustainability programs is probably not as comprehensive as it could or should be as a result of not being involved in this activity."
Heim adds that voluntary reporting on ESG and sustainability issues often means that while the topics and risks are being discussed, they are not necessarily being audited. "Internal auditors are not looking at any figures around ESG because they're not related to financial results, so these figures are published without challenge or any real assurance," he says.
"It should be impossible for any company report to be made public without checking that the statements are accurate, so sustainability reporting is certainly an area where internal audit can get more deeply involved," Heim says. "Internal audit has the skills to question the basis of these reports — how they were put together, by whom, and using what information or evidence — and it should have a duty to flag up to the board the risks of publishing material or claims that have not been checked or may be false."
A United Front
Douglas Hileman, an internal audit, risk, and compliance consultant based in Los Angeles, agrees that internal audit is often excluded from reviewing sustainability strategies and reporting — mainly due to competing priorities and a lack of budget. "There's very little time, energy, or expertise to look at ESG risks, reputation risk, third-party risk management, human rights, slavery, health and safety, cyber risk, and so on," he says. "The audit committee decides internal audit's priorities, and at the moment, sustainability risk is not a top item on their agenda."
Internal audit can try to address this imbalance. First, Hileman says, internal audit should present sustainability in terms of current and long-term business risks. "Boards and management get risk — a lot of them don't get sustainability. If internal audit approaches sustainability like any other risk assessment, executives will take more notice."
Second, Hileman notes, internal audit should present a business case to incorporate sustainability into strategy. Executives need to be talked to in a language they understand, and they don't like making investments that don't pay off. "Provide evidence that shows that acting more sustainably adds value — operationally, in assuring compliance, reputationally, and even financially," he says. "The area is dynamic, so by acting strategically now they can get ahead of competitors and be better prepared and more resilient for future risks, including environmental risks."
Third, he says, internal audit should collaborate with other assurance functions — compliance, risk management, environmental, and in-house legal — to "push the case for better aggregated understanding and management of sustainability risk. Clear, concise communication of sustainability risk — and opportunities — can attract the attention and resources it deserves and can also offer a vehicle for internal audit to demonstrate how it can add value to the organization."
There will be greater scope for internal audit to provide assurance on sustainability issues going forward, says Vanessa Havard-Williams, partner and global head of environment at the London office of international law firm Linklaters. "As organizations — particularly large corporations — begin to integrate sustainability impacts at a detailed level into their enterprise risk management frameworks, internal audit will get more closely involved in reviewing them and providing assurance on their effectiveness to the board," she says.
"Executives are well aware of the damage that a tarnished reputation can have on the company's bottom line and customer base," says Fay Feeney, CEO of emerging risk strategy consultancy Risk for Good and a board member in Hermosa Beach, Calif. "So internal audit should make it clear that an organization's failure to commit to sustainable business practices will damage the corporate brand among a wide variety of stakeholders, including employees."
Feeney also warns that auditors need to be prepared to acknowledge that board members are overconfident about the organization's capability to manage risks, as noted in The IIA's OnRisk 2020 report. As a result, she says, "internal auditors need to assess their boards' understanding against their knowledge of sustainability risks as there are likely to be gaps in their knowledge and areas where they do not fully understand what needs to be done, and what impact these risks can have on the business, its operations, and supply chains."
Speak the Same Language
Paul Sobel, chair of The Committee of Sponsoring Organizations of the Treadway Commission, says internal audit needs to make sure the board — and everyone else in the business — speaks the same language around sustainability so the issues, risks, opportunities, and the organization's long-term goals are understood in the same way. If everyone involved is thinking about risk in the same way, he says, "it will be easier to discuss and appreciate the risks to the organization — and what responses are needed — in the same way, too."
Sobel adds that internal audit needs to think about the value proposition around sustainability and push the business case for change, rather than follow most boards' leads to consider it as a cost or compliance headache. "Internal audit needs to look at what future investor, regulatory, and stakeholder expectations are likely to be regarding sustainability risk management and reporting and push for management and the board to move in line — or ahead — of them," he says. "This means keeping up to date with best practice, reviewing ongoing trends, and engaging more robustly with stakeholders."
When 181 U.S. CEOs signed the Business Roundtable's new Statement on the Purpose of a Corporation last August, they committed to, among other things, "respect the people in our communities and protect the environment by embracing sustainable practices across our businesses." With support from major U.S. companies to adopt sustainable business practices and embed reporting — and practice what they preach — the expectation is that other organizations need to follow suit, if they aren't already.
Internal audit needs to get more involved and leverage sustainability to find potential business opportunities and use them to offset the business threats, Pojasek says. "Auditors need to look for the upsides of risk." To do that, he says auditors need to raise questions that can help their organizations enjoy enhanced value: Are there ways to turn what looks like a costly threat into sustained value for the corporation? Does this provide a better way to make sustainability a key part of how the business is operated to secure long-term financial growth? Does this structured form of sustainability and uncertainty risk afford a new opportunity to look at the supply chain?
There is little doubt of the need for organizations to review their long-term viability and resilience in light of external risks, particularly around the environment and climate change.
If threats such as BlackRock's do not make boards sit up and pay attention, nothing will. And if boards do not make a greater effort to consider sustainability as a key risk issue, it appears likely that shareholders will do so, as evidence shows investors are becoming increasingly activist about how they want companies to be run and the priorities they want to see in the boardroom.