Integrated ESG Reporting: Lessons Learned From SOX

John Wheeler
The US Securities and Exchange Commission (SEC) estimates the proposed Environmental, Social, and Governance (ESG) related climate risk disclosure requirements may cost US companies in aggregate somewhere between $3.9 billion and $10.2 billion. For individual companies, the SEC estimates annual costs to range between $420,000 and $530,000. 

Naturally, many business leaders are drawing a comparison to the early days of the Sarbanes-Oxley Act (SOX) of 2002, when new financial control disclosure requirements were viewed as costly. While many business leaders predicted the demise of SOX due to increased costs, the disclosure requirements have stood the test of time — this year is its 20th anniversary. When comparing the anticipated climate risk disclosure costs to SOX, the amounts do not seem as burdensome. In fact, SOX compliance costs in 2022 can exceed $2 million annually for most companies. 

As we all know, SOX compliance is designed to improve the accuracy, transparency and completeness of financial reporting. The proposed climate risk disclosure requirements are designed to do the same for reporting operational metrics tied to environmental and sustainability performance. As such, the reporting controls are essentially the same for SOX and ESG. Companies should use this understanding to their advantage and effectively leverage the investment in SOX compliance for ESG purposes. 

“Most companies already have much of the infrastructure in place on which to build a highly successful ESG risk reporting program.”

Integrating SOX and ESG compliance efforts to meet the new SEC climate risk disclosure requirements is just the beginning. Other standard setters like the IFRS Foundation and its International Sustainability Standards Board (ISSB) are working to codify new reporting requirements for companies across the globe. Rather than reinventing the wheel, companies should reflect on SOX lessons learned as new ESG requirements are issued.  

Integrated ESG Reporting: Lessons Learned From Past Efforts

My own experiences from the early days of SOX emphasize the importance of getting the disclosure process right. At that time, I worked as an internal auditor within a large bank that, like many others, was struggling to comply with the new financial reporting requirements. Ultimately, we were one of the first companies to report a material weakness under SOX. The findings led to an SEC investigation, and several senior executives were fired. While the costs of compliance can be viewed as high, the costs of non-compliance are certainly much higher. Audit and risk professionals have learned a lot in the intervening 20 years. To help business leaders prepare for new ESG disclosure requirements, consider the following integrated risk management practices.  

Lesson 1: Use a Common, Business-Specific, Integrated Risk Framework

The number of risk frameworks in use by companies today can serve as a major factor in the lack of overall efficiency and effectiveness. Rather than relying strictly on individual risk frameworks for separate areas of compliance, it is best to adopt a common, business-specific, integrated risk framework that can serve the needs of all key stakeholders. No single framework can cover every situation, but using validated frameworks as a basis for building a single well-controlled process for reporting — both financial and operational metrics — goes a long way to helping your company operate with confidence. External auditors will also better understand your risk and control environment with an integrated framework. 

Lesson 2: Identify Relevant Risk Controls 

When SOX requirements were first issued, many companies identified and tested controls that did not specifically relate to financial reporting metrics. Including non-relevant controls in the disclosure effort slows testing and adds unnecessary cost to the program. When the disclosure team identifies controls to be verified, it is important to document how the controls relate specifically to the reported metrics. While it sounds like a simple exercise, implementing ESG controls can become a very complex and time-consuming task if not done with relevance in mind from the outset. 

Lesson 3: View Technology as an Enabler, not the Total Solution

Technology enablement is critical to disclosure effectiveness, but it does not replace management’s responsibility to design and implement a well-functioning disclosure process. Many organizations will seek technology as a total solution without creating a disclosure process first. Also, it is tempting to buy technology as a solution to a single problem, like climate risk disclosure, without understanding how best to integrate the new requirements. Before considering technology, always define the process first.

Focus on Integrated ESG Reporting

While there will be added costs from new risk disclosure requirements, the biggest lesson learned from SOX is to integrate your risk management efforts for maximum utility and effectiveness. Whether they realize it or not, most companies already have much of the infrastructure in place on which to build a highly successful ESG risk reporting program.

John Wheeler

John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture. Connect with John on LinkedIn.