In response to rising prompts from regulators and internal and external stakeholders alike, more organizations than ever are now focused on environmental, social, and corporate governance (ESG) risks. As audit, risk, and compliance teams work to meet the challenges of identifying and staying ahead of novel ESG risks, they’ll need new ways of thinking — and new tools and tactics — to be successful.
Watch Richard Chambers (Senior Internal Audit Advisor for AuditBoard), Bob Hirth (Senior Managing Director at Protiviti, former Co-Vice Chair of SASB, and COSO Chair Emeritus), Kristen Sullivan (Global Audit & Assurance Sustainability and Climate Services Leader at Deloitte), and Robert Zunt (VP of Internal Audit at U.S. Xpress, Inc.) discuss actionable best practices for companies looking to develop or mature their ESG programs, including:
- Key resources and ways to stay up to date as the ESG landscape rapidly evolves.
- How internal audit and risk leaders can layer ESG components into their audit plans and ERM strategy.
- Key opportunities for audit, risk, and compliance around ESG during the current voluntary phase — and the upcoming mandatory one.
Watch the full conversation, and read the can’t-miss highlights below.
If you are just getting started on your ESG journey, what are some good resources?
“When we come in as external advisors helping a company, regardless of where they are on the ESG maturity, one of our first questions is: “what is the role of internal audit?” There might be different entry points when internal audit gets pulled in, but I think it’s so important as we’re starting to see this emphasis on ESG — climate in particular — the translation that climate risk is financial risk. When you think about the role and remit of internal audit, it’s so critical in drawing that intersection with risk as well as compliance as the market, regulatory, and policy developments continue to evolve.” - Kristen Sullivan, Deloitte
“Thinking about materiality — how do you think about broadening that aperture of information, data, insights that can be brought to bear in terms of evaluating and continuing to put that set of controls around a broader universe of information that might not have historically fallen under a traditional governance structure or disclosure controls and procedures. There’s a huge opportunity to really unpack and better understand where some of these market levers, these market pressures — regulatory and otherwise — how they’re taking shape, and better understanding the applicability to the business while leveraging the tools that already exist today.” - Kristen Sullivan, Deloitte
“It might sound kind of funny, but first, figure out if you actually have an ESG report, and what it says. If you don’t have one, begin to look at what we’ve said about ourselves related to people and the environment. You may find some of that in the risk factors. So first of all, what are you already saying? One of the fastest ways for you to get up to speed is to look at what other companies in your industry are reporting and what leading companies are reporting. Pick companies that you compete with that maybe are bigger than you… and really look at what they’re doing. You’ll learn a lot there.” - Bob Hirth, Protiviti
“A little plug for SASB: If you go to sasb.org, you’ll see the way that SASB has divided the world into 11 sectors and 77 industries. If you’re not already following the SASB Standards, you could go to the standard section and put in your ticker symbol or your company name, it will map you to a sector and you’ll be able to download those standards for free. What you would do with that is say, ‘Okay, if that’s what SASB is suggesting to disclose, do I think we could do that? How hard would that be to do?’” - Bob Hirth, Protiviti
“If you have a story to tell, you can actually borrow money at a lower interest rate through sustainability-linked loans. Now actually it’s in writing, most insurance companies now provide a lower director and officer insurance premium if you’re doing certain ESG things.” - Bob Hirth, Protiviti
“My perspective — especially being in a middle market company, not a large, conglomerate company — is trying to figure out really what your customers are asking for. What kicked our program off is that our customers started asking questions because they’re meeting these ESG frameworks that require you to ask what are vendors doing? How are you shipping your stuff? What is your environment in that scope three? That’s what pushed us to start going down the ESG path.” - Rob Zunt, U.S. Xpress
“The hardest part is really focusing on the value add, right? Obviously we do have some environmental impacts with our trucks burning diesel, running on the roads, doing the mileage, and of course as a company, trying to burn less diesel is just good business practice. But there’s so many different levers to pull when it comes to ESG, what’s that true story? What do we want to go after? Do we want to say that we’re going to be focused on electric trucks? What are the implications and costs of that? Really looking in and diving into those levers.” - Rob Zunt, U.S. Xpress
How should internal audit leaders go about layering ESG components into their Audit Plan? How should risk leaders do the same for their broader Enterprise Risk Management strategy?
“First of all, a COSO plug. We have a document that provides guidance about how to think about these ESG factors and use the ERM framework to help you through that. There’s an executive summary — probably too long for the audit committee because it’s eight pages long, but that’s free. And the full a hundred page document is also available, so, that’s one place to start.” - Bob Hirth, Protiviti
“Do you have a report? What does the report say? What are the big items? I’ve got a strong view that, yes, the controls are really important over time, but if there’s a report out there with numbers, there’s some immediate validation that I think you need to begin to think about if you haven’t already done that. I think another way is to look at your existing reporting. In the 10-K you probably have some risk factors that are related to the environment. How are you covering that in the audit plan? For those of you that have not followed the SASB Standards, you could look up those standards for your industry. The thought process of those standards is those are the standards that through multiple interviews, investors believe are likely to be material items for that industry. You want to start with the big stuff.” - Bob Hirth, Protiviti
“Ultimately ESG needs to be part and parcel of your singular enterprise risk management framework process risk assessment. But if you try to jam it all together, the ESG stuff gets lost and you’re not as good at that. So I’d really encourage you — it sounds a little inefficient — but keep doing your ERM activity, but try to do something separate related to ESG. Now again, if you have a report and the material items have been identified through what people call stakeholder engagement, you have a little bit of your roadmap there. I would say, get some of these materials, do something a little bit separate, look for those most important items, and then begin to get them layered into your overall audit plan and ERM program.” - Bob Hirth, Protiviti
“If you go talk to sales and the different teams, there are probably numbers we’re already putting out somewhere else. Maybe it’s not in our sustainability report, but it’s in our customer surveys or maybe it’s just talking points. Finding those numbers and getting a catalog, that’s what we started building out. Then asking, ‘What do we need to do about those? How are those numbers being calculated? Is it something pulled out of a report? Do we need to look at the systems?’ Then, start putting some objectives around those and giving that value-add: ‘Hey, we’re going to make sure that number’s right every time it goes out.’” - Rob Zunt, U.S. Xpress
“Once you have a command of what information is and isn’t being reported, gain an understanding of the control environment that exists today, that’s where then you can really start to draw insights. The results of your ESG materiality assessment don’t always translate one for one to your enterprise risk assessment. In a lot of cases ESG-related risks manifest as drivers of more traditional enterprise risks: financial, legal, reputational, operational risks. In some cases like physical risk from climate, those risks manifest differently. In many cases, those can and should represent their own line on the risk register because they demonstrate attributes that are unique to other risks, require different responses, accountability, and monitoring mechanisms and data considerations. Based on that entry point and the role that internal audit can play in surfacing insights, that’s where you can really lean into a meaningful discussion around how these factors influence enterprise risk, and then how that really helps to shape and inform the strategy and strategic choices of the organization.” - Kristen Sullivan, Deloitte
“If you really step back and think about what are the business risks around ESG, to the earlier point about ratings and rankings and investors, you get a lower valuation because you don’t have a story to tell, but you’re not telling yours, so you’re worth less. You pay more for your borrowings because you’re not getting these sustainability-linked loans or advantages. Your employees aren’t staying with you as long, or it’s harder to attract them because the competition has a better story, or they have a story that you’re not telling. Your insurance cost could be higher. Rob mentioned that they have large customers. Now, they’re also a public company, but even private companies with large public company clients, there’s revenue implications to ESG… Over time there will be a compliance aspect because there will be an SEC rule or there’ll be a particular regional regulation — so there are plenty of real business risks to ESG.” - Bob Hirth, Protiviti
Looking ahead, what are some of the biggest opportunities for an audit, risk or compliance professional when it comes to ESG?
“I always go back to the definition of internal auditing, which is so good. So my advice, first of all, is to lead and add value. Remember ESG is a new thing. You can be the leader on ESG. You can educate your company. Certainly the risks are important — we don’t want those to occur, and we want to understand their probability and our controls around that. But let’s just flip it to the positive. Look at the opportunity that internal audit has because it understands the business to look at the ESG programs, and suggest why don’t we look at packaging, why don’t we look at having a better story, so we get a sustainability-linked loan? So, for every one of those risks that I listed: lower valuation, turnover, not attracting people, not telling your story — there’s a flip side. I’d like you to think about this as the opportunity for you to lead and to make your company a better business while you’re also thinking about the risk.” - Bob Hirth, Protiviti
“This whole ESG evolution is truly one — if not the — biggest business transformation opportunity of a generation as well as the biggest capital markets transformation in quite some time. When you think about the opportunity to unlock capital within organizations, within the capital markets more broadly, ESG has to be underpinned by governance, high-quality information, a very systematic approach to understanding and prioritizing risks — and the calculated strategic risks that companies want to take. All of that is so foundational to the role of those professionals in this room. It’s just such a tremendous opportunity and I think it requires shifting the mindset from compliance and regulation as a burden to how transparency can drive insights, accountability, and ultimately trust.” - Kristen Sullivan, Deloitte
“On the internal audit side, to me ESG is the same story as when SOX came. People were like, “Oh, this is just a regulatory burden, we don’t want to do this.” People fled, people tried to get out of it, right? But we tried to develop that story of the reason why — not just that we have to have controls for control purposes, but here’s why that control actually helps us. What’s the value we’re going to be able to get from this control? Trying to tell that story. It could be adding value for revenue purposes, focusing on our customer’s needs, but also here’s how we can lower that footprint, which is also cutting cost helping us be more successful as a business. I think that’s what audit has the opportunity to do with ESG in the next year or two because it is very new. We have that time to develop and start telling that story throughout the whole company. Not only at the management level… but telling the story to the people, the staff who’s going to be doing these things! Saying, “Here’s why you’re keeping up with your carbon footprint, with the electric bills — this is why.” Trying to tell that story of why.” - Rob Zunt, U.S. Xpress
“Pretty much everything related to ESG, and the environmental piece in particular, up to this point has been voluntary, but it’s quite clear that that’s not going to remain the case. We’re moving from a voluntary phase into more of a mandatory phase, and that’s where the compliance risks become real… it’s quite evident that we are migrating to a stage where ESG — particularly the environmental, but also the social, justice, equity, inclusion, and governance — it’s all going to become a significant compliance risk going forward. I hope that what you’ve been able to take away from the discussion is that the time for you to start to think about this, get this on your radar, and really start to make some headway is now.” - Richard Chambers, AuditBoard