Environmental, social, and governance (ESG) is a topic that has catapulted to the forefront for many community, government, and business leaders. So how is the internal audit profession responding? Unfortunately, many are giving it scant attention. While some internal audit departments have responded with increased focus on ESG, many seem to be taking a “go slow” approach with the idea that there is plenty of time to address these risks.
Why Should Internal Audit be Concerned About ESG?
ESG is a broad concept. Some aspects of ESG gained attention years ago (e.g., environmental risks like contamination), others are top of mind now (e.g., climate change, social equity), and others are yet to fully mature. A recent article by McKinsey states it well: “Long-term-oriented companies … typically rely on (ESG) initiatives to address the needs of a range of stakeholders. In doing so… they stand to improve revenue growth, reduce costs, optimize investment decisions, improve employee productivity, and reduce regulatory and legal interventions.”
No matter how ESG is viewed, no one can reasonably deny that what was once a topic that many saw as far over the horizon is now presenting clear and present risks. It is a topic that brings a lot of uncertainty to an organization, and organizations must find their optimal way to manage that uncertainty.
Internal Audit Not Seeing the Risks?
Has internal audit identified this uncertainty as a risk area? In recent surveys of internal audit leadership such as the ECIIA’s annual Risk in Focus report, the large majority regards ESG risk as low for their organization.
In reality, however, ESG is complex and its inherent uncertainties bring a myriad of very identifiable and tangible risks. Internal audit should consider how well management is addressing these risks. For example:
- Does the organization have a well-defined universe of business and strategic objectives that ESG risks could serve to undermine?
- Will organizations identify the key ESG concerns, or only the ones for which they have data that presents a good story?
- Is the right data collected to assess and manage ESG risks, or only the data that is easily available?
- Is the data collection process robust so accurate and comparable information is consistently available to management and other stakeholders?
- Does reporting highlight all aspects of ESG performance, or only those that reinforce positive messages?
Imperatives for Change in Internal Audit’s Focus on ESG Risks
Internal audit has long brought value to an organization by focusing effort on important emerging risks. Unfortunately, we seem to be slow responding to ESG risks. Internal audit’s efforts devoted to ESG are significantly less than the assessed magnitude of the risk, creating a gap that is not sustainable. We need to get off the bench and engage — now.
We can start by focusing on the following:
1. Learn about ESG.
Internal audit will never be effective unless we know the subject matter we are addressing. Without trying to be ESG experts, we need to be fully informed on the topic and related risks. There is a wealth of information to review. Digest it and become conversant on how ESG affects your organization and why.
2. Coordinate with other functions.
Risk management, compliance, human resources, legal, and others should also be exploring ESG issues. Seek out these other parties to leverage knowledge and brainstorm ideas for the organization to best address the risks.
3. Convince the Board and management that they need internal audit to address ESG risks.
Some board and management personnel may not want to address long-term issues like ESG when short-term risks seem more pressing. Once you have the knowledge, engage in discussions about the importance of long-term risks like ESG and practical ways internal audit can help the organization. Internal audit is best positioned to objectively assess how well the organization is handling ESG risks, and to provide assurance to executive management and the board as appropriate.
4. Carefully assess the processes in place to manage ESG risks.
Are risks being identified, are they being comprehensively assessed, are responses to the risks considered and implemented when decided, is reporting related to these risks accurate and consistent, and is the culture espoused by management helping to ensure this is taken seriously by the organization? Assurance regarding ESG is currently very spotty. Internal audit can help management and the board in their oversight roles on the effectiveness of ESG risk management.
5. Execute, Reflect, Repeat.
The ESG landscape is changing quickly. Different aspects of ESG will have different levels of importance over time. That is often the nature of emerging risks. Don’t wait until you can be perfect in all aspects of ESG to start. Explain to your stakeholders you are engaging now, but coverage will be improving and expanding over time. Then start where you can, but build in continuous improvement.
ESG is similar to another topic from not too long ago. Cybersecurity has been identified as a key risk area for several years. In late 2017, most internal auditors considered cyber a high-risk area (see 2018 IIA Pulse report), but devoted less than 10% of their effort to it. Since then, cyber risk has proven to be one of the largest issues for many organizations to handle. Internal audit saw the risk years ago, but spent very little time on it. Let’s not let this happen again with ESG.