The Society of Corporate Compliance & Ethics hosted its 2021 annual conference last week, and the agenda addressed all sorts of topics relevant to corporate compliance professionals. Everywhere you turned, however, one question seemed to worm its way into the conversation.
Should the compliance function also own ESG reporting?
Some people are an emphatic “no.” Compliance officers are already buried under so much work, they say, and adding a burden as significant as ESG reporting will just break their back. ESG is still too new and immature a field, others say, and compliance officers can’t divert precious time and resources from immediate duties running an actual compliance program.
Those objections aren’t wrong, but I do believe they’re misplaced. Those are tactical, short-term obstacles the compliance community needs to overcome, but that’s all they are: tactical, short-term obstacles. Eventually they can (and probably will) be solved. Then what happens?
Then we’re back to the original question of who should own ESG reporting. Compliance officers should get ahead of that question now, before other parts of the enterprise answer it for them.
My take on the question is this. ESG reporting is fundamentally about reporting non-financial metrics of business activity, to help stakeholders understand the overall performance of the enterprise.
Well, that is what compliance officers already do. They report non-financial metrics of internal reporting, third-party oversight, and corporate culture to the stakeholders otherwise known as the board and regulators. Is it really such a conceptual jump that compliance functions could broaden their reach to other non-financial reporting issues, for the stakeholders known as consumers, employees, and investors?
It seems to me that the compliance function is the obvious best candidate to pick up ESG reporting as well — even if that means our traditional concept of the corporate compliance function evolves into something larger.
Or, ESG Framed Another Way…
Another way to frame the debate is this: If compliance doesn’t own ESG, who does? What other part of the enterprise would be the better natural candidate?
Just about every other function that might be a plausible candidate doesn’t have enough experience to make it the better candidate. Consider:
- Legal. Sure, the legal team can craft contracts to compel ESG disclosure from suppliers, and can draft internal policies that satisfy any ESG regulatory compliance obligations. But it has little experience assessing controls and practices to see if those policies actually work.
- Internal audit. Ummm, no. Internal audit could test controls and assess risks, but it has no experience drafting policies or contracts. Moreover, putting internal audit in charge of ESG would ruin the function’s independence.
- HR. Also no. HR might excel at the “S” part of ESG, crafting policies and running processes to navigate human capital issues, but it has no experience with the “E” and “G” issues.
- Procurement. Procurement might be excellent at managing the ESG issues in your supply chain, but it has no experience running internal policies and procedures for ESG within your own business. This also assumes that you actually have a dedicated procurement function; many companies don’t.
- Investor relations. Some people out there say that since ESG reporting is about disclosure, the IR team could run this just like publishing an earnings report. That’s not how it works. IR doesn’t run the finance function; it passes along whatever reports the finance and legal functions generate. The same applies for ESG.
The only other plausible contender to manage ESG is some sort of enterprise risk management function. If that function is properly structured, and it’s led by people with the right experience — yes, a risk function could manage ESG and its attendant reporting duties. It could work with all those other functions mentioned above, to pull together the right mixture of supply chain risk management, policy development, control testing, risk monitoring, and stakeholder reporting to get the job done.
But isn’t that what a properly structured and resourced compliance function already does for compliance risks?
The Other Question to Consider
My fear for corporate compliance functions is this: if they don’t take over the ESG function, and your large enterprise therefore develops one separately, couldn’t that ESG function eventually take over corporate compliance?
After all, the “G” in ESG stands for governance, which is all about assuring that the business conducts itself properly. The specific issues that could fall into the G category include adherence to anti-corruption laws, accurate regulatory filings, proper disclosure of potential conflicts of interest, anti-retaliation policies, and the like.
So if a chief ESG officer is nominally responsible for all that, for both internal operations and the supply chain, wouldn’t that mean the compliance function reports into that person? Because all that stuff is what you do already. The corporate compliance function as we know it today would become, essentially, a deputy to the chief ESG officer responsible for the governance issues.
My contention is just that compliance officers run that play in reverse: “We already have the governance stuff in our purview; and we’re already versed in developing processes to capture data for regulatory reporting; and we understand how to perform due diligence on third parties for anti-corruption. So let us take over the E and S parts too.”
That’s an argument you could make to the C-suite and the board. It’s about leveraging the compliance function’s natural skills to paint on the larger canvas that ESG represents. It would also be an effective strategy to position yourself for future advancement, perhaps to a chief operating officer role or something like that.
The bottom line is that there’s opportunity in ESG. Compliance officers might as well take advantage of it before someone else does.