Thoughts on ESG Controls & Reporting
I spent several days last week attending the annual user conference for Workiva, maker of audit and risk management software. ESG was all over the agenda, with numerous speakers talking about how to integrate ESG concerns into your annual audit and reporting. I took detailed notes, and my recap is below.
First, I was struck by the urgency of the matter; one speaker after another stressed the need to make their companies’ ESG disclosures defensible, and to get that done as soon as possible. Partly that’s being driven by the SEC’s forthcoming rule on disclosure of greenhouse gas emissions and other climate risks; and partly it’s also driven by other jurisdictions such as Europe, which already do require ESG disclosures.
But plenty of speakers said ESG disclosures need to be defensible simply because the time to do so has arrived. Too many companies now publish too many statements about their ESG efforts, and too many people consume that information to make all sorts of decisions — everything from where to work, what to drive, what to eat, where to invest your savings, and much more. Making statements about your ESG actions without the data to back up those statements is no longer tenable. Companies cannot afford not to put some assurance behind their statements; it invites too much risk, and the threat of regulatory enforcement is only one.
One speaker, who runs ESG reporting at a large consumer-facing business, put it this way: “The more people talk about it, the more important it becomes, and you need to tie that back to quantitative data to back up what you say.” That’s entirely right.
The good news is that audit, compliance, and corporate reporting professionals aren’t inventing an entirely new wheel here. You already have experience auditing financial data, and the exercise is fundamentally the same: for every ESG statement the company makes, the company needs to tie that assertion back to evidence.
The real challenge here is pulling people into that process who might not be familiar with how auditing and reporting work — and you’ll be working with them to develop new processes to capture ESG data, or new controls to assure that the data is reliable. Contrast that with financial audits and disclosures, where those processes are mature and well-understood from one company to the next.
It’s going to be a challenge of forging new relationships across your enterprise, and thinking innovatively to get data for the ESG actions and statements your company makes.
Some Real-Life ESG Examples
Another speaker walked through the challenges of auditing ESG using the delightful metric of employee hours spent volunteering.
Why would this metric be important at all? Because it’s a recruiting tool; apparently employees who enjoy volunteer work tend to remain with their companies for longer periods. Given the tight labor market these days (especially for skilled workers) and younger workers’ general desire to work at more benevolent businesses, talking about how much time employees can volunteer for favorite causes is important.
OK, but how can the company gather and confirm those hours spent volunteering? How are managers calculating those numbers? Do they just collect timesheets or forms from employees? Are the volunteer efforts team-based projects, where the manager just makes up his or her own estimate?
Volunteerism is a good example of the assurance challenge in ESG, because many companies probably don’t have a rigorous process to document those hours. So the audit leader looking to put some assurance around that disclosure will need to work with the managers to develop a reliable, practical process for doing so. That’s going to require good interpersonal skills; otherwise, those managers running the volunteer projects will dismiss auditors as buzzkills to be avoided. Auditors need to collaborate with those managers, rather than force your assurance needs onto their plate — and that dynamic has dogged the auditing world since long before ESG came along.
“It’s incredibly important to bring those departments along with you,” said the speaker who gave the volunteerism example. Telling those operating teams that “you’re doing it wrong” will get an auditor nowhere fast.
We should also remember, however, that most groups working on ESG-related issues like the work that they’re doing, and want to talk about it. Auditors can seize on that enthusiasm while still explaining the need for controls over what the company is reporting: “We absolutely want to get this data out to the world, but we all know it would look terrible if that data turned out to be wrong. So how about one person enters it, while another supervisor confirms it?”
Not every ESG process will be as happy and harmonious as counting volunteer hours. For example, if you want to implement an automated system to monitor carbon emissions, that might be quite disruptive to the facilities management team. But the more you can collaborate with business units to make their ESG disclosures “assurable,” the better.
Don’t Underestimate the Challenges Here
Another session explored how a company even begins to define the ESG objectives it wants to disclose. The plain truth is that ESG will be a team effort, since ESG data cuts across so many parts of the enterprise. Risk and internal audit teams will still be key players on that team, given their experience in clarifying business processes and controls, but expect lots of conversation and collaboration to develop a consensus on what you’re going to report.
And just how big is that challenge, anyway? One speaker presented results of a survey of more than 1,300 corporate executives. Seventy-two percent of that group didn’t fully trust their ESG reporting, even while 68 percent of them had a specific person in charge of ESG reporting.
I take that to mean they weren’t worried about roles and responsibilities; they had an ESG reporting manager, after all. They were worried about the quality of the data.
One speaker said audit leaders could overcome that anxiety by, for example, leading workshops with operations teams to discuss the ESG issues material to your organization. Ask those operations people how one might test the processes and data around those issues. (Bring along a consultant if necessary, especially for challenging issues like greenhouse gas emissions.) This is an especially good idea for younger companies that perhaps don’t have mature reporting processes yet.
Another speaker also stressed the importance of data governance, which is no easy thing for ESG reporting. You’ll have more types of data to report, both qualitative and quantitative; and that data might be generated either internally or externally. That’s a lot more complex than financial audits, which are primarily about income, expense, and asset values.
The questions for data governance, however, remain the same. How do you manage external and internally generated data? How do you validate it? How do you access it when you need it? How do you destroy it when you no longer do?
“People think there’s some magical new way that you look at ESG data,” the speaker said. “No. It’s the same as how you look at financial data.”
In other words, with a lot of hope — and a lot of skepticism.
(Disclosure: Workiva does pay me to write about internal control issues from time to time, and paid for me to speak at its Amplify conference. Workiva did not, however, pay me to write this post or review it prior to publication. The company paid me to attend Amplify and talk about cybersecurity.)