In the dynamic realm of modern business, technology plays a crucial role in seamlessly integrating ESG considerations into strategic processes. This integration ensures reliable reporting, robust data governance and a transformative leap in ESG assurance. Simultaneously, existing financial reporting structures provide a solid foundation for expanding into non-financial measurement, reporting and risk management.

Companies everywhere are transitioning to more sustainable business models to lower their carbon footprint, reduce waste and pollution, use fewer precious resources and recycle products, parts and packaging. They're also embedding diversity, equity and inclusion into the workplace so that all workers are treated fairly and humanely.

Such practices should help sustain the environment, make organizations more resilient to climate change and geopolitical tensions, and more attractive to investors, customers, employees and job seekers. There is also increasing pressure to report on ESG performance to comply with regulations and satisfy investors, consumers and the media. Regulators and capital markets now expect non-financial reporting to meet the same high standards as financial reporting.

Technology plays a vital and increasing role in the ESG evolution, driving strategy, operations, reporting and controls, and governance. Some of the accompanying transformation projects are huge, as companies convert to renewable energy, re-design manufacturing to become more circular, and re-configure supply chains to become more sustainable and adaptable.

According to technology leaders surveyed in the KPMG Global Tech Report 2023, ESG is their companies' top technology innovation priority. ESG data is at the heart of this transformation, enabling companies to track their ESG progress, disclose accurately and on time, and, crucially, manage risks such as data privacy, security, reliability and non-compliance.

You can’t improve what you don’t measure

Measurement and reporting are crucial in implementing ESG into operations, and there is a vast and increasing number of metrics.

For ‘E’ (environmental), these include carbon emissions (internally and across the supply chain), energy consumption (renewable versus fossil fuel), usage of resources like water and minerals, waste, and recycling rates of materials, both in operations and in products. From an ‘S’ (social) perspective, organizations need to measure workforce diversity, salary equity, labor practices (again, including suppliers), and employee health and safety. Finally, for ‘G’ (governance), it’s all about governance structure and practices, encompassing board diversity, ethical business practices, executive compensation, and shareholder rights.

Half of the respondents to the KPMG Global Tech Report 2023 say expectations of ESG transparency are driving their transformation efforts.

Many key decisions will be based on ESG metrics, aided by real-time insights, including predictive analytics that might tell you whether you will likely meet a particular target. However, establishing processes for collecting, analyzing and verifying data is a considerable challenge, especially when it comes from outside the organization via third parties. For example, a robust report should show if your organization works with non-sustainable suppliers.

Companies should also be confident that data is complete and accurate enough for internal decision-making and external regulatory reporting.

Keeping on top of regulatory change and assessing its impact

ESG regulations are a major driver of corporate decision-making, affecting every part of the company. The first step in managing ESG risks is to assess and quantify the prevalence of these risks. Which business processes are most exposed to ESG risks? The compliance and risk functions should hold a discovery exercise with relevant business teams to determine how ESG regulatory change might affect the organization’s current technology and the kinds of metrics to be reported. While adhering to ESG regulations is critical, this is a minimum expectation, and the control framework needs to be more robust and accommodate newer and emerging risks.

With a clearer understanding of data requirements, the company should be in a better position to enhance its existing risk and controls frameworks, invest in appropriate new technologies and redesign or improve processes.

Managing risk through processes and controls

ESG-related risks have the potential to affect multiple areas of an organization beyond the ESG realm. The ESG risk universe overlaps with that of operational risk, technological risk and even overall enterprise risk.

The risks of failing to track and report ESG performance are significant. Take HR, where companies need to have checks against bias in recruitment, promotion and pay. It’s a similar story with climate change, where reliable measurements of carbon emissions are required to compare against targets and benchmarks. Suppliers, meanwhile, need to be carefully vetted and regularly checked to confirm they aren’t using child labor or polluting their local environment.

In addition to the scope of ESG itself, various external and internal stakeholders are involved, including governments, regulatory bodies, shareholders, customers, employees and the public. The impact of ESG risks is far-reaching and cuts across most business areas, functions and the three lines of defense. While the quantum effect may vary, it does necessitate immediate and urgent action by senior management to design a robust ESG controls framework to mitigate these risks.

Installing controls helps reduce the risk of getting metrics wrong and, crucially, provides a defense that the organization made adequate provisions to avoid such errors. These controls should test the systems that provide data and show that access protocols are sufficiently secure to protect against hacking and data theft.

The risks of non-compliance with regulatory requirements, in particular, are significant in terms of potential penalties and reputational harm. And, with third parties forming part of organizations’ ESG obligations and commitments, technology can help manage associated risks, using inbuilt checks for due diligence, onboarding and ongoing monitoring — and a safe exit once the relationship has terminated.

Another critical element of controls is auditability: the ability to trace data flow from end to end. When combined with internal and, ideally, external, independent assessment, the organization can demonstrate that it manages ESG risks effectively.

Don’t reinvent the wheel

Of course, companies have been refining their financial reporting for decades, and ultimately, non-financial reporting should become part of the same process, offering a 360-degree view of corporate performance. Existing financial systems have evolved to a high level of maturity and are subject to external audit and regulatory scrutiny.

Almost three-quarters of respondents to the KPMG Global Tech Report 2023 are confident they can progress their near-term ESG ambitions using their existing technology stacks. Financial and non-financial reporting systems need to be interoperable and ‘talk’ to each other. One example is using the same data and analytics tools to track performance, manage reporting and identify improvements. IT leaders should be thinking about how they can integrate ESG into business processes and adopt relevant new software tools.

Given the complexity of existing regulations and the constant introduction of new ones, there is a great opportunity to build technology solutions that can help meet multiple regulatory requirements and be used across different processes, systems and geographies.

However, it’s a mistake to think this is just a technology challenge. Building strong controls involves a joint effort from IT, ESG/sustainability, finance, operations, compliance, legal, product development, HR, and sales and marketing. The CIO should be involved from the start.

Setting good governance from the outset

ESG is a board-level issue that can determine a company’s competitiveness and reputation, so sponsorship — ideally from the CEO — adds appropriate weight and momentum to embedding sustainability and social goals into mainstream business strategy.

This calls for an understanding of both ESG and the underlying technology to drive a sustainable strategy and operations. An internal control team may be able to lead the framework design and help re-design processes to incorporate ESG metrics and reporting.

The four key steps towards a strong control system are:

  • Development of an ESG strategy.
  • Design and implementation of processes, systems and controls.
  • Measuring, reporting and monitoring of ESG assurance activities.
  • Enabling ongoing continuous improvement activities in your business.

Navigating key ESG considerations

Organizations should systematically address pivotal ESG considerations to refine their sustainability approach. These inquiries encompass:

1. What are the primary ESG risks and opportunities for your company?
2. Which ESG standards and frameworks is your company using?
3. What specific information are ESG stakeholders seeking, and how is the company addressing these requests?
4. How does the company stay informed about new and emerging regulatory assurance requirements?
5. What methods does the company employ for collecting ESG information?
6. What policies govern the company’s data collection processes?
7. What safeguards are in place to ensure the reliability and accuracy of ESG information?
8. What additional resources are necessary to implement new ESG processes and controls?

Successfully navigating these aspects enhances understanding of the ESG landscape, reinforcing a commitment to transparency, sustainability and effective risk management. Obtaining thorough responses to these questions is imperative for shaping a strategic approach and ensuring compliance with evolving regulatory frameworks.

Global contributors

We would like to acknowledge the valuable analysis, insights and production contributions of colleagues around the world.

Nehal Jilka
Partner, Tech Risk
KPMG in the UK
Annapurna Alladi
Partner, Digital Trust
KPMG India
Jeremy Fages
Director, Connected Tech
KPMG France
Mallika Chandra
Global Program Director
IT Internal Audit
KPMG India
William Dokko
Principal, Technology Risk
KPMG US
James Patten
Managing Director, GRC
KPMG US
Anupama Paniker
Senior Manager, GRCS
KPMG in the UK
