As we move closer to mandatory environmental, social and governance (ESG) disclosures for organizations, the role of the audit committee in overseeing this reporting will become more critical. But, like the Canadian CEOs who, in the latest KPMG CEO Outlook, indicated that frequently changing regulations present the greatest challenge to delivering their ESG strategy, audit committees will face—as their first and perhaps most daunting task—the need to keep up with these regulations.
As with any reports that are released publicly, the audit committee may have a fiduciary duty to ensure that ESG reporting is complete and accurate, and will need to monitor the treatment of ESG disclosures by their organizations. They will also need to approach ESG reporting as they do financial reporting: pushing for data integrity, assessing the ESG strategy and keeping in mind the three lines of defense.
Mandatory ESG disclosures are coming
KPMG’s Survey of Sustainability Reporting 2022 found that 94 per cent of Canadian companies surveyed report on their sustainability efforts (up from 92 per cent in 2020). There are currently no legal requirements for companies to make ESG or climate-related disclosures in Canada, so what companies choose to report and how they report it is largely voluntary. But change is on the horizon, with requirements coming from several regulatory bodies that will make ESG-related reporting mandatory. Most of these requirements will be related to climate and will dictate what organizations must report, how it’s to be reported and the timing of that reporting.
The coming regulations vary by jurisdiction and industry, so there’s a lot to keep on top of. The Canadian Securities Administrators (CSA) released draft climate-related disclosure guidelines in October 2021, followed by the U.S. Securities and Exchange Commission (SEC) in the winter of 2022 and the International Sustainability Standards Board (ISSB) in the spring of 2022. The ISSB guidelines are broader, providing a framework for sustainability-related disclosures and more specific requirements relating to climate, and the CSA has since taken a step back and is re-examining its requirements. We expect the final product to better align with those of the SEC, to maintain the drafted exemption for Multijurisdictional Disclosure System filers. However, there is still a lot unknown and most respondents to the SEC and ISSB’s recent climate proposals acknowledged that alignment of requirements between frameworks was a high priority.
The Office of the Superintendent of Financial Institutions (OSFI) released draft guideline B-15: Climate Risk Management in the spring (the final version is expected in Q1 2023) that details climate-related reporting and disclosure requirements, while also mandating that federally regulated financial institutions incorporate climate-related risks into their risk management processes. The expectation is that the reporting and disclosures will reinforce better practices for incorporating climate-related risk into the pre-existing risk management processes.
It’s anticipated that over the coming year some of these bodies will release finalized requirements or updated proposals that will be subject to comment by external shareholders. The ISSB is aiming to finalize its standards in early 2023, but no existing regulations or legislation will make ISSB reporting requirements applicable to Canadian organizations.
Regardless, Canadian organizations will want to pay attention to what’s becoming the international standard. Even if this standard isn’t immediately or directly applicable, it will be a bellwether for how other regulations will be shaped—or it may be ultimately adopted. OSFI, for example, has cross-referenced the ISSB regulations in forming its own.
In organizations where ESG falls under the purview of the audit committee, one of the biggest challenges the committee will face is staying on top of what the requirements are and what stage impending regulations are at. This means keeping abreast of what is drafted, what’s out for comment and what’s due to be implemented. Audit committees will want to ensure that management is tracking this and, depending on the risk profile of the organization, may want frequent communication with the executive who oversees ESG.
ESG disclosure as a strategic advantage
There are strategic reasons for organizations to report on ESG even if they’re not legally compelled to do so. ESG is a differentiator, presenting opportunities for organizations that leap ahead of their peers. For example, these organizations may find it easier to access capital as investors seek out companies with public commitments to ESG principles and away from those that are silent on ESG.
A commitment to ESG can also make a company more competitive in attracting and retaining talented individuals in its workforce. We see increased interest in ESG from current and future employees, who want to know what their employer or potential employer is doing regarding ESG and may choose to work for a more ESG-conscious company over one that is less so.¹
Some companies report on ESG because they’ve made highly publicized commitments to certain targets and need to hold themselves publicly accountable for their progress against those targets (e.g., net zero, indigenous reconciliation, biodiversity and human rights). Some have joined ESG-related organizations or become signatories to group principles, initiatives, or pledges. For example, banks that sign on to the UN Principles for Responsible Banking must publish a disclosure statement detailing how the bank is complying with those principles. And investors that are signatories to the Operating Principles for Impact Management agree to operate their funds in accordance with the principles and make disclosures around their adherence. Audit committees should be sure management is keeping them apprised of which ESG disclosures the firm is making and why.
Getting ready for disclosure
Once requirements are finalized, the timeline for implementation will be short. Organizations need to anticipate this implementation, not react—or they will be too far behind. The first step in preparation for coming mandatory disclosure requirements is to ensure that everyone in the organization receives the appropriate amount of training and education on material ESG topics and, more specifically, what the organization is trying to achieve with its initiatives. The next step is to put governance systems in place, or modify existing systems, to ensure the appropriate control and oversight over what is being reported―like those in place for financial reporting.
Finally, with respect to climate-related disclosures, it’s important to have a thorough understanding of the organization’s carbon footprint. This includes examining direct and indirect sources of greenhouse gas emissions throughout the value chain, such as emissions that occur from sources that are owned or controlled by the company, upstream sources such as purchased electricity and employee commuting, and downstream sources such as the organization’s investments and additional processing of products sold by the organization. Audit committees will want to ensure that management is properly assessing the carbon footprint throughout the value chain and putting robust processes in place to monitor this footprint.
The challenge of data
One of the biggest challenges organizations face with ESG monitoring and reporting is procuring the appropriate data. In many organizations, different business units have implemented their own systems for collecting and reporting data and these tend to be less formal and less mature than financial reporting systems and controls. Some organizations are now trying to implement organization-wide systems, processes and controls for ESG data collection, which includes reviewing what data needs to be collected and how it will be managed.
Audit committees should be asking management how ESG data is being collected, measured and reported. They may be able to offer advice and leadership given their knowledge of the control systems and processes used for financial reporting. Many organizations, for instance, have standalone ESG teams that are responsible for ESG-related reporting but lack expertise around design, implementation and operation of internal controls over non-financial data. This will become increasingly important as organizations start to seek limited or reasonable assurance, or start down the path toward integrated reporting.
The three lines of defense
When audit committees are questioning the management team about systems and processes, they need to be thinking about—as they do with financial information—the three lines of defense:
- The first line often involves operations or standalone ESG teams, focused on delivery of products and/or services, but with a key role in collecting, measuring and reporting ESG-related data;
- The second line deals with providing assistance with risk management; and
- The third line involves providing independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management.
In doing so, audit committees need to consider whether assurance from other internal or external providers is required, or prudent.
External assurance is a journey
Organizations consider a variety of drivers when seeking external assurance (e.g., peer benchmarking, confidence in public disclosures or filings with ESG rating agencies, preparation for external assurance mandates, and lender requirements relating to sustainability-linked loans).
However, unlike systems for financial reporting, systems relating to non-financial reporting are often less mature and less formal, lending themselves to increased risk of error or fraud and therefore assurance findings. Leading organizations are engaging early with external assurance providers to ensure they are ready for assurance well before the assurance requirements become effective.
It could be said that all ESG data collection and reporting is a journey. Audit committees, by offering their experience in governing financial reporting and the related systems and controls, have much to offer their organizations along this journey.
Questions audit committees should be asking
- What ESG disclosures will become mandatory and when?
- Do we have a process in place for monitoring and communicating changes in regulations?
- How are we preparing the organization to be compliant with the new disclosure requirements?
- What process and controls do we have in place to ensure the integrity of data collection and reporting?