An ounce of prevention with a side of detection

This post was originally published in collaboration with Nishitha Parial, who has since moved on from her role at KPMG in Canada.

In our previous posts, we discussed various schemes such as greenwashing, bluewashing, and other ways fraud may manifest in an Environmental, Social, and Governance (ESG) context, as well as how, even despite the best of intentions, fraud and misconduct may arise when the elements of the Fraud Diamond align. It’s now time to look at how organizations can prevent and detect ESG fraud and misconduct.

It’s clear that a brighter spotlight has been directed at corporate ESG practices and reporting. With it comes increased expectations and pressures as stakeholders elevate the importance of ESG on their agendas. Boards and executives are closely scrutinizing their organization’s ethics and compliance programs for ESG integrity and to protect stakeholder trust—breaches of such trust can lead to fines, penalties, reputational damage, loss of investor confidence, litigation, financial damages, and ultimately loss of the social license to operate.

An effective strategy that proactively manages fraud-, ethics- and compliance risk throughout the organization can create a strong foundation to help organizations establish and maintain trust with their stakeholders as ESG expectations—and practices—evolve. This foundation should consist of both preventive and detective measures.

Programs intended to prevent or reduce risks should be designed to help corporations and the individuals responsible for ESG efforts focus on identifying and assessing potential risks, evaluate relevant controls, and set the tone at the top for ethical behaviour. When designing or assessing current prevention programs and/or expanding them to consider ESG-specific misconduct risks, organizations should consider the following, in accordance with COSO’s Fraud Risk Management Principles:

Control environment

• Is management setting an appropriate the tone at the top to emphasize the importance of ESG integrity?
• Does that message translate down to frontline employees?
  

Risk assessment

• Does the organization’s risk assessment consider ESG misconduct risks and schemes (such as greenwashing) or potential violations of regulatory or voluntary commitments (such as use of government funding or carbon neutral promises)?
• When weighing these risks, is consideration given to non-financial measures such as loss of social license to operate?
  
• How well does the organization know its third parties, who may be providing the organization with ESG data, or conducting business on the organization’s behalf?
  
• Are there activities exposing the organization to risks such as bribery and corruption, money laundering, modern slavery, or other human rights issues?
  

Control activities

• Do the policies, procedures and internal controls cover new risks related to ESG concepts?
  • For example, do the controls cover risks in the supply chain (such a bribery and corruption), non-financial disclosures (such as ESG metrics), and human resources (such as human rights issues)?
• Is there appropriate oversight over ESG anti-fraud controls?
  
  • While the finance function may have well-established internal controls, the responsibility for ESG metrics may sit with functions that do not have this discipline, such as investor relations, marketing, legal and/or operations. The responsibilities should be clearly defined and assigned to the appropriate functions who can provide good governance.
    

Information and communication

• Does the organization communicate clearly and on a regular basis the expectations of its employees related to upholding ethical standards?
• Are employees sufficiently trained to understand these expectations?
  
• Are there channels of communications in place that ensure the appropriate individuals obtain information regarding potential ESG fraud in a timely manner?
  

Monitoring activities

• Is the organization using technology (such as data analytics, discussed below) to proactively identify fraud risks before they happen?
  • For example, non-traditional data approaches such as web analytics and sentiment analysis can be used to scrub the web for public opinion on a corporation’s ESG efforts and may point out reported issues/concerns that should be addressed.

• Being aware of “red flags,” such as:
  • “Too good to be true” ESG metrics that consistently exceed or meet targets exactly
    
  • Unexplained or unusual changes in how metrics are calculated or measured
    
  • Unbalanced or vague reporting of metrics.
    
    
• Using technology to identify unethical conduct. Data analytics can be an effective tool to detect fraud risks or incidents in a timely manner. Here are some tips to make the most of it:
  
  • The data collection methodology should be consistent and able to collect data at the right points in order to preserve data integrity and fidelity, reduce any assumptions made in calculating ESG metrics, and drive proactive risk-based analytics in the risk management program.
    
  • The more structured and clean the data is, the better. For example, well-structured data can reduce the time required to ensure it is complete and error-free.
    
  • The power of data analytics can be used to analyze 100 per cent of a population, not just comparatively small samples. This allows a more fulsome view of transactions and increases confidence in analyses.
    
    
• Using hotlines and whistleblower mechanisms. Mechanisms like these can help to ensure individuals responsible for governance are alerted to potential ESG misconduct so that they can respond appropriately. Note that confidential internal reporting channels can enable greater
  organizational control compared to scenarios where a whistleblower has reported concerns externally. This is especially important in the age of social media where public opinion can change faster than you can say “ESG.”
  

As organizations go through their ESG journey, the best approach to take is a balanced one. Avoid exaggerating progress for all the reasons we’ve explored, be mindful of the red flags, build the risk safeguards and stay transparent about where gains are made and where room for improvement still exists.

Now that we’ve covered prevention and detection, stay tuned for our next post, in which we’ll discuss items to consider should the time come when your organization must investigate a case of ESG-related misconduct.