What‘s Missing and Why It Will Matter
The focus and scrutiny on ESG-related risk and compliance is intensifying across regulatory agencies, fostering strong expectations for organizations to establish appropriate ESG risk and compliance programs. Can you say today that your organization has an effective risk and compliance program for ESG? If not, why?
Here are some common challenge areas where organizations will need to focus in order to build and/or mature their coverage in 2023. KPMG perspectives on each of these areas are discussed below.
A risk framework serves as a cornerstone to an organization’s operations and is a foundational element to effective risk and compliance programs. Currently, the industry is struggling with what should be included in their ESG risk framework. In many cases, the question arises whether “another” policy is needed on top of existing policies that tie within the “umbrella” of ESG and sustainability. An integrated ESG risk framework should coincide with the structure of ESG teams, in many cases a “hub and spoke” with ESG at the center. Frameworks should be inclusive of policies, governance structures, and how to measure and monitor ESG risk. Benefits of an ESG framework include having a clear and transparent strategy to communicate with investors, consumers, and others on the organization’s implementation of ESG/sustainability commitments and, perhaps most importantly, helping to ensure accountability across all lines of defense. Regulators expect organizations to:
Creating an ESG data governance and control framework requires a gradual approach that is consistent and in alignment with the organization’s strategies and existing internal controls. Ensuring data accuracy is vital to financial and non-financial reporting of ESG initiatives—expectations are raised even more with mandatory requirements such as those in the upcoming SEC climate disclosure rule. Organizations face the challenge of not only managing their own data quality, but also that of their vendors. Regulators are holding organizations responsible for lapses in oversight of their vendors and are looking for them to demonstrate accuracy, repeatability, consistency, completeness, and timeliness across data governance frameworks. Risks associated with ineffective data governance controls include:
Regulators expect FS organizations to take appropriate actions including:
ESG risks are interlinked across multiple financial and nonfinancial risk pillars and can potentially impact a wide range of risks throughout the organization, such as:
The draft principles for climate risk management released by the federal banking agencies outline actions that management should take when integrating climate risks into an existing risk management framework, including:
Though the guidance is directed toward large organizations, the regulators (and the FDIC and NY DFS, specifically) have called out the need for small and mid-sized organizations to better understand their climate-related risks, which they suggest may include concentrated business lines and/or geographies.
Notably, the federal banking agencies also name scenario analysis as an important element in identifying, measuring, and managing climate-related financial risks. The FRB has launched a pilot climate scenario analysis with six of the largest banks. The exercise will analyze the impact of separate and independent scenarios for both physical and transition risk on specific portfolios of assets. The FRB will also collect information on the participants’ climate-related governance and risk management practices, including approaches or tools other than scenario analysis used in “business-as-usual” risk management, whether climate risk is included in the “business-as-usual” risk identification process, and whether climate scenario analysis informs the organization’s business decisions. The exercise will likely set more detailed expectations for the industry on strengthening quantitative climate analysis, expanding model capabilities, and establishing governance and risk management practices.
ESG regulations are currently evolving amidst political and jurisdictional discord, creating some uncertainties about future regulatory requirements. This presents a challenge for organizations as they set ESG priorities based on shifting risks and regulatory expectations. Areas of regulatory scrutiny include reporting standards and frameworks, definitions/terms, scenario analysis/stress testing exercises, and third-party oversight. Highly anticipated federal regulations on climate and sustainability, which may introduce some clarity in 2023, are the:
Some of the discord stems from divergent approaches, especially related to climate and sustainability, found in voluntary disclosure frameworks such as TCFD, CSR, and Materiality (such as under GRI and SASB) as well as between state and federal laws and regulations. These divergences can potentially complicate management of ESG risk and compliance programs long after the regulatory expectations are known (inclusive of setting risk tolerances and managing reputational risk). Examples of state/federal differences include California’s law to phase-out sales of new gasoline powered vehicles, and Texas’ prohibition on state agencies, local governments, and state pension funds contracting with or investing in firms that divest from fossil fuel energy companies.
Despite these challenges, regulators expect organizations to:
Considering that the first line of defense is responsible for addressing ESG risks/issues as they pertain to product development, new technology and innovation, the second line (e.g., Risk and Compliance) faces the challenge of anticipating and applying appropriate risk management and oversight of products and services as they are built by the first line even as they begin to set Key Performance Indicators (KPIs) and risk appetite statements and undertake physical risk and scenario analysis. Integration of ESG regulatory expectations into existing risk and compliance programs must take into consideration the activities of the first line. Therefore, effective risk & compliance programs will require enhanced collaboration between both lines at the earliest stage of product development. Recent ESG-related enforcement actions against FS organizations underscore the importance of effective ESG monitoring and internal processes to mitigate inconsistencies in reporting, marketing, and disclosures.
Transition plans, which should align with the organization’s ESG strategy, are an important aspect of the Compliance role in establishing an effective ESG risk and compliance framework. A “good practice” transition plan should cover:
Measures to address material risks to, and leverage opportunities for the natural environment and stakeholders (including customers).