Building an ESG controls framework

ESG – right from the start? In this blog we explore the value of an effective controls framework for Environmental, Social and Governance (ESG).

Finance, Sustainability and Controls leaders questioning the adequacy of their control frameworks should not feel alone. From recent discussions with these leaders, it appears that many are at the beginning of their journey when it comes to ESG controls and are still reliant upon general controls, which have not been extended to address ESG risk specifically and provide limited coverage, if any at all. When embarking on a controls transformation it is critical to ensure the sufficient prioritisation of ESG controls. Why? Read more to find out.

Why should an ESG controls framework be prioritised?

There have been significant changes to the regulatory landscape, for example the introduction of the Corporate Sustainability Reporting Directive (CSRD) and UK Corporate Governance reform. These are key drivers for many businesses and require them to revisit their controls frameworks.

Looking beyond regulatory pressures, investor confidence, and stakeholder confidence more broadly (including consumers), is increasingly dependent on accurate and robust ESG data. Also, businesses wishing to access finance or involved in deals must be ready to withstand diligence on their ESG data, or value will be lost.

This means that effective ESG controls frameworks are not only crucial in managing ESG compliance and obligations in a robust way, but there is a direct link to value generation and investor and consumer confidence.

What does an ESG controls framework look like?

An ESG controls framework needs to take into consideration multiple ESG metrics, some of which may require consolidation from several thousand data points, sourced from individuals, spreadsheets and systems owned across the organisation, and potentially outside of the business.

A key concept here is that of double materiality, where both the impact of the business on its environment and of the environment on the business need to be considered. Double materiality for ESG is a key concept introduced in CSRD and is a significant focus for many businesses. For a more detailed view on CSRD, see our insights piece "CSRD – A simple step-by-step guide".

As for any controls framework, an ESG framework must still:

  • be designed and prioritised based on materiality and a detailed knowledge of the processes and their risks;
  • be underpinned by clearly defined processes and well controlled technology;
  • have been embedded appropriately including any necessary training; and
  • be subject to routine testing to be sure they are operating in line with expectations.

Technological solutions, including leveraging existing technologies and ERP where feasible, should be considered as an alternative to spreadsheets, as they may more appropriately handle the pervasive nature and volume of data.

Where to start?

In our conversations with Finance, Sustainability and Controls leaders around ESG controls frameworks, we’re often asked: where do we start? As always, start with risk. Controls should be designed to mitigate where things can go wrong.

You need a thorough understanding of the risk and what is important to your stakeholders, and clear responsibility and accountability for the teams and individuals who will collect, process, and report the data. This will support the determination of:

  1. what to control,
  2. how to control, and
  3. how to assure.

As with any risk, in addition to materiality, the relative prioritisation for implementing controls may be impacted by organisational priorities; transformation programmes; knowledge or experience gaps in those operating processes; limitations in IT systems or software; and existing and upcoming regulations. There is lots to consider.

Supplier data – ESG control example

To bring this to life, here is an ESG control example around supplier data and emissions reporting.

As a result of emissions reporting, some businesses require suppliers to routinely provide them with emissions data. For most organisations this represents a risk in terms of data accuracy and reliability, which could impact the reputation of the business if reported on incorrectly.

There are key controls at play here, which will be dependent on factors such as the nature of the business, the materiality of the supplier to the organisation and the relative supplier risk. However, the controls we would expect to see include: a clearly defined process for the routine checking of supplier data, including access to independent assurance reports, and as part of due diligence; clear guidance around breach identification and reporting as well as minimum standards and protocols where standards are breached; and a technological solution to capture data direct from supplier source systems.

Some of these controls are likely to be owned by the CFO and operated by the finance team on a routine basis, but the success of these controls will depend on appropriate design of the operational processes managed by the procurement team, for example ensuring that contract provisions allow for regular access to scope 3 data. The finance team will want to work closely with the Head of Procurement to define an appropriate materiality threshold so that focus is on timely access to data and on the reliability of data, examining the most important suppliers. The finance team is also likely to need to provide training to the procurement team so that there is a clear understanding of why certain aspects of the onboarding process may need to change.

Are controls operating effectively?

As with any controls framework, the final stage must always be to undertake assurance activities to assess whether the controls are operating effectively, to establish an ongoing testing strategy and to promptly remediate deficiencies. This will help gauge whether a control is failing and if that failure is likely to result in a risk event occurring, going unnoticed or being managed incorrectly. Without this final stage, the benefits of the control may be lost.

We hope this blog has been helpful in outlining the value of an effective ESG controls framework and highlighting why it’s so important now for organisations to be prioritising ESG controls – mostly due to regulatory pressures from CSRD and the Corporate Governance Reform. And finally, we hope it is reassuring to see that your approach to creating an ESG controls framework is similar to the approach for any other control, but perhaps brings in more stakeholders across an organisation.

Please get in contact with us if you would like to discuss any topics covered in this article, or to find out more about our diagnostic and ESG Controls Framework.