AuditBoard Research and a growing ESG set of requirements/risks

ESG (Environmental, Social & Governance) reporting is a becoming a growing concern for HR, Supply Chain, IT and other executives. Let’s also add Chief Risk Officer, Legal and CFO to that list of executives. 

Why?  Companies can face a number of litigation risks, disclosure requirements, shareholder suits, and more for their failure to identify, remediate and/or reduce their firm’s real and complete exposure on a number of fronts. The low level of preparedness and documentation from many companies today is no longer acceptable.

But the real problems start when companies report a set of metrics regarding factors like sustainability that are not consistent with their actual situation. This happens when companies use dubious data or selectively choose which metrics to report vs. which ones they consciously omit from these disclosures. 

Now that European standards are stiffening up and that the US’ SEC may soon impose a number of disclosure rules on corporations, firms must disclose their situation and the risks they face. For example, if a company’s stock trades at, say, $40/share today, what would it trade at if shareholders knew the company had a major environmental and liability exposure due to its decades long use of forever chemicals? Chances are the stock price might fall materially as shareholders would discount future earnings to cover the cost of remediating this environmental issue. 

Beyond environmental challenges and reporting requirements, there will also be requirements for documenting a firm’s use of suppliers that may be restricted entities, use slave labor, fail to pay liveable wages, etc. The number of elements to be tracked and reported will be large and many of them will not exist within a firm’s ERP databases.

Regardless of ESG regulations, companies face economic and reputational risks and damages when they get caught violating the public trust, pollute, aid in the exploitation of others, etc. Ignorance of these risks is not a defense.

Regulations are changing as governments want to see more than financial data so that investors can better assess the true condition of an investment. That means financial and non-financial data will be subject to similar, exacting standards. 

How bad is the status quo?

Short answer: bad. Too many firms are not prepared. They lack the data and systems to pull together the needed information AND the data itself may be problematic. According to the Journal of Accountancy:

If information needs to be filed with SEC or provided to investors, the information needs to be investor-grade. That demands a higher level of quality, and with that a lot of companies are starting to migrate this work into the finance function,” she said. “It needs to have established  processes and controls around it similar to those that are applied to financial reporting.

In other words, the data that firms need to submit to different regulatory bodies globally needs to be auditable, verifiable, complete and correct. What won’t pass muster is data that lacks proper controls, has a poor (or no) audit trail and is selective in what it details. 

Selectivity is a real problem for some firms. For many years, a number of companies have picked which metrics they’ve chosen to disclose to investors, bankers and others. For example, a company that details a number of its sustainability efforts (e.g., tree planting program) but doesn’t ever mention the very material cleanup cost exposure it faces due to its prior contamination of ground water is deceiving investors as to the real value of the company. These unreported costs are actually liabilities that should be on the financial statements and would adversely impact earnings.

There’s another kind of risk that needs to be reported but rarely is: business risk attributable to climate change. Nasdaq recently reported:

The investors have been pushing auditors to improve for several years amid concern they were misrepresenting the true health of companies by not factoring in potential hits from the impact of climate change and associated policy changes.

These climate change risks could include disclosures on matters like:

• The company has assets in areas that could be harmed via rising sea levels
• Certain processes (e.g., fermentation of grains) cause the off-gassing of CO₂ and the company cannot find an alternate mechanism to eliminate this byproduct
• The company’s manufacturing plants, distribution centers, etc. are not located in places that can utilize less motor fuel, more renewable energy, etc.

Other risks that may need to be reported, beyond climate change matters, include social and governance risks. For example, can your company do a solid job of reporting:

• Where it sources critical raw materials (e.g., rare earth minerals) and whether these are being acquired via ethical means within democratic regimes?
• Whether all of its suppliers, including all n-tier deep suppliers, subcontractors and independents, are receiving livable wages and are not forced laborers?
• The impact the company and its suppliers’ companies are having on the local communities with which they interact?
• Etc.

Time to put meat on the bone

Recently, I spoke with John Wheeler, Senior Advisor, Risk and Technology at AuditBoard, regarding AuditBoard’s new report Titled:   2023 ESG Maturity Benchmarking Report: Accelerating ESG Transformation . Here are some of the highlights from that study and of our conversation.

The study found:

ESG is not included as part of ERM (enterprise risk management) in a strategic way in many organizations.

That’s actually pretty scary as it means that many potential environmental, societal and other risks aren’t being tracked, let alone identified. It also means that mitigation and tracking mechanisms are unlikely to be in place, either. 

That old adage of what gets measured, gets managed may have more than a kernel of truth to it. If you don’t have a clue about what’s going on in your firm, you can’t be managing the risks around your business activities. 

The study also found:

The majority of respondents have little to no governance or oversight over their ESG programs today. 2/3 of our survey respondents have not implemented ESG controls.

From what I’ve seen, this seems entirely plausible, although it seems unfortunate, too. For instance, how can a process that is only acted on annually and uses a lot of  paper or spreadsheets be  a model of controls? ESG teams that use this approach may get their required annual ESG reports out but are the results auditable, real-time, and controlled? Not really. 

In fact, the ESG reporting team composition can change year-to-year, systems can change, data models can change, M&A can occur, and those are just some of the change factors that could affect the largely undocumented, non-automated and/or manual processes used to collect this annual data. How can a company ensure this ‘process’ is being consistent year-to-year?  It can’t.   

And, this is the cherry on top of the sundae:

46% of our respondents reported that there is no dedicated budget allocated for ESG. Among those with an ESG budget, only 9% have a budget allocated for ESG technology.

Well, if there’s no budget, then it’s doubtful you’ll find integrated systems, automated controls, documented (and followed) processes, etc.  This is NOT how you manage risk. It is how you create an environment of ‘surprises’ and potential shareholder (and other) lawsuits.

The AuditBoard report kept giving, too. They noted:

While 72% of our respondents track at least some ESG data metrics across their physical locations, offices, and manufacturing plants, only 17% centralize ESG data collected on a regular basis and make it accessible to internal stakeholders.  

Only 31% of respondents perform third-party assurance on their ESG data, representing room for growth in data verification as well. 

Wheeler shared with me that these issues are especially concerning to CFOs as “this is going to fall into their laps, soon.”  I suspect he’s right. 

Audit firms are also eyeing this space and they’ll be selling their services to CFOs. John reminded me of PwC’s plans to hire 100,000 professionals for their ESG-related work. In 2021,  Reuters noted: 

Accounting firm PwC said on Tuesday it would invest $12 billion over five years to create 100,000 new jobs aimed at helping its clients grapple with climate and diversity reporting and also in artificial intelligence, as part of its new global strategy.

The new hires will come from mergers and acquisitions PwC completes and direct hires from competitors, Global Chairman Bob Moritz said in an interview. Of the 100,000 people PwC will hire, about 25,000 to 30,000 will be in the United States, and 10,000 of those will be from Black and LatinX communities, Moritz said.

My take

Businesses that haven’t even started to take ESG and related regulatory requirements seriously are woefully behind. And, even those firms that have been able to produce reports, in a mostly manual or lightly automated fashion, may only be slightly better off. From what I’ve learned researching a book on the subject, most firms fall into one of these two states. That should be a wakeup call for the boards and executive teams of a number of firms. 

Beyond meeting regulatory deadlines, companies also need to identify and track a number of risks associated with their business activities. While some of these are environmental in nature, a number of them focus on social and governance matters, too. The risks to be tracked could trigger economic, legal, reputational and other penalties. 

The AuditBoard study results show just how ill-prepared many firms are. This should be a top discussion item for IT, Finance, Audit, Risk Management and Legal executives. 

In the end, what is happening is that too many firms are taking an incremental, not holistic or systematic, approach to these new, evolving ESG and risk requirements. These loosely compliant ‘systems’ may fill a short-term, stopgap regulatory requirement but they don’t do a great job of identifying and managing a firm’s total risk profile. And that lack of rigor and attention could get expensive.

Will your firm do better?