At the very heart of a sustainable and resilient economy is a dynamic business sector that is willing and able to assume risk. To finance and manage risk taking is therefore as old as the corporate form itself. As new types of risks emerge or become more salient, the company, its shareholders and society at large all have an interest that these risks are properly managed and disclosed so that scarce resources can be allocated in the most efficient manner. In recent years, this has brought increased attention to environmental, social and governance risks that may influence corporate and economy wide resilience. This chapter address the outlook with respect to evolving tools and corporate practices for managing ESG risks and the challenges that remain with respect to establishing a commonly accepted high quality framework for disclosure of comparable, consistent and verifiable data.
OECD Business and Finance Outlook 2020
3. Corporate governance and the management of ESG risks
Abstract
3.1. The corporation, risk management and resilience
The corporation is a key engine for sustainable economic prosperity and societal progress. Corporations do not only provide income opportunities, goods and services. Through a dynamic process of technological and organisational innovation, they also contribute to economy-wide transformations of patterns of production and consumption. In well-functioning markets, this process results in an ever more effective use of scarce financial, human and natural resources.
In order to serve this dynamic function, the corporate sector requires access to equity capital with its unique ability to assume the financial risks that are associated with forward-looking investments that have uncertain outcomes. This includes investments in critical economic activities such as research, development, innovation and skills development that will upgrade human resources, generate new products, develop more efficient processes and increase productivity. Hence, it is not only the absolute amount of capital that matters for dynamic sustainable economic growth. At least as important is the kind of capital that is made available. Work by the OECD, for example, shows that at a given level, relatively more credit financing can actually slow down growth, while an expansion of stock market equity funding in general boosts economic growth (Cournède and Denk, 2015).
Equity capital also has the unique characteristic, that once it is provided to the company, it generally remains committed for the company’s entire lifespan. And since the providers of equity are residual claimants without any fixed return, equity provides the financial resilience that helps the corporation overcome temporary downturns and still meet its obligations to fixed claimants, such as employees, creditors, bondholders and suppliers. In the wake of the 2008 financial crisis for example, publicly listed non-financial companies raised a historical record of USD 496 billion of new equity capital through the stock market during a time when access to bank credit became scarce or vanished (Isaksson and Çelik, 2013). More recently, while initial public equity offerings in other industries practically halted in March 2020 as a result of the Covid-19 pandemic, the healthcare industry still managed to raise new equity capital at a level comparable to its 2015-2019 average.1 Because of its long-term nature, the willingness to assume risk and the adaptability to new circumstances, the equity-financed corporation provides an important contribution to the process of creative destruction, which in itself is one of the most important prerequisites for economy-wide sustainability and resilience.
A working paper published by the European Central Bank (ECB) illustrates that also from an environmental perspective, not all forms of finance are equal with respect their potential. Analysing a large panel of countries - and with data from 1990 to 2013 - the ECB working paper concludes that for given levels of economic development, financial development and environmental regulation, CO2 emissions per capita are lower in economies that rely more on market based equity funding (De Haas and Popov, 2019). The working paper identifies two main reasons for the relationship between the use of equity capital and lower carbon emissions: first, stock markets reallocate investment towards less polluting sectors more effectively than other types of financial markets; second, equity markets also push remaining carbon intensive sectors to develop and implement greener technologies. The working paper concludes that carbon-intensive industries produce more green patents when national stock markets deepen. In general, broad and deep public equity markets that present investors with the ability to diversify the firm-specific risks associated with technological innovation lower the overall societal cost of capital for research and development that result in new patents, products and processes that have a smaller carbon footprint.
Considering the society wide importance of the corporation and the unique characteristics of equity capital, it is not surprising that systems for managing and communicating corporate risks are as old as the legal form of the corporation itself. The history of the corporation is one where checks and balances continuously have been adapted to new circumstances and successively become embedded in legal and regulatory norms, such as company law, corporate statutes, securities regulation, auditing and accounting standards. As secondary markets for equity developed high-quality standards for public disclosure of comparable, consistent and verifiable information has also developed in order to facilitate for market participants to “measure what they manage” and make rational decisions and choices with respect to different investment alternatives.
The purpose of these checks, balances and disclosure practices that are at the heart of the corporate governance framework is to ensure that equity providers and other investors at any given time have the necessary information to assess, and as necessary the means to address, the resilience and future sustainability of the corporation. A critical component of this is information about risk. Failure to furnish capital providers with a credible assessment of the risks that face the corporation not only increases uncertainty about expected performance and the long-term viability of the individual company; it also leads to an increase in the cost of capital and ultimately, a misallocation of society’s resources.
When new risks appear, or existing risks become more salient, it is inevitable that the company, regulators, shareholders, creditors and other stakeholders with an interest in the long-term value of the company, will insist that these risks are properly identified, measured, mitigated and disclosed. As described in Chapters 1 and 2, this inherent necessity to adapt risk management and disclosure to new circumstances has in recent years brought increased attention to information about environmental, social and governance (ESG) risks that may influence the corporation’s sustainability and resilience.
3.2. The nature and occurrence of corporate ESG risks
From the corporate perspective, the value proposition for managing individual ESG risks is not fundamentally different from managing any other risks that the company may face. However, and to the extent that they have not yet been considered, the company is likely to need new types of expertise, additional information channels, better analytical tools and novel internal policies and practices that are specifically tailored to assessing the company’s ESG risks.
Like other risks, the occurrence and significance of ESG risks will vary between individual companies and across industries. Such differences may arise with respect to products, processes, organisational structure, business relationships and geographical location. A company engaged in the extractive industries, for instance, is likely to face a different set of ESG risks than a health care provider. Hence, to generically discuss how companies should go about identifying, assessing and mitigating ESG risks can be a rather complex task. For practical purposes it is therefore useful for policy-makers, standard setters, markets and companies to unbundle them and understand their individual characteristics. Such an analysis can also serve as a starting point for identifying priorities for disclosure of comparable, consistent and verifiable information to the market.
Environmental risks may have different origins and can be both exogenous and endogenous with respect to the corporation itself. An increase in environmental hazards in the form of more frequent and forceful hurricanes in populated areas, for example, may be entirely exogenous to the operations of an insurance company but still have a substantial impact on its risk profile. Likewise rising sea levels may adversely affect the value of assets in low lying areas held by a resort company and changes in local climate may alter the risks for the agriculture business in that area. But there may also be important endogenous environmental risks that are generated by the very character of the company’s own products, processes or organisational structure. Examples include potential liabilities as well as reputational costs that may follow from neglectful oil spills and emissions of toxic substances. When identifying and addressing environmental risks, the company needs to pay attention to risks that stem from exogenous factors as well as endogenous risks that are generated by their own operations, by those of companies in their supply chains and by the use of the company’s products and services by consumers.
Social risks are not only associated with specific stakeholders, such as the company’s own employees. They can also stem from violation of human rights in global supply chains and from conditions in local communities affected by the company and its suppliers. Social risks can also be related to how social attitudes, norms and regulations with the respect to the company’s activities may differ between markets and evolve over time. They may also be influenced by changes in the corporation’s organisational structure and its contractual arrangements. Increased outsourcing, for example, is likely to require increased attention to local conditions throughout the supply chain and additional resources to simultaneously monitor multiple layers of sub-contractors and joint-venture partners. Social risks may also emerge from new communication technologies and the use of social media that can trigger and amplify changes in consumer sentiments possibly resulting in reputational risks.
Governance risks are associated with the robustness and resourcefulness of the company’s procedures for compliance with the framework of relevant laws and regulations within which the corporation operates. This includes a wide spectrum of legal domains such as environmental standards, labour law, tax law, corporate law, securities regulation, anti-bribery, money laundering and disclosure requirements that establishes the legal and regulatory boundaries for the corporation’s operations. It may also include any self-declared corporate commitments, for example with respect to business strategy or standards for responsible business conduct (RBC) even when these are not embedded in laws and regulations.
Key quality indicators for governance are the quality of reporting lines, the design of incentive structures and a functional allocation of responsibility and accountability throughout the organisation and among the different company organs, such as the shareholders meeting, the board of directors and management. It should be noted, however, that investor assessments of governance risks often goes beyond evaluating just the formal routines for compliance to also include an appraisal of the internal corporate culture as well as RBC standards.
One factor that can impact the risk assessment across the entire spectrum of environmental, social and governance risks is the occurrence, or the probability, of legislative and regulatory intervention. The introduction of new environmental laws for example may alter the valuation of corporate assets or influence the demand for certain products. Assessing the effects or likelihood of regulatory intervention is therefore a natural part of a company’s risk management. One way to mitigate risks related to regulatory intervention is to commit to voluntary company and industry ESG standards. While it is difficult to estimate the costs and benefits of such voluntary undertakings, it is plausible to assume that they would only be justified from the company’s perspective when the costs to the company (or industry) from introducing voluntary commitments will be lower than the costs of complying with the alternative mandatory standards. The reason why the compliance costs may be lower may not necessarily be that voluntary undertakings are less ambitious or efficient. Cost savings could for example occur if the voluntary undertakings are adaptable in a way that makes their implementation more effective than the alternative black letter law would allow. However, while the absence of mandatory environmental regulation or improved labour safety standards for example, may be beneficial for the company and its shareholders, it may not necessarily be optimal from a wider economic perspective when market failures, such as differences in bargaining power or the lack of an appropriate market price for clean air exist and would suggest regulatory solutions.
To be sure, ESG risk management, due diligence processes and their related disclosure practices do not evolve in a vacuum. Even when a company’s board and auditors in good faith and in compliance with their fiduciary duties consider a specific risk immaterial, certain investors and stakeholders may disagree and request that it is addressed or disclosed. There may be multiple reasons for such disagreements. A particular investor may have holdings in other companies impacted by the first company’s activities, which from the investor’s portfolio perspective amplifies a certain risk in the first company. The question then arises whether the costs associated with addressing the portfolio risk of one investor should be borne by the company rather than by the investor itself. This illustrates the fact that the investor community is a heterogeneous group that differs with respect to investment strategies, risk appetite and qualifications. And what one investor considers a risk may even be seen as an opportunity by another investor. Such pluralism with respect to judgement, attitudes and competencies is the cornerstone of a well-functioning market economy and a good corporate governance framework provides efficient rules-based mechanisms to arbitrate any differences in preferences between investors, including exit opportunities for dissenting shareholders.
As mentioned above, and to serve the wide variety of interests of market participants, extensive work has been undertaken over decades to establish disclosure requirements for relevant information in order to be comparable, consistent and verifiable. This is indeed an on-going process where the relevance, quality and cost of disclosure items are assessed. When not being of material importance to the company or its stakeholders, it not obvious whether it is the company or the specific investor that requires the information that should foot the bill for the costs associated with producing and processing the information.
Conflicting assessments of risks may not only occur between company officials and its shareholders or among different shareholders themselves. They may also exist among different stakeholders, for example when the risk and associated costs of unemployment at a certain plant are weighted against the risks of its continued negative impact on the environment.
There are also cases when certain investors may militate for ESG actions or practices, indifferent to the costs it will impose on the company. Such actions may have little to do with risks to the sustainability of the company’s operations or its long-term resilience but rather with specific preferences of the particular investors. In this case, it is less about the company’s risk level and more about the intrinsic nature of the company’s business or its operations. Individual shareholders are obviously entitled to have views on matters also with no material consequences for risk or return, keeping in mind that from the managers’ and the board’s perspective, accommodating such demands against the interest of the company could imply a breach of their fiduciary duties.
However, if the demand for attention to certain ESG risks that are deemed immaterial by the company is backed by capital providers that are indispensable to the company’s capital supply, neglecting them may in itself become a material risk, affecting the company’s cost of capital. Under such circumstances the remaining shareholders may still be well served if the board and management cater to the demands of indispensable capital providers, assuming that it complies with equal treatment of shareholders.
Since the sustainability and resilience of the company typically coincide with the interests of the shareholders, the existence of differences with respect to their risk assessments should not be exaggerated. Also, shareholders who make substantial investments in independent information gathering may themselves, with the help of modern information systems and qualified advisors, be able to complement the quality of risk analysis that is generated through the company’s own internal processes. When this is the case, it may indeed be beneficial to the company to establish a dialogue that will provide additional information and help the company to identify hitherto neglected or unknown risks. In such a dialogue it remains important however that any material corporate information is equally shared with the market.
3.3. The G20/OECD Principles of Corporate Governance, risk management and ESG considerations
The need for robust structures and procedures for risk management and high-quality disclosure is firmly articulated in the G20/OECD Principles of Corporate Governance (the G20/OECD Principles; OECD, 2015). Their scope and recommendations extend beyond traditional financial and operational risks and point to the need to also address company policies and performance with respect to environmental and social issues.
Importantly, the quality of risk management with respect to environmental and social factors cannot be seen in isolation from the totality of the recommendations for good corporate governance provided by the G20/OECD Principles. This includes the rights of shareholders, the functioning of capital markets, the role of stakeholders, the quality of disclosure and the role of the board of directors. Effective risk management requires that all aspects of the governance framework, individually and in concert, work well in a functional and purposeful fashion. This is indeed why investors and regulators have identified weak overall governance arrangements as a potential risk along with environmental and social factors. As a consequence, the G20/OECD Principles recommend that explanation of the company’s corporate governance practices should be mandated as part of corporate reporting.
While the G20/OECD Principles identify some key areas to address and the main elements of ESG related risks management, the responsibility for the detailed design and implementation remains with the individual company, which must take its own firm- and industry-specific circumstances into account. Analogous to the internal organisation of financial and operational risk management and disclosure, there is today a growing range of tools in the form of mandates, standards, frameworks and guidance that boards and managers can use as tools when they develop the company’s system for managing and disclosing ESG risks. Some examples of the more common tools are discussed in sections 3.4 and 3.5.
3.3.1. Board responsibilities over strategy and risk
The G20/OECD Principles recommend that the corporate board of directors is vested with the responsibility to oversee the company’s risk management and the related systems that are designed to ensure that the corporation operates in conformity with the extensive legal framework that set the boundaries for their operations, including tax, competition, labour, environmental, equal opportunity, health and safety laws, company law and securities regulations.2
Importantly, this duty encompasses the distribution of accountability and responsibility for managing risks; specification of the types and degree of risk that a company is willing to accept in pursuit of its goals; and how it will manage the risks that it creates through its operations and relationships. As mentioned above, this responsibility should be linked to the responsibility to monitor the company’s governance practices and a continuous review of the internal structures that the company has established. Such on-going assessment and adjustments may be particularly important as new ESG risks emerge or existing ones become more salient.
The G20/OECD Principles also point to the usefulness of establishing compliance programmes that will support risk management. Such compliance programmes may cover different areas of risk exposure depending on the nature of the company’s operations and include issues related to safety conditions, human rights and the environment. It is worth noting that in large complex organisations, the parent company may be exposed to ESG risks beyond its own legal person. The G20/OECD Principles therefore recommends that compliance programmes should extend also to subsidiaries and where possible to third parties, such as agents and other intermediaries, consultants, representatives, distributors, contractors and suppliers, consortia, and joint venture partners.
Because of the increased importance of risk management, the G20/OECD Principles also recommend that companies consider setting up a specialised risk committee that can support the full board in performing its function. However, in order to avoid board fragmentation and to ensure that all board members assume collective responsibility for all aspects of its work, the setting up of specialised committees should be based on an assessment of the company’s size and risk profile. Again, in order to ensure objective independent judgment, it is important that the full board retain the final responsibility for oversight of company risks and it may for that purpose consider special reporting procedures around risk management, including direct reporting by staff members to the board.
In fulfilling its responsibilities, it is important for the board to encourage also other means of reporting of unethical/unlawful behavior without fear of retribution. Unethical and illegal practices by corporate officers may not only violate the rights of stakeholders but also be to the detriment of the company and its shareholders in terms of reputational damage and an increasing risk of future financial liabilities that may jeopardize financial sustainability and resilience.
As a consequence, the G20/OECD Principles recommend that stakeholders, including individual employees and their representative bodies, should be able to freely communicate their concerns about illegal or unethical practices to the board and that their rights should not be compromised for doing this. The G20/OECD Principles therefore point to the possibility in many countries to bring cases of non-observance of the OECD Guidelines for Multinational Enterprises to a National Contact Point (OECD, 2018). Moreover, the G20/OECD Principles recognise that the application of high ethical standards by the board and management is in the long-term interest of the company as a means to making its long-term commitments credible. In this context, aggressive tax planning is referenced as an example of practices that can give rise to both legal and reputational risks.
3.3.2. Disclosure and transparency
While the management of relatively minor risks may be handled internally in the company under the supervision of the board, certain risks may for the sake of materiality or other reasons also be disclosed to the market. Investors are particularly interested in information that may shed light on the future performance of the companies to which they have committed their capital, which may indeed be affected by growing ESG risks.
Based on this premise, many jurisdictions apply the concept of materiality, which can be defined as information whose omission or misstatement could influence decisions taken by the users of the information. However, the G20/OECD Principles recognise that material information can also be defined as information that a reasonable investor would consider important in making an investment or voting decision. They also point to the usefulness or obligation to provide information on issues that may have a significant impact on employees and other stakeholders. Considering their potential adverse impact and costs to the company, these concepts may indeed call for the disclosure of ESG-related risks in the financial statements or the management’s discussion and the analysis of operations, which typically are also included in the annual report. The G20/OECD Principles also encourage disclosure relating to business ethics, the environment, social issues and human rights. It is increasingly considered good practice to also provide disclosure about the company’s system for identifying, assessing and mitigating such risks.
The G20/OECD Principles advocate that both financial and non-financial information should be based on high quality disclosure standards, since this improves the ability to monitor the relevance, reliability, consistency and comparability of corporate reporting - something that in society’s interest should be equally important for the disclosure of financial risks as for the disclosure of ESG-related risks. In the area of financial and operational results, it is at least in principle relatively straightforward to meet this requirement by relying on the two leading, time tested and internationally recognised accounting and reporting standards. As will be discussed in section 3.5, the picture is more scattered for the comparability, consistency and verifiability of ESG risks and ESG information more generally. And as concluded in Chapter 2, greater clarity from corporate reporting frameworks on their approach to what constitutes material information in the context of environment would be beneficial for investors to make informed decisions regardless of their ESG investment strategy.
3.4. Evolving practices and challenges in managing ESG risks
As fiduciaries of the company and its shareholders, the board and its senior management are responsible for ensuring that the company has in place a comprehensive and robust approach to risk. The main elements of this responsibility, outlined in the G20/OECD Principles, are today established law or regulation in virtually every jurisdiction. According to the OECD Corporate Governance Factbook 2019, at least 90% of the 49 OECD and non-OECD jurisdictions surveyed now require or recommend the establishment of an enterprise-wide internal control and risk management system that goes beyond ensuring high quality financial reporting (OECD, 2019: 123).
This implies that in order for board members to meet their fiduciary duties, they must ensure that the company’s internal policies, structures and procedures for risk management are up to the task of identifying, measuring and monitoring risks that could have a material impact on the company’s performance. The board should also ensure that the company’s approach and the system for managing ESG risks is fully aligned with the company’s business model and its value proposition. The board must also ensure that company’s approach to ESG risk is consistent with its overall approach to risk.
3.4.1. Challenges and the need for adaption
Whichever way a particular risk is classified – as a traditional financial, operational or reputational risk and/or under a separate rubric of “sustainability”, “resilience” or “ESG” risk – the duties of the board and senior management to ensure the adequacy of the company’s response are the same. While the management of ESG risks is no exception in this regard, appropriate management of ESG risks is likely to pose some special challenges that companies should address upfront:
Some ESG issues may be novel and outside the experience of existing board members, senior management and even the company’s risk professionals.
ESG issues are often complex and multidisciplinary in nature, with responsibility for various components resting with sets of personnel that have heretofore had limited interaction and coordinated oversight.
Even when the company relies on both internal and external sources of ESG information and analytics that they regard as accurate, timely and reliable, investors and stakeholders that use other sources may reach different conclusions.
Years of routine reporting to the authorities on certain ESG issues, for example, health and safety standards, may have nurtured a compliance/check-list mentality rather than a truly pro-active approach to identify potential ESG risks.
Those with responsibility for identifying, measuring and monitoring particular risks that come under the rubric of ESG may not consider investors and other stakeholders (or even the board and senior management) as important parts of the audience for information about how such risks are managed by the company (Lubrano, 2017).
Considering the great variety of potential risks and the great diversity between companies and industries, there is no one-size-fits-all solution to the challenges of establishing a robust company level ESG risk management system. While the general framework and duties around responsibility for risk management are common to the corporate community, the operations, business model, value proposition and risk appetite do differ. Accordingly, the board and management must work together to tailor the company’s implementation of the basic principles of risk management to its particular circumstances, including the specific set of ESG risks that are salient to the company’s operations and performance.
Considering the need to tailor risk management systems to company specific circumstances, it is not surprising that governments, regulators and stock exchanges have largely refrained from providing detailed mandatory requirements around how companies should organise and resource their internal risk management systems. As a matter of fact, a certain degree of heterodoxy among companies in their approaches to risk may in principle contribute to the resilience of an industry and the economy as a whole by reducing the likelihood that a single event or confluence of unpredicted events will have identical negative impacts on all actors. Particularly with respect to forward looking assessments of ESG risks that often require a more pro-active approach, overly rigid and detailed regulatory requirements around internal risk management practices could also result in counterproductive boilerplate and box ticking responses that replace the more pro-active approach that every company must exercise in order to identify and assess its particular and often complex ESG risks. Within certain boundaries and subject to existing regulations in areas such as labour law and environmental law, companies are therefore left with the responsibility to determine their own risk appetites, set risk tolerances, and establish a matching risk management system that is fit for purpose.3
3.4.2. Tools for designing the ESG risk management system
The absence of mandatory, detailed and off-the-shelf templates for ESG risk management implementation at company level doesn’t mean that boards and management are flying blind. A growing body of resources exists today to help boards and management to develop and adapt policies and practices to address the challenges that are related to establishing a high quality internal ESG risk management system.
An increasingly global reference tool for integrating ESG risks into corporate risk management systems is the OECD’s Due Diligence Guidance for Responsible Business Conduct (OECD, 2018). This set of recommendations developed in 2018 by the OECD in consultation with business, investors and stakeholders provides an overarching framework on supply chain due diligence to help companies implement the recommendations on responsible business conduct in the OECD Guidelines for Multinational Enterprises (OECD, 2011). This risk based framework enables companies along any part of the value chain to identify, avoid and address adverse impacts related to workers, human rights, the environment, bribery, consumers and corporate governance that may be associated with their operations, supply chains and other relationships. Guidance is also provided to companies on how they can provide remedy for their actions, when relevant. The OECD due diligence recommendations also provide coherence to the ESG approach by aligning its key tenents to the UN Guiding Principles on Business and Human Rights and the ILO conventions on labour. The OECD Due Diligence Guidance for Responsible Business Conduct is also used as a tool for non-financial disclosure, notably by companies that are reporting under the EU Non-Financial Reporting Directive and is described in more detail in section 3.5. It is increasingly used as a basis for laws, such as the EU Regulation on Conflict Minerals and the French Duty of Care Act and referenced in EU discussions on mandatory due diligence.
A frequently referenced source of guidance on the design and implementation of corporate risk assessment and internal controls is the Committee of Sponsoring Organizations of the Treadway Commission - COSO.4 COSO’s Enterprise Risk Management – Integrated Framework, first issued in 2004 and most recently revised in 2017, provides guidance for integrating risk management into strategic planning, operational reviews, internal reporting and compliance, with risk considered at the enterprise, division and business unit levels. In October 2018, COSO also released specific guidance on how to integrate internal processes for identifying, assessing and managing ESG risks in its overall enterprise risk management framework (COSO and World Business Council for Sustainable Development, 2018). In its essence, COSO’s ESG risk management guidance applies fundamental risk management principles to the ESG space. Consistent with its guidance on integrating internal processes for ESG risks referred to above, the following eight steps in COSO’s framework for implementing effective risk management is applied to ESG risks:
1. Internal environment (risk culture);
2. Objective setting (strategy; risk appetite and tolerance);
3. Event identification (analysis of risks of potential business activities);
4. Risk assessment (likelihood and severity);
5. Risk response (actions to prevent or mitigate impact);
6. Control activities (policies and procedures to ensure planned responses);
7. Information and communication (capturing and reporting on risk-related processes and activities); and
8. Monitoring (analysis of data and revision of policies, procedures and practices).
While their ESG guidance was designed with COSCO’s own Enterprise Risk Management – Integrated Framework in mind, the guidance can also be applied to other risk management frameworks a company may choose to follow, such as ISO 31000 and company-specific approaches. Consistent with its intended purpose, COSO’s ESG guidance relies on or references such existing ESG frameworks, guidance, practices and tools, rather than providing its own taxonomy of risks, standards and metrics in the manner that, for example, the Sustainability Accounting Standards Board (SASB) does with respect to disclosure.
Box 3.1. Integrating ESG into a company’s risk management systems
In a September 2017 “thought paper”, sustainability and accounting experts Herz, Monterio and Thompson emphasise the importance at this point in time of improving enterprise risk and performance monitoring systems to ensure the quality of the company’s metrics around ESG risk for both internal (board and management) and external (investors and stakeholders) decision-making. Among the examples they give for how companies can adapt their internal systems to include the management of ESG risks are Denmark’s Novo Nordisk and Italy’s Pirelli.
Novo Nordisk is a major healthcare and pharmaceutical company whose charter has since 2004 reflected the company’s commitment “to conduct its activities in a financially, environmentally and socially responsible way”. In 2008 it undertook a process applying the COSO Framework to bring ESG within the company’s existing control framework. Recognising that resources are limited and that not all risks deserve equal attention, Novo Nordisk decided on “a top-down, risk-based approach and materiality assessment to identify the most crucial areas” to be brought within the scope of its systems. Novo Nordisk’s management put together a team of both finance and ESG specialists to work together across units to design and implement “entity- and transaction-level controls, manual and automated controls, and preventative and detective controls” in all sustainability areas deemed material.
Pirelli is one of the world’s leading tyre producers, with manufacturing operations in 13 countries and sales in virtually all markets. To encourage fuller integration of ESG risks within the company’s overall risk management approach, Pirelli includes its enterprise risk management (ERM) and sustainability (ESG) units in the same department. The company has also developed a proprietary information technology system for collecting and consolidating environmental and social performance data across units and including suppliers. While both of these innovations of course contribute to streamlining the company’s integrated reporting, just as importantly, they greatly increase the likelihood that the board and management will have the high-quality information they need regarding Pirelli’s ESG risks and its systems to monitor risk management targets, including those around water usage, carbon emissions, energy consumption and workforce training.
Source: (Herz et al., 2017).
A number of national institutes of directors and their associations also recognise ESG risk management as an important issue for boards and have issued guidance for directors on how to approach particular ESG issues in board oversight of risk management. One example is the Global Network of Director Institutes (GNDI), which has issued guidance papers on integrated reporting, cybersecurity and governance of data.5 And in its response to the European Commission’s 2018 public consultation on institutional investors and asset managers' duties regarding sustainability, the European Confederation of Directors Associations (ecoDa) affirmed its members’ view “that ESG factors do play an important role (for investors), not only in societal terms but for the business firms directly. They may not only pose important potential risks if neglected, while also offering strategic opportunities when optimally exploited. So sufficient attention for ESG factors is a component to secure long term business success.”6
Responding to increased demand, a growing number of commercial advisory services have also become available to companies, including all the major auditing and consulting firms, as well as consultants that are specialised in particular industries and categories of risk. The growing amount of ESG data and analysis generated by specialised providers, such as Bloomberg, MSCI and Sustainalytics, are additional sources of information and metrics that can assist companies with respect to information gathering, benchmarking, peer group analysis both at company level and with respect to individual ESG risks.
3.4.3. The allocation of responsibility and accountability
While guidance, advisory services and standards can help companies craft their more detailed and firm-specific ESG risk management systems, its ultimate effectiveness will always rely on a functional division of responsibility and accountability among the different company organs, which is consistent with their incentives, statutory roles and fiduciary duties.
3.4.4. The board and board committees
According to the G20/OECD Principles, it is the board of directors that should set the company’s risk appetite, specifying the types and the degree of risk that a company is willing to accept. It should also articulate how the company will manage the risks that arise through its operations and relationships in order to provide the necessary guidance to the managers that must ensure that risks are managed in a way that meets the company’s desired risk profile.
In order to act in a manner consistent with their fiduciary duties in their role to formulate and oversee the company’s approach to ESG risks, board members must first and foremost inform themselves. ESG encompasses a very broad range of sometimes new or emerging risks that often are interdisciplinary, complex and technical in nature, such as climate change estimates and effects. To continuously and systematically follow what possible ESG risks the company is exposed to from its operations is therefore essential, just as the board on an on-going basis keeps itself informed about technological developments, market sentiments and competitors. Also, the constant evolution of stakeholder expectations, regulations, mandates, standards, frameworks and guides with respect to ESG topics can be hard to keep up with even for specialists. But much the same as every board member should have at least a basic understanding of financial accounting and operations in order to serve effectively as a director, a similar minimum level of familiarity with the nature of ESG risks and the associated societal expectations, standards, metrics and frameworks for ESG risk management is today essential.
In addition to the various external sources for integrating ESG risk into risk management systems mentioned above, boards may also make use of different established ESG reporting tools to orient directors about what ESG risks are generally considered material to the sectors and industries in which the company operates. A basic grounding in such reporting tools empowers directors to make more effective use of the information that management provides them and to ask the right questions as the company’s approach to ESG risk evolves. For example, it behoves every director to know which categories of ESG risk are indicated as relevant to the company’s operations on SASB’s materiality map.7 Likewise, familiarity with the recommendations of FSB’s Task Force on Climate-related Financial Disclosures (TCFD) allows directors to make better sense of, and contribute to, the company’s approach to dealing with climate-related issues even when the company may not explicitly use that particular reporting tool for its disclosure.
Staying informed on ESG risks requires above all regular board interaction with management and the subject matter experts inside and outside the company that support the company’s ESG risk management work. In order for this dialogue to truly contribute to the effectiveness of the company’s approach to ESG risk, it must go beyond the mere exchange of compliance-related information and respond to the current era dynamics with respect to ESG risk management, including the use of information technology tools. In appropriate cases, board members may also engage directly with investors and other stakeholders to understand their views and expectations. For communications between the board, management, experts and stakeholders to take place in an efficient and effective way, policies and procedures need to be in place to ensure that the board receives relevant, high quality information on ESG issues in a timely fashion. Accordingly, the board and management must work out policies and practices for keeping the board updated and adequately informed on emergent ESG issues and ensuring that the board has the information it needs to assess the continuing adequacy of the company’s ESG risk management practices and planning.
Importantly, directors must ensure that their own board structure, composition and procedures accommodate the consideration of ESG risk within the firm’s overall risk appetite and approach to risk management. In line with the recommendations in the G20/OECD Principles, some boards today rely on special risk committees to take the lead in this area. Companies may also rely on an audit committee for the same purpose or a combined audit and risk committee. However, an audit and/or risk committee composed entirely of board members with a traditional finance or operational background may not be well suited to adequately consider non-traditional risk factors, or to decide whether the board has access to the right internal and external resources. In most cases, direct involvement by the Chair and the governance committee is also essential to ensure that the board’s needs in this area are taken into account in the overall programme for board evaluation and succession planning.
Regardless of how the board structures itself to oversee ESG risk, it will need to fashion policies and procedures for its interaction with ESG assurance providers in a manner analogous to that between audit committees, internal auditors and external auditors. As discussed further below, ESG assurance is a nascent but developing field. Just as in the case of financial and other operational risks, those with responsibility for oversight of ESG risk need to understand the nature of ESG audit and assurance practices, their value and their limits. This requires development of a programme of interaction between the board, relevant company staff and assurance providers.
Engagement with stakeholders and others is for the most part management’s role. However, it is for the board to assure itself that the company’s management, including its investor relations functions and other channels of communication with outsiders, foster productive feedback and expectations management around the company’s ESG policies, procedures and practices. It is therefore seen as a useful practice that the board goes through the exercise with management of mapping the company’s different stakeholders to the ESG issues that affect them, the operations of the company that impact those issues, the company’s responses in each area, its engagement with affected stakeholders, its objectives and recent outcomes. Especially for companies with elevated environmental or social risks, it can be considered good practice for management to monitor the ESG information flows that investors and other stakeholders rely on by gathering the same information and tracking how the company is being portrayed.
In assuming its responsibility, the board should also ensure that the company’s approach to ESG risk remains at all times coherent and consistent with existing legislation, the company’s strategy and value proposition. Not all risks are of equal importance to the company. Each company needs to articulate internally and externally how its ESG risk policies, procedures and practices, are focused on those risks that are likely to have the greatest material impact on the company’s sustainability and resilience. This includes both upside and downside risks and can be reflected in the company’s integrated reporting as will be discussed in the next section of this chapter. It is inevitably a complex task to ensure that ESG risk oversight and management does not take place in a vacuum. Integrating and adapting a company’s approach to ESG risk into the value proposition, business model and overall risk appetite demands careful coordination between all the committees and individuals at the board and senior management level responsible for strategy, business development, compliance, risk management, investor relations and public communications.
Box 3.2. Board committees and ESG risk
Boards can choose from at least four options in organising how to structure oversight of ESG risk: full board, audit committee, risk committee; or specialised ESG/sustainability committee. Deciding which approach is best requires consideration of a variety of industry and company-specific factors, as well as legal/regulatory considerations in the jurisdiction in which the company is organised or listed. The listing rules for the New York Stock Exchange, for example, require audit committee review of risk policies.
Leaving the full board to exercise oversight of risk without the support of a board committee is increasingly disfavoured. The OECD Corporate Governance Factbook reported a marked increase from 62% to 87% in the number of jurisdictions requiring (50%) or recommending (37%) assigning responsibility for risk to a board committee between 2015 and 2019. (OECD, 2019: 123) A pattern of the audit committee taking on responsibility for supporting risk oversight has emerged in a number of jurisdictions since the beginning of the century. Reasons why the audit committee might be selected to help the board oversee risk include the independent composition of most audit committees, a desire to ensure that oversight of financial and non-financial risk are well-coordinated and the historical pattern of risk management functions reporting to the Chief Financial Officer, who in turn reports to the audit committee.
A board typically establishes a stand-alone risk committee when operational risks (as opposed to the financial risks that are the focus of the audit committee) are particularly salient and/or the company’s systems are rapidly evolving in response to such risks. A separate risk committee of the board allows directors more versed in operations than finance and accounting to take primary responsibility for supporting the board’s work in overseeing the company’s non-financial risk management system. In some jurisdictions and industries (notably banking and finance) the financial statement and accounting compliance burdens imposed on audit committees may leave its members with little capacity to play an effective role in oversight of non-financial risk. The technical nature of a company’s business may also militate for establishment of a stand-alone risk committee whose members have the requisite professional expertise and experience to understand and evaluate risks inherent in its operations. Mining, energy and financial companies often establish stand-alone risk committees. In 2019, approximately one-third of jurisdictions require or recommend stand-alone risk committees, double the number in 2015. (OECD, 2019: 124).
A small but growing minority of companies have established dedicated ESG/sustainability committees of the board. Stand-alone committees to support the board’s oversight of ESG risk and disclosures may be desirable where such risks are especially salient and/or where establishment and monitoring of key performance indicators (KPIs) around ESG require a high degree of technical expertise.
Last but not least, it follows from its responsibility that the board needs to pay attention to how the company’s limited resources are allocated to address actual and potential risks to the company in the most cost effective way. Selectivity is a fundamental element of effective risk management. The company’s resources, including the “bandwidth” of board members and senior managers, are not unlimited. While boards should be accorded at least legal deference to make their own business judgments about the allocation of resources, the basis for such judgment must always be rooted in their fiduciary duty to act in the best interests of the company.
Management
On a day-to-day basis, it is management that has to make the ESG risk management system work within the context of the company’s overall risk management system. As noted above, important guidance for incorporating ESG risks into a company’s overall policies, practices and management structures already exists and can be expected to continue evolving. One particular management challenge when integrating ESG risk management within the existing organisational structure is that ESG risks are often interdisciplinary and cross-departmental in nature.
Often, the “traditional” risk management functions in a company report to the Chief Financial Officer (CFO), who in turn reports to the senior management and the audit committee of the board. Internal risk reporting and control functions more often than not are carried out on an operating unit basis, with those responsible for understanding and implementing the risk processes working with easily identifiable and frequently consulted operational counterparts. For ESG risk management to be effective, it often involves monitoring activities that cut across operational units and therefore require people to work together that have heretofore rarely done so. It may therefore be natural for operational staff to resist new ESG risk management practices and procedures if they do not fully understand how they relate to their immediate responsibilities.
As a consequence, senior management bears particular responsibility for ensuring consistency of the company’s messaging around ESG risk. And more importantly, consistency between its messaging and its actual practices. Clear articulation of a company’s ESG efforts allows management, staff and other internal audiences to understand why a particular set of policies, procedures and practices have been implemented and what they are intended to accomplish. Clarity also promotes the establishment of effective metrics, targets, performance indicators and incentives. Well-crafted internal communications around the approach to ESG risk also facilitate the setting of proper priorities within the overall risk management framework throughout the organisation and the development of assurance and audit.
In addition to the need to adapt the organisational structure to better capture ESG risks, effective ESG risk management within a firm may also require different reporting lines than those that have been established for financial and more traditional operational risk management functions. As noted above, the CFO, as the chief responsible executive for financial reporting, often plays the central C-suite role in risk management. To mimic this, some companies have created a Chief Risk Officer (CRO) position to coordinate the approach to identifying, measuring and monitoring operational risks. ESG risks however are typically likely to go beyond the scope of the CRO’s operational expertise, requiring the CRO to be supported by specialists. It may therefore be necessary for the management team to establish channels of communication and lines of reporting and accountability at the top that ensure that ESG risks are properly considered and managed in a manner consistent with the company’s overall approach to risk management.
Shareholders
As noted in section 3.3 above, the G20/OECD Principles recognise that shareholders (and other capital providers) have a high level of interest in the accuracy and completeness of the company’s disclosures around material risks, as well as the effectiveness of the company’s systems for identifying, measuring and monitoring risks. This information is to be given to shareholders so that they can act on it – not simply as an input into buying and selling decisions, but also in the exercise of their shareholder rights, including the rights to vote, question management and, when part of the legal framework, introduce proposals for resolutions at the shareholders meeting.
Shareholders have a role to play in encouraging better disclosure of ESG risks that are material to their interests and how the company manages such risks. While often considered a mere formality, in many jurisdictions the annual report of the company (not just its financial statements) is subject to the approval by shareholders at the annual general meeting (AGM). Shareholders who feel a company’s approach to risk management and/or its disclosure is inadequate can express their dissatisfaction by questioning management at the AGM and by objecting to annual reports they believe inadequately present material ESG risks. Short of such actions, shareholders, including institutional investors in the exercise of their fiduciary duties to beneficiaries, can proactively engage with portfolio companies to encourage them to adopt reporting frameworks and standards that allow for greater comparability across companies. Shareholders also have the opportunity to let companies know their views on the quality of assurance provided on ESG disclosures.
In several markets, it has become commonplace that ESG related resolutions are submitted without any direct relation to material information or risk factors but openly motivated by particular social, environmental or political agendas. When the board and other shareholders in the interest of the company are not able to meet such requests, it may still be in their interest to understand their rationale and possible impact on the company’s operations, reputation and long-term performance.
3.5. Challenges and evolving practices with respect to recognition and disclosure of ESG risks
In order to serve the economy and individual users, it is essential that corporate reporting be high quality, consistent, comparable and verifiable. With respect to the recognition and reporting of financial and operational results, this is typically accomplished through the application of two internationally recognised, time-tested and largely mutually recognised sets of accounting standards. These are the International Financial Reporting Standards (IFRS), which are developed by the International Accounting Standards Board (IASB), and US Generally Accepted Accounting Principles (US GAAP), which are developed by the Financial Accounting Standards Board (FASB), designated by the US Securities and Exchange Commission (US SEC) as the standard setter for publicly listed companies. Both bodies have developed their standards over a long period of time with the involvement of innumerable experts and practitioners.
As of today, neither the IASB nor FASB have embarked on setting their own specific reporting standards with respect to ESG factors. The Chair of IASB stated in 2019 that the IASB does not intend to move into standard setting for climate change related financial reporting (Accounting Today, 2019). The Chair also stated that the IASB is not equipped to enter the field of sustainability reporting, adding that setting standards in this area “requires expertise that we simply do not have”. This, however, does not mean that the IFRS Foundation and its stakeholders could not play a pro-active and constructive role in lending their expertise to advancing reporting with respect to ESG factors. In a recent remark, the IFRS Foundation Trustee Teresa Ko outlined possible future roles that the IFRS Foundation could play in supporting progress towards the development of high-quality and internationally recognised standards for sustainability reporting.8 FASB, the scope of whose SEC-delegated authority is basically limited to audited financial statements, has so far declined ambitions in ESG standard setting.
In principle, the recognition and disclosure of material ESG risks would be covered already under existing recognised reporting rules. But as already noted, in order to be effective, the identification and assessment of ESG risks may require different tools and standards than those developed for reporting of more traditional financial and operational risks. It may also be in the interest of the company to issue, and for markets and stakeholders to receive information that may not necessarily be recognised as material.
3.5.1. The evolving universe of ESG reporting
In the absence of the two dominant bodies vested with developing financial reporting standards from the arena of ESG reporting, and considering the challenges involved, it is not surprising that efforts with respect to internationally recognised, consistent, comparable and verifiable ESG disclosure are still at an early stage. No single universally agreed standard that companies can use for recognising and reporting ESG related information has yet emerged. This poses challenges both from the company and the investor perspectives. Just as differences in scope and methodology with respect to ESG ratings, investment strategies and products present a disjointed and inconsistent view of ESG (See Chapters 1 and 2), inconsistencies and lack of comparability between frameworks for ESG reporting may also mislead investors in their investment decisions. Catering to a growing demand, a number of different supporting tools intended for ESG related disclosure have been developed and while these supporting tools may indeed be useful in specific contexts, their multitude and diversity may in itself cause a certain degree of confusion among both issuers and users. Reconciling different approaches and identifying central indicators for comparable, consistent ESG disclosure has therefore emerged as one of the key challenges together with the additional complexities associated with assurance and audit to verify the content.
While there is no established taxonomy to describe the many different kinds of supporting tools for ESG reporting that exist, it may still be useful to point at some broad similarities and distinctions between them according to their character and intended use. In the brief overview that follows, the examples of different supporting tools and the experiences with their use are therefore structured by broadly classifying them as reporting mandates, reporting standards, reporting frameworks and disclosure practice guides.
Reporting mandates
Reporting mandates refer to legal and regulatory provisions imposed by governments that require disclosure of general or specific ESG information. The most prominent example is probably the European Union’s principles-based Non-Financial Reporting Directive (NFRD), which came into effect in 2018 and is currently under review, including the related national legislation issued to implement it.9 As a complement to the review, the European Commission in 2020 also launched an initiative on sustainable corporate governance with the aim to ensure that sustainability is further embedded into the corporate governance framework with a view to align better the long term interests of management, shareholders, stakeholders and society (EC, 2020).
The NFRD is designed with a broad set of stakeholder interests in mind, and so applies a correspondingly broad understanding of ESG risk materiality. The directive instructs member states to require each listed company and significant enterprise (“public-interest entities”) to publicly disclose its policies, the outcomes of such policies (including key performance indicators), and the risks associated with the company’s operations in the areas of: environmental matters; social and employee aspects; respect for human rights; anti-corruption and bribery issues; and diversity on boards of directors. Approximately 6 000 European companies are subject to the NFRD.
The NFRD does not prescribe integrated reporting. Approximately 60% of the 1 000 companies whose NFRD disclosures were analysed by the Alliance for Corporate Transparency (ACT) in 2019 integrated key ESG information in their annual reports, with the remainder publishing separate ESG or sustainability reports (COSO and World Business Council for Sustainable Development, 2018). Nor does NFRD require companies to follow a particular reporting framework, which obviously gives rise to challenges with respect to comparability. What companies need to do is to specify which domestic or international framework(s) they follow. The Global Reporting Initiative, United Nations Global Compact, Sustainable Development Goals, OECD Due Diligence Guidance for Responsible Business Conduct and its industry specific due diligence guidances, the Carbon Disclosure Project and ILO standards, were the most frequently used according to the disclosures that were reviewed by the ACT.
The ACT’s 2019 analysis of NFRD implementation paints a mixed picture of its completeness thus far. While over 80% of the companies surveyed disclosed their policies in the five categories, only 35% included targets and only 28% reported on outcomes. While about half of the companies surveyed by ACT provided disclosure on at least one strategic sustainability-related risk, only 7% described how these risks are reflected in their core business strategies. Not surprisingly, companies whose disclosures were reviewed by the ACT reported best on “traditional” risks that today have come to be classified under the ESG rubric. For example, 99% of companies provided disclosure with respect to employees.
It should be noted that the ACT analysed corporate reporting in the areas covered by the NFRD, not the workings of the internal ESG risk management systems of the corporations. It is therefore difficult to extrapolate from corporate disclosures the intrinsic quality of companies’ ESG risk management systems. Their ESG risk management practices and results may in fact be substantially better in reality than they appear from the public reporting. The results of the ACT survey at least point to the possibility that European companies are better at identifying potential ESG risks than at internalising consideration of them into strategic direction, setting key performance indicators and measuring outcomes. Interestingly, the ACT found a positive correlation between companies that reported ESG targets and those that secured some sort of assurance of the information included in their ESG disclosures. This would be consistent with boards and management seeking to have greater confidence around information that they judge may have a direct impact on corporate strategy and performance.
Reporting mandates may also be more rules-based, and narrower in their scope and intended beneficiaries. For example, some securities law regimes require listed companies engaged in mining to report accidents, violations of health and safety laws, fines and settlements for deaths and injuries.10 Others may require disclosure of employment law claims against the company.
Reporting standards
Reporting standards lay out what metrics should be disclosed for specific ESG topics that are deemed material and can be adapted to particular sectors and industries. For example, SASB requires that oil & gas companies estimate and disclose the amount of CO2 emissions that would be released by commercialising their proven reserves. Standards, like SASB and the Global Reporting Initiative (GRI), which likewise organises the application of standards by industry, aim to allow for quantitative and like-for-like comparisons between companies, and potentially third-party assurance through an audit (Global Sustainability Standards, 2018). To be credible, standard setters consult widely and seek consensus around the topics deemed material and the key performance metrics to be reported.
The GRI was established in 1997 to develop standards for all organisations (including listed and unlisted firms, not-for-profits and other entities) to report environmental, social and governance information for the benefit of a broad range of stakeholders. It has taken a modular approach, incrementally releasing standards over time as particular ESG issues gained salience. Companies employing GRI standards in their reporting are encouraged to upload them to the GRI website, which now catalogues disclosures from over 14 000 organisations.
The GRI standards are set by the independently operated Global Sustainability Standards Board (GSSB) consisting of 15 members “representing a range of expertise and multi-stakeholder perspectives on sustainability reporting” (GSSB, 2020). GRI standard setting involves regular stakeholder consultation, public notice and comment procedures. The GSSB’s meetings are open to the public and made available online. GRI recently modified its universal reporting standards to integrate and align with recommendations of the OECD Due Diligence Guidance for Responsible Business Conduct.11
The SASB started as an initiative largely focused on US companies but has over the past two years seen significant uptake also from non-US companies and investors. According to data provided by SASB, as of 31 July 2020, 169 US companies and 110 non-US firms report their ESG disclosure in accordance with SASB standards. 163 of these firms are included in the S&P Global 1200 index.12 Of the 41 global institutional investors surveyed for Morrow Sodali’s 2020 Institutional Investor Survey, 81% recommend SASB as the best standards for companies to communicate their ESG information (Morrow Sodali, 2020). Currently, more than 130 institutional investors from 18 countries incorporate SASB’s standards in their investment processes as licensees and/or have joined SASB as Alliance Members or as members of its Investor Advisory Group.
SASB’s governance structure and standard-setting process are similar to those of the internationally recognised bodies that set disclosure standards for the benefit of investors, such as the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) (SASB, 2017). SASB’s standards are developed and revised under the guidance of its Standards Board and a Standards Advisory Group for each of the 11 SASB sectors. Members of the Advisory Groups include industry representatives, investors, technical experts, legal and accounting professionals, academics and others who engage with the Standards Board with the goal of settling on standards and metrics that are practical and fit-for-purpose. Standard-setting takes place in accordance with a fully transparent six stage process, progressing from project screening through research, standard-setting agenda, comment period, update and post-implementation review phases. The standard-setting agenda and comment period phases of the process in particular are designed to ensure that new standards and revisions “are developed based on extensive feedback from companies, investors, and other market participants as part of a transparent, publicly-documented process” (SASB, 2020). SASB has also established an Investor Advisory Group of leading asset owners and asset managers “to encourage companies to participate in SASB’s on-going standards development process, so that outcomes reflect both issuer and investor viewpoints”. GSSB similarly commits itself to “due process” and multi-shareholder engagement and input in setting GRI standards, the main differences arising from the GRI standards’ broader set of intended beneficiaries (Global Sustainability Standards, 2018).
While usually cited as the most comprehensive ESG disclosure standards, SASB and GRI differ importantly with respect to their audiences, and thus their definitions of materiality. SASB is first and foremost a set of accounting standards for investors to consider in allocating capital while GRI’s definition of materiality takes into account the broader interests of non-financial stakeholders and societal impacts.
Reporting frameworks
Reporting frameworks such as the International Integrated Reporting Council’s (IIRC) framework and the framework issued by the Task Force on Climate-Related Financial Disclosures (TCFD) for climate-related disclosures are examples of principles-based frameworks that provide guidance on how reporting companies should organise and present ESG related information (IIRC, 2013; FSB, 2020). For example, TCFD recommends that every company include in its non-financial reporting an explanation of how its strategic planning process takes into account greenhouse gas emissions. 77% of the respondents to Morrow Sodali’s 2020 Institutional Investor Survey recommended TCFD as the preferred framework for climate-related disclosures (Morrow Sodali, 2002). The latest artificial intelligence review of the reporting of 1 126 companies from 142 countries and eight industries conducted by TCFD found that the percentage of companies disclosing information aligned with each of its recommendations increased between 2016 and 2018. The average number of the 11 recommended disclosures addressed by companies grew from 2.8 recommendations in 2016, to 3.1 in 2017, and to 3.6 in 2018. Seventy-eight percent of the companies in the review disclosed information aligned with at least one of the Task Force’s recommendations in 2018, up from 70% in 2016. However, climate-related disclosure remains patchy and “only around 25% of companies disclosed information aligned with more than five of the 11 recommended disclosures and only 4% of companies disclosed information aligned with at least 10 of the recommended disclosures” (FSB, 2019).
Some companies choose to organise the presentation of all or part of their ESG reporting along the lines of more aspirational objectives, such as the Sustainable Development Goals, or recommendations for operational best practices, like the OECD Due Diligence Guidance for Responsible Business Conduct and its complementary sector-specific guidance (OECD, 2018). The OECD Due Diligence Guidance supports the implementation of the OECD Guidelines for Multinational Enterprises and “help[s] enterprises avoid and address adverse impacts related to workers, human rights, the environment, bribery, consumers and corporate governance that may be associated with their operations, supply chains and other business relationships”. Together with its complementary sector-specific due diligence guidance for the minerals, agriculture and garment and footwear supply chains, and good practice reports for the extractives and financial sectors, the OECD Due Diligence Guidance provides companies with guidance for identifying and assessing potential adverse impacts of its operations, supply chains and business relationships and examples of practical actions for managing the risks that these present for both the company and others. Seventeen percent of respondents to a recent survey carried out by the Alliance for Corporate Transparency (ACT) of compliance with the EU Non-Financial Reporting Directive cited the OECD Due Diligence Guidance and its complementary sector specific guidance among the frameworks employed for reporting the ESG-related information required by the directive and national implementing legislation (Alliance for Corporate Transparency, 2019: 34).
Practice guides
Disclosure practice guides typically lay out certain disclosure principles in the expectation of voluntary compliance, often recommending the application of more detailed tools that usefully can be applied. Stock exchange initiatives intended to encourage public company disclosure of ESG information generally fall into the category of practice guidelines.
NASDAQ’s ESG Reporting Guide is one such effort to help companies listed on its exchanges to identify suitable reporting methodologies appropriate for their activities as well as to “help both private and public companies navigate the evolving standards on ESG data disclosure” (NASDAQ, 2019). In parallel, NASDAQ has established an ESG Reporting Platform to facilitate the distribution of listed companies’ ESG information to users, including data services, ESG rating services and index providers. NASDAQ also maintains a team of ESG experts available to work with client companies to “analyse, assess and action ESG programs with the goals of attracting long-term capital and enhancing value creation” (NASDAQ, 2019).
In early 2020, the Japan Exchange Group and the Tokyo Stock Exchange released their “Practical Handbook for ESG Disclosure” (Japan Exchange Group, 2020). The Handbook is intended to help Japanese listed companies respond in a meaningful way to demands for quality ESG information from investors. It advocates a step-by-step approach, encouraging boards and management to begin by gaining an understanding of market expectations around ESG disclosure and identifying the ESG issues relevant to the company’s operations. Companies should then articulate how these issues figure into the formulation of the company’s strategy. Once the links between ESG issues and strategic direction are clear, the company can “[p]ut in place an internal structure for oversight and implementation of ESG issues and set metrics/targets, to enable steady progress on ESG activities.” Finally, in dialogue with investors and other stakeholders, the company should be in a position to determine what existing disclosure frameworks and standards best communicate the company’s approach to ESG risk and how it fits into the company’s business model, value proposition and overall risk management system.
3.5.2. Selecting and communicating the tools for recognition and disclosure of ESG risks
At this point in the development of ESG reporting, a threshold question for the board and management of each reporting company is which set of ESG reporting tools would serve as the best foundation for presenting its exposure to ESG risks and the company’s approach to identifying, measuring and monitoring them. Reporting that uses high quality, comparable, consistent and verifiable tools that are well suited for the company’s activities would help to build consensus among investors and stakeholders on what are reasonable expectations for ESG risk disclosures.
However, and considering that some of the available supporting tools are still at an early stage of development, companies, investors and other stakeholders sometimes express near exasperation with the proliferation of tools for ESG reporting. The World Business Council for Sustainable Development’s Reporting Exchange catalogues more than 2 000 mandatory and voluntary ESG reporting requirements and resources from more than 70 jurisdictions (World Business Council for Sustainable Development Reporting Exchange, 2020). As a consequence, directors and managers, may be unclear about their purposes and audiences and whether and how investors and other stakeholders expect them to be applied in combination. As many companies are themselves at a fairly early stage of integrating financial and non-financial reporting, many boards and managers are themselves also new to the challenge of deciding what ESG information on the company’s operations their companies should report and how to present it.
As a basic rule and overall guidance when identifying reporting tools and formats, the reporting of ESG risk and performance should: 1) convey all materials information accurately and in a timely manner; 2) be as responsive as possible to expectations of investors, the market and relevant stakeholders impacted by the company’s actions; 3) be pro-active; 4) facilitate to the extent possible the users’ ability to meaningfully evaluate the information conveyed; and 5) be consistent with the company’s messaging to other stakeholders and special interests.
3.5.3. The selection process
The first step for the board and management in the selection of the supporting ESG reporting tools is to consistently tie the discussion of each element of ESG risk to its potential impact on the company’s business model, strategy and value proposition. The board must ensure the accuracy and completeness of communications with shareholders and investors around those ESG risks that are relevant to them - that is, primarily those that are material to the company’s financial condition and long-term performance.
However, there is also likely to be considerable diversity within the universe of a company’s investors, other market participants and the company’s stakeholders when it comes to their expectations about information on the company’s approach to ESG risk and its assessment of such risks. The challenge for the board and managers is to decide which issues are relevant to which stakeholder, and which among all the available standards, frameworks and guidance policies can justifiably be applied. This may not be straightforward, because the interests even among different types of capital providers may not be identical with respect to their risk appetite and exposure. As a consequence, companies can be tempted to be ambiguous, exaggerate or even, misallocate resources in the hopes of satisfying all stakeholders. This may not only create uncertainty for the prime users of the information, it can also be financially costly and distract attention from focusing resources on the most pertinent risks. Inevitable failures in these respects will compromise credibility with all constituencies.
A company’s non-financial public disclosures may, obviously, extend beyond items of material relevance to the company. Indeed, as noted above, the OECD Due Diligence Guidance and its complementary sector-specific guidance, the TCFD framework and the GRI standards are crafted to elicit disclosure of information that can be of material relevance to a broad set of stakeholders and potentially non-stakeholder interests. Transparency around environmental and social impacts of the company’s operations (both positive and negative) that do not present material risks to the company’s long-term financial performance may indeed be justifiable on a cost-benefit basis, taking into account the potential for adverse publicity and reputational damage to the company.
3.5.4. Consistency of messaging to stakeholders
Beyond the selection of supporting tools for reporting and the choice of metrics, it is also important that the company communicate the rationale for how this selection is consistent with the company’s approach to ESG risks. Such disclosure is an essential part of transparency and a sound relationship with markets, investors and other stakeholders.
The communication can form part of the company’s integrated reporting. According to the International Integrated Reporting Council (IIRC), integrated reporting means providing “a concise communication about how an organisation’s strategy, governance, performance and prospects, in the context of its external environment, lead to the creation of value in the short, medium and long term” (IIRC, 2013). In the context of ESG disclosure, integrated reporting ideally gives the users the opportunity to understand how the board and management have tied together the company’s approach to ESG risk with its value proposition, business model and strategy.
A public company’s initial forays into ESG disclosure rarely begin with the full integration in its annual report of ESG information provided along the lines of generally accepted reporting frameworks and standards. As discussed in Section 3.4, putting in place systems for the identification, measurement and monitoring of what are sometimes novel risks is a complex and painstaking process. Connecting these systems to a process for generating quality reporting on the same timeline as the company’s annual financial statements is equally challenging. The CFO may therefore argue that the company’s internal ESG reporting need to be a “well-oiled machine” before they feel comfortable to take the leap to fully integrated ESG reporting (SASB, 2020). When this is the case, it is probably more common for a company to begin by preparing a stand-alone ESG report on a separate timetable. Sometimes even on a biannual rather than annual basis.
Legal, regulatory and assurance considerations may also come into play in deciding whether to fully integrate ESG disclosure with financial performance reporting. The highest degree of legal responsibility is ordinarily attached to information provided in annual reports. Boards and management may therefore seek to gain more experience and confidence in the quality of ESG risk management and reporting before potentially exposing themselves to any legal liability. For this reason, they may also be well served if they can rely on a core set of high quality, comparable, consistent and verifiable ESG disclosure items.
3.5.5. Assurance and audit
Assurance and audit of ESG-related information collected and reported by the company has evident benefits for the board, management and investors. Independent assurance provides investors and other stakeholders with a greater degree of confidence in the accuracy and completeness of the ESG-risk information provided by a company in its disclosures. As is the case of financial statements, quality auditing ensures greater clarity, consistency and comparability of reporting over time and between companies. The process of obtaining independent assurance on emerging issues, including ESG risks, can also assist boards and management teams to more thoroughly understand the risks that they present and the options that are available for measuring and monitoring such risks. The very process itself of determining the scope of the audit, planning its execution and negotiating the level of assurance provides an important framework for keeping the board, its responsible committee(s), management and staff focused and committed.
By all accounts, the existing framework for consistent, comparable and verifiable ESG information provided by companies to investors, markets and stakeholders, and the current capacity of potential providers of assurance in these areas, are incipient. And as concluded in this and other chapters of this Outlook, the current state of affairs may not only lead to confusion but also misguide investors that explicitly aim to allocate their investments in accordance with a company’s ESG profile and performance. By its nature, the audit process requires a clear set of consistently applicable principles and rules against which to evaluate the veracity and comparability of company statements. And until such a unified standard exists, auditors can probably be expected to push back against providing assurance of ESG information that is presented in a sui generis fashion. Efforts like SASB and GRI have contributed importantly to the process of reaching market consensus on what issues can be considered material and how they should be discussed in relation to the company’s strategy and value proposition. But there is still some way to go before companies, investors, auditors and regulators can conclude on how relevant information should best be verified and presented. That said, growing demand for assurance may ultimately prove to be the driver of rationalisation and convergence of ESG disclosure practices.
Box 3.3. Assurance and audit in practice: Vornado Realty Trust
Vornado Realty Trust’s 2019 Environmental, Social and Governance Report may provide some clues to the direction in which ESG assurance is heading, and perhaps some general insights into the current trajectory of ESG reporting by public companies. Vornado is a real estate investment trust (REIT) organised under the laws of the US state of Maryland. Its principal offices are located in New York City and the company’s shares trade on the New York Stock Exchange under the ticker VNO. The company invests in retail and office buildings, with the bulk of its assets located on in New York’s borough of Manhattan. The company professes a strong commitment to sustainability. It is a TCFD signatory, a SASB sector advisory group member, a corporate member of the US Green Building Council and an Energy Star Partner of the Year award winner.
Vornado does not fully integrate its financial and non-financial reporting, choosing instead to publish a yearly ESG Report separately from its annual report and financial statements to shareholders. It has adopted the TCFD framework for presenting its climate-related disclosures and reports sustainability metrics against both GRI – Core Option and SASB standards for real estate. The same firm that audits Vornado’s financial statements (Deloitte) is contracted by the company’s management to provide assurance on the accuracy and completeness of the GRI- and SASB-compliant reporting in the company’s ESG Report. Using the same firm for auditing both financial and non-financial reporting makes sense from a practical point of view – the firm’s financial auditors should have a firm grasp of the company’s operations and value proposition and be in a better position to understand the potential impact of ESG factors on the company’s financial and operational performance than stand-along auditors of its ESG risk management systems.
Interestingly, Vornado’s auditors produced two reports to the company’s trustees in connection with, and included in the ESG Report. The first is a “Review Report” of the company’s disclosures against GRI standards and provides only limited level of assurance (“we are not aware of any modifications that should be made to [Vornado management’s assertion that the disclosures conform to GRI standards]”). However, Deloitte delivered an “Independent Accountants’ Report” reflecting a full examination of the company’s SASB disclosures and including a statement of its opinion that such information “presented in accordance with SASB Real Estate Sustainability Accounting Standard is fairly stated, in all material respects”. The higher level of assurance provided by Deloitte with respect to the SASB disclosure (comparable to the level of “reasonable assurance” provided with respect to the financial statements) is traceable in large part to SASB’s narrower definition of materiality. Audit firms can have considerably greater confidence in their ability to gauge what information is likely to be material to the traditional audience of investors (“material to financial performance”) and, accordingly, to estimate what risk they take on in providing assurance with respect to such information. But they and their clients are surely on shakier ground when it comes to what might be material to the more remote (and maybe even amorphous) set of stakeholders for whose benefit GRI disclosures are directed.
References
Accounting Today (2019), “Sustainability standards seen as too fragmented”, 17 October, https://www.accountingtoday.com/news/sustainability-standards-seen-as-too-fragmented.
Alliance for Corporate Transparency (2019), 2019 Research Report: An analysis of the sustainability reports of 1000 companies pursuant to the EU Non-Financial Reporting Directive, https://allianceforcorporatetransparency.org/assets/2019_Research_Report%20_Alliance_for_Corporate_Transparency-7d9802a0c18c9f13017d686481bd2d6c6886fea6d9e9c7a5c3cfafea8a48b1c7.pdf
Cournède, B. and O. Denk (2015), "Finance and economic growth in OECD and G20 countries", OECD Economics Department Working Papers, No. 1223, OECD Publishing, Paris, https://doi.org/10.1787/5js04v8z0m38-en.
COSO and World Business Council for Sustainable Development (2018), “Applying Enterprise Risk Management to Environmental, Social and Governance-related Risks”, October 22, 2018, https://gndi.weebly.com/papers.html.
Dee Haas, R. and A. Popov (2019), Finance and carbon emissions, ECB Working Paper Series No. 2318/September 2019.
ECODA (2019), https://ecoda.org/wp-content/uploads/2019/08/20180123_Investors_Duties_and_Sustainability-ecoDa_final_response.pdf.
EC (2020), Ares(2020)4034032 on Sustainable Corporate Governance, Proposal for legislation fostering more sustainable corporate governance in companies, European Commission https://eur-lex.europa.eu/legal-content/EN/PIN/?uri=PI_COM:Ares(2020)4034032.
FSB (2020), Task Force on Climate-related Financial Disclosures, Overview, https://www.fsb-tcfd.org/wp-content/uploads/2020/03/TCFD_Booklet_FNL_Digital_March-2020.pdf
FSB (2019), Task Force on Climate-related Financial Disclosures: Status Report 2019, p. 7. https://www.fsb-tcfd.org/wp-content/uploads/2019/06/2019-TCFD-Status-Report-FINAL-053119.pdf.
Global Sustainability Standards (2018), Board Due Process Protocol October 2018, https://www.globalreporting.org/standards/media/2099/gssb-due-process-protocol-2018.pdf.
GSSB (2020), Global Sustainability Standards Board Overview, https://www.globalreporting.org/standards/gssb-and-standard-setting/
Herz, R.H., B.J. Monterio and J.C. Thomson (2017), Leveraging the COSO Internal Control – Integrated Framework to Improve Confidence in Sustainability Performance Data.
International Integrated Reporting Council (2013), The International Framework, https://integratedreporting.org/resource/international-ir-framework/.
Isaksson, M. and S. Çelik (2013), “Who Cares? Corporate: Governance in Today's Equity Markets”, OECD Corporate, Governance Working Papers, No. 8, OECD Publishing, http://dx.doi.org/10.1787/5k47zw5kdnmp-en.
Japan Exchange Group (2020), Practical Handbook for ESG Disclosure, https://www.jpx.co.jp/english/corporate/sustainability/esg-investment/handbook/b5b4pj000003dkeo-att/handbook.pdf.
Lubrano, M. (2017), “EM companies must recognize investors are front-row in the audience for ESG information”, Pensions & Investment, November 21, 2017.
Morrow Sodali (2020), 2020 Institutional Investor Survey, https://morrowsodali.com/insights/institutional-investor-survey-2020.
NASDAQ (2019), ESG Reporting Guide 2.0: A Support Resource for Companies (May 2019), https://www.nasdaq.com/ESG-Guide.
OECD (2019), OECD Corporate Governance Factbook 2019, www.oecd.org/corporate/corporate-governance-factbook.htm.
OECD (2018), OECD Due Diligence Guidance for Responsible Business Conduct, https://www.oecd.org/investment/due-diligence-guidance-for-responsible-business-conduct.htm.
OECD (2015), G20/OECD Principles of Corporate Governance, OECD Publishing, Paris, https://doi.org/10.1787/9789264236882-en.
OECD (2011), OECD Guidelines for Multinational Enterprises, OECD Publishing, Paris, http://dx.doi.org/10.1787/9789264115415-en.
Sustainability Accounting Standards Board (2020), SASB, American Institute of Certified Public Accountants, Webinar: ESG Data Quality & Assurance, Wednesday, May 27.
Sustainability Accounting Standards Board (2017), SASB Conceptual Framework, February 2017, https://www.sasb.org/standard-setting-process/conceptual-framework/.
World Business Council for Sustainable Development Reporting Exchange (2020), https://www.reportingexchange.com/.
Notes
← 1. OECD calculations based on data from Thomson Reuters Eikon.
← 2. The term “board” as used in the G20/OECD Principles is meant to embrace the different national models of board structures. In the typical two-tier system, found in some countries, “board” as used in the G20/OECD Principles refers to the “supervisory board” while “key executives” refers to the “management board”. In systems where the unitary board is overseen by an internal auditor’s body, the principles applicable to the board are also, mutatis mutandis, applicable.
← 3. Governments and regulators may take a different approach to risk management practices in industries, such as banking and finance, where greater similarities and interdependence exist and where business failures can have important systemic or macroeconomic impact.
← 4. COSO is a committee composed of representatives from five organizations: the American Accounting Association; the American Institute of Certified Public Accountants; Financial Executives International; the Institute of Management Accountants; and the Institute of Internal Auditors.
← 5. Global Network of Director Institutes, https://gndi.weebly.com/papers.html.
← 6. European Confederation of Directors Associations. Response to the European Commission’s 2018 public consultation on institutional investors and asset managers' duties regarding sustainability, https://ecoda.org/wp-content/uploads/2019/08/20180123_Investors_Duties_and_Sustainability_-_ecoDa_final_response.pdf.
← 7. The Sustainability Accounting Standards Board (SASB), an independent non-profit, published the world’s first comprehensive set of industry-specific sustainability accounting standards in 2017. SASB’s classification system organises companies into 11 sectors and 77 industries in order to identify ESG risks that are expected to be material to particular economic activities. The SASB framework relies on 77 evidence-based, market-informed and industry-specific standards developed by other institutions against which to assess risk exposure and performance.
← 8. “Sustainability reporting and its relevance to the IFRS Foundation”, https://www.ifrs.org/news-and-events/2020/05/sustainability-reporting-and-its-relevance-to-the-ifrs-foundation/
← 9. The EU has recently initiated the process for reviewing and revising the NFRD and developing a uniform European Non-Financial Reporting Standard.
← 10. See the US SEC Standard instructions for filing forms under the Securities Act of 1933, the Securities Exchange Age of 1934 and the Energy Policy and Conservation Act of 1975 – Regulation S-K Subpart 229.104 (Mine safety disclosure), https://www.ecfr.gov/cgi-bin/text-idx?SID=fd3f92d14b821275a59c8aeecaabb6e9&mc=true&node=se17.3.229_1104&rgn=div8.
← 11. See Review of GRI’s Universal Standards (GRI 101, 102 and 103), https://www.globalreporting.org/standards/work-program-and-standards-review/review-of-gris-universal-standards/.
← 12. Data provided by SASB on August 24, 2020. A list of companies reporting utilizing SASB standards can be accessed at https://www.sasb.org/company-use/sasb-reporters/.