Topics: Audit, Audit and Risk, ESG, Risk Management, Strategy

September 17, 2019

ESG: Audit Committees, Beware!

ESG is now a regularly used term in the business and governance world. It’s a big focus for investors, and companies are paying attention. As ESG (environmental, social, and governance) matters become a more common topic of discussion in the boardroom, the question I have is this: Will the audit committee play a key role in the oversight effort? For many boards, I think the answer is yes. Here’s why.

A primary driver of the ESG discussion is how to manage risks that range from carbon emissions and water usage to data privacy and employee health and safety. Many institutional investors believe ESG issues are critical to getting the full picture of a company’s risk profile. That’s because material ESG risks can have a significant impact on strategy and can compromise a company’s ability to create long-term shareholder value.

Investors are scrambling to find more company-specific data related to ESG. They are gathering data from company corporate responsibility reporting, from company surveys, and from the web. Companies are starting to realize that if they don’t provide data, investors will just use what they can find—whether it is appropriate or not. 

Consequently, more companies are starting to take ownership of the process. They know that ESG is about risks, but they also see ESG reporting as an opportunity to get out in front and tell their ESG story—how they’re embedding ESG-related risks and opportunities into their long-term valuation strategy. Companies are acknowledging that there are a variety of stakeholders (along with investors and shareholders) that have an interest in understanding the long-term strategy of the company, including employees, suppliers and communities.

The full board will need to be involved to make sure the messaging is right. As the story comes together, the company will determine metrics and key performance indicators (KPIs) that it believes are compelling and material value drivers for the business. And investors will use those metrics and KPIs to assess business performance.

If you are an audit committee member, you probably see where this is going.

I started out by saying investors are focused on this information primarily from a risk angle. If the board does not have a specific risk committee, the audit committee usually covers risk oversight.

We are also now talking about disclosure of metrics and KPIs that have an impact on the valuation of the company. That information needs to be reliable, consistent, and commonly understood. The company should have processes and controls around the development of those disclosures to support the accuracy of the data. Maybe internal audit should consider a review of the control procedures for these metrics in its annual plan. The board might even think third-party assurance over the accuracy of these numbers is important. So which committee has members with deep skills in overseeing internal controls, policies and procedures, and reporting? I think you know the answer.

And, to really make a point, some companies are already disclosing ESG-related metrics or KPIs in their annual 10-K filed with the U.S. Securities and Exchange Commission (SEC) in order to provide an “integrated” reporting of key risks and material financial and operational data. This is a growing trend, and I suspect we are going to see more companies using their public-facing annual report and SEC Form 10-K as the vehicle to tell their comprehensive long-term value creation story. If something is going into an SEC filing, there’s one committee that will certainly be looking at it. Guess which one.  

I know only too well that the audit committee agenda is already full. For most boards, audit committee meetings are more frequent and longer than any other committee meetings. Many audit committees have already taken on cybersecurity oversight, recognizing that it was a risk to the company and therefore fell under their risk oversight umbrella. 

Using that same logic, I think there is no escaping ESG oversight. To begin with, it is all about risks, but it goes one step further when you talk about performance measurement. ESG disclosure requires reporting of metrics and KPIs that are, by definition, material to the business operations. And value creation will need oversight by a committee that understands risk, policies and procedures, internal controls, monitoring, and reporting. That sounds like the audit committee to me.