Environmental, Social and Governance (ESG) reporting is being demanded by investors and will soon be put in place by regulators and financial reporting standards. It is one more key area where companies need to establish their goals and benchmarks. A robust risk management process should be undertaken to determine the areas that need the highest-priority attention.
After understanding the gaps and priorities, controls should be designed to manage these crucial data-gathering systems and disclosure controls. The COSO 2013 Internal Controls - Integrated Framework was updated to allow it to encompass more than financial reporting. Given that it is the predominant framework in Canada and the US for Sarbanes-Oxley and National Instrument 52-109, it is the logical framework to use for ESG. This allows consistency of controls design and testing for maximum efficiency. It also allows the highest standards of assurance to be applied to these important controls.
These controls include those at the Entity Level, for policy development and authorization, and at the highest levels of the organization. Second, controls that allow consistent data gathering and quality assurance of such data are essential. These processes must complement the financial reporting and disclosure controls and be reconciled with them so that consistency of data and reporting is managed. Finally, monitoring controls must be established to enable companies to implement and manage ESG processes and data as part of their daily operations. This is much like any newer requirement: when Sarbanes-Oxley (2002) and National Instrument 52-109 (2005) were first implemented, the controls and procedures were not part of company operations, but over time organizations and people were trained and matured, and these controls became part of the organization’s DNA and second nature. This is the future of ESG at well-managed companies.