#takeaways ESG Webinar 8: The role of risk in maintaining your ESG compliance

The current sustainability reporting landscape and its impact

Existing reporting frameworks did not reach their full potential leading to undesirable effects such as greenwashing, and limited impact on companies’ operations and strategy. Therefore, the European Union evolved from a voluntary reporting landscape into a mandatory reporting framework with the following directives, as part of their Green Deal:

• CSRD, EU Taxonomy, CSDD Directive, SFDR (mandatory framework, EU driven)
• ISSB (non-mandatory framework, international)

The scope and timing of CSRD, the Corporate Sustainability Reporting Directive:

How to get started with your sustainability journey? ‘We recommend organizations to first develop a well-defined strategy,'' Mario Matthys says. “Before you start to build a data model or implement tools, you need a comprehensive plan, including an overview of the impacted processes and data points.” That is why TriFinance proposes the following 6-step approach to your CSRD journey to create maximum impact.

For a detailed overview of the different reporting directives and the 6-step approach for your CSRD journey, please have a look at the takeaways of our first webinar: Navigating the sustainability landscape.

We often miss the role of internal audit at the ESG table, while internal audit should be one of the key members. Throughout the entire CSRD journey, it is crucial to adapt and monitor the internal control framework and strive for continuous improvement.

Role of the internal auditor

The 2024 edition of the annual Global Risk Survey conducted by the Institute of Internal Auditors highlighted that corporate reporting, including non-financial, is the second highest ranked risk on which internal audit spends the most time and effort. Today, more and more companies have employed their internal audit functions to provide advice and raise internal awareness and confidence in sustainability reporting.

The survey also highlighted that Chief Audit Executives believe climate change, biodiversity and environmental sustainability will be ranked as the third highest risk in 2027, which stresses out their role in raising that internal awareness.

We believe the role of internal audit in achieving and maintaining ESG compliance is crucial for any organization. With the right mandate from Boards and C-suites, the internal audit function can meet and uphold regulatory compliance by:

For Financial institutions

• Raising awareness at Board and Senior management level about ESG priorities, gaps at their institutions and the implications of those. Internal Audit can serve as a sounding board for management when they design their program (Advisory);
• Benchmarking the controls in place against best practices and regulatory expectations to validate the maturity of the control environment;
• Reviewing how ESG risk factors (transition & physical climate risk) have been identified, assessed and verified, Internal Audit can encourage the development of control activities to mitigate ESG risks;
• Evaluating the design, operating effectiveness of internal or external stress tests, to ensure ESG risk scenarios are sufficiently severe and plausible, that the size and directions of effects can be reasonably explained, and capital and liquidity implications are monitored and remediated effectively;
• Evolving the positioning of Internal Audit. Within the banking sector, ESG experts have started to claim their place in various types of departments that need to work together on ESG topics, the coordination can be vastly different per company and even department. This has proven challenging for internal audit when covering the full scope of ESG in the audit universe and providing sufficient assurance via the audit plan.

For Corporates

• Conducting or supporting with the execution of an ESG enterprise risk assessment, based on the risks and opportunities identified during the DMA. This process helps identify and prioritize the most significant environmental, social, and governance risks that the company faces.
• Supporting the development and implementation of an internal control framework aligned with COSO principles. This framework provides a structured approach to managing ESG-related risks and maintaining regulatory compliance.
• Evaluating the design and operating effectiveness of ESG internal controls by conducting thorough internal audits. These audits assess whether the controls in place are functioning as intended and identify areas for improvement.
• Supporting the implementation of monitoring mechanisms using advanced analytics. These tools track environmental performance and help the organization achieve its sustainability goals.

We believe an important step each organization needs to take is to figure out who is responsible for what and if any roles and responsibilities need to shift. As ESG touches many business areas, it is important to know who to turn to in order to get the right information about ESG risks and ESG compliance.

The three lines of defense model can help you to determine these roles and responsibilities. The first line is responsible for executing the ESG internal controls, according to the internal control framework developed by the second line. The third line will objectively assess if the internal control framework is in line with ESG regulations and if the respective ESG controls are correctly and completely executed, in line with the audit requirement stipulated in the CSDD.

How to identify and assess ESG risks

It is crucial that companies identify and analyze risks that may prevent them from achieving their sustainability reporting objectives, as pointed out in the second internal control component of the COSO framework.

Based on the internal control component of the COSO framework and even more importantly the identified risks and opportunities of the DMA, we believe the key steps for identifying and assessing ESG risks are:

• Defining the sustainable reporting objectives and materiality together with leadership and based on applicable laws, regulations and frameworks applicable to sustainability reporting (principle 6);
• Identifying material ESG risks that can prevent the achievement of the sustainable reporting objectives, followed by an assessment of these risks on likelihood, impact and level of the existing control measures (principle 7);
• Continuously monitoring for emerging risks or changes to existing material risks and their impact on the achievement of your sustainability reporting objectives because this is key to staying focused on what matters also – make sure that the developed internal control measures to mitigate the top ESG risks are correctly and completely executed.

Materiality is determined on the corporate risk tolerance, considering internal and external inputs, regulatory and statutory requirements, industry standards and leading practices.

How Financial institutions must assess ESG risks

In today's financial landscape embedding sustainability into core strategies is no longer optional; it is a critical driver of long-term success and resilience in the evolving market. However, while ESG opportunities are significant, the risks are also substantial. Regulatory penalties for non-compliance can be severe, and greenwashing can result in severe reputational and business model risks. To address these challenges, financial institutions must assess and manage ESG risks, including disclosures, as supervisory expectations have strongly increased. Comprehensive management reporting processes for senior management are essential.

The ESG internal control framework: develop internal controls to identify the ESG risks

COSO is an integrated internal control framework designed to reduce fraudulent financial reporting and help companies create internal controls to restore confidence in financial information, especially for listed companies that need to be SOX compliant.

In 2023, COSO released an interpretation of how to apply its framework to sustainable business information. Although this interpretation is not a guide, ESG professionals can use the COSO model as they consider implementing an ESG internal control framework. All organizations, including privately owned, nonprofit and public sector entities need effective internal controls to meet their objectives and manage their key risks.

The five components of internal control, each contain three to five principles with a total of 17 principles. For a system of internal controls to be considered effective in providing reasonable assurance that objectives are achieved (hence risks are mitigated), controls must address all five components and 17 principles.

In the third column we mapped these five components and 17 principles to all actions required to become an remain compliant with ESG regulations, of which we have already discussed the importance to (I) align on ESG roles & responsibilities and reporting lines (referring back to the 3 lines of defense as a guide), (II) identify and assess material ESG risks and (III) implement internal control measures mitigating top material ESG risks.

Best practices

Implementing effective internal controls over sustainability matters is key, which is achieved when the seventeen COSO principles are present and functioning.

You do not have to do this alone. Form a cross-functional team consisting of experts in sustainable business, such as legal, public relations and HR, and experts in internal controls and reporting, such as ERM and finance and administration.

Do not forget information technology general controls, which provide additional insights into control activities over IT, ensuring that the data that you report is correct, complete and timely executed. Once you have developed your ESG internal control framework, you can also opt to implement a continuous control monitoring framework, to automatically track that your ESG internal controls are correctly, completely and timely executed.

It is best practice to use advanced analytics, which can consist of:

• Continuous control monitoring: design KPIs framework to monitor activities and identify patterns and trends on a continuous basis;
• Key ESG metrics: based on the reporting requirements for your organization. From workforce diversity and inclusion, ethical conduct and compliance (incidents of corruption, bribery), waste management, GHC emissions, energy intensity, pollution,…;
• Data and process mining: Model, analyze and optimize your ESG reporting by using large datasets to identify patterns, trends, and insights that can inform stakeholders, investors, board decisions, which can be based on your EU taxonomy classification system of all activities.

Conclusion

Limited assurance on sustainability information is mandatory under the CSRD and is expected to shift to reasonable assurance as of 2028. This implies that external audit will review the non-financial information and provide an opinion on the sustainability reporting. To ensure your external auditor agrees that your sustainability reporting is correct and complete, effective internal controls over sustainability related matters (including operations, compliance and various types of reporting) are crucial.

Our key takeaways on maintaining compliant with ESG regulations are all related to the implementation of an internal control framework, in line with COSO principles:

• A periodic enterprise risk assessment and determination of materiality are key activities to stay focused on what matters. Do not forget, as a starting point, the risks and opportunities identified during your DMA;
• Effective internal controls (including information technology general controls) are only achieved when the seventeen principles are present and functioning, which is different for each organization based on maturity, industry, resources and requirements;
• Work with others to determine the best organizational structures and roles and responsibilities to create the desired results. This includes the board and board committees, management, operations, compliance and of course internal audit. The three lines of defense model can be especially helpful in determining these responsibilities;
• Internal assurance and confidence in sustainability reporting needs to exist before external assurance. Take advantage of your internal audit function in this regard to provide advice.