Pending regulations prompt IA to validate companies’ climate-related claims and incorporate first and second lines of defense.
Several members of NeuGroup for Internal Audit Executives have recently or will soon conduct the first audits of their companies’ climate impact reports, and in a recent meeting they generally concluded that ESG group leaders may not understand much of the data behind their reports.
- The vice president of internal audit at a corporate with supply chains stretching worldwide discussed his company’s annual climate impact report and several others related to specific supply chains.
- “We had never audited them,” he said. “So I told my team that we really need to take a look at the information in those reports: where the data comes from, can we validate it and are there controls in place?”
- The audit led to the development of a climate framework that will enable the ESG team to comply with anticipated European Union requirements as well the company’s businesses to better understand and control their climate impact.
Data skills lacking. The executive said his company’s sustainability team members may be passionate, but they didn’t have any background in setting up a so-called second line of defense structure, which ensures the proper handling of risk controls and compliance by first-line risk managers. In some cases, they weren’t well-versed in establishing policies and expectations.
- After recently finishing an audit of her company’s climate impact report, another member noted there was no validated data for 40% of the numbers reported.
- A third member said her team was beginning a climate impact audit shortly, along with its external auditor.
Out of the ashes. The session leader said his ESG colleagues were upset about the audit’s conclusions, but the group’s leader saw the value of putting in more rigor behind the data.
- Now IA reviews every report before it is published and validates the data with limited testing, and has started to work with the ESG group to analyze its source data.
- A peer questioned whether that was excessive, and the session leader pointed to the potential for reputation risk and losing customers, adding that IA will review the reports until the ESG team sets up a functioning second line.
- Also stemming from the climate audit is a climate risk assessment template that IA created to apply to each of the company’s businesses.
- “Our ESG team has adopted this and will use it going forward as their official guide,” he said. “We don’t intend to do risk assessments in this area unless they ask for our assistance.”
- He added that such risk assessments are expected to be a part of the European Union’s proposed legislation regarding climate impact.
Framework aspects. Responding to a peer’s request for key aspects of the risk assessment framework, the session leader recommended analyzing the data inputs in a specific process and where it is sourced from—often the supply chain—then building a risk register. Like any risk assessment, common criteria in terms of impact and likelihood were developed, to help prioritize all the data.
- Climate change risk stands out because current frameworks typically divide it into physical and transitory risks; so, is it a factory at risk, or a change such as temperatures increasing that must be dealt with over time?
- Using a tool that predicts how climate change will impact businesses, “We can tell them here will be the impact on your business’s profitability.”