Internal audit and ESG

Governance is the systems and processes that ensure the overall effectiveness of an entity – whether a business, government or multilateral institution. Effective governance provides the oversight, structure and culture needed to establish the goals of the organization, the means to pursue them and the ability to understand any associated risks.


Entities, including businesses, governments and non-profits, face an evolving landscape of environmental, social and governance (ESG)-related risks that can impact their profitability, success and even survival. Given the unique impacts and dependencies of ESG-related risks, COSO and WBCSD have partnered to develop guidance to help entities better understand the full spectrum of these risks and to manage and disclose them effectively.

This guidance is designed to help risk management and sustainability practitioners apply enterprise risk management (ERM) concepts and processes to ESG-related risks.

What are ESG-related risks?

ESG-related risks are the environmental, social and governance-related risks and/or opportunities that may impact an entity. There is no universal or agreed-upon definition of ESG-related risks, which may also be referred to as sustainability, non-financial or extra-financial risks. Each entity will have its own definition based on its unique business model; internal and external environment; product or services mix; mission, vision and core values; and more.


  1. Environment: The contribution an entity makes to climate change through greenhouse gas emissions, along with waste management and energy efficiency. Given renewed efforts to combat global warming, cutting emissions and decarbonizing have become more important.
  2. Social: Human rights, labor standards in the supply chain, any exposure to illegal child labor and more routine issues such as adherence to workplace health and safety. A social score also rises if a company is well integrated with its local community and therefore has a “social license” to operate with consent.
  3. Governance: A set of rules or principles defining rights, responsibilities and expectations between different stakeholders in the governance of corporations. A well-defined corporate governance system can be used to balance or align interests between stakeholders and can work as a tool to support a company’s long-term strategy.

COSO ERM Framework

COSO’s Enterprise Risk Management—Integrating with Strategy and Performance (COSO ERM Framework) defines risk as “the possibility that events will occur and affect the achievement of strategy and business objectives.” This includes both negative effects (such as a reduction in revenue targets or damage to reputation) as well as positive impacts (that is, opportunities – such as an emerging market for new products or cost savings initiatives).

The evolving global risk landscape

Each year, the World Economic Forum’s Global Risks Report surveys business, government, civil society and thought leaders to understand the highest-rated risks in terms of impact and likelihood. Over the last decade, these risks have shifted significantly. In 2008, only one societal risk, pandemics, was reported in the top five risks in terms of impact. In 2018, four of the top five risks were environmental or societal, including extreme weather events, water crises, natural disasters, and failure of climate change mitigation and adaptation.

The World Economic Forum also highlights the increasing interconnectedness among ESG risks themselves, as well as with risks in other categories – particularly the complex relationship between environmental risks or water crises and social issues such as involuntary migration. In the business world, this evolving landscape means ESG-related risks that were once considered “black swans” are now far more common – and can manifest more quickly and significantly. A report by the Society for Corporate Governance in the United States found that these issues often, although not always:

  1. Derive from a risk or impact inherent in the core operations or products
  2. Have the potential to meaningfully damage a company’s intangible value, reputation or ability to operate
  3. Are accompanied by persistent media interest, organized stakeholders and associated public policy debates that could magnify the impact of a company’s existing position or practice and increase the reputational risk (or opportunity) created by a change in company policy or practice

Course Features

  • Lectures 3
  • Quizzes 1
  • Duration 10 weeks
  • Skill level All levels
  • Language English
  • Students 0
  • Certificate No
  • Assessments Yes