What internal audit should know about ESG risks: E is for Environmental
There’s no single taxonomy of environmental risks. Consider what categories your organization uses and what is used elsewhere in the sector. The following should all be covered, at a minimum, but may be described in different ways using different terminology:
- Climate change. This should include the effect of greenhouse gas (GHG) emissions – we usually talk about carbon dioxide but there are seven gases covered by the GHG protocol
- Pollution from emissions and discharge (i.e., water, soil, air)
- Biodiversity loss and deforestation
- Waste management
- Resource use – impacts of raw materials, production, transportation, and distribution (consider water, energy, and other natural resources)
- Hazardous materials
There is clearly an interplay between these risks, but as they represent the major environmental impacts, this offers a good starting point.
This should fit neatly into your existing risk assessment process. Typical impacts for the organization will be reputational, legal and regulatory, financial, operational, and ultimately strategic. All things we are very familiar with.
Getting started – Determining the key risks
Every organization is different. You will need to start with a risk assessment to determine the key risks, potentially using the list above. To do this, you will need to understand the main environmental issues in your business, considering a number of factors:
- What sector(s) you are in, and what the main impacts of that sector are. Search out industry guidance from standard setters such as GRI (Global Reporting Initiative), international business groups, such as the World Economic Forum, and thought leaders, such as McKinsey. It is important to consider all the main parts of your business, from the environmental impact of the raw materials you source, through transportation, production, and sales. Although focusing on your immediate impacts may be easier, the impacts outside your organization’s immediate control are often more significant. For example, a significant environmental impact of electronics is the extraction of rare earth metals essential for their production.
- Where your business is based, the places in which you operate, where you source materials from, and where you sell to. This is important for a number of reasons. It drives the nature and extent of legal and regulatory risk that the organization faces. It also influences the attitudes of stakeholders, such as customers and consumers, as these may vary significantly. But bear in mind that these factors can change quickly, and this needs to be built into any risk assessment.
- Requirements of your customers. This may be contractual for government or corporate procurement, or the preferences and attitudes of consumers. This is also partly based on location (as mentioned above), but in global markets, it is never that simple.
All of this (and more) should have been considered by the business (first or second line) and internal audit should leverage their work, effectively challenging and validating. If this has not been done, internal audit needs to take a step back and conduct a more basic evaluation of the maturity of the organization’s risk assessment process.
Some types of environmental impact will be universal and significant no matter what your business activity. These include climate change and waste, which I will dig a little deeper into later in the article. Others may apply to a much greater extent in certain industries, such as extractive industries (oil and mining, for example) and heavy manufacturing (where there may be high levels of resource use – both raw materials as inputs and energy and water in the production process).
How internal audit can make an impact
As with any aspect of audit planning, the greatest value internal audit can bring will depend on the major risks identified. But we can’t just consider the inherent risks, we need to understand what other sources of assurance are in place and, most importantly, what activities are contributing to both the risk and the assurance. Think about the following:
- What do we know about environmental management processes that are in place? Is there an environmental management system and is it ISO 14001-compliant? What is the scope of these systems and processes?
- What reporting is in place? Are external reports assured? Which stakeholders use and rely on these reports?
- Are environmental factors (risks and costs) incorporated into project evaluation and capital decisions?
A common factor across many environmental risks is the availability and quality of the data. Processes and controls for environmental data are generally less mature, and systems are not always equipped or configured to meet the complexities and nuances of this data. This is often a great opportunity for internal audit to add value, both by providing assurance over processes and systems, and by validating the data itself. Both leverage core internal audit skills.
We can also go further, confirming that reports meet whichever standards are being applied, and that management reports or project evaluations fairly and completely reflect risks as well as opportunities. However, this may require more specialized knowledge.
All organizations need a response to climate change, and so while the specific needs will differ, this is an issue increasingly relevant for everyone. How can internal audit add value? Let’s look at two potential opportunities:
- Has the business considered the potential physical and transitional impacts of climate change? Best practice suggests this should be done using scenario analysis that includes a range of realistic scenarios. Physical vulnerabilities may result from gradual, long-term changes in climate (chronic risks), or short-term (acute) risks, such as storms and fires during heatwaves. These potentially impact the cost of capital and the availability and cost of insurance, and cause operational disruption. Transitional impacts include changes in legislation, markets, technology, and stakeholder expectations. Internal audit can review the process used to establish scenarios and determine the impacts and, more importantly, assess actions to improve resilience, mitigate risk, and maximise opportunities.
- Many corporations are now publishing disclosures under TCFD (Task Force on Climate Related Disclosures). These are becoming mandatory in some countries and are an increasing expectation from investors. External assurance, if any, is usually very limited in scope. Internal audit can provide assurance over the processes to collate data and support assertions made in the disclosures. It can also audit the data and assess the evidence supporting those assertions. Other organizations may provide (voluntarily or by regulation) data on, for example, energy use or emissions. Again, internal audit can provide similar assurance over these processes or this data, as any external assurance will generally be limited.
Waste is an issue for all organizations, although the specific impacts will be very different across businesses. As well as the environmental impact, businesses have a cost-incentive to reduce waste, as it is increasingly expensive to treat and dispose of. Internal audit can add value in a number of ways. Here are some examples:
- Assess whether policies support the organization’s waste strategy. Are they specific to the business and relevant for the types and locations of waste produced? Do they take into account legislation and regulation in each jurisdiction? Are they effectively implemented, understood, and followed?
- Companies often report waste information, either in annual reports or to different public authorities. How is this validated? For example, how do we know that waste is recycled or reused? Are there controls to independently verify how the waste has been treated? In many countries, responsibility for safe disposal rests with the waste producer, not the waste contractor.
To summarize, we have described the importance of environmental risk to all organizations and have shown how internal audit can respond to some of those risks. Internal audit can use existing tools and skills to get started, and leverage widely available sources of knowledge to find out more.
The next article in this series will focus on the “S” (Social) in ESG. We will explore how internal audit can address important social risks, with a focus on labor standards and sales practices.