Tech-driven ESG: Navigating risks with precision

Measurement and reporting are crucial in implementing ESG into operations, and there is a vast and increasing number of metrics.

For ‘E’ (environmental), these include carbon emissions (internally and across the supply chain), energy consumption (renewable versus fossil fuel), usage of resources like water and minerals, waste, and recycling rates of materials, both in operations and in products. From an ‘S’ (social) perspective, organizations need to measure workforce diversity, salary equity, labor practices (again, including suppliers), and employee health and safety. Finally, for ‘g’ (governance), it’s all about governance structure and practices, encompassing board diversity, ethical business practices, executive compensation, and shareholder rights.

Half of the respondents to the KPMG Global Tech Report 2023 say expectations of ESG transparency are driving their transformation efforts.

Many key decisions will be based on ESG metrics, aided by real-time insights, including predictive analytics that might tell you whether you will likely meet a particular target. However, establishing processes for collecting, analyzing and verifying data is a considerable challenge, especially when it comes from outside the organization via third parties. For example, a robust report should show if your organization works with non-sustainable suppliers.

Companies should also be confident that data is complete and accurate enough for internal decision-making and external regulatory reporting.

ESG regulations are a major driver of corporate decision-making, affecting every part of the company. The first step in managing ESG risks is first to assess and quantify the prevalence of these risks. Which business processes are most exposed to ESG risks? The compliance and risk functions should hold a discovery exercise, with relevant business teams to determine how ESG regulatory change might affect the organization’s current technology and the kinds of metrics to be reported. While adhering to ESG regulations is critical, this is a minimum expectation and the control framework needs to be more robust and accommodate newer and emerging risks.

With a clearer understanding of data requirements, the company should be in a better position to enhance its existing risk and controls frameworks, invest in appropriate new technologies and redesign or improve processes.

ESG-related risks have the potential to affect multiple areas of an organization beyond the ESG realm. The ESG risk universe overlaps with that of operational risk, technological risk and even overall enterprise risk.

The risks of failing to track and report ESG performance are significant. Take HR, where companies need to have checks against bias in recruitment, promotion and pay. It’s a similar story with climate change, where reliable measurements of carbon emissions are required to compare against targets and benchmarks. Suppliers, meanwhile, need to be carefully vetted and regularly checked to confirm they aren’t using child labor or polluting their local environment.

In addition to the scope of ESG itself, various external and internal stakeholders are involved, including governments, regulatory bodies, shareholders, customers, employees and the public. The impact of ESG risks is far-reaching and cuts across most business areas, functions and the three lines of defense. While the quantum effect may vary, it does necessitate immediate and urgent action by senior management to design a robust ESG controls framework to mitigate these risks.

Installing controls helps reduce the risk of getting metrics wrong and, crucially, provides a defense that the organization made adequate provisions to avoid such errors. These controls should test the systems that provide data and show that access protocols are sufficiently secure to protect against hacking and data theft.

The risks of non-compliance with regulatory requirements, in specific, are significant in terms of potential penalties and reputational harm. And, with third parties forming part of organizations’ ESG obligations and commitments, technology can help manage associated risks, using inbuilt checks for due diligence, onboarding and ongoing monitoring — and a safe exit once the relationship has terminated.

Another critical element of controls is auditability: the ability to trace data flow from end-to-end. When combined with internal and, ideally, external, independent assessment, the organization can demonstrate that it manages ESG risks effectively.  

Of course, companies have been refining their financial reporting for decades, and ultimately, non-financial reporting should become part of the same process, offering a 360-degree view of corporate performance. Existing financial systems have evolved to a high level of maturity and are subject to external audit and regulatory scrutiny.

Almost three-quarters of respondents to the KPMG Global Tech Report 2023 are confident they can progress their near-term ESG ambitions using their existing technology stacks. Financial and non-financial reporting systems need to be interoperable and ‘talk’ to each other. One example is using the same data and analytics tools to track performance, manage reporting and identify improvements. IT leaders should be thinking about how they can integrate ESG into business processes and adopt relevant new software tools.

Given the complexity of existing regulations and the constant introduction of new ones, there is a great opportunity to build technology solutions that can help meet multiple regulatory requirements and be used across different processes, systems and geographies.

However, it’s a mistake to think this is just a technology challenge. Building strong controls involves a joint effort from IT, ESG/ sustainability, finance, operations, compliance, legal, product development, HR and sales and marketing. The CIO should be involved from the start.

ESG is a board-level issue that can determine a company’s competitiveness and reputation, so sponsorship — ideally from the CEO — adds appropriate weight and momentum to embedding sustainability and social goals into mainstream business strategy.

This calls for an understanding of both ESG and the underlying technology to drive a sustainable strategy and operations. An internal control team may be able to lead the framework design and help re-design processes to incorporate ESG metrics and reporting.

The four key steps towards a strong control system are:

• Development of an ESG strategy.
• Design and implementation of processes, systems and controls.
• Measuring, reporting and monitoring of ESG assurance activities.
• Enabling ongoing continuous improvement activities in your business.

Organizations should systematically address pivotal ESG considerations to refine their sustainability approach. These inquiries encompass:

1.     What are the primary ESG risks and opportunities for your company?

2.     Which ESG standards and frameworks is your company using?

3.     What specific information are ESG stakeholders seeking, and how is the company addressing these requests?

4.     How does the company stay informed about new and emerging regulatory assurance requirements?

5.     What methods does the company employ for collecting ESG information?

6.     What policies govern the company’s data collection processes?

7.     What safeguards are in place to ensure the reliability and accuracy of ESG information?

8.     What additional resources are necessary to implement new ESG processes and controls?

Successfully navigating these aspects enhances understanding of the ESG landscape, reinforcing a commitment to transparency, sustainability and effective risk management. Obtaining thorough responses to these questions is imperative for shaping a strategic approach and ensuring compliance with evolving regulatory frameworks.