Best Practices for Establishing ESG Disclosure Controls and Oversight
By: David A. Bell , Ron C. Llewellyn
In recent years the demand for information regarding companies’ environmental, social and governance (ESG) activities, risks and opportunities has risen sharply. Shareholders and other stakeholders seek ESG information that is useful, comparable and accurate, which necessitates that companies establish appropriate controls to gather, verify and disseminate such information. The variety of potential sources for ESG data may pose a challenge to companies trying to put a disclosure controls and procedures framework in place. This guide includes some suggestions and considerations for public companies in developing disclosure controls and related policies and procedures for ESG information.
In September 2021, the United States Securities and Exchange Commission sent comment letters to a number companies in different industries seeking more information about their climate-related disclosures (or lack of such disclosures in their SEC filings) referencing the SEC’s 2010 Guidance Regarding Disclosure Related to Climate Change, Release No. 33-9106 (Feb. 2, 2010). The SEC posted a Sample Letter To Companies Regarding Climate Change Disclosures in which it asked, among other matters, for companies to explain why certain climate-related disclosures were included in corporate social responsibility reports (generally found on company websites) but not SEC filings. The SEC has also expressed an interest in ESG disclosure more broadly, and has indicated the potential for rulemaking in the near future. Whether because of SEC regulations or to meet the expectations of investors and other key stakeholders, the amount of ESG information that companies will disclose in their SEC filings will likely increase. With the potential for increased visibility of ESG disclosure and the associated liability for false or misleading statements or omissions under securities law, as well as the risk of investor-, employee- or public-relations harm even where inaccuracies may not be material, companies should pay special attention to the disclosure controls that they have in place. Doing so will also better position companies if more ESG disclosure is mandated.
Under Rules 13a-15(a), (b) and (e) of the Exchange Act of 1934, as amended, public companies must maintain and periodically evaluate the effectiveness of their disclosure controls and procedures. This requirement extends to any ESG information that a company would be required to disclose under SEC regulations. For prudential reasons (including limitation of potential liability), these controls and procedures should also extend to significant voluntary disclosures, including voluntarily disclosed ESG information. As disclosure controls should already be in place for periodic and special reporting, a company’s disclosure committee, and legal and financial reporting teams, may be well-positioned to implement a control structure for the reporting of ESG data that is integrated with a company’s regular public reporting, including data that is voluntarily disclosed.
Given the broad nature of ESG, companies should focus on those risks and opportunities that are most material to their business. In many cases, a company may have already identified its key ESG issues but may also want to consult an established framework or standard such as the Sustainability Accounting Standards Board (SASB) or the Global Reporting Initiative (GRI)—or the framework under development by the International Sustainability Standards Board (ISSB)—for guidance on ESG risks and opportunities that are typical for an industry. ESG frameworks and standards may indicate specific metrics on which a company should report and for which it will need to gather data.
Companies should also consider the preferences of their largest shareholders and other important stakeholders regarding the information they would like the company to disclose. For example, BlackRock, one of the largest investors in many companies, has requested that companies disclose ESG data that is aligned with the recommendations of SASB and the Taskforce for Climate-Related Financial Disclosure in its Engagement Priorities for 2021.
In addition to shareholders, companies should also consider the expectations of their other stakeholders in determining the information on which they will report. Even if certain ESG information is not viewed as material by a company or its investors, it may garner significant interest from employees, consumers or customers. For example, a company may suffer a commercial disadvantage if it fails to disclose an ESG metric that its competitors disclose, or which consumers expect it to provide. Employee recruiting and retention may be similarly impacted. Business customers may also seek reporting of ESG metrics from companies in connection with supply chain due diligence initiatives and may require certain ESG reporting obligations in contracts.
Finally, many ESG ratings firms, on which some investors and creditors rely, will base a company’s rating on its public disclosure. Companies should understand the most important ESG metrics for their industry and benchmark their ratings with peers to determine areas for new or increased ESG disclosure.
Developing and documenting rigorous reporting procedures may pose a challenge for many companies. For example, companies may gather ESG data outside of enterprise resource planning (ERP) and financial reporting systems. Such data collection is often manually collected on spreadsheets and the process for gathering the data may differ depending on business unit, department or region. Still, companies should ensure that the data collection process is of sufficient quality for review if the company decides to get third-party assurance (discussed below).
Companies should also look to standardize their processes and create central repositories or reference sets for ESG data. Data management systems for ESG-related data should be formalized and automated if possible. More robust systems may have automated checks, secure access and data analytics, which surpass more manual processes that may rely on basic control activities like authorizations and manual data entry and recordkeeping. Where possible, companies should try to integrate ESG data with ERM systems.
The appropriate personnel to gather the information may already be apparent, particularly if it involves data that a company is already tracking. However, in some instances, employees may need to be trained or hired if the requisite expertise for collecting and/or analyzing the data does not currently exist at the company. As a precursor, it may be important for the company to train employees on the importance of the data as there may be a perception that it is not as valuable as the financial information on which the company is likely to have reported for a longer period than ESG data.
Companies should establish processes for ESG data to be reviewed and verified by appropriate functional areas, including the process by which the data is collected and analyzed. As many companies do with financial reporting, companies may look to put a certification and sub-certification process in place. Controls should also be put in place to detect and prevent fraud related to ESG data, including segregation of duties and ensuring that whistleblowers are protected. Finally, companies should make sure that their ESG disclosure is consistent across platforms.
To the extent the same metric is disclosed in multiple places (e.g., the proxy statement and the corporate website), the information should be identical. While companies are not required to provide the same level of information sought by a voluntary ESG disclosure framework or standard in their SEC filings, as noted above, failure to do so might invite questions from the SEC, investors and other stakeholders regarding the sufficiency or materiality of the information being disclosed.
Disclosure controls and procedures should be documented in policies once they are established. Such policies should specify what ESG data should be gathered, how it should be gathered, analyzed and reviewed, and the responsible parties. These policies should be monitored and reviewed periodically for effectiveness. Senior management and the relevant committee of the board providing oversight of ESG matters should also have an opportunity to review and approve such policies. Once these policies are adopted, or if they are revised, they should be communicated to the relevant employees who will need to follow or implement them.
While not required for U.S. public companies, some institutional investors have begun discussing the potential desirability of third-party assurance of some ESG data. As a result—and to increase confidence in the data that they are reporting—some companies may seek assurance for their ESG data, particularly if it is included in a securities filing. Though this practice is still in its early days, some accounting firms and other third-parties are preparing themselves to offer attestation procedures for ESG-related reporting.
However, according to a recent survey by the Center for Audit Quality, only 6% of S&P 500 companies received assurance from a public company auditing firm, while 47% had assurance from a non-CPA firm. Companies looking to engage a firm for assurance services should ascertain whether the firm has appropriate expertise. In many cases, when it comes to ESG metrics, operational or industry experience may be more valuable than traditional financial auditing experience.
Accounting firms can offer review or examination services based on the criteria that a company uses for ESG-reporting (i.e., whether the information provided is in accordance with a third-party framework or standard such as SASB or company-developed metrics). As discussed in the Association of international Certified Professional Accountants and Center for Audit Quality’s ESG reporting and attestation: A roadmap for audit practitioners, an examination engagement will provide reasonable assurance and will provide an opinion on “whether the ESG information is in accordance with the criteria, in all material respects.” A review engagement will provide limited assurance and “express a conclusion about whether the [accounting firm] is aware of any material modifications that should be made to the ESG information in order for it to be in accordance with the criteria.” A company should decide the appropriate level of assurance that it will seek, which may be influenced by the cost and the expectations of its shareholders and other stakeholders and potential for liability.
A company’s management should appoint a team tasked with monitoring its ESG disclosures and commitments, recognizing that these disclosures can appear in a variety of official, formal and even informal communications, such as SEC filings, website materials or sustainability or corporate social responsibility reports. This may consist of a formal management steering committee or a simpler structure. The broad scope of ESG will necessitate the involvement of various departments and functions within the company, including sustainability/corporate social responsibility, legal, human resources, investor relations, corporate secretary, communications, compliance, finance, risk management and relevant business units.
Many companies have formal charters for their management ESG committees, and such charters may include requirements regarding committee membership, frequency of meetings and reporting, committee leadership and duties and responsibilities. The duties specified in the charter could include:
Regardless of the level of formality, the management committee should ensure that ESG information is disclosed in a consistent fashion across the variety of platforms in which it may be disclosed. In addition, it should develop the policies and procedures discussed above and ensure that appropriate controls are in place for gathering the data. Finally, the management committee should create a process for regular reports to the company’s board or the relevant committee overseeing ESG.
Following the enactment of the Sarbanes-Oxley Act in 2002, many companies adopted management disclosure committees to oversee their disclosure obligations under SEC rules and to evaluate their disclosure controls and procedures in support of the CEO and CFO certifications required by the act. In addition to the principal accounting officer and general counsel, these committees typically include senior officers in investor relations, tax, internal audit and relevant business units. Accordingly, for many companies, there will be significant overlap between members of their disclosure committees and their management ESG committee, which should facilitate the sharing of information.
Regardless of the respective composition of each committee within a company, there should be mechanisms in place to ensure the frequent and timely communication between the ESG committee and the disclosure committee. Drafts of ESG disclosure, whether for standalone reports or to be included on webpages, should be provided to the disclosure committee for its review. Similarly, the disclosure committee should share relevant SEC reporting disclosure that may impact the company’s ESG disclosure with the company’s ESG management committee.
For efficiency, companies should consider whether it would be appropriate to have an existing disclosure committee or sub-committee of the disclosure committee oversee ESG instead of having a separate management ESG committee. In that case, the disclosure committee’s charter could be expanded to incorporate responsibility for ESG disclosure matters, including the addition of new members and responsibilities, and processes should be established for their involvement in and oversight of collection and dissemination of ESG data.
It may be possible for a company to utilize existing disclosure controls and procedures for gathering, verifying and reporting its ESG data. Companies may leverage existing activities, controls and established internal expertise as well as existing and proven methodologies, approaches and concepts from internal control over financial reporting, such as IT controls or monitoring techniques.1 Companies can also use the disclosure controls and procedures for SEC reporting for ESG reporting, particularly if it involves the same or similar data.
For example, timelines and task lists developed for the SEC reporting calendar may also be utilized for ESG reporting, even though companies typically have flexibility in determining when they release their voluntary ESG disclosure. Thus, human capital management data that may be included in both a company’s Form 10-K and its sustainability report would be subject to the same disclosure controls and procedures.
A company’s board of directors should play a key role in oversight of the company’s ESG efforts, including ensuring that the company has appropriate ESG disclosure controls and procedures in place, and that ESG is integrated with the company’s strategy. First, the board should understand and agree with management on the most important ESG risks and opportunities. Second, the board should consider assigning responsibility for some or all of its ESG matters to a board committee. It may choose to form a standalone committee for this purpose, or it may use one or more of the pre-existing committees. The importance of the board’s oversight of ESG controls and procedures may favor assigning responsibility for oversight of them, and perhaps all ESG matters, to the audit committee which already provides oversight for financial reporting and related controls.
However, the audit committee already carries a heavy workload (often including cybersecurity) and ESG may get insufficient attention there. The nomination and corporate governance committee may also be a potential candidate for this task given its responsibility for overseeing corporate governance issues such as board diversity and political lobbying, which are important ESG focus areas. For some companies, it may be appropriate to divide oversight among multiple board committees depending on the topic (e.g., the nomination and governance committee would oversee governance-related issues; the compensation committee would oversee the use of ESG metrics in setting executive compensation, human capital management, and diversity, equity and inclusion; and the audit committee would review the effectiveness of ESG-related disclosure controls and procedures and oversee the attestation process if an auditor or other service provider is engaged for such services).
Regardless of the oversight structure, the board should seek regular reporting of ESG information from management, including progress against stated goals, as well as understanding the company’s public disclosure posture. Board committees that are tasked with ESG oversight should include such responsibilities in their committee charters as many shareholders and other stakeholders want to understand the board’s involvement in managing ESG. Discussion of these topics should also be considered (e.g., in the section discussing board oversight of risk and/or in the descriptions of the committees).
Finally, as part of its ongoing evaluation and refreshment activities, the board should consider whether it has the requisite expertise to understand and advise the company on its most pressing ESG issues. This includes understanding disclosure trends, peer company practices and challenges that may be particular to the company’s industry. Accordingly, the nomination committee should identify and nominate, and the board should elect, individuals with backgrounds in relevant ESG issues of importance to the company to ensure that the board is able to provide appropriate oversight of ESG.
The intense interest in ESG underscores the importance of having a robust system of disclosure controls and procedures, as well as an appropriate oversight regime in place to ensure focus on important ESG priorities and the accuracy of ESG information. Once a company determines the ESG information that is most relevant to its business and stakeholders, it must face the challenge of establishing appropriate controls.
Enlisting the support of key functions within its organization and having the support of the board will be critical. Given the complexity and the importance of this undertaking, companies should begin the process of marshalling the necessary resources to meet the demands for ESG disclosure as soon as possible.
1. Leveraging the COSO Internal Control - Integrated Framework to Improve Confidence in Sustainability Performance Data, by Robert H. Herz, Brad J. Monterio and Jeffrey C. Thomson (September 2017).↩