In recent years, an increasing number of companies have voluntarily issued so-called “sustainability” reports in response to growing interest from investors and lenders about potential environmental, social and governance (ESG) risks. Unfortunately, these reports often vary significantly from company to company.
In February, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the World Business Council for Sustainable Development (WBCSD) proposed an updated draft of COSO’s Enterprise Risk Management—Integrated Framework that addresses the growing interest in ESG issues.
Here’s more on sustainability reporting and how enhancing an organization’s enterprise risk management (ERM) framework may help reduce ESG risks.
What is sustainability?
Sustainability encompasses a broad range of nonfinancial issues that may affect a company’s financial condition and performance. It may include environmental issues, such as the size of the company’s carbon footprint, efforts to replace fossil fuels with renewable energy sources and overall use of natural resources. Or it may cover social issues, such as workplace, health and safety, and consumer product safety risks.
Media attention on these external threats has increased public awareness and prompted concerns about how sustainability issues could impact value or increase a company’s risk of litigation. Investors believe that companies that improve their sustainability performance foster long-term viability in the global value chain.
The Securities and Exchange Commission (SEC) doesn’t specifically require companies to provide investors with information about environmental issues. But some information related to these risks must be disclosed under U.S. Generally Accepted Accounting Principles (GAAP) in the following sections of a public company’s financial statements:
Description of business. This disclosure describes the business and that of its subsidiaries, including information about its form of organization, principal products and services, major customers, competitive conditions and costs of complying with environmental laws.
Legal proceedings. This disclosure briefly explains any material pending legal proceedings in which the company, any of its subsidiaries and any of its property are involved. It includes disclosure of environmental litigation arising under any federal, state or local regulations regarding the discharge of materials into the environment or protection of the environment.
Risk factors. These disclosures highlight the most significant factors that make an investment in the company speculative or risky.
Management’s discussion and analysis (MD&A). These disclosures enable investors to see the company’s liquidity, capital resources and financial results through the eyes of management. Here, companies must identify known trends, events, demands, commitments and uncertainties that are reasonably likely to have a material effect on financial condition or operating performance.
In addition to these disclosures, some companies voluntarily issue separate sustainability reports that cover a broad range of nonfinancial issues. Unfortunately, without uniform sustainability reporting standards, these reports can be very inconsistent.
How may the risk framework be used to tackle ESG issues?
The COSO/WBCSD-proposed updates to COSO’s ERM Integrated Framework was released to help organizations respond to ESG-related risks, such as natural disasters or product recalls. It includes methods for identifying and evaluating the severity of ESG types of risks for which the costs aren’t known and management may need advice before responding.
When companies have a better grasp on their risks, they can make better business decisions. Peter Bakker, WBCSD president and CEO, said that the updates will help drive positive change in corporate governance.
COSO chairman Paul Sobel said that as ESG-related risks are becoming more widespread, organizations need to ensure they have processes in place for identifying, assessing and managing these complex entity-level risks and opportunities, and ERM is the most powerful way to achieve this.
Evolving risks
Comments to the proposal are due by June 30. So far, the response has been positive. Many stakeholders believe that ESG risks are business risks, so it makes sense to manage them with other risks under COSO’s framework.
Close-Up on COSO and Its Frameworks
COSO was formed in July 1985 in the wake of several accounting scandals and was originally called the National Commission on Fraudulent Financial Reporting. The panel is a joint initiative of the American Institute of Certified Public Accountants, Financial Executives International, Institute of Internal Auditors, American Accounting Association and Institute of Management Accountants.
Under the leadership of James Treadway, who had also been commissioner of the SEC from 1982 to 1985, COSO published its landmark Internal Control—Integrated Framework in 1992.
After the Sarbanes-Oxley Act of 2002 became law, the SEC said the COSO framework was acceptable for implementing the Section 404 internal control requirements. Other internal control frameworks are also permitted. But companies tend to employ the COSO framework because of its familiarity and the reassurance that the SEC and Public Company Accounting Oversight Board will accept it.
In 2004, COSO published its Enterprise Risk Management—Integrated Framework. Companies aren’t generally required by law or regulations to apply an ERM framework. But they often choose to use COSO’s ERM framework to enhance their ability to manage uncertainty, consider how much risk to accept and improve understanding of opportunities as they strive to increase and preserve stakeholder value.
Through periodic updates, COSO aims to capture today’s best practices and help management attain better value from their ERM programs. COSO has assembled an ERM team that’s charged with developing tools to help management report risk information and assess the application of ERM principles.
In September 2017, the ERM framework was updated to address questions about how risk management should be incorporated with an organization’s management of its strategy. That update addressed developments in the financial markets, the emergence of new technologies and demographic changes.
March 26, 2018
