The potential for fraud risk in companies’ ESG disclosures has grown as these initiatives have gotten more attention from stakeholders — and more corporate boards are becoming aware of this risk.
According to a joint study by Deloitte and the Center for Audit Quality, 42% of audit committee members at the corporate board level noted an increase in the risk of fraud in companies’ environmental, social & governance (ESG) disclosures. Indeed, the immature nature of some ESG data disclosed publicly over the last decade was accompanied by a lack of internal controls around it, which only increased the risk around that data.
To understand this more fully, the key components of fraud — pressure, opportunity, and rationalization (known as the fraud triangle framework) — must be better understood themselves, according to Carey Oven, National Managing Partner of Deloitte’s Center for Board Effectiveness.
All of these components come into play in fraud, Oven explains, adding that i) pressure is present around the increasing expectation that ESG data be released to the public; ii) the transparency, auditability, and nature of disclosed data are governed by the controls around that data, the estimates used for the data, and the data creation — all of which present additional opportunities for fraud; and iii) the immaturity in the data’s transparency, verifiability, and auditability “presents an opportunity for additional pressure and ultimately rationalization of fraud.”
For example, many companies were very quick to issue climate transparency reports, even a decade or so ago, and now these disclosures are in the public domain. The problem is that these disclosures were not made with hardened, auditable data. This increases the risk that these ESG numbers will be seen as potential fraud.
Corporate boards become involved
Corporate boards have a huge role to play in reducing the potential for ESG fraud and risk. Indeed, “the board’s responsibility around ESG boils down to risk,” Oven states, simply because of their fiduciary responsibilities. To meet these requirements, corporate directors need to understand what could potentially go wrong with the performance disclosures that a company is making public around its ESG activities.
Indeed, ESG risks have been on the minds and agendas of boards for the past several years, Oven says, mostly because risk oversight is a perennial responsibility of a corporate board. That means that whatever ESG information has been publicly disclosed voluntarily, and whatever might go into public filings, is of keen interest to the full board and the audit committee.
Management is also trying to understand what additional proactive measures it needs to put into its risk management processes for ESG, both in terms of using some of the existing infrastructure it has around risk and in terms of how the unique scenarios and risks specific to ESG layer into that.
Possible risk reduction actions
Audit committees and C-level management need to take joint steps to assess and mitigate ESG risk, Oven says. Some of these steps should include:
Dedicating resources — The first step in reducing the potential for ESG fraud is to make sure that enough time, budget, and effort have been allocated to assessing the ESG risk landscape and how it impacts the company. Management and the board must understand what risks need to be addressed and what effective, permanent resources are required to continually analyze this new risk area.
Embedding ESG into the company’s risk infrastructure — Another key step is analyzing how ESG fits into the current risk infrastructure of the company, explains Oven. Because ESG is on the board agenda, top management needs to provide additional disclosure to the board and involve the board as the company moves through the ESG risk assessment journey.
The risk appraisal part of this preparation also involves understanding and documenting the full ESG data evolution from the point of collection as raw data to the point the information is publicly released. This ensures that detailed processes and procedures are developed and that the right internal controls and data governance levels are fortified. “Boards with their responsibility for and expertise in oversight and governance should be involved in this effort,” Oven states.
Gathering stakeholders to weigh in — Once the documentation of protocols and controls is complete, stakeholders from across the organization, including individuals from corporate legal, finance, and internal audit, need to convene to determine what information will be reported in any filings and transparency reports. “What we see organizations doing is putting forth responsibilities where Chief Sustainability Officer or Chief Risk Officers are owning certain elements of the program,” says Oven. “But the program right from the planning stage needs to be influenced by internal stakeholders, including internal audit and board.”
It is easy to conclude that the potential for ESG fraud will remain high on the agendas of corporate directors because of the ongoing acute presence of the three components of fraud — pressure, opportunity, and rationalization. As a result, corporate boards and their audit committees will continue to play a pivotal role in the maturation of ESG data governance and in supporting internal controls to ultimately reduce these risks.