As the world shifts its focus toward sustainability, public companies are feeling the pressure to not only comply with regulations but also to address their environmental, social, and governance (ESG) practices. This has brought attention to the need for stronger internal controls over sustainability reporting.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently released its framework on sustainability and internal controls, which serves as a valuable tool for companies looking to improve their sustainability reporting. The report highlights how the COSO framework’s five components and 17 principles can help companies establish an effective system of internal control over their sustainable business information.  

Synthesizing and Applying COSO Components

The COSO framework provides guidance on how companies can establish effective internal controls over their sustainability reporting processes. By using this framework as a starting point, companies can ensure that their sustainability and ESG reporting processes are reliable, consistent, and transparent. The five components are:

  • Control environment: Establishing a control environment that supports sustainability objectives is essential. This component emphasizes the importance of setting the “tone at the top,” which means that senior management must be committed to sustainability and must communicate this commitment throughout the organization.
  • Risk assessment: The risk assessment component involves identifying and assessing sustainability risks, as well as evaluating the likelihood and potential impact of those risks. By integrating ESG-related risks into their risk assessment processes, companies can ensure that risks are given appropriate consideration and that mitigation strategies are developed as needed within a repeatable control environment.
  • Control activities: The control activities component of the framework involves implementing policies and procedures to identify and address sustainability risks, in a similar fashion to Internal Controls over Financial Reporting (ICFR) and SOX compliance. By integrating ESG compliance requirements into their control environment, companies will be asked to implement a level of rigor around relevant data and control activities to ensure that sustainability risks are effectively managed and that sustainability reporting is complete and accurate.
  • Information and communication: The purpose of information and communication systems and processes is to provide timely, accurate, and reliable information. By integrating ESG compliance requirements into their information and communication processes, such as an integrated Governance, Risk and Compliance (GRC) tool, companies can ensure that decision-makers are informed about sustainability risks and performance and that reporting is transparent and accurate.
  • Monitoring activities: Regular monitoring and evaluation of sustainable business information is vital to ensure that internal controls exist and are functioning properly.

Integration of ESG Into ERM  

It’s not enough to simply implement the COSO framework. To truly address ESG compliance requirements, companies must integrate them into their existing Enterprise Risk Management (ERM) programs.

A clear implementation approach is critical in establishing a “right-sized” ERM + ESG Framework that supports the identification of current and emerging risks and provides plans to identify, assess and mitigate ESG risks.  

To fully integrate ESG into ERM, consider the following actions:

Risk identification and assessment: To initiate the risk assessment process, the company should adopt a comprehensive approach that encompasses internal and external factors and:

  • Implements short, medium, and longer-term ESG objectives. 
  • Identifies financially material ESG risk exposures via a materiality assessment. 
  • Determines and documents the organization’s appetite for ESG risk.  

Risk analysis and evaluation: Following the initial risk assessment, the company should analyze the potential impact of the company’s existing risk mitigation strategies, including:  

  • Identifying necessary ESG metrics that need to be monitored as part of the ERM program. 
  • Integrating ESG risk elements into the list of risks and finding correlations with other risks to combine efforts. 

ESG materiality assessment: To establish an effective ESG program, it’s important to determine the specific focus areas and priorities for the organization’s ESG program. One of the primary objectives of this assessment is to identify and prioritize the financially material ESG issues that are most critical to the organization.

Risk reporting and monitoring: To ensure accurate and effective reporting, it’s recommended that the company confirm the key reporting requirements and integrate ESG metrics reporting into an ERM monitoring system. Reporting on ESG metrics promotes transparency and enhances holistic ERM awareness and oversight. 

Key Takeaways 

According to COSO’s report, companies can incorporate internal controls over sustainability reporting (ICSR) into their operations, similar to how they implement internal controls for financial reporting. In addition, the COSO framework is designed to be applied at various levels within organizations, including the entity, division, operating unit, and functional levels.  

The new COSO framework on sustainability reporting offers valuable guidance to public companies as they update their internal control environment for ESG reporting. Below are key insights from which risk and ESG leaders can benefit when taking action:

  1. Holistic approach: The COSO framework emphasizes the need for a holistic approach to sustainability reporting. ESG reporting should not be treated merely as an “annual and manual” activity. Rather, it should be integrated into a company’s overall strategy and operational practices. It encourages companies to consider ESG factors as interconnected and interdependent aspects of their operations. This broader perspective enables companies to identify and address potential risks and opportunities more effectively.
  2. Integration of ESG in internal controls: The framework recognizes the importance of integrating ESG considerations into existing internal control systems. By embedding ESG factors within their control environment, companies can ensure that sustainability-related risks are identified, assessed, and managed alongside other operational risks. This integration fosters a more comprehensive and sustainable approach to governance and decision-making.
  3. Stakeholder engagement: The COSO framework emphasizes the significance of stakeholder engagement in sustainability reporting. It encourages companies to involve a diverse range of stakeholders, including investors, employees, customers, and local communities, in the reporting process. This engagement facilitates a better understanding of stakeholder expectations and allows companies to align their reporting with the needs and interests of various stakeholders.
  4. Materiality assessment: The framework highlights the importance of conducting a robust materiality assessment specific to sustainability reporting. Companies need to identify and prioritize ESG issues that are most relevant to their operations and stakeholders. By focusing on material issues, companies can allocate resources effectively, address the most significant risks, and report on the aspects that truly matter to stakeholders.
  5. Data quality and reporting transparency: The COSO framework underscores the significance of data quality and reporting transparency in ESG reporting. It emphasizes the need for accurate, reliable, and timely data collection, measurement, and reporting. This aspect ensures that companies provide stakeholders with credible and meaningful information, enabling informed decision-making and fostering trust.
  6. Continuous improvement: The framework promotes a culture of continuous improvement in ESG reporting. It encourages companies to regularly review and enhance their internal control environment, keeping pace with evolving sustainability standards, guidelines, and regulations. By continuously improving their processes, companies can adapt to changing expectations and demonstrate their commitment to long-term sustainability.
  7. Integrated reporting: The COSO framework recognizes the value of integrated reporting, which combines financial and non-financial information into a single comprehensive report. Integrated reporting provides a more complete picture of a company’s performance and value creation, enabling stakeholders to understand the interdependencies between financial and non-financial aspects and assess the company’s sustainability and resilience.

As evidenced by the evolving ESG landscape in recent years, ESG compliance requirements are becoming increasingly important for public companies. Integrating ESG into ERM programs is essential for effective risk management and compliance.

Each company is going to be at a different stage of its ESG journey. Enhancing sustainability reporting practices and strengthening the overall control environment will be imperative moving forward. A structured adoption framework, as outlined above, can systematically identify and address sustainability risks and ensure that sustainability data and reporting are reliable, consistent, and transparent now and in the future.

For expert support understanding and acting on ESG risks and compliance requirements, contact CrossCountry Consulting.