In our last article, we discussed why ESG assurance is critical to ensure accurate reporting and laid out strategies to prepare your organisation to get the most out of this service. In this article, we discuss how ESG assurance can be implemented and utilised for several governance areas under the ESG umbrella. While the focus of ESG assurance has mainly been on environmental and social factors such as reducing carbon emissions and increasing diversity, governance might be the area that companies should focus on in the long term, since governance encompasses the policies, procedures, and systems put in place to direct an organisation’s actions. Essentially, governance is the foundation for the ESG programme. By securely building this foundation, the organisation has a better chance of succeeding in promoting other important areas under the environmental and social umbrella.
In our last article, we provided an example of how ESG assurance could be utilised to test one key governance area: anti-bribery. In this article, we will focus on three additional governance areas described in Speeki’s 19 risk areas model for ESG: board, corporate governance, and whistleblowing. As we mentioned previously, ESG assurance is likely to assess:
- the quality of ESG information being reported for the risk area
- the operations, processes and procedures supporting reporting activities for the risk area.
With this in mind, we will describe how an organisation can prepare to have these areas assessed through an ESG assurance service.
Board and corporate governance
As we all know, the board of directors helps set the tone and strategy for how corporate governance is implemented. Boards have become increasingly visible as the years have progressed, with individuals like Elon Musk and Sam Altman becoming highly public figures, drawing attention to how boards manage the businesses they oversee. In addition, customers and investors are increasingly focused on how boards are composed and selected. Long gone are the days when boards were made up of shadowy executives making behind-the-scenes decisions. Many of the same ESG concerns that people have about companies – such as diversity, fair pay, transparency and integrity – are now also measured at the board level.
Given these realities, how can companies verify existing reporting on their boards and corporate governance strategy? Most companies already report on these risk areas through annual or management reports. In the United States, public companies include forms like a 10-K to report on factors such as board composition, executive pay, diversity, and overall planning for ESG. In Europe, companies report in alignment with domestic governance codes, such as the United Kingdom’s or Germany’s corporate governance codes.
As we discussed in our last article, for companies to prepare for ESG assurance, they will want to undertake these four steps, which reflect the tenets laid out in our Speeki Engage methodology:
- link applicable ESG reporting standards to each risk area relevant to their ESG programme
- identify and establish stakeholders to manage ESG and reporting for each risk area
- identify which systems, platforms and files contain relevant data for each risk area
- work with value chains to gather, build and issue reporting.
To prepare for ESG assurance related to boards and corporate governance, companies should reference the corporate governance code applicable to their company as their reporting framework. Companies without an applicable governance code can take a principle-based approach to verifying reporting. Most corporate governance codes touch on the following principles:
- board composition
- board independence
- stakeholder input
- transparency of business, legal and ESG risk.
All reporting on board and corporate governance should include information on these areas. Companies should also describe the systems and teams that are in place to gather and report on this information, since ESG assurance services will also check these processes.
To help illustrate these points, we will examine real-life examples. A US-based household goods manufacturer, whose annual report we reviewed for this article, indicates in its Form 10-K that:
- 33% of its board seats are filled by females
- 17% of its board seats are filled by minority directors
- a chief diversity officer was put in place to ensure diversity is taken seriously and implemented within the executive and employee ranks
- the CEO and chief human resource officer and their teams are primarily responsible for implementing governance and oversight throughout the organisation
- the company maintains multiple compliance documents to ensure accountability, solicit stakeholder input and provide transparency regarding its stance on ESG, such as its code of ethics, workplace harassment prevention policy, unconscious bias training and an integrity reporting platform
- the company faces multiple strategic risks, including third-party/anti-bribery risks, cybersecurity risks, threats from competing technology products and ongoing risks related to stoppages induced by COVID-19.
A European-based auto manufacturer’s annual report lays out similar datasets and descriptions in accordance with the German Corporate Governance Code, including:
- meeting minimum requirements to include a certain percentage of female board members
- description of the remuneration system, including remuneration for each key director
- description of skillsets and experience for each director
- description of company strategy and products and how ESG concerns factor into company growth
- an outline of the compliance and ESG policies that govern the company’s operations.
Most companies are likely in a great position to verify their current annual or management reports through an ESG assurance service or to have assurance implemented at the time of financial reporting.
Whistleblowing programme and reporting
Whistleblowing and reporting is another key governance risk area. All ISO standards relating to compliance (ISO 37001, ISO 37301 and ISO 37008) cover reporting as an essential component. A company’s reporting programme shows stakeholders that the organisation takes compliance seriously and values the concerns raised by employees, stakeholders and the public. Most companies have a reporting programme in place, managed either internally or outsourced to an external provider.
However, most companies have not yet had an ESG assurance provider verify the metrics and performance of their whistleblowing programme. The key question that arises is: how would ESG assurance services review any reporting an organisation develops on its whistleblowing programme?
Section 9.1 of ISO 37301 – an international standard around which companies can build any key compliance programme area – lays out how performance can be evaluated. Essentially, this section asks companies to identify criteria and methods for measuring reporting performance and frequency, including systems to confirm reporting accuracy, and asks additional functions such as internal audit and top management to buttress review efforts.
When it comes to whistleblowing programmes, most organisations will want to report on the following criteria:
- employee awareness of the whistleblowing programme
- awareness of how to report
- percentage of ‘legitimate’ compliance-focused issues versus HR or other topics
- response time back to reporters
- regularity of updates back to reporters
- resolution time
- management visibility of metrics and issues
- cases by geography
- anonymity metrics
- reporting channel breakdown (email versus phone versus app).
Once criteria have been established, organisations should ensure they have identified stakeholders, systems and processes to gather these data points for reporting purposes, as ESG assurance firms will verify these.
Companies are preparing to have several ESG risk areas verified through assurance services. To ensure a solid foundation for the ESG programme, we recommend that companies include certain governance areas within the purview of their assurance efforts, since governance forms the foundation of ESG.