Climate change creates many risks and opportunities and requires actions and commitments that will differ across organisations. Managing these risks and opportunities is the responsibility of the directors, and it is important to consider all aspects of the strategic and commercial choices when determining the level and nature of assurance they require.

Risks will include physical and transition risks, as well as issues such as legal, financial and commercial obligations and implications. Assurance must also address the quality of programme management over the transformation that is required to meet targets and deliver on commitments. This may involve systems changes, changes to products and solutions, and behavioural change. 

No two organisations will have the same assurance needs. Directors should be commercially driven by aligning their strategic priorities with their climate considerations, particularly in relation to products and services. In doing so they will identify the need to make commitments that will form the basis of the trust customers and other stakeholders have in the organisation. The risks associated with these commitments and with the commercial processes will be bespoke to the company.

As with any risk and control environment, understanding the end-to-end processes will be critical, including where accountabilities lie and where there are hand-offs between different parts of the organisation, or indeed to and from third parties. In creating a process map, the reliance on key systems and third parties will become clear. The lines of defence are central to ensuring that the system of internal control is effective across all significant systems and processes. Much of the assurance that directors require will be sourced through these functions, but the directors will need to determine where they may want particular focus or additional third-party support.

Assurance must include the disclosures that are made externally and those that form internal commitments or are the basis for key decisions such as executive remuneration. The commitments the company makes will go beyond the annual report, including those disclosed on the website or in other documents (such as sustainability reports) provided to investors, customers, suppliers or employees. Directors will want to have confidence that they are not misleading or misrepresenting their position to any of their stakeholders. However, assurance should focus on what is material to strategic decisions. 

Manchester Business School and the FRC’s 2021 report on Climate Scenario Analysis stated: “Scenarios provide hypothetical constructs of possible future states that are used to challenge prevailing assumptions and to analyse business model resilience. Climate scenario analysis helps companies to identify and prepare for the impacts that climate change will have on their business models by guiding a structured exploration of different possible futures to identify the most relevant risks and opportunities.”

As with any situation where uncertainty means assumptions and judgements must be made, there is a need to form a view on the appropriateness of those judgements, engaging individuals across all three lines of defence.

Although the UK government withdrew its legislation underpinning formal reporting on an Audit and Assurance Policy (AAP), audit committees may still find it helpful to develop a policy, or at least adopt its principles in the audit committees’ discussions. ICAEW’s guidance, Developing a meaningful Audit and Assurance Policy, recommends one such tool in the form of an assurance map.

“Companies must already consider and make extensive disclosures about their risks," says Carolyn Clarke, CEO of risk and assurance specialists Brave Consultancy. "However, [an] AAP presents an opportunity to bring together, in a single place, a much more complete picture of where all the necessary assurance comes from – plus its underlying nature, and the degree to which directors rely upon it.” 

In ICAEW’s report on the AAP, climate was recognised as the issue that investors and directors feel should be given the greatest focus in developing the policy. This will mean creating a framework that breaks down the sub-categories of risks associated with climate, incorporates the regulatory requirements, details the specific disclosed commitments, and then maps the assurance provided across all three lines of defence and through third-party providers.

Directors will find it helpful to consider the full range of assurance obtained over climate risks each year. This is in addition to the existing requirement to consider and approve the annual internal audit plan and to consider the nature of all audit and assurance activity undertaken by the firm’s external auditor.

Providing disclosures aligned with the TCFD is now a requirement for a range of large companies. Many will understandably start thinking about assurance through the lens of the disclosures they are required to make (or choose to make, depending on the nature of the company). This provides a starting point that can be built out over time for both reporting and assurance. The table below outlines possible types of assurance around TCFD considerations.

The FRC and the Financial Conduct Authority (FCA) produced thematic reviews considering climate disclosures in July 2022, based on their research into the information provided by premium listed companies at that time on TCFD. This research indicated that most companies were complying with the TCFD’s principles and the majority of its requirements.

The FCA noted that they continued to have some concerns about elements of the quantitative reporting and whether the appropriate level of detail is provided. Among the steps the FCA recommends companies take is ensuring that they “set up compliance review and assurance processes". 

The FRC’s recommendations include the need to ensure appropriate linkage between disclosures and other aspects of the annual report, such as risk disclosures.

• Understand the specific nature of climate-related risks and opportunities in your company and align these carefully to end-to-end processes.
• Map out the associated systems and any third parties that you may be reliant on and consider how these controls are embedded and managed.
• Create an inventory of short, medium and longer-term commitments and where these are disclosed.
• Prioritise the creation of an assurance map of all risks and sources of assurance, both internal and external.
• Use TCFD or other existing disclosure requirements as a means of testing the assurance approach.