Key questions about your organisation to ensure appropriate assurance activities are undertaken at the right time and are proportionate to the risks identified.

Do we have the right capabilities and capacity?

There is significant competition among firms to attract individuals with climate-related skills and experience. This is an issue facing external audit firms, boutiques, internal auditors and preparers of information. Obtaining and retaining the right skills and capabilities is the most frequently cited challenge for all organisations in our research. At the same time, employees are excited by this issue and want to be able to contribute fully. This can be a real enabler for improved engagement, particularly among younger staff.

Many of our research contributors mentioned concerns over key person risks, as with limited capabilities and experience available, organisations will rely on certain critical individuals. The NED of a utility provider told us: “Climate change creates a high level of key person risk. We have to grow in-house capability. This is a real challenge for smaller organisations.”

Others we spoke to made similar observations regarding companies of all sizes. However, with increasing demands for resources across many competing disciplines, the question is how to balance the necessary investment with appropriate cost control.

To solve this, there are many approaches being taken to develop the right capabilities, as well as ongoing debate over what these skills really are. To what extent are specialist scientific skills required? Or for assurance purposes, is it more of an inquiring mindset and standard professional audit and assurance skills?

Some of those we spoke to in our research suggested that it is helpful to look at this in a similar way to cyber, culture and GDPR. There are generic skills that all directors, managers, auditors and preparers of information should have, but there are also additional specialist requirements, particularly when viewed through a scientific, regulatory or investor lens, or when these requirements drive a need for greater accuracy. 

Comments from contributors to this guide included:

  • Head of Sustainability Audit for a global bank: “There is no such thing as a climate auditor at present. To move forward we have gathered people and combined skill sets to include data, commercial, regulation, legal, sustainability and transformation.”
  • Head of Internal Audit for a financial services company: “Skills are transferable using the scenario analysis skill set we would deploy for other risks. The main skill is curiosity and critical thinking. This applies across all lines of defence.”
  • Head of Internal Audit for a building society: “We have focused on building a team internally. Young team members are emotionally attached and keen to work in this area. We’ve given people space and empowered them. We’ve worked alongside third parties for benchmarking. But data analysis, modelling and scenario analysis are core internal audit competencies.”

Even with the transferability of skills, investment in training is essential:

  • An Audit Committee chair: “You can bring in subject experts, but upskilling individuals who are there for the long term is paramount. We must upskill our own people and accept the investment associated with this.”
  • Head of Audit and Risk for a large retailer: “There is real uncertainty about what skills and capabilities are required. Climate creates complexity with assumptions built on assumptions. We need to be modelling scenarios and this requires quantitative analysis that has not been prioritised in the past.”

External audit firms have invested heavily to identify and develop the right skills to meet their clients’ needs and expectations and to ensure they are positioned to provide the necessary assurance. They also believe that many of the existing skills are transferable. However, there needs to be ongoing discussion with companies to provide reassurance. 

For example, an executive in a FTSE 250 industrial company voiced concern about the challenge of finding people in external audit who have the right skill sets. “We perceive there is scarcity in capabilities alongside a lack of clarity as to what they need to sign off on.” 

External audit firms will undoubtedly continue to lead the way in the provision of specialist training to fulfil this requirement.

How do we manage uncertainty over requirements?

Another key issue of concern when debating the need for assurance over climate risk and disclosures is uncertainty over what companies really need to be committing to and reporting on. 

As detailed in the section on Meeting stakeholder expectations, the landscape of extant or emerging standards and regulation that drives reporting and assurance requirements is complex. Some of these include the Task Force on Climate-related Financial Disclosures (TCFD), the EU’s Corporate Sustainability Reporting Directive (CSRD), IFRS Sustainability Disclosure Standards (IFRS S1 and S2), and UK requirements around the Corporate Governance Code. Companies must ensure that they have the capabilities to horizon scan and react to new developments as they evolve.

Even with this in place, there will be internal uncertainty over strategy and plans, alongside limited experience of reporting on wider commitments and of understanding the response of investors and wider stakeholders. As a result, companies and assurance providers have limited ability to set their assurance approach and plans.

The greatest uncertainty is government policies. How should we approach these requirements through an assurance lens when we don’t know the targets we are aiming for?

CAE of a major building society

The head of audit and risk at a major retailer told us: “Uncertainty over the timing of when requirements will become reality is a real issue for planning audit work. We can start with TCFD but beyond this the value proposition is not defined. It’s critical that we are agile in the development of assurance plans. Internal audit needs to think about where we really bring value and where the process level maturity is. This is difficult when it’s a moving feast, so we need to engage with management and understand where the organisation wants to be: what are the aspirations?”

We believe that directors must look beyond reporting and regulation to consider the underlying risks and opportunities, as well as the commitments they are making as part of their commercial business model. This offers an opportunity to achieve greater mutual understanding between the directors and their second and third-line functions.

With no extant standards that external audit firms can apply specifically to climate and related risks and disclosures, the IAASB’s proposed International Standard on Sustainability Assurance (ISSA 5000) is a welcome and timely development. The draft standard caters for both limited and reasonable assurance.

The approach of limited or reasonable assurance can be adopted as described in the section on Making informed assurance decisions, and as detailed in the Buyers Guide to Assurance over Non-Financial Information and ICAEW’s ESG Hub for Financial Services.

The board is preoccupied with reporting and disclosure requirements. Climate risk is not considered to be an auditable entity, so there is a risk that process level risks are not picked up.

Financial Services CAE

What is really being assured?

Climate risk and opportunities manifest in many ways. The board must be clear, given its fiduciary responsibilities, about its strategic ambition and risk appetite. It must know whether it is aiming to be leading or following, and the implications of this positioning. Risk appetite will require educated discussion between stakeholders.

Directors must understand and be accountable for the full range of commitments the company makes, both formal and informal, and external and internal. Companies need to be clear on what represents a longer-term enduring risk versus a transition risk, and then consider how to measure and monitor these factors. Directors should think carefully about timing and when assurance creates most insight and value in mitigating risks. It is important to have proactive, early input to set up for success and an approach where an assurance provider gives an independent view to highlight any emerging issues.

To be clear on where assurance adds value and insight, risks should be disaggregated. These include:

  • strategic risk in embedding climate factors within the wider business strategy and plan; 
  • reputational risks and alignment with what the organisation is saying;
  • compliance risks aligned with relevant standards or expectations;
  • change and transformation risks, and embedding operational and strategic changes into business as usual; and
  • control effectiveness, including data, processes and reporting.

Where can internal assurance be relied on?

Directors are required to establish a sound system of risk management and internal control, as detailed in the section on Making informed assurance decisions. This system will include internal assurance providers, ranging from the views and day-to-day monitoring activities of managers, to second-line compliance teams and independent internal auditors. Directors are accountable for all aspects of the business including delivering the strategy and the commitments and reports that are published. The focus on climate-related risks and opportunities drives the need to revisit this and generate discussion about where internal functions can be relied on, and where further independent or third-party assurance may be valuable.

Internal functions are, by definition, less independent than external parties. First and second-line functions will not have defined methodologies or tools and may not recognise the extent to which directors are relying on their views and perspectives. However, they will have a closer understanding of the underlying business and may have specialist scientific, operational or technical skills that are harder to obtain outside of the company.

Internal audit should be established as an independent internal function able to provide constructive challenge, professional scepticism and an objective view. They are also positioned to work alongside management on a real-time and continuous basis, and are not constrained in offering advice as the company is developing its strategy and implementation plans.

However, internal audit functions vary significantly in their size, capacity and strength. Many will work with co-source providers to obtain the necessary additional resource when it is required. Internal audit can be a significant asset and the right hand of the independent directors, but they should be ensuring appropriate quality standards are in place with regular evaluation against the Institute of Internal Auditors’ (IIA) standards, Code of Practice and professional practice expectations.

In addition to internal assurance, there is likely to be demand for third-party assurance by external audit firms over specific metrics. When directors have confidence in their internal processes, they are better positioned to determine the extent of external engagement and assurance required. Understanding the internal lines of defence, with clarity over the risks and the data points that would benefit from external assurance, enables a clear business case and value proposition for engaging with third-party providers.

How do we access and assess third-party risk?

Many of the contributors to this guidance raised concerns about reporting in relation to third parties. For example, the measurement of greenhouse gas emissions requires consideration of scope 1, 2 and 3 emissions over time. For many companies, the most significant elements of these emissions will relate to third parties outside of the company’s control. This may include customers, suppliers, joint ventures, franchisees and investee companies. 

The head of internal audit for a FTSE 250 retailer told us: “We are not yet asking for assurance from our supply chain. This is concerning and we need clearer internal policies and standards. Disclosures are multi-faceted, so we must prioritise what matters most. We have commenced an engagement process that includes tiering suppliers, and we will then expect compliance with our policies.”

For all climate risks (and broader ESG elements), third-party standards and policies need to be developed by companies with reporting and compliance tracking to enable organisations to be confident in any statements or commitments they make where third parties are involved. The challenge is exacerbated by the international dimension of supply chains, whereby varying standards are likely to apply in different jurisdictions.

A portfolio NED explained this, saying: “Clear accountabilities are important, including clarity on what you are capturing and why. People can then understand the real questions that are being asked. The internal process is critically important. It then enables you to get assurance by a third party to inform you as to where they see gaps. It provides quality assurance over the internal assurance without limiting the scope.”

The further the risks are from the core sphere of influence, the harder they are to measure and to assure.

CAE of an energy company

Understanding the interactions with third parties and agreeing mechanisms for obtaining assurance will take time and should be planned as early as possible. It will be key to define clear responsibilities, and for this to be embedded in contractual arrangements and any ‘right to audit’ agreements.

What is the role of data analytics?

Climate reporting is evolving rapidly, and companies need to invest in identifying the commitments they wish to make, both internally and externally, and in assessing the origin of the underlying data, the processes the data passes through and the supporting systems. In a survey by Deloitte, 46% of audit committee members said that data quality was a significant challenge in overseeing climate change within their organisation, and 79% said accurate and complete management information was needed to rise to the challenge and to be in a position to reach the necessary level of assurance.

A portfolio NED told us: “Most concerns relate to metrics from a data perspective: data has to be real, and we should focus on the first line providing this. We must ask questions about whether we have the right data, is it authentic and supportable, how we are validating it, and how do we collate it? There is real variation in focus and capability. In the main, we are reliant on estimates, and we are worried about double counting across scope one, two and three.”

We need to be able to challenge and understand the parameters around which the data is accurate: does it really feel broadly right? What does materiality mean in that context?

Pension trustee

Directors need to take a top-down view to evaluate the robustness of the data. 

There is a real opportunity to develop a data-driven approach from the outset in climate change projects, embedding learning as the organisation progresses in this area and integrating financial and non-financial information assurance on a real-time basis. This will mean using data analytics and technology where possible from the start, and embedding and evaluating automated controls and the systems they are reliant on. It will require:

  • professional scepticism to challenge the quality of data and the underlying processes;
  • well-judged and planned assurance activity that goes to the root source of the data and is not simply about tying in numbers;
  • a focus on the big picture to see the underlying issues, risks and unintended consequences;
  • an understanding of roles and accountabilities, and the importance of culture and behaviours in climate risk adaptation;
  • real-time engagement between assurance providers and management to form aligned views and meaningful recommendations that optimise the data available to drive efficiency.

Recommendations

  • Build capabilities and capacity internally across all lines of defence, recognising the transferable skills that already exist.
  • Focus on risks, opportunities and commitments, rather than the detail of reporting standards, while greater clarity on requirements emerges.
  • Disaggregate processes and risks to enable appropriate assurance activities at the right time, proportionate to the risk.
  • Understand the opportunities for internal assurance and the strength and quality of those functions.
  • Integrate the data collection and assurance strategy from the outset through close collaboration between management and assurance providers.

Case study

Unilever clarifies its approach to sustainability commitments.

This page is part of a series

To find out more about other aspects of climate assurance, visit the hub.
