The board’s responsibilities
Typically, climate is owned as a risk and strategic issue by the board. Directors are on a steep learning curve in determining what they consider to be important. Establishing their assurance strategy follows on from this.
Demand for assurance is often driven by regulatory needs rather than by standing back and thinking about what the organisation really needs to deliver on its strategy and achieve its goals. For example, because there is no regulatory requirement for assurance on Modern Slavery Act statements, assurance activities (both internal and external) may not be undertaken or externally reported. Directors must take greater accountability for deciding what’s important.
The board is pushing for assurance, but they are still trying to define their strategy. As that clarity emerges, it will generate new assurance priorities, but there is a vacuum at present.
There is also a question of how the board’s accountabilities are delivered and managed in practice. In Deloitte’s 2021 report, The Audit Committee Frontier – Addressing Climate Change, 61% of audit committee members surveyed believe the board has responsibility for oversight of climate risks. Beyond this, 12% say it is the responsibility of the risk committee and 8% say it is the audit committee. Another 13% suggest it would be owned by another committee, which might include ESG committees. However, 48% of audit committee chairs recognise they are responsible for the effectiveness, independence and objectivity of assurance obtained over climate-related information and disclosure.
Although this research points to only 13% of those surveyed establishing a separate board and/or executive committee for issues associated with ESG, this is a growing number, and we expect more companies to use the opportunity to have a separate forum for discussions. We believe that this provides additional prominence and time to discuss these issues, recognising also that major assurance implications and recommendations will need to be discussed with the audit committee and then, as appropriate, with the full board.
Critical to fulfilling these responsibilities is ensuring the board has the right experience and capabilities to constructively challenge the information and assurance it receives. One non-executive director (NED) told us: “To deliver on expectations, boards need more climate competence. Competence should be assessed by going beyond a desktop exercise to review experience and qualifications. In addition, it’s critical to meet specialists within the company in person and ‘kick the tyres.’”
In Deloitte’s report, 48% of audit committee members surveyed believe they were not equipped to fulfil their climate responsibilities and 34% describe a lack of climate literate talent. In addition, 87% of audit committee members suggested they need more education and 79% improved management information to support their decision processes. Strong assurance should provide a mechanism for building confidence at board level.
Audit committee obligations
Audit committee chairs interviewed for ICAEW’s guidance indicated that they are searching for solutions to the questions about how to get the assurance they feel they need.
Housing Association audit committee chair: | “We need assurance providers to come with us on this journey and help us to understand whether we are delivering on our obligations. While there are many assurance practitioners, it is not yet an established profession like financial auditing. It’s going to take many years to reach that maturity, and in the meantime the focus should be on doing the basics well: having effective controls over the quality of data.” |
Audit committee chair: | “My personal view is that if we agree that we have an obligation as the audit committee to oversee management and to ensure good governance, then it is fundamental that we understand the strategy of the company. And fundamental to any strategy are the questions: Are we sustainable? Do we understand the risks, the obligations, and the opportunities that climate change brings? What does this mean for our business? Every audit committee must understand and see how these risks, obligations and opportunities are clearly embedded in the strategy of the organisation.” |
Group CAE of a FTSE 100 industrial conglomerate: | “A year ago this was an interesting subject, now it is firmly on the agenda. The external auditors are driving the discussion within the audit committee. Our directors are leaning on internal audit to help them ensure the right processes are in place and to support the sustainability team as they gather the necessary information. However, these issues must be owned by the business first.” |
Internal systems of risk management and control
Alongside clarity at board level, there is a need to identify which executive is responsible for representing climate-related risks to the board. Authority should be delegated to executives with appropriate experience and capability, but there are challenges from the top down with how this is structured. There must be clear ownership to ensure responsibilities are understood in relation to risk management, reporting, policy setting, monitoring and independent assurance.
A portfolio NED suggested to us: “Sustainability can sit outside of finance, but the CFO has to be responsible for oversight of the annual report. However, finance people rarely have sufficient lived experience of non-financial data. We had a conversation with 11 people in a room on TCFD: it was a little bit of everyone’s job, so who is really responsible?”
It is important to be clear from the outset what the internal accountabilities and responsibilities are for managing climate-related risks and mitigating activities. The three lines of defence model is the common framework for considering this.
First line: | As with all risks, management in the first line must own and manage the risk and associated mitigating activities and controls. Management attestation that controls over climate risk are working as intended will become ever more important. |
Second line: | In the second line, we need to look at climate risk through a multi-function lens, such as financial, legal, commercial, scientific and technical. There will often be a head of sustainability whose role is to create policies, monitor compliance with these policies, and determine and advise on the relevant metrics and wider commitments that the organisation needs to be able to comply with. Coordination of these functions will be necessary to avoid duplication and create a pragmatic and optimised approach. |
Third line: | Internal audit in the third line owns the overall internal assurance framework and process and is best placed to integrate the three lines of defence and drive consistency with the second line. There is a strong case for internal audit to act as coach and facilitator across the three lines, as many do for other strategic risks that manifest in multiple ways. |
Companies’ levels of maturity in embedding effective lines of defence vary significantly. While many companies may believe their lines of defence are well established, the need to monitor ESG matters and information provides an opportunity to review this.
For example, a concern raised by the CAE of a global mining company is that “lines of defence are not well established generally". The CAE added: "Climate risk is not in one place, so how do you differentiate and define accountabilities?”
Moreover, a NED of a major utility provider told us: “We thought we had a three lines of defence model, but our experience of environmental reporting evidenced that it was not working. The first and second line were operating as one, whilst the third line was not sufficiently involved in oversight.”
We need internal audit to help the organisation in thinking forward appropriately and in ensuring all risks are considered.
We believe climate risk and assurance activities should become embedded in business as usual within organisations as part of the system of risk management and internal control and be discussed at the executive table. Larger companies have had sustainability functions for some time and companies are increasingly seeking to appoint heads of sustainability. However, the skills required are scarce and they won’t always be at an appropriate level of seniority.
A robust, fully implemented and understandable internal framework will provide directors with a clear view on the confidence they can take from the internal lines of defence. They can then determine where external assurance is required because of regulatory or other demands, and where such assurance creates value and insight.
Recommendations
Case study
Unilever clarifies its approach to sustainability commitments.
This page is part of a series
To find out more about other aspects of climate assurance, visit the hub.