As the law on CO2 reduction going to a public vote later this year shows, climate change risk and environmental, social, and governance (ESG) issues are now a priority. Banks need to establish a strong control environment for ESG issues. With this comes an increased focus on the quality of data about the risks. Internal audit (IA) can bring the same structure and rigour to processes, controls and governance for ESG risks that they apply to internal controls in other risk areas.
With their transversal knowledge of the organisation of the bank, auditors can bring the right structure to the management of ESG risks and opportunities...
ESG considerations create a number of challenges for banks. These include:
- The need to respond to local and global regulatory requirements, currently mainly related to climate change risk, such as the upcoming FINMA mandatory disclosure according to TCFD (Task Force on Climate-related Financial Disclosures) recommendations (mandatory for category 1-2 institutions for now), or in the EU context, the planned stress testing requirements
- The difficulty of ensuring consistency and quality of the data needed for ESG risk assessments and reporting obligations
- Guarding against ‘greenwashing’ and reputational risks, and ensuring that a robust controls framework is in place for the products and services that the bank offers or deals in – across valuation, modelling, accounting, due diligence, product governance, suitability, and disclosure.
Providing assurance is a core remit of auditors, and the advantages of involving IA in ESG strategies and risk management include the ability to:
- Assess the ESG maturity of the organisation, plan for change and ensure smoother transition.
- Review how ESG is integrated into the responsibilities of the Board and the senior management
- Review how the impact of ESG risks is included in financial and non-financial risk assessments (for instance in credit decisions via assignment of specific ratings/shadow probabilities of default (PDs) or stress testing)
- Provide transparent insights in reporting to those charged with governance (the Board and its committees)
- Assess the credibility of ESG information disclosed to internal and external stakeholders (regulators, external auditors, investors).
Integrating ESG in the audit plan will become key, not necessarily as a standalone item, but looking to incorporate those aspects in all audit missions, for instance on the governance and strategy of asset management functions, or on credit risk assessment.
As the figure below shows, the activities deployed by IA for ESG would be similar to the ones undertaken in other areas, although adapted to the level of ESG maturity in the financial institution.
As a strategic partner to the Board and a constructive challenger to the business, internal auditors can increase awareness and accelerate the pace of change…
The debate over the appropriateness of an advisory role for internal audit ended long ago. A broad consensus emerged that internal audit has to be ‘upfront’ during moments that matter to their organisation, rather than only intervening after the fact to criticise management about the governance, risk, and control choices they made.
Today, the internal audit function usually engages in some advisory work alongside their traditional assurance role. The issue now is one of degree: Has internal audit reached a level of maturity that justifies an expanded advisory role? Is the IA function equipped to increase its advisory role? Where can internal audit provide the most value to the business?
Internal audit is uniquely positioned to help navigate the transition towards a more sustainable business model, but to do so the function must evolve as rapidly as the issues it must deal with. This requires a willingness to cast aside old ways of operating and thinking, squeeze out inefficiencies, embrace innovation, operate proactively with a focus on the future, and prioritise high-value and risk-ranked activities. This will be all the more feasible if members of the IA team are from diverse backgrounds and have also been trained on ESG issues.
But internal audit cannot function in a vacuum. It needs the backing of the audit committee and the C-suite, which must include ESG responsibilities within the IA function mandate. Then the Head of IA must take responsibility: as the ‘eyes and ears’ of the audit committee, the Head of IA must be a truth-teller, willing to say what others won’t, offering an alternative point of view, focusing more on foresight than hindsight.
Four key attributes to make IA successful on the ESG journey…
To embed ESG in all IA interventions, we identify four success factors:
- Specialised experience - Specialised expertise and knowledge of the latest ESG regulatory and normative developments, enabling auditors to provide added value in their review of sustainability strategy and risk management
- Risk-based methodology and business acumen – review of Internal Control System and KPIs/KRIs used, based on level of maturity of ESG integration around environmental performance, social strength and corporate governance
- Innovative tools - Innovative tools to facilitate scenario analysis as well as assessment of ESG data quality
- Flexible and scalable approach – Effective maturity assessment of the bank’s sustainability journey, tailoring recommendations to the ESG strategy in the short term versus the end goal.
IA can contribute not only to keeping the bank afloat in a sea of changes, but also to helping pilot it toward a new era of greater resiliency, sustainability, responsiveness, and profitability.