The Responsible Organization: As investors focus on ESG reporting, there is opportunity for internal auditors to get involved and provide assurance.

Author: Hodge, Neil
Position: GOVERNANCE - Environmental, social and governance

In January, BlackRock CEO Larry Fink published an open letter to company CEOs warning them that if they didn't take immediate steps to help their businesses become more resilient to climate and environmental risks, they risked being dropped from pension fund portfolios. This kind of announcement can spark boardroom conversations at a time when the push for organizations to identify, mitigate, control, and disclose the myriad risks to their businesses to a wider range of stakeholders--not just shareholders--continues to gather pace worldwide.

Companies now report not only on the financial risks to their business, but also the nonfinancial risks they face. These risks include climate change, business ethics, human rights abuses, slavery and child labor, and their operations' impact on the environment--which fall under the realm of environmental, social, and governance (ESG) reporting. In fact, the current revision of the International Integrated Reporting Council's Framework aims to "further embed integrated reporting and thinking into mainstream business practice."

Yet despite such reporting progress, the consensus view of several experts is that many organizations are paying lip service, disclosing only the bare minimum of detail to comply or satisfy investors, regulators, and other stakeholders. Some organizations, meanwhile, are struggling to get their heads around what exactly they need to report--or how to do it, they add.

"Sustainability reporting is largely done as a paper exercise," says Lawrence Heim, managing director at audit and consulting firm Elm Sustainability Partners in Atlanta. He adds that "internal audit needs to be more involved in sustainability reporting, or become involved if it is not already part of the process." Such views are shared by other experts.


In the U.K., listed companies have a duty to disclose how sustainability risks may impact the long-term viability of the business and what steps management is taking to address them. But research from international accounting firm Mazars found that disclosures around carbon emissions in Financial Times Stock Exchange reports are "not fit-for-purpose" and are "in many cases a box-ticking exercise that does not appear to be integral to the way management runs the business." The Financial Reporting Council, the U.K.'s corporate governance regulator, and the European Union--where sustainability risk reporting has been mandatory for the past two years--have raised concerns about the quality of disclosures around sustainability risks.

Aside from nonfinancial reporting being voluntary for most organizations around the world, there are several reasons why efforts to improve sustainability reporting and risk management are failing. First, the bulk of all mandatory disclosures is still concerned with financial reporting and most of the effort goes into getting that right. Second, the term sustainability has become an umbrella buzzword for every risk that doesn't have an immediate financial price tag attached to it. Many organizations are either overwhelmed by the scale of work required to report meaningfully on the array of risks included, or are simply confused by the term and the issues being covered under ESG reporting (see "ESG Metrics" on this page).

Experts have some sympathy, but they say that organizations--and internal audit--cannot be indifferent to the problem, and they stress the need for deeper audit involvement.

Heim says organizational sustainability is not clearly...
