Outside of Hong Kong, particularly in the European Union (EU), the assessment and reporting of corporate ESG considerations and risks have already become listing and legal requirements. In the EU, additional ESG requirements are continuing to take form, including the first two chapters of the EU Taxonomy Regulation came into force in January 2022. So far, though, ESG-related undertakings for listed companies in Hong Kong have been indirectly driven, such as through investor pressures or transactional obligations to EU customers. Due to the regime of the Code of Corporate Governance, the risk approach to ESG for listed companies is expected to shift in 2022 and beyond. Facing this challenge, internal auditors should better identify and evaluate ESG risks within their own organization. In March 2022, the Institute of Internal Auditors (IIA) published a paper to discuss the establishment of risk management programs to identify, assess and respond to ESG risks.

Step 1: Expanding the vision on ESG-related elements
According to the World Economic Forum’s Global Risks Report 2022, in the next decade, eight of the top 10 most severe risks were related to environmental and social risks, with climate action failure, extreme weather, and biodiversity loss taking the top spots. Several ESG-related risks have significantly affected after the outbreak of the COVID-19 pandemic. Leaders of each company should broaden their knowledge and vision on ESG elements and consider the ESG risks. As for the internal audit function, the ESG-related risks should be considered and prioritized in the coming years when the internal audit team formulates an enterprise risk management approach.

Step 2: Selecting relevant risk elements by considering the business and industry
It is important to narrow the scope of ESG relevance from a broad and general view to a specific and focused one. Some ESG-related issues, especially those related to governance, are widely applicable; but in practice, environmental and social requirements are often relevant based on the industry and business the company is engaging in.

Step 3: Delegating risk management responsibilities to each operation unit
ESG risk evaluation responsibilities should not be delegated to a single operation unit or functional department. To promote transparency, communication, and alignment across all operational functions, from front-line operations to senior management, risk management responsibilities shall be mutually shared within an organization. In addition, the internal audit function can act as a strategic advisory role to observe and monitor the risk management process, since the internal audit function needs to have a broad purview of each level of operations. It helps the internal audit function to understand what material ESG risks each operational function face. With a better understanding of the key ESG risks, the internal audit function can easily perform risk evaluation and other assessment procedures on identified key ESG risks.

Step 4: Adopting a materiality-based approach to undergo risk assessment
Several approaches and tools can be utilized by the internal audit function to assess the impact and likelihood of the identified ESG key risks. In general, materiality assessment is a standard approach to prioritize ESG key risks as part of an organization’s strategy and risk management. This is used to qualitatively and quantitatively measure each ESG key risk based on its importance to the business and stakeholders. According to the World Business Council for Sustainable Development, the most generally accepted approach for ESG risk assessment can be divided into the following seven steps:

1. Define the purpose of the materiality assessment.
2. Determine the ideal materiality cycle.
3. Establish the organization’s perspective on materiality.
4. Identify the key issues.
5. Determine stakeholders’ involvement in the assessment.
6. Establish criteria for calculating materiality scores.
7. Based on materiality scores, select the material ESG key risks to include in the final assessment.

After performing the above assessment, the internal audit function can identify material ESG key risks which should be integrated into the enterprise risk management framework.

Step 5: Benchmarking and learning process
Internal auditors can use company disclosures in the benchmarking process as companies have been under increased pressure from investors and other stakeholders to provide. Particular focus has been placed on climate risk disclosures, but other ESG topics such as diversity and human rights have received attention, as well. Although global reporting standards on ESG risk are yet to be formally announced, the internal audit function can evaluate the quality of a peer company's disclosures against one's own and provide assurance that adjustments are made accordingly. This type of analysis also can be included in internal audit plans.

Summary
Due to market demands and regulatory requirements, companies face increasing pressure to assess and communicate the ESG risks and the impacts on their operations, products and stakeholders. The internal audit function of each company should study market trends, evaluate ESG risks and opportunities, and take proactive steps. They can also work closely with legal and consulting teams to ensure ESG risks are identified, monetized, and mitigated. In the coming years, regulation development, increase in ESG expertise in the industry and resulting improvements in available data should lead to the ongoing maturity of the organization’s ESG risk management capabilities.

Source:
Logan Wamsley (March 2022). The ESG Risk Landscape, Part 3: Evaluating ESG Risk. The Institute of Internal Auditors.

If there are any aspects which we may assist, please do not hesitate to contact:

Gloria So  Partner, SW Hong Kong

gloria.so@shinewing.hk (Tel. 3583 8517)