What Role Should Compliance Play in ESG?

The ESG agenda is bold, combining three key and far-reaching topics — each of which, on its own, presents significant compliance challenges for financial institutions. For example, at the United Nations’ Conference of the Parties in 2015, many governments committed to using financial objectives, and the global financial system, to achieve global climate-change goals and targets. The size and complexity of the response required — by some estimates $6 trillion per annum will be required to fund the changes needed to achieve net-zero carbon emissions, with 80% of that coming from private sources^[1] — have resulted in more than 1,000 mandatory laws, disclosure requirements and regulations, which have broad impact on global financial institutions.^[2] 

Legal and regulatory considerations aside, there are also sound commercial reasons to adopt an ESG strategy. In a 2021 survey, 76% of consumers across various geographies said they will stop buying from companies that treat the environment, employees or the community in which they operate poorly.^[3]

Responding to the demands of their various stakeholders, including regulators, shareholders, employees and the general public, financial institutions have made ESG commitments across the spectrum of ESG to which they will be held to account. To achieve their goals, financial institutions will need to integrate ESG considerations into almost all areas of their businesses and will need to make periodic disclosures on their progress.

We see chief financial officers (CFOs), chief risk officers (CROs), chief sustainability officers (CSOs) and other C-suite executives shaping ESG strategies, but CCOs are often missing from these discussions. Why is this, and does it make sense?

The key challenges of implementing ESG requirements

The importance of engaging CCOs in ESG discussions is highlighted by the key ESG regulatory risks:

• Breadth of mandatory new E regulations and requirements: Given the acceleration of new environmental regulations, it is a challenge keeping up. In the 2021 survey, 37% of respondents cited a lack of reporting standards and regulatory/complexity, and 31% cited volatility of regulatory requirements as barriers to ESG progress.^[4] Following on from government green strategies, ESG requirements cover a broad range of topics, including an initial focus on entity- level reporting and disclosures, product taxonomies and disclosures, scenario analysis and modeling, and sustainable finance and the development of green products.
• Scope of S and G requirements: As with environmental requirements, S and G requirements have developed or are developing along national and, in some instances, local lines:
  • The development of legislation and regulation for the S dimension of ESG has been maturing over many years and includes measures to combat human trafficking and modern slavery; labor laws and employment rights; diversity, equity and inclusion; and other human rights initiatives. Defining the scope of these requirements across different countries, and determining the enterprise approach, can be challenging.
  • While many would argue that G requirements and expectations for financial institutions are long-established, the form they take varies significantly from formal G regimes, such as the United Kingdom’s Senior Managers and Certification Regime and Australia’s Banking Executive Accountability Regime, to more directed (e.g., limits on compensation) and less formal regimes.
• Divergent rules and requirements: As ESG requirements have evolved, they have not been consistently developed or internationally aligned:
  • Regulatory requirements vary by country, and the same disclosure requirements can be based on different underlying calculations. In addition, the laws of some countries apply across jurisdictions, such as the European Union’s Corporate Sustainability Reporting Directive (CSRD), which can apply to non-EU-based companies, and the European Sustainability Reporting Standards, which will become the baseline for CSRD compliance.
  • Requirements vary by line of business, so the allocation of capital by banking activities (e.g., capital raising, lending and trading) attract different requirements than asset management activities.
  • Some requirements (such as those of the International Sustainability Standards Board (ISSB)) apply between jurisdictions, whereas in the United States, intra jurisdictional requirements mean there may be variations between state-level and federal ESG laws.
  • Differing regulatory requirements, frameworks and standards are complicated by varying implementation timelines and, in some cases, whether adoption is voluntary or mandatory. 

• Implementation complexities: While there are many complexities, especially noteworthy are the following:
  • Impact across the organisation — ESG requirements impact all areas of the business. Assessing the material implications and determining an appropriate risk management and reporting strategy require a coordinated approach, appropriate governance and strategy and coordinated leadership from multiple teams.
  • Customers, supply chains and third parties — ESG requirements include an assessment of impacts, and reporting from customers, supply chains, and third-party vendors and partners. For example, data must be collected for disclosure of Scope 3 emissions, and the social impacts of an organisation’s supply chain and third parties must be assessed and managed from a regulatory and reputational risk perspective.
  • Data — ESG reporting requires significant external data, which brings challenges such as availability, reliability, consistency, comparability and relevance. Environmental data may include science-based targets, emissions reporting or carbon accounting, introducing unfamiliar data sets and calculations for financial institutions.

In addition to specific legal and regulatory requirements, financial institutions have undertaken voluntary commitments. It is estimated that 42% of financial institutions globally have committed to reduce Scope 1 and Scope 2 greenhouse-gas emissions to net zero by 2050, and the Global Financial Alliance for Net Zero has secured net-zero commitments from more than 550 financial institutions, representing $150 trillion in assets.^[5]

Many other commitments have been made in other areas of sustainability, green finance, diversity and inclusion, human rights, and other social and development goals. Globally, there are various initiatives, such as the Climate Policy Initiative’s Net Zero Finance Tracker, charting progress toward these targets. As the focus shifts from voluntary commitments to mandatory requirements, regulators are expecting financial institutions to report on progress toward achieving these targets, and the reputational risk of making misleading or exaggerated sustainability-related claims (i.e., greenwashing) could be considerable.

What we have is an evolving, complex and disparate agenda — regulatory and discretionary — that financial institutions must be able to manage effectively. Who in the organisation has the most experience tackling such a massive undertaking? The obvious answer is the CCO , as the organisation’s Compliance leader. While Compliance has this experience, it can’t and shouldn’t own the ESG programme. Rather, it should collaborate with and guide the business in its response. As we discussed in our December 2022 issue of Compliance Insights, compliance teams are broadening their risk mandate to many areas that involve various risk and process owners across the organisation.

ESG is another example of this trend.

What does Compliance bring to ESG?

Compliance officers are no strangers to managing complexity in global regulatory requirements and implementing multi jurisdictional programmes.

Many organisations manage ESG issues across multiple business units without a coherent set of comprehensive standards and guidelines around risk-assessment approaches, taxonomy, data collection and analysis, and governance structures. Several business units with ESG issues to manage lack the experience and skills to deal with mass emerging and evolving regulatory requirements and the heightened regulatory scrutiny that accompanies them. The scrutiny that comes with the transparency of granular ESG-related data will be particularly important to address.

Compliance teams are often tasked with thinking strategically about regulatory risks and applying risk-based approaches and impact assessments in engaging with relevant stakeholders to understand challenges. They have extensive experience in understanding and navigating such challenges, while keeping their finger on the pulse of industry peers and competitors to appropriately benchmark activities undertaken.

Strong, comprehensive governance is important with cross-functional compliance initiatives and in situations where regulatory obligations are evolving and at different maturity levels across multiple jurisdictions. Compliance teams also bring independent regulatory challenge to the business, operational and governance processes by asking tough questions and through monitoring and testing activities. This feedback is key to successful ESG implementation.

Compliance can assist with strategic prioritisation of activities to address systematic risks — through the innovation of solutions and development of controls — to avoid the risk of repeat deficiencies. Compliance is well-versed in identifying and mitigating material risks, including identifying reasonable risks to knowingly accept, and in eliminating risks that have punitive financial and reputational consequences.

Regardless of its role in ESG strategy, Compliance will be monitoring the regulatory risk associated with ESG obligations. Rather than advising on remediation activities after deficiency identification, Compliance should provide challenge to strategic decisions and, as with other regulatory risks, be viewed as a trusted adviser to the risk owners. The function should ensure that the risk of regulatory deficiency is appropriately mitigated within the organisation’s established risk-tolerance limits.

It is vital for Compliance to be involved now. Regulatory expectations are increasing, and managing regulatory and reputation risk will become ever more important.

Defining Compliance’s Role in ESG

As noted above, Compliance should not assume responsibility for the ESG programme — it is not the risk owner. The risks are owned by various business functions across the organisation. Compliance plays an important role in the governance and oversight structures of a financial institution and, as with other regulated activities of an institution, should have a seat at the table. The compliance team can provide line of sight across activities of the organisation because of its intimate familiarity with the processes and key regulatory risk controls throughout the operations of the business.

To ensure ongoing compliance with a growing number of ESG-related regulations, a holistic framework for identifying, measuring, managing and reporting ESG risks and mitigation strategies is needed. The framework should incorporate at least five elements of the ESG programme:

Compliance teams should be engaged in each of the above elements, with a mandate for the following tasks:

• Ensure that the strategy is incorporated across the institution’s regulatory footprint.
• Assist in the materiality assessment needed to identify relevant ESG factors to be incorporated into an organisation wide taxonomy.
• Liaise with CFOs, CROs, CSOs and other C-suite executives to develop a coherent ESG strategy and plans that can be consistently communicated to regulators and meet regulatory expectations.
• Ensure that the ESG strategy and organisation wide initiative aligns with the organisation’s overall risk appetite and tolerance levels.
• Provide insight and advice in the development of the governance structure, ensuring that all compliance facets (e.g., reporting, escalation, roles and responsibilities, legal entity management, three-lines-of-defense considerations, subject-matter experts (SMEs), etc.) are integrated.
• Help define regulatory and reputational risk and provide insights on risk mitigation approaches, including a risk-based approach to implementing ESG requirements that ensures proportionality.
• Assist in development of a comprehensive regulatory database, including processes to identify and integrate emerging regulation.
• Adapt the organisation’s existing policies and procedures to ESG regulatory changes, including in impacted areas such as marketing and investment advice.
• Assist and advise on compliance risk management activities, including the control-effectiveness assessments integral to measuring residual risk and evaluating risk-appetite alignment.
• Participate in enablement activities, including identifying data requirements, key risk indicators and key performance indicators, and tools and technology to support risk management and governance activities.
• Advise on the institution’s cultural and ethical responsibilities and strategies for their execution.
• Incorporate ESG requirements in assessments and evaluation of regulatory risk in product and services governance frameworks.
• Support ESG health checks.

Compliance teams are experienced at performing risk assessments of various types of compliance risk. ESG compliance is a new risk factor to consider in the process and should be applied across multiple functional areas of the organisation (e.g., third-party risk management, procurement, marketing, product or service design, finance and accounting). The results of the risk assessments will factor into the compliance monitoring and testing activities.

Ongoing effectiveness of the compliance team in the ESG initiative requires an inward review and assessment of the team. The CCO should immediately:

• Evaluate whether the team’s structure is impacted by the need to integrate ESG activities into the compliance team’s activities (e.g., develop and/or add SMEs within existing teams, create a separate team of SMEs, etc.).
• Conduct an ESG skills assessment of the existing team and consider training needs.
• Build ESG-specific monitoring and testing activities into the annual compliance plan.
• Establish roles and responsibilities of the team within the institution’s ESG framework (e.g., within the governance activities and risk management activities, and as part of the enablement activities supporting ongoing compliance).

What are the next areas of focus for ESG?

Greater regulatory alignment over the upcoming months is likely as international bodies such as the International Organisation of Securities Commissions and the ISSB attempt to bring together existing frameworks and standards. However, complexity will remain a key issue in ESG. Compliance will need to have a greater role in navigating emerging ESG topics such as:

• Integrating ESG considerations into third-party risk management, supply chain, and procurement relationships and activities, as well as location and premises strategies and plans.
• Assessing ESG risks in relation to customer acceptance, and onboarding and gathering data and information to support assessments of sustainability and social risks.
• Integrating ESG assessments into business decisions, including lending and credit reviews, investments, fund and discretionary mandates, insurance and reinsurance strategies, and funding, as appropriate.
• Integrating ESG considerations into other risk assessments to ensure that decision-making takes account of all risks.
• Maturing governance arrangements, including consideration of ESG objectives and goals within performance assessments, remuneration and compensation arrangements.
• Balancing litigation risks with progress toward ESG objectives and implementation.
• Designing sustainable finance products to meet market demand and assessing the financial promotions of these products to avoid accusations of greenwashing.
• Considering the S definition, materiality assessments and policy development.
• Keeping pace with increasing regulatory disclosures and changes to the E agenda as regulations shift from climate change to broader world impacts (e.g., biodiversity).
• Continuing to mature, develop and keep pace with ESG data needs, provisions and risks to ensure that disclosures and reporting meet industry best practices.

Conclusion

Compliance officers have a big role to play in ESG implementation initiatives in financial institutions and can contribute meaningfully in the efforts to implement effective policies, procedures and risk assessments. Many in compliance functions want to make a difference and play a key part in the ESG transformation that is just starting. The knowledge, skills and experience of compliance teams mean that it is vital that they step forward and bring this understanding to bear in ESG.

1. Paris Agreement, United Nations Framework Convention on Climate Change, 2015, https://unfccc.int/sites/default/files/english_paris_agreement.pdf.
2. Sustainability Reporting Instruments Worldwide, Carrots & Sticks, www.carrotsandsticks.net/reporting-instruments/?status=Forthcoming&status=Current&esgC overage=Environment&esgCoverage=Governance&esgCoverage=Social&mandatoryVoluntary=Mandatory.
3. Beyond Compliance: Consumers and Employees Want Business to Do More on ESG, PricewaterhouseCoopers, 2021, www.pwc.com/us/en/services/consulting/library/consumer-intelligence-series/consumer-and-employee-esg-expectations.html.
4. Beyond Compliance.
5. “Financed Emissions Are Missing From Many Firms’ Net Zero Plans,” S&P Global, January 20, 2023, www.spglobal.com/esg/insights/financed-emissions-are-missing-from-many-firms-net-zero-plans#:~:text=The%20data%20shows%20that%2042%25%20of%20 banks%2C%20financial,the%20785%20financial%20institutions%20assessed%20in%20the%20CSA.