Ep. 224: Unraveling ESG: Understanding Environmental, Social, and Governance Factors in Business – Part 1

< Intro >

– Hello, and welcome back

to another enlightening
episode of Count Me In.

I'm your host, Adam Larson,

and today we're diving deep into the complexities

of Environmental, Social,
and Governance, ESG,

with a distinguished panel of experts.

We're joined by Douglas Hileman, an
experienced sustainability consultant,

with over three decades of experience

in environmental management
systems, and internal controls.

Alongside him, we have Dan Mosher,

a seasoned professional who excels
in helping businesses navigate

the complexities of sustainability
and environmental risks.

Last but not least, we welcome Catie Serex.

A leader in environmental,
health, and safety, auditing

and management who assists businesses

in integrating sustainable and
socially responsible practices.

Today's discussion will delve
into the importance of ESG,

the challenges businesses face
in managing ESG data,

and the potential risk of fraud in ESG reporting.

Here we go, let's listen in together.

< Music >

– And one of the things that
we might kick-off

is with a very basic question of what is ESG?

Dan, when people ask you this,
how do you answer?

– Well, it really is a big umbrella,

and I'll ask for some help
from Catie in this regard.

But ESG stands for Environmental,
Social, and Governance.

And, so, lots of things under
that environmental area.

Everything from waste management
and air quality, climate change.

From a social perspective, it could be

your human capital management,
health and safety matters.

Governance, I think of anticorruption,
data risks, and the like.

So it really is a broad title
when we say ESG.

Catie, do you have some things
you'd like to add to that comment?

– Yes, Dan, you definitely covered the gamut

as far as some of the phrasings and the terminology,

and really the topics that fall
under that ESG umbrella.

What I would want to add is that ESG

is certainly one of the buzziest
words in business today.

But you might not know that ESG is, very simply,

the newest iteration of concepts
you've likely known for a long time.

It's been previously known
as corporate purpose,

sustainability, even philanthropy.

But what differentiates ESG
from these previous versions

is that it now represents the
closest alignment, to date,

of business operations, so think
about your tangible assets.

To those intangible elements of
business that drive value.

And, in this case, I'm referring
to things like customer loyalty,

labor environments, community engagement support.

And because of this connection,

ESG is moving from a nice-to-have
to a need-to-have for companies,

but also their investors, their customers,

and other key stakeholders like their employees.

– I also think of ESG as a convenient
taxonomy for all things non-financial.

Many people have published those pillars

or the word clouds that's in the ACFE
report, and what topic goes where.

For financial reporting, we know where sales goes

and we know where EBITDA goes.

We know where those are in
a format and how to put the data

and information together for clarity and reporting.

For all things non-financial, it's just
such a sprawling array of topics

that ESG serves for one reason,
in one way, as just simply a taxonomy.

And there are some issues,
such as climate change,

like Dan mentioned, that really transcend
more than one category, if you will.

But for purposes of just where do you
find it, and how do you manage it,

and it can just serve as a taxonomy.

Catie, to your point, on how to
organize some processes,

some controls, some recordings to understand

what the organization is doing.

– And I'd be interested in hearing
your thoughts on the various channels

in which this information is being
put out there in the public.

Catie, maybe you have some thoughts
around the wide scope of that.

– Yes, so in terms of the
reporting side of things

and getting to the nuts and bolts of what,

I'm sure our listeners are interested in,

in terms of, what am I on the hook for?

There are a lot of reporting frameworks
out there that are guiding folks.

And I know that that's been
a point of confusion for people

is understanding, there are all these
different acronyms out there.

That I can report to like SASB,

or the Global Reporting Initiative, GRI.

Task Force for Climate-Related
Financial Disclosures or TCFD.

There are a lot of frameworks out
there, but the field is narrowing.

So some of the communication
that we've been seeing

from these wider umbrella frameworks,

are that they are working together to consolidate.

To make things a little bit more straightforward,

and to make things a little bit more
uniform across the reporting landscape.

But that's currently in progress,

and this is just a result of this
being not in nascent stages,

but still in its growth period,
and really honing down

what are the things that
shareholders, regulators, and such

need to see when it comes to these ESG disclosures.

– And I know that Doug
has been on the front line

when things are misreported or omitted,

and I'd love to hear some of his worst stories.

– Thank you, Dan.

The question about reporting
channels is a very good one,

and Catie brought up several
things that are happening

in reporting to general capital markets.

I also observe that there are
other channels for reporting,

including impact investors who may be
interested in one particular topic.

The general purpose capital reporting
takes in one tranche, if you will,

of topics that need to come external
from an organization, a company.

There are other investors who
are interested, let's say, in human rights,

or in product conformity, or in diversity,
or in commitment to climate,

and they want more information
about those topics.

So you may get information from investor group

or analyst groups, and that's a type of report.

Another channel of reporting
that I see is B2B reporting.

The customers, and business partners,
and banks, joint venture participants,

are looking more into non-financial risk management.

Non-financial performance
and alignment, which is ESG.

So before entering business relationships,

and even during business relationships
up and down the value chain,

there's also ESG reporting that happens there.

It is starting to align in some ways
that they're asking questions

about the same topics, but the
questions themselves can be different.

And, in many cases, the reporting,
the demand for reporting

has outpaced companies' abilities

to report on the data and information.

So that pull has created a bit of a vacuum.

And many companies are scrambling
to come up with processes, systems,

and controls so they can generate
the data and information

that these stakeholders are
expecting in terms of reporting.

– Doug, just to jump in there,
from a client perspective,

we are seeing that a lot of
our clients are getting,

especially, those B2B requests
from either their suppliers

or their downstream supply chain vendors.

And the way that we're seeing that manifest

is a lot of these larger companies
are looking at their supply chain.

If you think about greenhouse gas emissions,

they're looking at their Scope 3
emissions, which is all value chain.

And, so, they're sending
requests to clients like ours

that are asking, "Well, what are your
Scope 1 and 2 emissions?

Because we need to report that."

We are seeing clients feeling
the pressure to respond to that,

to continue to be part of
those wider supply chains.

And, so, they're coming to us
asking for assistance in figuring out

what those ESG metrics are
and being able to respond

in complete and accurate ways.

So that they can continue
to have those key customers

that are asking for that information.

– Yes, and I'd like to pick up on that point, too,

and Catie was just touching on it.

I think some of the key challenges
are, for businesses today,

what is the providence of their ESG data?

What is the confidence they have over
the accuracy and completeness of it?

And what is the integrity and quality of
that data as it travels along its life cycle,

from where it started to where it was reported?

And has it maintained that integrity all along?

Because bringing this back
to our main topic of fraud,

there are many pressures and incentives

that might have someone misstate

or omit information in their ESG reporting.

– I'd like to pick up on a topic that
Catie discussed on climate change

and greenhouse gas emissions.

It does, inherently, involve a
complex web of data

from different sources, including suppliers.

And companies may be asked to produce

or report the greenhouse gas
emissions for themselves,

as a company, on Scope 1 and Scope 2,

I hope our listeners know what that means.

Or on a part of Scope 3, or their
carbon emissions as a company,

or their carbon emissions
in a particular country or state,

or their carbon emissions for the products

they manufacture for a certain customer.

So those are different ways to slice
and dice much of the same data.

And it all goes back, I'll put in a plug here

for the COSO report mapping the
internal control framework to ESG.

That can be applied to anything,
any topic, any company,

including, for example, greenhouse gas emissions.

In terms of fraud, there can be
a difference between just sloppy,

or just unavailability of data
and willful reporting

of incorrect or misleading data.

For example, to get preferred
treatment at a customer,

or to get preferred inclusion
in an ESG index fund,

or to get a reduction on interest
rate from a line of credit,

from a financial institution that's
looking for green investments.

So we're still seeing an increase
in awareness of the fact

where, "Well, we can just report
this because nobody cares."

Or, "Well, it's not regulatory,
so we'll just let it go."

And willful deceit in order to get a benefit

at the expense of other
competitors in these areas,

which goes into the fraud bucket.

That ACFE and Grant Thornton
touched upon in that report.

– Yes, thank you, Doug.

The report that Doug is referring
to is a joint publication

of the Association of Certified Fraud
examiners and Grant Thornton

called Managing Fraud Risks in
an Evolving ESG Environment.

You can get it from our website
and from the ACFE,

and within that, we did develop
an ESG fraud taxonomy.

It encompasses both some of
the traditional areas of fraud

that have always been there.

Corruption, asset misappropriation,
and financial statement fraud.

And there are certainly ways
in which ESG fraud

manifests itself under each of those headings.

To that traditional fraud tree
we have added an additional area

of non-financial reporting fraud,
which Doug was alluding to.

And the things that might happen under there,

there could be false labeling or advertising.

Think of things like declarations of saying

that it's "Dolphin-free tuna" that has certainly

been an area of litigation in the past.

I'm thinking about false
disclosures or representations,

and that might be along the B2B relationships.

Where you are omitting information
or misstating information

to a company that you are a supplier to.

Lots of ways that things can be
contorted, and misrepresented,

and misstated, omitted, and if
it is done intentionally,

then we're going to consider it fraud.

– Dan, I can't say enough good
things about the report

that came out and, certainly, my hat
is off to you, and Catie,

and everybody who contributed to that.

I know that was a massive effort.

What I think is so elegant about
that report is that

many of our listeners struggle with
how to get their arms around ESG,

this sprawling issue is so new, it's so different.

The report begins with a construct
that's familiar to everybody

who deals with fraud, that
famous ACFE fraud tree.

And the report adds a leaf, if you will,

if you look at that tree at the bottom row,

that provides an ESG example for
the fraud tree as everybody knows it.

And then it was very elegant how
you added that branch, if you will,

for the ESG, the non-financial
reporting with nine different twigs

to describe a taxonomy there,

and then the leaves with the examples,
it was really well done.

So anybody familiar with
fraud and the fraud tree.

Anybody who has been involved
in developing procedures

to prevent fraud or to detect
fraud on the audit side,

you can just use that reference document

and get pretty close to how
you think about ESG fraud

to prevent it and detect it.

Another thing I would observe
that the human rights,

no product was made with child labor.

Non-financial reporting and compliance
exists in a lot of places out there

and it can be possible, it can be easy

for stakeholders to compare information

that arises from different reporting channels for consistency.

For example, Dan mentioned
one of the claims could be,

"None of our products use forced labor".

In the U.S. there's a law called

The Uyghur Forced Labor Prevention Act.

That has the rebuttable presumption
that products made

from a certain area, in China, if you
cannot prove that those products

were made absent forced labor,
the assumption is that

they were made with forced labor.

And the Customs and Border Protection
is seizing products at the docks

before they come into the country,

and waiting on companies to provide evidence

that the products are forced-labor-free.

So if you have claims on
your website, or on products,

or in contract documents that
they're forced labor free,

and the Customs and Border Protection

is reporting that your goods are being held

and not allowed into the country.

There is an inconsistency there
that can be embarrassing,

at a minimum, to companies.

And it can cost the company sales, customers,

and reputational damage if it turns out

that those claims cannot be supported.

– Yes, so just picking up on
what Doug was talking with

The Uyghur Forced Labor Prevention Act,

this is a big stick for the government,

in they have a presumption
of guilt, so to say.

That if they suspect that a good has
any raw material or input within it,

because it is in whole or in part
of your good that's being imported,

is suspected of having forced labor in it,

and that means every tier of your supply chain

down to the raw material or seed,
if it's an agricultural product.

If there is a suspicion that it
is tainted by forced labor,

it will not be allowed into the country

unless you can prove otherwise.

And, I think, it's going to become, increasingly, challenging

for companies to know their
supply chain inside and out.

And from a fraud perspective,
whether any part of that supply chain

is deceiving the rest of the
supply chain on whether

or not it's tainted by forced labor.

I was just reading over the holidays,
there is a tremendous report

that came out from Sheffield
Hallam University, in the UK,

around the various risks in the auto industry

for being tainted by forced labor
in the production of raw materials.

it's really a very difficult area, and it
is something that our clients

are coming to us, asking for help around.

– Catie, do you have some other thoughts around

the regulatory environment in which
this is probably just one small piece?

– Yes, Dan and Doug, you both
brought up a great point

of there are current existing regulations

that apply to certain areas of ESG.

But what we're seeing is a global movement

towards more overarching regulations
across different jurisdictions.

So, for instance, last year,
the European Union

approved the Corporate Sustainability
Reporting Directive Regulation,

also called CSRD, and that
sets reporting standards

for entities that meet certain
EU reporting thresholds.

In the UK, there is BEIS, which is
focused on climate-related disclosures

for entities that operate in the UK.

And then, of course, for our U.S.
listeners, I'm sure you all have heard

about the coming SEC final rule when
it comes to climate disclosures.

We anticipate that being finalized
as early as April of this year.

But all that to say that the
regulatory environment, itself,

from an ESG perspective, there is
a growing recognition that

there needs to be standards
that companies adhere to.

So that there is comparability
across the landscape

when it comes to ESG data.

Because it is hard for whoever
is looking at this data

to discern what certain data points may mean

because they may be defined differently.

So these standards are helping
to create an environment

that is more accountable and more
comparable which, hopefully,

will help clarify some things and clarify
the way that you go about reporting.

That said, even though some of those regulations

are very early stage or
haven't been released, yet,

there are already consequences for misreporting.

So we saw last year, or in
the past couple of years,

that Goldman Sachs was fined $4 million

and BNY Mellon was fined $1.5 million

for what were considering material misstatements.

And in the future, we see that
more frequent consequences

could be around the corner.

But I can't speak to what
that looks like just, yet.

Dan, do you have any experience, or Doug,

in terms of any additional consequences

that you're seeing for
misreporting of ESG data?

– Yes, well, for me, as you said,

there are consequences from
misstating, publicly, the information.

There are just a ton of business consequences

of misstating the information.

So, for example, I myself was
involved in an investigation

in which there was a licensor of images

for the front of T-shirts and the like.

There was a requirement that
none of the production

would take place in Bangladesh
after the tragedy in 2013,

in which a building collapsed, killing
more than 1000 apparel workers.

And, so, there was a requirement
that no production take place

in Bangladesh, and there was wide-scale deception on that point.

Such that there was a lot of
production going on in Bangladesh,

but it was being misreported to
the licensor as being produced in India

or in other jurisdictions throughout Asia.

That finding, in the investigation
that we carried out,

was the subject of whether or not

a billion-dollar license
would go forward or not.

– I can see several potential risks
or consequences for misreporting

or misleading content and reporting,

and they vary according to the reporting channel.

For example, there is ESG
content in financial statements,

in income statements and balance sheets.

There are reserve estimates for
contingent environmental liabilities.

Something that's a little newer is asset values

for Emission Reduction Credits

or expected costs in the future
for Emission Reduction Credits,

if that's part of a company's strategy

for reducing greenhouse gas emissions.

Those have a vintage and the
value depends on the vintage.

If those are, knowingly, misstated,
you're subject to all the things

that come with that in financial reporting,

disclosure controls, and
procedures, and the like.

For misrepresentation and
misreporting in the Form 10-K

the analysts and the investors are using
this to make investment decisions.

There are shareholders who are
quite happy to file proxy filings

or to file suit by claiming to be
misled for the content in there.

Some of those are starting
to see the light of day

or to get quietly settled.

There was an instance of
a major European bank,

an employee blowing a whistle, publicly,

saying that their screening process for companies

to include in an ESG index fund was
just not very good or, maybe, a sham.

So there's the reputational damage
that can be a hit to a company

and the market cap for many companies,

the reputation, the intangible value,

exceeds the value of PP and E,
Plant Property and Equipment.

So intangible value and brand value
is something to watch out for, too,

and that can take a hit with misrepresentation

or loss of reputation in ESG
and non-financial matters.

– And, Doug, just to piggyback on that point,

there's the financial disclosure side of that,

but there's also, as we talked about,
the intangible side of that.

So customers are increasingly wanting

to purchase sustainably made goods,

and engage with companies that align

with their own, personal, moral values and

And, so, when they learn that whether it's
a good

that's claiming to be sustainably
made is actually unsustainable,

you could lose members of your customer base.

At times it inspires boycotts and protests

and, especially, in the age of digital media,

just imagine someone telling their
community about their experience,

and that going on Twitter, or TikTok,
or something of that nature.

Those are some of the risks that we're seeing

from not a regulatory penalty approach.

But also there are consequences
when it comes to your customer base,

the value of your brand, and your brand reputation.

– We've discussed a lot of different data,

a lot of different stakeholders,
a lot of different needs.

So how do companies manage
this kind of reporting.

When everybody wants something different.

There are different ways to slice and dice.

How does a company get their arms around this

and make sure that it's right?

– Yes, that's a great question, Doug.

So as I said before, there are a lot
of different frameworks out there.

But they are working to
consolidate the frameworks

and to consolidate the data
expectations of those frameworks.

From what I'm seeing, it appears
that SASB, GRI, and TCFD,

all of which I previously mentioned,

are emerging as the big three of
ESG data disclosure frameworks.

And it's important that our
listeners understand that

while these frameworks are
not required for disclosure,

they can help guide your reporting.

And, ultimately, they can help your company

be more aware of any potential fraud risks

and avoid being susceptible
to associated fraud

with those activities and reporting.

Of course, the frameworks, themselves,
are not mandatory for disclosure.

They are, as I said, guidelines
and we talked, previously,

about the different regulations that are emerging.

I think the thing that's important to know

here is that some of these frameworks

are being utilized to inform those regulations.

So we know that the SEC climate disclosure

draws heavily from TCFD reporting framework.

And, so, some of our clients are asking us

to conduct TCFD reporting gap analysis

to help them prepare for those
upcoming SEC-required disclosures.

We have clients who are asking us
to do assurance readiness services

because they know that they will fall
in that year one reporting group,

the large accelerated filers for the SEC.

And, so, having us test their existing processes,

internal controls, things of that nature,

and validate that their data is complete

and accurate is something
that they're doing to prepare

for the upcoming regulatory framework.

So the way to think about those frameworks

is that it's a helpful way for you
to organize your disclosures

in anticipation of future reporting requirements.

Dan, do you have any thoughts from
the fraud risk perspective of how

those frameworks can usually help you.

In terms of guarding against
any potential misreporting

or intentional or unintentional?

– Yes, so when I think about this,

I usually do go back to the
ACFE's Fraud Triangle,

thinking about incentives and pressures,

the opportunities for fraud, and the rationalizations

one might apply to committing those frauds.

So when I think about reporting
what is the role of that report?

Is it going to a regulator?

Is it going into a corporate social responsibility

or a marketing publication?

All of those bear different kinds of risks.

So in terms of, on this reporting topic,

that people and companies
should be thinking about

taking an inventory of all the ways in which

that ESG information is going out

to the public, across those different channels.

And ensuring that as they're
building up their capabilities

and infrastructure to maintain good data quality,

that it is also ensuring consistency

across all of those reporting channels.

What I anticipate, and I think
we're starting to see it,

is that there will be cases
where the same information

is reported in one channel, but is inconsistent

with how it was reported in another channel,

and that will be held against the company.

You should not be finding yourself
saying one thing to the government

and something else in a publication.

– Dan, I absolutely agree with that.

I would say to this question,
it comes back to a familiar trilogy

that we hear as the answer
to so many questions,

and that is people, process, and technology.

And I'll start at the end and work
my way back, there are many vendors

offering technology fixes
and even companies, in-house,

building technology fixes to
gather and report data.

But the data and the information
is only as good as the process

it took to come up with the data.

You can automate the wrong process

and just get the wrong answer faster.

So you back up to the process

and say, "Well, since this non-financial information

originates in so many parts of the company,

and even from other companies, suppliers,

customers, business partners, and the like.

What is the process to get them?"

There are also challenges
I see on reporting periods.

Governments, like EPA may have
an annual reporting process.

There are companies with
a non-calendar fiscal year,

who need to report some of this
on a fiscal year basis.

So where are the reporting periods?

What is the process to collect information

and report to a state agency,
to a stakeholder, to a customer?

So those processes need to be nailed down,

and that's where that wonderful COSO
internal controls framework comes in.

Just follow that and apply it as it's appropriate.

And because that data and information

comes from so many different sources,

I encourage people to have
the right people involved.

If companies establish
a cross-functional team

and get folks from all the places
who provide this information.

Real estate, operations, safety,
procurement, R&D,

if they understand their roles and responsibilities

in collecting this information
to enable the kind of reporting

that Catie has mentioned and others,

then that goes a long way to making the process

more effective and more efficient.

– Yes, and I would like to add on
to what Doug was saying

That in terms of the fact that this information

is coming from different parts of organizations,

that haven't necessarily undergone
third-party assurance procedures.

That this is a transition period here where,

I think, a broader spectrum of people,

within an organization, are going
to be changing their mindset

around the accuracy and
completeness of the data

because they know that they are
subject to that third-party assurance.

– And, Doug, you had mentioned,
I think, very rightly,

that having the right team in place is critical

to being able to have the right processes

and technology also in place,

to ensure that your reporting
is complete and accurate.

And we're seeing on the client side

that a lot of our clients don't, necessarily,

have the resources in place
to start to organize that.

So I wanted to ask, in your opinion,
and Dan, feel free to jump in.

How important is it to not
just assign one person

to do all of your ESG reporting.

But how important is it to have that
cross-functional team approach

to these non-financial disclosures?

– I think it is absolutely essential.

One structure that I see work a lot
is to have a steering committee.

To set strategy and to be plugged

into those reporting frameworks
that you've mentioned, Catie,

and some of the customer demands

and organizational strategy
and where things are going.

And a more tactical working
group that's closer to operations,

and the systems, and controls
to really modify those systems

and controls and talk to each other.

A couple of things I've seen work really well.

I've seen those committees be assembled,

and people show up, and they don't
know why they're in the room.

And it really helps to have a coach

or an external resource to
help facilitate all that.

To make sure that people
are talking the right language

and not talking past each other.

So you get everybody on the same page

to take actions in ways that are aligned

with the company objectives,
that helps a lot.

A couple of functions that
I don't see on those teams

but, I think, should be there a lot
more than they are IT, for sure.

And many of our listeners are from accounting,

I would say accounting.

I don't see on those cross-functional teams

as much as I think they should be.

Much of what is required for
the sustainability reporting,

it comes from accounting.

You get utility bills from accounting.

Get a list of assets from accounting.

Get a list of our ten largest
customers from accounting.

Accounting has the master
key to a lot of this information.

But the information that's in company systems,

in my experience, was not
designed for the way

the information needs to
be reclaimed and used now.

So there are some changes that
need to be made in accounting

to enable this reporting and to
enable the systems and controls.

To, then, ensure accurate
reporting, verifiable reporting,

and the fact that we tighten down the controls

so that we can prevent
the possibility of fraud.

– Yes, great points, Doug.

I really appreciate you bringing
up the steering committee.

Someone at the top of an organization
that is there to set strategy.

And I think that it is common, and
it will become more commonplace,

to have that steering committee require
that any fraud risk assessments,

that are being done within an organization,

include ESG fraud as part of
what they're doing.

And in conducting a fraud risk
assessment that is a stress test,

that's looking for ways in which
various kinds of scenarios.

Such as the scenarios we brought
up in our report with the ACFE,

of ways in which ESG fraud could be committed.

And then looking at whether
the controls in place,

within the organization,
are sufficient to prevent

and detect or detect those occurrences.

So, Doug, I know that you've been
contributing to an exciting report,

that's been recently released from the IMA.

Could you give us a few
highlights in that regard?

– Sure, I'd be happy to.

I was one of the primary authors of this document,

the only non-CPA on the team,

I provided the ESG specialist input
for this very important report.

It's a COSO report and IMA is,
of course, a member of COSO

and their leadership had a terrific
role in pulling this together

And it will resemble a lot kind of the report

you've had major involvement with
from the ACFE, on fraud, ESG fraud.

In that it begins with a
framework that everybody knows

and is very familiar with the COSO
Internal Controls Framework,

and there's something old and something new.

There is a summary of some of the key points

of the COSO Internal Controls Framework,

the components, and the points of focus.

And on each of the components
there's some information

demonstrating how the internal controls
framework can be applied to ESG.

So that in terms of non-financial
management of information,

and of reporting, and of communications,

and of control environment.

It can be applied and it points
you in the right direction

on how it can be adopted to improve
the effectiveness, and the efficiency

of company organization,
management, and reporting.

I encourage everyone to read it and use it.

< Outro >

– This has been Count Me In,
IMA's podcast.

Providing you with the latest
perspectives of thought leaders

from the accounting and finance profession.

If you like what you heard and
you'd like to be counted in

for more relevant accounting and finance education,

visit IMA's website at www.imanet.org.

©Copyright 2022 Institute of Management Accountants. All rights reserved.