ESG Risk Practices

January 2023

The focus and scrutiny on ESG-related risk and compliance is intensifying across regulatory agencies, fostering strong expectations for organizations to establish appropriate ESG risk and compliance programs. Can you say today that your organization has an effective risk and compliance program for ESG?  If not, why? 

Here are some common challenge areas where organizations will need to focus in order to build and/or mature their coverage in 2023.  KPMG perspectives on each of these areas are discussed below.

1. Developing an ESG risk framework that is not aspirational and sets the standards for ESG initiatives  and accountabilities as well as how to measure associated risks.
2. Strengthening (and documenting) ESG data governance and controls.
3. Demonstrating ESG risk and compliance coverage across risk pillars.
4. Inventorying and assessing regulatory expectations/requirements (amid continued political/jurisdictional discord).  
5. Building an effective ESG risk and compliance assessment and monitoring program that is inclusive of the organization’s various ESG initiatives.

KPMG Perspective: 

ESG risks are interlinked across multiple financial and nonfinancial risk pillars and can potentially impact a wide range of risks throughout the organization, such as:

• Reputational risk 
• Operational risk
• Model risk
• Credit risk
• Market risk
• Compliance risk
• Liquidity risk 

The draft principles for climate risk management released by the federal banking agencies outline actions that management should take when integrating climate risks into an existing risk management framework, including:

• Employing a comprehensive process for identifying emerging and material climate risks –including establishing definitions and thresholds for material risks.
• Developing processes to measure and monitor material climate risks and inform the board and management about the materiality of those risks (including physical and transitional risk).
• Incorporating climate risks into internal control frameworks, including internal audits.

Though the guidance is directed toward large organizations, the regulators (and the FDIC and NY DFS, specifically) have called out the need for small and mid-sized organizations to better understand their climate-related risks, which they suggest may include concentrated business lines and/or geographies. 

Notably, the federal banking agencies also name scenario analysis as an important element in identifying, measuring, and managing climate-related financial risks. The FRB has launched a pilot climate scenario analysis with six of the largest banks. The exercise will analyze the impact of separate and independent scenarios for both physical and transition risk on specific portfolios of assets. The FRB will also collect information on the participants’ climate-related governance and risk management practices, including approaches or tools other than scenario analysis used in “business-as-usual” risk management, whether climate risk is included in the “business-as-usual” risk identification process, and whether climate scenario analysis informs the organization’s business decisions. The exercise will likely set more detailed expectations for the industry on strengthening quantitative climate analysis, expanding model capabilities, and establishing governance and risk management practices.

KPMG Perspective: 

ESG regulations are currently evolving amidst political and jurisdictional discord, creating some uncertainties about future regulatory requirements. This presents a challenge for organizations as they set ESG priorities based on shifting risks and regulatory expectations. Areas of regulatory scrutiny include reporting standards and frameworks, definitions/terms, scenario analysis/stress testing exercises, and third-party oversight. Highly anticipated federal regulations on climate and sustainability, which may introduce some clarity in 2023, are the:

• SEC’s climate risk disclosures.
• Federal Banking Agencies’ (FRB, OCC, FDIC) joint guidance on principles for climate risk management.
• SEC’s ESG investment practices disclosures.
• CFPB’s guidance on disparate impacts.

Some of the discord stems from divergent approaches, especially related to climate and sustainability, found in voluntary disclosure frameworks such as TCFD, CSR, and Materiality (such as under GRI and SASB) as well as between state and federal laws and regulations. These divergences can potentially complicate management of ESG risk and compliance programs long after the regulatory expectations are known (inclusive of setting risk tolerances and managing reputational risk). Examples of state/federal differences include California’s law to phase-out sales of new gasoline powered vehicles, and Texas’ prohibition on state agencies, local governments, and state pension funds contracting with or investing in firms that divest from fossil fuel energy companies.

Despite these challenges, regulators expect organizations to:

• Inventory both current and emerging regulations and guidance.
• Assess risk exposures (via risk assessment processes) to pending regulations and guidance.
• Establish a strategy to implement ESG-related regulatory requirements, as well as sustainability commitments. 

KPMG Perspective: 

Considering that the first line of defense is responsible for addressing ESG risks/issues as they pertain to product development, new technology and innovation, the second line (e.g., Risk and Compliance) faces the challenge of anticipating and applying appropriate risk management and oversight of products and services as they are built by the first line even as they begin to set Key Performance Indicators (KPIs) and risk appetite statements and undertake physical risk and scenario analysis. Integration of ESG regulatory expectations into existing risk and compliance programs must take into consideration the activities of the first line. Therefore, effective risk & compliance programs will require enhanced collaboration between both lines at the earliest stage of product development. Recent ESG-related enforcement actions against FS organizations underscore the importance of effective ESG monitoring and internal processes to mitigate inconsistencies in reporting, marketing, and disclosures.

Transition plans, which should align with the organization’s ESG strategy, are an important aspect of the Compliance role in establishing an effective ESG risk and compliance framework. A “good practice” transition plan should cover:

• The organization’s high-level ambitions to mitigate, manage, and respond to emerging ESG risks.
• Short-, medium-, and long-term actions to achieve strategic ambitions alongside details on how those steps will be financed.
• Governance and accountability mechanisms that support the delivery of the plan and robust periodic reporting.

Measures to address material risks to, and leverage opportunities for the natural environment and stakeholders (including customers).