Chief Compliance Officers (CCOs) have an increasing and critical role to play in the vast ESG (environmental, social, and governance) movement. Both the scope and scale of companies’ ESG-related commitments, products, and exposures (including through their third-party relationships) are elevating the importance of assessing compliance risk and bringing ESG forward into all core elements of an effective compliance program. It is the dramatic speed with which ESG awareness and engagement are growing, however, that demands CCOs act now, and decisively, to define and shape their role.
"From a compliance perspective, ESG considerations are rapidly evolving, yet sustainable investing is quickly becoming the table stakes for many constituents. To address this, and to the extent possible, we are integrating ESG into our existing compliance program and processes. This gives us the flexibility we need to meet our clients’ goals while maintaining the long-standing integrity of our platform."
-Una Neary, Global Chief Compliance Officer at BlackRock
Rising ESG risks and the role of CCOs
ESG is not a new concept but daily headlines calling out COVID-19 impacts, social unrest, racial inequities, and climate change—all ESG concerns—have broadened public awareness and raised stakeholder expectations for companies to commit to, act on, and report about their ESG-supporting initiatives. As companies take steps to meet those expectations, they must be cognizant that so much heightened interest and attention similarly heightens risk. For example:
- Public statements and/or announced pledges regarding ESG issues must be matched by follow-through actions (“do what you say and say what you do”), as failure to do so increases reputation risk and threatens stakeholder trust
- Inconsistencies between ESG-related marketing disclosures, such as product labeling or financial returns, and actual results may lead to findings that the disclosures were misleading, in violation of rules prohibiting unfair or deceptive acts or practices, and/or may increase customer/investor protection risks
- Aligning with vendors or forming third-party relationships with companies that do not hold to fundamental ESG tenets, such as employee health and safety, community development, pollution prevention, or business ethics, can directly reflect on the engaging company and may result in increased reputation risk as well as potential violations of other relevant laws and regulations (e.g., labor exploitation, anti-bribery and corruption).
"The scope of evolving ESG-related commitments and offerings dramatically increases the breadth, scale, and importance of compliance."
-Amy Matsuo, Principal and National Leader, Regulatory Insights and Compliance Transformation, KPMG LLP
Rising regulatory expectations
A Risk Alert recently issued by the Securities and Exchange Commission (SEC) highlights how traditional core concepts of compliance and control, such as accurate and meaningful disclosure, customer and third-party due diligence, and customer/investor protection, are directly applicable to ESG activities. The SEC includes ESG considerations among its examination priorities and is integrating ESG into its broader regulatory framework, reinforcing the importance of a compliance role in this increasingly prevalent area. (See KPMG Regulatory Alert here.)
Amongst stakeholders—regulators, investors, customers, the public—ethical behavior is widely viewed as an indicator of good and responsible corporate stewardship. The U.S. Department of Justice (DOJ) Criminal Division, in fact, directly links ethics—and conduct and culture—with compliance program effectiveness. It has issued guidelines that set out minimum expectations for compliance programs, including third-party due diligence assessments, that are both industry- and activity-neutral. Within the context of these guidelines, considerations for ESG-specific compliance and controls might include an evaluation of factors across the following topics:
- Risk assessments – including line of business, location of operations, market competitiveness, and use of third parties
- Policies and procedures – developed to address identified risks and give content and effect to ethical norms (such as through the code of conduct)
- Training and communication – integrating ESG-related knowledge with relevant policies and procedures across directors, officers, employees, and agents and partners (as appropriate) to mitigate misconduct and provide more meaningful review and opportunity for employees to identify and raise concerns
- Reporting and investigations – providing a mechanism for employees and customers to report allegations of misconduct, followed by timely investigation, resolution, and root cause analysis
- Third-party management – marked by ongoing monitoring of third-party relationships through updated due diligence, training, audits, and/or annual compliance certifications; tracking red flags identified through due diligence, and tracking rejected and terminated parties to ensure they do not re-enter the company
- Management commitment – demonstrating “conduct at the top” with rigorous adherence by example, and unambiguously conveying the company’s ethical standards and ESG commitments
- Autonomy and resources – ensuring that compliance has sufficient seniority within the company, staffing resources and expertise (including access to relevant sources of data), and autonomy from management, including direct access to the board of directors
- Incentives and disciplinary measures – conveying zero tolerance for unethical conduct and establishing disciplinary procedures to address misconduct as well as failure to prevent or detect it.
DOJ adds that the effectiveness of a compliance program should be assessed over time, including whether the program is evolving to address existing and changing compliance risks. For all industries, ESG-related risks are clearly among the most pressing emerging risks in 2021 and beyond. (See KPMG Regulatory Alerts here and here.)
ESG compliance challenges
Key compliance challenges related to the pace of ESG-related change, which is expected to remain both aggressive and unabating, include the:
- Multiplicity of ESG inquiries and associated disclosures
- Potential for overlapping ESG-related roles and responsibilities and necessary coordination across the organization to support ESG initiatives and related reporting/disclosures (including voluntary reporting)
- Uncertainty of future regulatory requirements (e.g., reporting standards/frameworks, definitions/terms, scenario analysis/stress testing exercises, supply chain sourcing restrictions)
- Inconsistencies across jurisdictions (e.g., reporting, disclosures, definitions, permissible activities)
- Complexity of risk analysis, including third-party/supply chain analysis, and limited availability of reliable, consistent data
- Competition across industries to make public ESG-related commitments and ongoing efforts to measure, report on, and sustain associated progress
- Availability of compliance professionals knowledgeable about ESG issues.
The current role of compliance – cross-industry survey findings
The KPMG 2021 CCO Survey found that more than 50 percent of respondents identified the compliance department as having a role in the coordination and oversight of ESG employees. These roles and responsibilities frequently included the establishment of ESG-related policies and procedures (51 percent), the incorporation of ESG risks into overall compliance risk assessments (48 percent), and monitoring of ESG components of business investments (37 percent).
Activities the compliance function participates in related to ESG initiatives
Notably, only 24 percent of total respondents identified ESG as one of the compliance department’s top three areas to refine in the next three years, though, perhaps unsurprisingly, respondents from the energy and industrial manufacturing/consumer markets/retail sectors disproportionately identified ESG as a top area for refinement (71 percent and 49 percent, respectively). In other industries, including financial services and healthcare/life sciences, some may be prioritizing other very critical items and/or may be waiting for regulators to set the tone and better define expectations before taking the next steps with their ESG programs. In any case, the role of the CCO in ESG is expanding and will only become more important in the coming months and years with regulatory, investor, and board/management attention. The time of the CCO in ESG is now.