COP26 is a reminder to everyone that protecting the environment is a key task for all organisations. But it's not just for governments. Businesses should be prepared for policy measures and statements that will have a direct impact on their strategies and operations. This article examines some of the key challenges arising and how internal audit can support the board in meeting them, with comment from our experts.
The UN’s climate change conference in Glasgow, was a reminder to everyone that protecting the environment is a key task for all organisations. After tough negotiations, and despite some disappointments, the conference issued the Glasgow Pact with pledges to “phase down” coal, increase climate finance and reaffirming a target of 1.5℃ for global warming above pre-industrial levels.
Those promises add up to a set of high-level commitments for political leaders around the world. However, when it comes to dealing with the policy implications it will be companies on the front line. As Matt Dalton, Partner and Risk Consulting leader at Mazars, says: “Governments will be unable to achieve carbon reduction plans without the cooperation and support of the business community. COP26 has helped moved more responsibility for responding to climate change onto companies.”
Business already knew the risk posed by climate change. For most, climate is listed among the top five on their risk registers. And if climate is up there among the biggest threats and opportunities, that creates a critical role for an otherwise unsung business department.
“Given that climate change is a principle risk,” says Dalton, “there is an important role for internal audit to play in managing an organisation’s response.”
COP26 may have produced a deal that will have significant implications for business, but it is not the only source of pressure. Investors are already demanding that companies confront climate risks, while bodies like the UN have set a global agenda through initiatives like the Sustainable Development Goals.
National governments have acted too. In the UK companies must comply with Streamlined Energy and Carbon Reporting while guidelines from the Taskforce on Climate-related Financial Disclosures (TCFD) will become mandatory for most listed companies by 2024. In Glasgow, UK chancellor Rishi Sunak announced that it would become mandatory for companies to publish their climate “transition” plans from 2023 while also pledging to adopt reporting standards issued by the newly launched International Sustainability Standards Board.
And as part of major reforms to audit and the audit market, the UK is about to introduce fresh regulation which could require directors to publish a statement on their internal controls, part of which will reflect the role of internal audit.
That leaves much for internal audit to consider. And while its key role is to review a company’s response to regulation, according to Dalton, it could become involved in the response to climate change at a much deeper level.
“Internal audit can respond to the climate question, and play a significant role in supporting boards, in two ways,” he says. “They can play their traditional role as a third line defence ensuring that the second line—the risk management and compliance functions—is solid.
“But internal audit can also play a consultative role supporting a business in developing climate-related projects and programmes.”
That may mean placing internal audit and its leadership at the “top table” and in the room as plans for capital projects, business processes and supply chains are hatched.
“Internal audit should be involved early at strategy days and providing a risk and audit lens on decision making,” says Dalton. “The role should be looking at how a business will change and whether it is investing in capital programmes to future proof the business. Then it should provide programme assurance ensuring that a company delivers on its capital programmes, changing business processes or a revamped supply chain.”
And with transition plans looming, internal audit will have another essential job to do. Dalton recommends internal audit teams help develop integrated assurance frameworks to understand where the assurance over transition plans will come from. “They should review the framework to ensure it’s fit for purpose and the second line function has the right capability,” Dalton adds.
Much of this may raise questions about the kind of expertise needed in a modern internal audit team. For Dalton, a team established now would include change management and programme experts. The push for digital business models as a result of the pandemic, also places a premium on IT expertise and knowledge.
However, internal audit cannot ignore its customary role of providing assurance over a plethora of new climate-related regulation. Chief among those is TCFD, a reporting framework that demands not only disclosure of numbers but also scenario analysis.
This could be handled as a simple compliance exercise. But, William Hughes, sustainability services lead at Mazars, warns against that. He argues that businesses should consider how they achieve value from the implementation of TCFD, and allow the reporting framework to provoke substantive questions about business models through the lens of climate-related risk. He adds that companies with an integrated approach to climate change and sustainability win themselves a lower cost of capital, lower costs of insurance, increased stakeholder trust and a reputation as an employer of choice.
“It’s important for business not to consider regulation as a compliance exercise because there are definite business advantages to be had from engaging in climate-related risk,” says Hughes.
That’s the position an enlightened internal audit team would take. “Internal audit has got to get its head around all elements of risk and regulation,” says Dalton. Not least, he adds, because audit committee chairs have signalled their desire for more internal audit. And that may require internal audit leaders to strengthen their ties with boardroom figures.
“Internal auditors are pushing at an open door,” says Dalton. “They need to be sitting at the top table. They need to have a consultative role in terms of these major initiatives that have been put in place by companies to change business strategy and models based on climate risk. It’s very difficult to influence things after they have happened.”