Who Owns ESG Today? Second Line Evolution and the Integrated Reporting Imperative

Who owns environmental, social, and governance (ESG) in your organization? Who should own it? What does “good” ESG governance and strategy look like, and how are companies integrating it with existing risk and compliance governance structures? 

As stakeholder interest in ESG continues to rise and disclosure requirements are written into law worldwide, forward-looking companies are working to answer these questions and others. They feel an increasing urgency to put in place the people, processes, controls, and technologies needed to support reliable, up-to-date, accessible, and auditable ESG reporting. But most ESG programs are still in their nascent stages: in KPMG’s 2023 Chief Ethics & Compliance Officer Survey, 48% of CCOs surveyed had not yet implemented sustainability/ESG compliance programs, with 44% still in the planning/development stages.

Every company wants to know how other companies are handling ESG. Since ESG risk and responsibility span the organization, companies must find ways to improve collaboration and centralize governance. Many have responded by creating an ESG Program Manager and/or ESG Controller role, raising a compelling question: Is ESG creating a new “second line of defense” function, adding a fresh layer to the Institute of Internal Auditors’ (IIA’s) Three Lines Model? How does the role fit with ESG’s cross-functional context? And what past lessons and emerging best practices can companies draw upon to engender the collaboration, alignment, accountability, and visibility needed to build and run effective ESG programs? 

Read on as we explore emerging ESG roles and responsibilities and foundational guidance and best practices for ESG program management.

Big Picture: Sustainability Is a Team Sport

Nobody “owns” ESG today, since responsibility for ESG spans the entire enterprise and no individual can make ESG happen on their own. While a leader can set a vision and strategy, only a cross-functional team can deliver it. The necessary distribution of responsibilities means there is no one-size-fits-all approach to ESG program management. Further, given the cross-functional nature of ESG program management, contributors from different areas of the business — all with their own domain experience — are now required to collaborate more than ever. While the breakdown of roles and responsibilities will vary based on resource availability, industry-specific requirements, and the materiality of different ESG factors, the table below echoes common practices we see. 

ESG Program Management — Emerging Roles and Responsibilities

ESG Governance and Oversight

ESG Reporting and Communications

  • ESG Controller: Owns data verification and integrated reporting of financial and nonfinancial information as mandated by ESG disclosure requirements. 
  • Legal or General Counsel: Advises on understanding/mitigating ESG risks (e.g., compliance, reputational damage, fair labor, “greenwashing”), developing policies on ethical business practices, and setting goals. 
  • ESG Program Manager: Gathers key metric data, leads internal reporting and framework reporting efforts, and contributes to annual sustainability reporting. 
  • Marketing or Branding: Owns ESG press releases, report design and publication, and marketing efforts around ESG reporting, commitments, goals, and progress. 
  • Investor Relations: Owns ESG communications with existing and potential investors. Also helps assess materiality.

ESG Assurance

ESG Performance

ESG Risk Management

  • Risk Management: Ensures that ESG is integral to and aligned with overall risk management. Identifies, assesses, and monitors ESG risk, including materiality and priority. Helps to build an ESG-aware culture.
  • Corporate Compliance and Ethics: Owns governance/oversight of ESG policies and procedures, mapping to frameworks, risk monitoring/mitigation, regulatory compliance, monitoring stakeholder expectations, etc.

ESG Program Management

  • ESG Program Manager: Owns ESG data collection/verification, stakeholder engagement, framework mapping, and report writing. Creates policies, processes, and tools and manages issues. Helps shape ESG initiatives and strategy, advise on risks/issues, and train others.
  • Sustainability or ESG (if present): Leads strategy development, coordinates execution and communication, and ensures visibility/prioritization of ESG at C-Suite level. Makes recommendations to C-Suite and board and acts as subject matter expert in developing impactful strategies.

This breakdown isn’t exhaustive — just consider all the other groups responsible for implementing ESG (e.g., HR’s employee well-being efforts, IT’s green data center practices). It’s nonetheless easy to see the need for centralized coordination and governance to ensure:

  • Collaboration. Are the different groups connected, communicating, and relying on the same data? 
  • Visibility. Do different groups have ready access to the data needed for their roles? Are insights and issues being communicated up, down, and across the organization?
  • Alignment. Are efforts aligned with overall strategy? Are we duplicating efforts?
  • Accountability. Are mitigation activities planned and implemented? Are individuals held accountable for fulfilling responsibilities and delivering on commitments?

More Background: Revisiting the “Second Line” 

These challenges are not new. As new risks and market pressures emerge and transform, organizations must develop the roles and frameworks needed to respond effectively. The “Three Lines of Defense” model introduced by The IIA 20+ years ago was one such response. According to KPMG, The IIA’s guide for dividing risk management roles and responsibilities “evolved after the 1990s (1995 to 2001) when the dot.com demise exposed the sheer breadth and depth of the risk landscape.” 

The IIA updated the model in 2020, citing the reality that organizations are “operating in an increasingly uncertain, complex, interconnected, and volatile world” with “multiple stakeholders with diverse, changeable, and sometimes competing interests” — exactly the situation with ESG. The updated model has a simpler name, increased focus on governance, reduced emphasis on rigid lines/roles, and explicit encouragement of greater collaboration and communication across lines (see below). 

Source: The IIA’s Three Lines Model

The IIA’s model stresses the importance of delineating the roles of a governing body, management (which includes both the first and second lines), and an independent, objective third-line advisory and assurance function (in this case, internal audit). The guidance stipulates that second-line roles can focus on specific risk management objectives (e.g., compliance with laws/regulations, internal controls, IT security, quality assurance) or broader responsibilities like enterprise risk management (ERM). To that end, traditional second-line roles include SOX and other compliance functions, ERM, IT risk management, and legal. These roles are responsible for developing and maintaining the policies, frameworks, techniques, and tools organizations use to identify, measure, report, and monitor risk, helping to ensure consistency in how risk is defined and measured. They also provide appropriate oversight of, and additional assurance on, management’s activities in implementing risk management. 

The Evolving ESG Program Manager and ESG Controller Roles: A New Second Line?

The job functions of the ESG Program Manager and ESG Controller are quickly developing into discrete buckets of work, and appear to align with how The IIA describes the second line. Though job descriptions evolve and mature daily, core responsibilities for the two roles include: 

ESG Program Manager: Emphasis on ESG data collection and aggregation 

  • Developing and maintaining the processes and tools required to collect ESG data and ensure that reporting aligns with standards and meets applicable requirements. Eventually, this will include ensuring that ESG reporting passes audits.  
  • Managing and monitoring issues and ensuring follow-up.
  • Providing management with relevant insight and trends on ESG topics.
  • Training others in the organization on ESG processes, risks, and considerations. 

ESG Controller: Emphasis on governance and data verification, and regulatory compliance

  • Developing ESG measurement policies to ensure data accuracy and consistency.
  • Bringing both a financial reporting perspective and an operational perspective of the organization to non-financial disclosures.
  • Standardizing and controlling comprehensive ESG reporting in adherence to international standards, frameworks, and upcoming regulatory requirements.
  • Owns integrated reporting of financial and nonfinancial information as mandated by ESG disclosure requirements.

Many people performing these roles have different titles and “official” functions, even as ESG program management and controllership have become integral to their work. In our experience, ESG Program Managers often have backgrounds in internal audit, risk, rating agencies, academia, or sustainability, and ESG Controllers may have a background that combines financial oversight, deep understanding of ESG metrics, and experience with both the operational and financial aspects of reporting efforts. As ESG regulations take shape and companies assess their short- and long-term needs and priorities, we expect that the ESG Program Manager and ESG Controller roles, as well as the professionals in them, will continue to evolve. 

AuditBoard is creating a video series to explore who ESG Program Managers and Controllers are and what makes them successful. Are you an ESG Program Manager or Controller with a story to tell? We want to hear from you! Please email us at esg-marketing@auditboard.com.

ESG Program Management 101: Lessons Learned From SOX

We don’t have to look back far for a relevant precedent: the Sarbanes-Oxley Act of 2002 (SOX), which created the second-line function of SOX Compliance Managers. From what we’ve seen, ESG Program Managers are looking more and more like SOX teams. 

As John wrote in his 2022 AuditBoard blog, “What Integrated ESG Reporting Can Learn From SOX,” there are notable parallels between the SOX compliance work companies have been doing for 20+ years and the ESG compliance work they’re anticipating. Both efforts are designed to improve the accuracy, transparency, and completeness of reporting in their respective areas, and both will ultimately require similar levels of assurance. Many feel that COSO’s new “internal controls over sustainability reporting” are essentially SOX controls over non-financial data. 

Companies have a key opportunity to use lessons learned from SOX to inform their approach to ESG, from framework selection and identification of relevant controls to understanding technology’s capacity to enable process and the urgent need to integrate with overall risk management. We can also view the evolution of the SOX team’s role as a foil for understanding the ESG Program Manager role, because decades on, many companies are still struggling to effectively transfer ownership for SOX compliance, risk mitigation, and controls out to the first-line process owners. 

ESG program management is still in its infancy. Most companies are years away from being able to transfer ownership in this way. But — armed with lessons learned from SOX — companies building their programs have the opportunity now to deliberately embed ESG compliance and ownership throughout the organization, positioning ESG Program Managers to more effectively perform their critical second-line responsibilities. 

Foundational Lessons in ESG Program Management

As we’ve illustrated, an ESG Program Manager is only one part of a still-developing puzzle. Effective ESG program management involves not only connecting data and controls, but connecting leaders across the organization. Emerging guidance and best practices suggest that organizations:

  • Set and track commitments. Getting serious about ESG means setting goals, tracking progress, and documenting commitments and achievements. 
  • Focus and prioritize. You don’t need to do everything at once. Chief Sustainability Officers (CSOs) have suggested selecting one area of your business where ESG is more mature, having an auditor perform a limited assurance engagement around only that area, and using those findings to improve other areas.
  • Embed ESG in overall risk management. Requirements will involve documenting physical and transition risks and opportunities, which is part and parcel of ERM. Get scenario analysis in place to show regulators you’re identifying, assessing, and mitigating the right risks. In a 2022 KPMG survey, more than 80% of companies that embedded ESG into their enterprise-wide business strategy considered their ESG programs successful. 
  • Use a common framework and strategy. Rather than reverse-engineer a piecemeal approach, design a framework upfront to bring together the processes and controls needed to comply with ESG requirements across jurisdictions. Consider leveraging existing frameworks (e.g., COSO) and teams (e.g., SOX) to address ESG needs. 
  • Invest in enabling cross-functional collaboration. Technology is critical for gaining visibility, accountability, collaboration, and alignment. A connected risk platform like AuditBoard promotes improved visibility, clear alignment, transparency and agility for identifying gaps and issues, integration with overall risk management, and more.
  • Identify a cross-functional ESG leader to own the program. If this person does their job effectively (and empowers their first-line counterparts to own ESG), they will ultimately work themselves out of a job. But having a CSO or similar role is often critical for launching a program, defining how ESG is addressed and integrated, and ensuring accountability for implementation. 
  • Prepare to be audited. Internal audit should be the canary in the coal mine, performing readiness assessments and ESG report audits and establishing baselines for controls — even before limited assurance requirements come into play. 

ESG’s Risks and Opportunities Demand Evolution

As stakeholder interest in ESG continues to rise, pressure grows for businesses to address it effectively. Forward-looking leaders understand ESG’s critical connection with long-term value creation and business success. They are making it central to business strategy, which includes taking a proactive approach to getting ESG program management right and evolving first-, second-, and third-line roles and responsibilities across the organization to meet ESG’s integrated reporting imperative.

ESG demands evolution, and we will do well to remember the many lessons learned from SOX. Companies moved fairly quickly from viewing SOX as a burden to appreciating the valuable insight it provides into the organization’s financial risk exposure. Ultimately, despite inevitable bumps and bruises along the way, we expect ESG to follow a similar trajectory. Start today by looking at how your organization is dividing roles and responsibilities to address ESG, ensuring that you are respecting the “three lines” necessary for protecting and creating value. 

John

John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture. Connect with John on LinkedIn.

Judson

Judson Aiken is a Senior Director of Risk and ESG Solutions driving strategic growth across AuditBoard’s enterprise risk management and ESG customer base, with an emphasis on product development. Prior to AuditBoard, Judson was at EY in their Risk Advisory practice supporting enterprise risk management, SOX, and internal audit. Connect with Judson on LinkedIn.

Claire

Claire Feeney is a Senior Product Marketing Manager at AuditBoard focused on ESG and RiskOversight. In her role, she helps support organizations in transforming their enterprise risk management and sustainability programs. Prior to joining AuditBoard, Claire worked in product marketing at OneTrust, VMware, and Infor. Connect with Claire on LinkedIn.