UPDATE: COSO And Sustainability


Post on 10-Jul-2020


© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

• More “stuff” is happening
• Things are moving faster
• Expectations keep rising
• The unexpected is increasing
• There is more conflict
• The impact of events is greater
• We are moving into a new age of technology and Business Models

DOES “NOW” REQUIRE SOME DIFFERENT THINKING?

Today’s Biggest Risks?

2018 Top Global Risks

• Extreme weather events
• Natural disasters
• Cyber attacks
• Data fraud or theft
• Failure of climate-change mitigation and adaptation

Source: WEF Global Risks Report 2018

Today’s Biggest Business Risks…

TOP RISKS FOR 2018

Rank   Risk Issue   YOY Trend

1   Rapid speed of disruptive innovations and new technologies
2   Resistance to change operations
3   Cyber threats
4   Regulatory changes and regulatory scrutiny
5   Organization's culture may not encourage timely identification and escalation of risk.


US SEC Proxy Requirement…

Provide Information About Board Leadership Structure and the Board's Role in Risk Oversight:

• The SEC approved rules relating to board leadership structure and the board's role in risk oversight. The rules require disclosure about:

• A company's board leadership structure, including whether the company has combined or separated the chief executive officer and chairman position, and why the company believes its structure is the most appropriate for the company at the time of the filing.

• In certain circumstances, whether and why a company has a lead independent director and the specific role of such director.

• The extent of the board's role in the risk oversight of the company.


Mission

• COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”

COSO’s Fundamental Principle

• EFFECTIVE risk management and internal control are necessary for long term success of all organizations


Thought Leadership to Improve Your Organization


Control Environment

Risk Assessment

Control Activities

Information & Communication

Monitoring Activities

COSO is Happy!

1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

13. Uses relevant information
14. Communicates internally
15. Communicates externally

16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies


Principle 9: The Organization Assesses Change…

• External, Internal, Business Model, Leadership

“Technology innovation creates both opportunities and risks… It may increase complexity, which makes identifying and managing risk more difficult…The principles presented in this framework do not change with the application of technology… it affects how an organization designs, implements, and conducts internal control, but the same principles remain suitable and relevant.”


Principle 15: Assesses Substantial Change

“When innovation is introduced, risk responses and management actions will likely need to be modified”

Blockchain Internal Control Issues

Issues
• NEW technology, processes and controls
• Security, availability, privacy
• Lack of standards
• De-centralized
• Irreversible, unalterable
• MORE…

Positives
• Strong Audit Trail
• Immutability
• Faster
• Automated controls, execution
• Irreversible, unalterable
• Reduces counterfeiting
• MORE…


A New Title…

• Retitled as Enterprise Risk Management—Integrating with Strategy and Performance

• Recognizes the importance of strategy and entity performance

• Further delineates enterprise risk management from internal control


1) Provides a New Document Structure

• Framework focused on fewer components (five)

• Uses focused call-out examples to emphasize key points (> 30)

• Follows the business model versus an isolated risk management process


2) Introduces Principles

20 key principles within each of the five components


3) Incorporates New Graphics/Concepts

Graphic has stronger ties to the business model


Integrated, Not Added on


6) Links to Strategy

• Explores strategy from three different perspectives:

– The possibility of strategy and business objectives not aligning with mission, vision and values
– The implications from the strategy chosen
– Risk to executing the strategy


10) Builds Links to Internal Control

• The document does not replace the Internal Control – Integrated Framework

• The two frameworks are distinct and complementary

• Both use a components and principles structure

• Aspects of internal control common to enterprise risk management are not repeated

• Some aspects of internal control are developed further in this framework

NEW!!- Compendium of Examples

The compendium illustrates:

• All principles

• A variety of entity sizes from global through to national, regional, and local entities

• Actual company practices and augmented with expected practices in select areas, as needed

• An ERM perspective from the business mindset

The Compendium Considers a Variety of Industry Types

In-Depth View of ERM in Practice

Each example:

• Sets out the industry context

• Highlights the key benefits of enterprise risk management

• Lists the principles demonstrated

• Provides facts and circumstances for context

• Offers in-depth discussion

COSO, World Business Council for Sustainable Development to Issue First-Ever Guidance for Applying Enterprise Risk Management (ERM) to Environmental, Social, Governance-related Risks

“Business is moving into an era of significant change in corporate governance. Integrating the environmental, social and governance factors into a company’s risk assessment will soon be the norm. New tools are needed for managing this new view of risks to the long-term financial and societal profile of business are needed. Using these tools will mean better decisions that will make more sustainable companies become more successful.”

WBCSD President and CEO Peter Bakker, January 2018

COSO Framework and Sustainability

Leveraging the COSO Internal Control – Integrated Framework to Improve Confidence in Sustainability Performance Data

9/17/2018


Oh, and One More Thing…

Already Here! Just Released!

The Evolution of Sustainability…


It’s More than Just the Climate…


What is the “Environmental, Social and Governance (ESG) Criteria”?

The Environmental, Social And Governance (ESG) Criteria is a set of standards for a company’s operations that socially conscious investors use to screen investments. Environmental criteria looks at how a company performs as a steward of the natural environment. Social criteria examines how a company manages relationships with its employees, suppliers, customers and the communities where it operates. Governance deals with a company’s leadership, executive pay, audits and internal controls, and shareholder rights.

Source: Investopedia

6/13/2017 © SASB

Investor Interest in Sustainability-related Information

[Figure, panel "Global Institutional Investors" (Source: PwC, 2014): will request sustainability information directly from the company; “very likely” to sponsor or co-sponsor a shareholder proposal; more likely to consider ESG information if common standards used. Percentages shown on the slide: 50%, 89%, 67%.]

[Figure, panel "Shareholder Proposals" (Sources: EY, 2011-2014; As You Sow, 2015): percent of total proposals filed that are related to social and environmental issues. 2011: 40%, 2012: 40%, 2013: 45%, 2014: 55%, 2015: 63%, 2016: 67%.]

9/17/2018 © 2017 SASB™

The Global Sustainability Leaders Index (GSLI)

• Companies that manage Environmental, Social and Governance (ESG) issues well can also yield superior risk-adjusted returns.

• The index is composed of 100 Global Compact signatories selected on the basis of Sustainalytics’ proprietary ESG Rating, which identifies the top sustainability performers within their respective sectors and regions.

• To be eligible for the index, companies must have a consistent base-line profitability and meet a set of stringent minimum sustainability criteria.

ESG Matters…

• Valuation multiples 3%-19% higher than median performers

• Margins up to 14.4% higher

What’s Your ESG Score?

What the Heck is SASB?

SASB is a private initiative designed to improve the sustainability disclosures of US public companies when those sustainability matters are material.

Improvement includes:
- Disclosure of ESG matters, when material
- Specific, comparable, consistent, defined metrics
- Decision useful, investment grade
- Driven by industry participants

Think it Doesn’t Apply to You?

April 10, 2018, Wall Street Journal, page B6

Apple said it has achieved a decade-old goal of having its facilities powered exclusively by renewable energy, an achievement that will shift the focus to its supply chain.

“We are not going to stop until our supply chain is 100% renewable”
Lisa Jackson, VP of Environment


Even Internal Audit !

Based upon a thorough review by NIKE’s internal audit function, considerable progress has been made to NIKE’s sustainability data processes over the past several fiscal years, including but not limited to: a performance management data system overhaul, development of standard operating procedures, and an improved data governance model. The review also identified opportunities to further improve systems and controls around sustainability reporting. NIKE will continue to evolve and address information systems in light of this goal.


And Even Legal Advice…

“Be aware that sustainability has become a major, mainstream governance topic that encompasses a wide range of issues, including a company’s long-term durability as a successful enterprise, climate change and other environmental risks and impacts, systemic financial stability, management of human capital, labor standards, resource management, and consumer and product safety, and consider how your company presents itself with respect to these matters.” (Wachtell Lipton, July 2018)


Some Companies are Responding…

“As part of our commitment to transparency, this year we are expanding the reporting of JetBlue’s sustainability performance by incorporating the SASB’s guidelines for the aviation industry. These additional disclosures focus on four sustainability issues and ten metrics that are deemed to be material for our industry. Disclosure is not a static concept. Markets are dynamic and disclosure must keep pace. Integrating SASB disclosures into our sustainability reporting is proof positive that JetBlue intends to stay on the leading edge of sustainability performance and reporting.” JetBlue 2016 SASB Report


Jet Blue Says…

• As an airline we depend on natural resources. Fuel, water are essential for flight

• We recognize that the airline industry has an important role to play in addressing global climate change

• Sustainability is key to our long-term business planning

• We view sustainability through the lens of fuel efficiency, risk preparedness and customer experience

• This year we are expanding our reporting by incorporating SASB guidelines for our industry

Where a company discloses its sustainability data isn’t as important as the quality of that data…


The Elephant in the Room…

If it is that important to company evaluation and valuation, should the information be subject to some form of management certification and/or some form of third-party verification?

At a Minimum, It’s an Interesting Conversation

What You Might Think About…

• Bring ESG to the attention of Management and Board
• Look at SASB Standards for your industry
• Look at Peers and their reporting, website
• Determine your current ESG activities, metrics and ESG score
• Consider costs and benefits of doing more
• Communicate with investors
• Validate any ESG reporting

It’s Just the Right Thing To Do…