ESG and Board Oversight: Where to start?

Not all Boards are yet fully conscious of the need to extend their governance parameters beyond the more “traditional” aspects of governance and to consider ESG oversight, particularly if they have not to date been impacted by the obligatory disclosure rules in the area of ESG. However, independently of whether companies are subject to ESG-related regulations or otherwise, there is an expectation on the part of investors and regulators for Boards to address ESG impacts and to incorporate this broader perspective into their strategy and decisions. In practice, therefore, Boards should expand their governance remit and start to delve into the various ESG aspects relevant to their entities.

The ESG theme is not new, but perhaps never has there been such a visible drive, including on the regulatory front. EU initiatives can be seen in:

  1. The recent proposal for a Corporate Sustainability Reporting Directive (the “CSRD”)[1], which proposes to amend the reporting requirements contained in the Non-Financial Reporting Directive[2] by extending its scope to all large[3] companies (whether listed or not) and all companies listed on regulated markets.[4] The CSRD will require entities, amongst others, to report on their sustainability targets and on the role of the administrative, management and governance bodies in relation to sustainability factors. The intention is to have EU sustainability reporting standards that will delve into Environmental, Social and Governance factors.
  2. The Sustainable Finance Disclosure Regulation[5], which requires financial market participants and financial advisers to make pre-contractual and ongoing disclosures to investors regarding the integration of sustainability risks and adverse sustainability impacts, as well as the promotion of ESG characteristics and sustainable investments.
  3. The Taxonomy Regulation[6], which provides a classification system for environmentally sustainable economic activities and creates a common language to be used when assessing whether economic activities have a substantial positive impact on the environment.
  4. The Guide on climate-related and environmental risks published by the ECB, setting out 13 supervisory expectations for ECB-directly supervised banks to consider climate-related and environmental risks in their business strategy, governance and risk management frameworks. Banks’ plans in this area will be challenged in the course of supervisory dialogue with these banks.[7] Less significant banks are also expected to be asked shortly to show commitment in this area.
  5. The Report of the European Banking Authority (EBA) published on 23 June 2021 on ESG risks management and supervision.[8] The Report provides a comprehensive proposal on how ESG factors and ESG risks should be included in the regulatory and supervisory framework for credit institutions and investment firms. Amongst others, the EBA recommends that institutions incorporate ESG risk-related considerations in their strategies and objectives and governance structures, and that they manage these risks as drivers of financial risks in their risk appetite and internal capital allocation process.

At the outset, before meaningful discussions about ESG risks and goals can take place in the boardroom, it is critical that a risk assessment is undertaken to identify the ESG risks underlying a company’s business. A wide range of risks are covered under the “E”, the “S” and the “G”. The “E” in ESG seeks to understand how a company interacts with the environment and therefore the use it makes of natural resources, how it contributes to greenhouse gas emissions, its carbon footprint, its waste policies and its energy needs. The “S” captures human rights, labour standards in the supply chain, employee and customer relationships, as well as workplace health and safety. The “G” refers to transparency in how a company is governed and how it makes its decisions, the establishment and composition of its Board, remuneration and shareholder rights. Some risks may already be on the company’s radar and already tracked but may need to be looked at from a different angle; other risks may have always existed but to date may have been overlooked or not perceived as relevant.

The Board will need to ensure that ESG risks are included within the company’s enterprise risk management systems and that there is alignment with corporate strategy. The Board will need to address with management how ESG risks will be factored into the company’s risk management processes, including how to retrieve the necessary data for any ESG reporting, whether mandated or otherwise, how to flag key issues and how to measure performance against ESG goals.

This should lead to management producing suitable reporting which can be interpreted by the Committees and the Board and which will ultimately satisfy the needs of the various stakeholders. Regular reporting is important because once it becomes the “norm”, it will become easier to integrate ESG issues within Board and management discussions on business strategy and performance. While quarterly reporting from management to the Board or the Committees (the oversight model is discussed below) is considered good practice, ad hoc or more frequent reporting may be required where an ESG matter impacts decisions that need to be taken, for example about a new service or project. The type of reporting, its depth and the indicators used will vary depending on the company’s business and the ESG risks which emerged from the risk assessment mentioned earlier. Where necessary, experts may also be engaged to assist management, particularly to establish reporting frameworks, KPIs or dashboards. Overall, the Board has a role to play in guiding management to allocate the appropriate resources and attention to this area.

The Board must also ensure that the company policies against which compliance is assessed are in line with the associated risks, and that policies are drawn up where these are lacking. ESG-related policies can differ immensely in terms of subject matter, ranging from an anti-corruption and anti-bribery policy, to a policy on the recruitment of a category of staff members, to a policy on the suppliers engaged. Policies need to be communicated and be known amongst the company’s management and employees. A system for continuous review of policies should also be in place.

The most challenging aspect is perhaps how to ensure proper oversight of these risks, also keeping in mind that disclosure about the Board’s role in overseeing ESG risks is expected. It is first and foremost fundamental for directors to adequately inform themselves on ESG issues. Directors are not expected to be experts on the various ESG risks, which can range from energy matters to land use issues to equal opportunity and diversity matters. However, directors need to do more than simply understand that these risks exist and receive reports from management. They need to constructively challenge the evidence and assumptions provided by management and by each other in this area too, in the same way as they would do, for instance, when reviewing financial performance. Against this backdrop, regular training on key ESG risks is important.

It may also be opportune for a Board to review and refresh its composition to make it more diverse in terms of skills, competencies and backgrounds, and to bring in directors who have a strategic understanding of ESG risks. This would be particularly relevant where a particular ESG risk is considered critical to the business, in which case engaging a director who has expertise in this area or who is well conversant with ESG standards and benchmarks can be beneficial. In any event, Boards should also not shy away from external expertise to support them in this role, especially where certain ESG risks are considered “technical” or uncommon.

As for other areas, the Board needs to decide on an oversight modus operandi. Clearly, the ultimate responsibility lies with the Board. However, the Board needs to assess whether it will be the Board itself which directly considers all or some of the relevant ESG risks, including whether it has sufficient time to do so and whether, generally, the reporting structure within the organisation allows the Board to effectively discharge its ESG oversight role. Amending the Board Charter to define ESG responsibilities and parameters, and including ESG as a standard agenda item at Board (and Committee) meetings, will be the first important step forward.

Particularly in larger companies with a multitude of risks, it may however be useful to delegate oversight of certain ESG risks to committees for more in-depth discussions, with a mandate to report to the Board on key issues or on areas that require Board approval or follow-up. For example, a Governance Committee might consider issues such as shareholder engagement and shareholder rights, a Remuneration Committee may be tasked with looking in more detail into remuneration packages and accountability, while an Ethics Committee may look at certain work-related practices. Where the Board decides that a separate or ad hoc committee is not needed, ESG risks would generally be delegated to the Audit or Risk Committee with a mandate to oversee and report to the Board. Some companies, particularly outside the financial services sector, may not to date have set up a Risk Committee; indeed, this might be an opportunity to set up a Risk Committee to tackle ESG risks. Whatever name is chosen for the Committee, the Board needs to be sure that the Committee has the capacity, the interest and the skills to take the lead on overseeing these ESG endeavours, and that the scope of its mandate is clear. What needs to be avoided is governance overlap and complexity, and at the same time risks being unaccounted for under the mistaken impression that they are in fact addressed by another forum.

Corporate governance never stops being a topic of public interest, whether in the aftermath of a financial crisis or during a pandemic. Admittedly, directors may feel that their role and responsibilities continue to be stretched in many directions, not least because of a risk landscape that becomes increasingly difficult to navigate. Where an ESG issue impacts, or may possibly impact, the company, the Board’s risk oversight role comes into play, and this responsibility requires an ability on the part of the Board to understand and evaluate these risks. In addition, as the highest body within the company, Boards have an added “unwritten” responsibility to set the “tone at the top”, including when it comes to fostering an ESG culture and conveying the significance of creating sustainable value in the long term. ESG should therefore be concretely reflected in the Board’s actions, through its incorporation in business plans and budgets, in decisions on new projects, products or services, and in the formulation of new policies.

[2] Directive 2014/95/EU of the European Parliament and of the Council of 22 October 2014 amending Directive 2013/34/EU as regards disclosure of non-financial and diversity information by certain large undertakings and groups.
[3] Vide definition in Part 1 of the 3rd Schedule of the Companies Act, Cap. 386 of the laws of Malta.
[4] Including SMEs, but excluding listed micro-enterprises.
[5] Regulation (EU) 2019/2088 of the European Parliament and of the Council of 27 November 2019 on sustainability-related disclosures in the financial services sector.