Paul.Wenman@InvestAssure.net +44 7720 416363 Page 1

Five Questions about Assurance

Paul Wenman, InvestAssure, Oxford, United Kingdom

(Reprinted with permission from ‘Special interview - Emerging Markets ESG, April 8, 2016’)

__________________________________________________________________________________

On occasion, Emerging Markets ESG publishes a special interview with an academic, expert or practitioner about a specific topic with relevance to environmental, social and/or governance (ESG) issues.

This month’s interview, the 19th in the special interview series, is about assurance and is with Paul Wenman, Founder, InvestAssure, Oxford, United Kingdom.

Based in Oxford, UK with partners in Beijing, Hong Kong and Manila, InvestAssure is a research and consulting group, providing advice and support for responsible business, sourcing and investment in Asia and other emerging markets.

Paul Wenman has been a consultant in environmental management, sustainability and corporate risk since 1984, including 15 years with ERM and 4 years with E&Y. He has advised senior management at some of the world’s leading companies, e.g. Anglo-American, Apple, Black & Decker, BP, Bristol-Myers Squibb, British Airways, CBRE, Conoco, Danone, E ON, Hyundai, GlaxoSmithKline, Novartis, Pfizer, Procter & Gamble, Unilever and Vodafone.

__________________________________________________________________________________

Emerging Markets ESG: How would you define assurance?

Paul Wenman: Assurance is a widely misinterpreted and misquoted word. I would say assurance is the provision of information to give decision makers confidence and to build trust with a range of stakeholders. For shareholders, that invariably still revolves around financial performance and productivity data, though it is normal in many jurisdictions these days to provide various indicators of risk control. Increasingly, however, it means more, relating to environmental performance, social responsibility and wider aspects of business ethics – what we might broadly call ‘non-financial assurance.’

However, whereas there are long-established and formalized frameworks and methodologies for reporting and auditing financial data, non-financial performance evaluation is still subject to more ‘flexible’ guidance and reference points. It all depends on who you are and what you want assurance for. For some it may simply be confirmation that a company is complying with emissions legislation, whereas for others it may mean evidence that it has no child labour in their supply chain. The interesting thing is how we really are seeing all these aspects link up. There is growing recognition in the financial world that an environmentally inefficient or socially irresponsible company has a higher

Paul.Wenman@InvestAssure.net +44 7720 416363 Page 2

risk of not returning sustainable value to shareholders. There is however, a long way to go, I feel, in deciding exactly what non-financial information is most useful in delivering assurance to different stakeholders.

Emerging Markets ESG: What distinguishes assurance from audit?

Paul Wenman: There was a time when many, particularly in the accounting world, would equate assurance to ‘audit.’ When I worked at E&Y I was often told that there can be no assurance without audit. This was coming from a financial mindset. Similarly, audits have certainly formed the backbone of environmental assurance for decades and in many ways it has been a big driver of performance improvement. But there can be, and needs to be, more to environmental and other ‘non-financial assurance than audits.

The application of EHS due diligence audits in the mergers and acquisition (M&A) process became almost standard practice many decades ago – providing assurance information relating to a buyer’s liabilities. Compliance EHS audits became routine practice in the 1980s, particularly for American corporates seeking assurance that their assets were operating within the law. Although the findings of such audits have often provided material input to negotiations, they have also been driven by a desire to demonstrate personal due diligence should a non-compliance, accident, or fatality end up with senior executives in court.

But due diligence and compliance audits can only ever provide snapshots of an industrial facility. From the 1990s we saw audits applied increasingly to underlying governance and management systems, as a means of providing assurance that there is an ongoing, systematic approach to complying with legislation and addressing risks.

So audit is an important tool to deliver or validate a range of assurance data – but it’s often not enough. I see assurance like a join-the dots picture. Ideally you would like the whole picture for every significant operational aspect asset you invest in or every supplier. But this is not available and would not be cost-effective to pursue. So you do the best you can with the tools and information available. Audit will join quite a few dots and in some cases that will build up enough of a picture for your purpose.

In other situations, though, different information sources can become valuable, e.g. routine operational and business performance data, employee surveys, whistleblower reports, supplier feedback, accident reports, management system certifications, completion of training programmes, media alerts and so on. In all cases, these are providing direct or indirect indicators of how well an asset is meeting, or likely to meet, expectations.

Emerging Markets ESG: Which standards are used in conducting assurance?

Paul Wenman: Since the 1990s a vast array of standards has emerged as the foundation of an enormous branch of the assurance services sector. There are standards relating to companies, products, public reports and supply chains.

There has been much focus on the ‘management system’ standards, whereby a systematic adherence to policies, performance standards, operational controls and monitoring regimes should deliver a set of objectives. The environmental management system standard, ISO14001, is probably the best known and most widely adopted of these. Although this still requires an audit programme, the label itself has become a measure of assurance, supposedly relieving the stakeholder of the need to read an audit report.

ISO14001 has achieved a certain status, much like the ISO 9000 series of standards for quality management. Many retailers and manufacturing brands now look for ISO 14001, or accept it, as a mark of environmental acceptability with suppliers. Many large corporates also use ISO 14001 internally as a way to outsource corporate environmental auditing across their international facilities.

Paul.Wenman@InvestAssure.net +44 7720 416363 Page 3

Standards have also emerged to provide assurance on other aspects of ESG, for example OHSAS 18001 for health and safety. Others have encompassed labour and community aspects of ‘CSR,” such as SA8000 (published by Social Accountability International). Additionally, various ‘codes of conduct’ have been published by non-profit groups such BSCI, ETI and industry associations such as apparel (WRAP), electronics (EICC), jewellery (RJC), mining (ICMM), palm oil (RSPO) and toys (ICTI), amongst others. These are all aimed at encouraging performance improvements across supply chains and delivering assurance to customers and stakeholders.

GRI has also become an assurance standard of sorts, in relation to the publication of sustainability reports. This sets out a framework of requirements and guidelines for scoping the content of such reports, collecting data and presentation. The assurance profession has had to respond to the associated challenge of auditing such reports in accordance with GRI. GRI itself has published its own guidance in this regard and makes reference to two further independent standards for conducting assurance. One is AccountAbility’s AA1000AS, which provides guidance on auditing against the AA1000 Principles Standard. This standard focuses on how a company’s internal management and external reporting responds to stakeholder concerns.

Another is ISAE 3000, which has been widely adopted by accountancies in particular for guiding assurance engagements of a non-financial nature. It is very generic and flexible and provides guidance on how to gather and review evidence and how to formulate an assurance statement. It provides for two levels of assurance, limited and reasonable. Invariably the limited option is chosen because it allows a company to limit the scope and depth of assurance activities in exchange for a limited statement.

However, in my view, this short changes the stakeholder who is looking for assurance. You have to carefully read these assurance statements to discover exactly which aspects of an organisation’s activities or performance have been audited, which report pages have been verified, and so on. It is also normal practice for such assurance statements to use the ‘double negative,’ such as ‘Based on the results of our procedures nothing has come to our attention that causes us to believe that the selected information included in the corporate responsibility report is not fairly stated, in all material respects, in accordance with the company’s reporting policies.’ How that is meant to re-assure any stakeholder I can not begin to imagine!

There are also however, several challenges for ISO14001, and other ‘management system’ standards. One is the emphasis on paperwork, which many certification companies rely upon as a base level template for their audits. Whole businesses have been set up to provide paper and electronic templates for ISO 14001. This has caused many companies to focus on having the ‘paperwork’ in place as a priority, over and above the governance structures, capabilities, technologies and processes which actually drive performance improvements.

The second challenge relates to actual performance. ISO 14001 requires legal compliance as a minimum, but beyond that there has been huge flexibility as to what levels of environmental performance are required. The latest version has tried to tighten up on that, but still, beyond legal compliance, you can’t really be sure what ISO 14001 says about a company or facility’s performance.

Emerging Markets ESG: Are there specific challenges in conducting assurance in Southeast Asia?

Paul Wenman: Yes, there are some aspects that present challenges. Business culture is generally less transparent, there is less accountability than we expect in western Europe. Data fabrication, fake documents and coached interviewees are common.

This is compounded at a practical level, because there is much more deference shown towards senior management. So it’s harder for a relatively junior local auditor to challenge on a potential non-compliance or suspected evidence of cheating. We also find that senior management assurances that corrective actions will be implemented can not be trusted so much.

Paul.Wenman@InvestAssure.net +44 7720 416363 Page 4

Perhaps the biggest problem, however, is corruption, which feeds non-compliant facilities with operating permits, which can buy the consent of influential community leaders and which can buy the sign-off of auditors and certifiers.

Emerging Markets ESG: How has the conduct of assurance developed during the past decade and which trends will influence the future?

Paul Wenman: The conduct of assurance has responded to the shifting recognition of what we want assurance to be, and what it can and can’t be. It should provide a level of confidence, comfort if you like, that what we are buying, whom we are buying from, whom we are investing in, or whom we are partnering with…. are meeting our expectations, which vary – whether that is environmental performance, labour conditions, community engagement, or some integrated measure of risk across such issues.

After the tidal wave of corporate auditing of suppliers against ‘compliance’ requirements, there has been a realization that auditing alone isn’t the answer, it’s just a tool to help measure status, incentivize improvements and report progress (hopefully). Unfortunately, too many audits against strict codes of conduct had started to create a pass/fail situation, which only served to encourage evasiveness and cheating in supply chain audits.

Progressive brands recognized this and started to run training programmes and to reward good performance, as well as penalizing bad performance. There has been a recognition that you can’t audit all suppliers all of the time and this has implicitly driven more of a risk approach – picking off the suppliers which are more critical in the value chain and working with them to improve performance, whilst maintaining an auditing programme to keep others on their toes.

Meanwhile, the emergence of SRI and the integration of ESG factors into funding and lending decisions have kicked off a different approach in the financial world. With no real experience of EHS or social auditing of manufacturing or industrial facilities, most financial institutions have been wary of the whole compliance audit approach to monitoring and assurance, relying instead on initial due diligence assessments and risk ratings, followed up with ongoing analysis of self-disclosed corporate reports and controversy monitoring. Very few ongoing audits are undertaken. Given that the financial world and retail/brand-manufacturing world seem to have similar ESG concerns, you have to wonder how such different approaches can co-exist.

I think the answer lies in how seriously the risks are perceived. Retailers and brand manufacturers are more directly exposed to emotive high street consumers and have more to lose. Many investors and lenders see ESG as more of a strategic opportunity than an operational risk. Only recently the aba, Germany’s pensions association, were quoted as saying ‘(ESG) factors have “taken a back seat …. the security of the investment that achieves the necessary return is more important for investors than ESG factor.’

I think the future will see the assurance world really catching up with the implications of the web. If we look at how fast news travels across the web and how easy it is for almost anyone to communicate now via social media, using just a phone, I think we will see web mechanisms appearing to facilitate multi-stakeholder monitoring and reporting of non-compliant, unethical or otherwise irresponsible business practices. Audits will continue to be important for rating governance and operational management systems. However, the ongoing performance of industrial and agricultural operations will be more visible via third party allegations – from employees, communities, NGOs, local media and so on.

There is already a huge amount of hard and soft data available on the web. InvestAssure is already working in this area. Since 2009 our NIMBUS service has been monitoring web media for allegations, commentary, incident reports and so on, to track about 7,500 companies across the Asia-Pacific region.