Embedding ESG

and sustainability
considerations
into the Three
Lines Model
 Contents

Introduction | 3

Executive Summary | 4

1 The Three Lines Model: A timely update | 5

2 The relationship between governance and future-proof

businesses | 7

3 Embedding sustainability and ESG considerations into business

practices | 9

4 The Three Lines Model: Roles and sustainability responsibilities | 14

5 Recommendations and key questions | 20

WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 2
Introduction
The world faces three main
global challenges:
the climate emergency,
the loss of nature and
growing inequality. Each
of these challenges poses
a threat to business, and
the events of the past
two years— a global
pandemic, geopolitical
instability, continued
extreme weather events
and the biodiversity crisis
— have demonstrated
the increasing
interconnectivity of our
operating environment.
There is a pressing need for
a mindset shift within the
business community to address
these challenges, build more
resilience and future-proof
organizations.1 Stakeholders’
expectations on businesses
are becoming increasingly
demanding and developments in
the regulatory landscape mean
that business needs to respond
with an actionable and practical
approach. In this volatile and
uncertain environment, there is
a need for effective governance
structures and processes to
enable the achievement of
objectives, which should include
key sustainability topics.
While climate change remains
firmly on the corporate agenda,
business efforts toward nature-
positive and equitable societies
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 3
are growing in importance.
There is no net-zero without
nature.2 When we speak with
CEOs and CFOs, the question
is no longer if they should act,
but how and if their businesses
should be part of the solution.
For this, organizations need to
embed practical and credible
approaches into their business
models and across their
supply chains.2 It is critical that
material sustainability issues
are embedded into business
decision-making processes and
that governance mechanisms
are in place to ensure effective
oversight of risk management
and controls.
In 2020, The Institute of Internal
Auditors (IIA) updated the
Three Lines Model to include
a principles-based approach
that adapts to organizational
needs.3 The model is grounded
in governance and amplifies
the need for robust risk
management and controls as a
fundamental part of governance.
It helps organizations to identify
the appropriate structures and
processes that best support
the achievement of business
objectives to create and protect
value for the organization.
Rodney Irwin
Chief Operating Officer,
WBCSD
In 2021, the World Business
Council for Sustainable
Development (WBCSD) and The
IIA established a collaboration to
leverage each organization’s
knowledge and expertise.
The resulting collaborative
guidance:
1. Considers how
environmental, social and
governance (ESG)-related
risks and opportunities
should be embedded into
the Three Lines processes
to ensure efficient and
effective risk management
and internal oversight; and
2. Offers practical suggestions
and examples for integrating
sustainability considerations
into the key roles and
responsibilities within the
Three Lines.
The intended audience of
this guidance document
includes corporate boards,
C-suite representatives
within large corporations,
and senior management
to provide information and
understanding on the role
of the respective lines in
overseeing the effectiveness
of risk management and
internal audit processes.
Anthony Pugliese
President and CEO,
The IIA
Executive Summary
In 2020, The IIA updated the
Three Lines Model to guide
organizations toward effective
governance, risk management
and internal controls. Since its
launch, the Three Lines Model
has helped organizations to
identify the appropriate roles
that could best support the
achievement of business
objectives while creating value
for the organization, and its
stakeholders.
The guidance in this document,
jointly drafted by WBCSD and
The IIA, highlights internal and
external factors that are driving
the integration of ESG and
sustainability into decision-
making. It provides suggestions
on how to bring these
considerations into the key roles
and responsibilities outlined
in the Three Lines Model,
such as the governing body,
management (first- and second-
line roles) and internal audit.
According to the revised version
of the Three Lines Model,
presented in this guidance, to
embed ESG and sustainability
considerations, all roles need
to work together to ensure
good governance and make the
business model future-proof.
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 4
• The governing body
oversees and establishes
governance mechanisms
that integrate the strategic
objectives with ESG and
sustainability considerations.
These governance
mechanisms make the
governing body more aware
and actively involved in the
company’s ESG reporting
strategy and the impact of
the business operations on
ESG issues. The governing
body is also in charge of
identifying and engaging
with a variety of
stakeholders affected by
company operations.
• Management develops
a multi-capital approach
accounting for all the
financial and non-financial
capitals that the company
business model requires to
ensure the effective
functioning of its operations.
The management also
oversees the delivery of the
materiality assessment,
which establishes the link
between the operations of a
company, their impact on
ESG issues and relevance to
key stakeholders.
The outcome of the
materiality assessment—
the double-materiality
matrix—shapes the ESG
risk management strategy
and helps the other roles
understand the evolving
context in which the
business operates.
• Internal audit, independent
from the governing body
and the management,
assures the reliability of
internal control processes
for ESG data disclosure and
reporting.
Due to the diversity of
governance models, roles and
organizations, each company
should decide how to apply
this guidance according to its
needs, strategic goals, culture,
resources and business context.
To make this guidance as widely
applicable as possible, the
recommendations provided
were driven by insights from
12 companies, practitioners
and regulatory bodies, who
participated in interviews that
have guided the content of this
report.
 1 The Three Lines Model:
A timely update
The IIA’s Three Lines Model
is recognized globally as a
critical resource in successful
governance. It helps
organizations identify structures
and processes to best manage
risks and achieve objectives,
including an organization’s
ESG-related risks. The model
establishes the three essential
roles that define governance at
its most basic: accountability,
actions and assurance. It also
identifies the three essential
players in governance: the
governing body, management
and internal audit.
Figure 1: The Institute of Internal Auditors Three Lines Model
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 5
First-line responsibilities
include providing products
and services to clients or
customers in compliance
with the requirements and
expectations set by the
second-line, who provide
oversight, advice and assess
and perform risk management
activities, challenging the first
line where required. These
roles and responsibilities are
the fundamental components
of governance supported by
a governing body that is truly
accountable for the actions it has
asked management to perform.
It must have assurance from
an objective and independent
source that what has been
asked has been accomplished.
Without that assurance, there
is no governance. The model
identifies internal audit as the
board’s source for objective
internal assurance, independent
of management. The internal
audit function can also play a
key role in supporting external
assurance through their reliance
and coordination.
The Three Lines Model is an
updated and enhanced version
of the well-respected Three
Lines of Defense.3
The model was renewed in July
2020 to clarify and strengthen
some foundational principles,
expand its scope, and explain
how key organizational roles
work together to facilitate
strong governance and risk
management. The name change
reflects a clarified focus. Instead
of acting as a purely defensive
tool—as the old name might
have implied—the model is
intended to reflect how an
organization’s structures and
processes should be designed
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 6
to look ahead rather than simply These timely changes enhance
reacting to circumstances. It also the model’s value to incorporate
underscores how the internal sustainability considerations,
audit function’s role goes well while guiding businesses toward
beyond identifying concerns and becoming more resilient and
encompasses forward-looking future-proof.
advice and consultation on key
issues.3
The current model also better
illustrates the board’s and
internal audit’s integral roles in
risk considerations and how all
three lines interact. It includes
an updated concept of risk and
better defines responsibilities of
management, internal audit and
those charged with governance
and their interactions.
 2 The relationship between
governance and future-
proof businesses
In 2021, WBCSD updated Vision
2050, which sets a framework
for action towards a world in
which more than 9 billion people
can live well, within planetary
boundaries, by mid-century.a
This vision is still within reach,
but we have to act faster and, in
the decade ahead, all businesses
need to embed sustainability
into all aspects of their systems,
processes and practices to turn
this vision into reality.
Governance is one of
those key processes where
significant evolution is required.
Governance is defined as the
set of processes that ensure
the overall effectiveness of an
organization,4 and it must include
oversight of risk management,
controls and disclosure. In the
context of Vision 2050, however,
it must include governance
of ESG-related issues, as
well as broader sustainability
considerations.
Effective governance builds
stakeholders’ confidence and
trust that a company’s decisions,
actions, and outcomes can
address priorities and achieve
the organization’s corporate
purpose.5 The purpose of
business is defined by Professor
Colin Mayer as ”to produce
profitable solutions to the
problems of people and planet,
and not to profit from producing
problems for people or planet.”6
a “
Living well” means that everyone’s dignity and rights are respected, basic needs are met, and equal opportunities are available for all.
And “within planetary boundaries” means that global warming is stabilized at no more than +1.5°C, and natural systems are protected, restored,
and used sustainably. It also means that societies have developed sufficient adaptive capacity to build and maintain resilience in a healthy and
regenerative Earth system.
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 7
Having a purpose and business
model that demonstrates a
company’s contribution to
people, profit and planet means
that boardroom decision-making
can support the long-term
success of the organization.7
The Three Lines Model helps
organizations consider the
roles needed for effective
governance and management
of material ESG topics as well as
broader sustainability reporting.
It encourages a deeper
understanding of these roles
and how they work with each
other to support organizational
success. Organizations can
better determine the most
appropriate structures for
their own needs, applying the
model in conjunction with their
particular considerations—
goals, circumstances, culture,
resources—as the foundation
necessary to manage risk.
To make a business resilient
and future-proof, those risks
need to be managed against a
continually evolving backdrop.
A future-proof business
strategy8 connects to scientific
and social consensus on
progress towards a net-zero
and nature-positive economy.
An inclusive approach
that considers value to all
stakeholders is fundamental
to a company’s social license
to operate. Failing to take into
account ESG-related risks
and opportunities may impact
an organization‘s strategic
resilience.
At the same time, business
models need to reflect and
account for a company’s risk to
and from ESG-related issues,
adopting a double materiality
approach (non-financial
reporting in addition to financial
reporting - see Figure 2).9 To
achieve this, companies need to
consider the changes required
within their existing business
processes to better embed ESG
into their operations.
In the context of the Three
Lines Model, this means that
all roles are working together
to collectively contribute to the
creation and protection of value
when they are aligned with each
other and with the prioritized
interests of stakeholders.
The transition to a future-proof
business will require new natural
resource relationships as part
of the business model. Nature
must be considered alongside
climate, and should be seen as
business critical when it comes
to managing risks and identifying
opportunities for long-term
equitable and sustainable
growth.
Understanding these ESG-
related risks and opportunities
will require companies to have
robust internal and external
relationships and to ensure that
the quality of those relationships
supports a business in its value
creation process. This guidance
will support companies in this
process, and illustrates how to
embed sustainability and ESG
considerations into business
practices.
Figure 2: Double materiality perspective

MATERIALITY

DOUBLE MATERIALITY

Double materiality perspective is an extension of the key accounting concept of materiality. The double materiality concept
proposes that companies should consider reporting on sustainability issues (e.g. climate-related information, where they may affect
the financial performance of the company AND information should be reported for an understanding the external impacts of the
company).

Source: Graphic adapted from “Double materiality: what is it and why does it matter”, Grantham Research Institute on Climate
Change and the Environment, April 2021.10

WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 8
 3 Embedding sustainability
and ESG considerations
into business practices
Sustainability presupposes an
inside-out lens as it describes
how organizations impact
society and the environment.
Sustainability is used as an
umbrella term for how an
organization can operate within
environmental thresholds
and planetary boundaries.
Sustainability initiatives can
include a company’s efforts
to reduce its impact while
creating value on the external
environment (e.g., responsible
sourcing or regenerative
agriculture).
Environmental, social
and governance (ESG)
considerations presuppose an
outside-in focus on how ESG
issues (e.g., climate change)
impact the company and its
value by posing new risks,
threats and opportunities.
ESG considerations are data-
driven and inform stakeholders
on the value of a company
by quantifying the impact
of ESG issues on financial
performance.11 ESG is used
when considering ESG-related
risks and the integration of these
material topics into key business
processes.
To understand how ESG and
sustainability considerations
are currently embedded into
business practices and the roles
set out in the Three Lines Model,
WBCSD and The IIA conducted a
series of interviews with leading
companies and experts. The
insights from these interviews
are included throughout this
report and have informed the
recommendations for
companies to evolve their
processes.
b
There are several behavioral change models available for organizations to implement. The most common push factors (resources, and internal and
external triggers) are inspired by: Crawford Hollingworth and Liz Barker, “Behavioural Change Models: An overview of the two best behavioural change
models and how to apply them”, The Behavioural Architects, 2020.
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 9
The interviews highlighted
several factors that contribute to
the extent to which a company
integrates ESG and sustainability
considerations in its decision-
making processes. These factors
are discussed in the following
sections of the report and
include:
1. Corporate culture and
behavior change
2. The maturity of an
organization
3. The evolving regulatory
and voluntary disclosure
landscape
4. Net-zero and nature-positive
commitments
5. Pressure from investors and
other stakeholders
6. Trust and reputation
Embedding ESG and
sustainability considerations
into business practices is
also an opportunity. Leading
companies have now realized
that acting on nature is a chance
to win trust with customers, civil
society and investors. Major
investors are also pledging to
eliminate deforestation from their
portfolios by 2025; nature action
demonstrates mitigation against
significant risk exposure and
lowers the cost of capital.12
1. Corporate culture
& behavior change
Corporate culture refers to
the set of beliefs, behaviors
and business practices that
altogether establish how an
organization engages with
external actors, manages
outside business transactions,
and defines its attitudes towards
ESG-related risks.13
Corporate purpose and culture
are equally important, as
they show leadership while
characterizing the extent to
which the leadership values
and remunerates ESG
performance within the
operations of an organization.
Changing an established
corporate culture can be
challenging from a governance
perspective as it involves
reviewing consolidated
behaviors across different
corporate roles and levels.
Insights from the interviews
highlight that there are both
internal and external drivers
that can ensure the behavioral
change necessary to develop
a corporate culture rewarding
ESG performance.b
Internally, the push towards
behavioral change can be a top-
down or a bottom-up process. It
is a top-down process when the
governing body directly leads
the integration of ESG
and sustainability considerations
as part of the corporate
strategy. For example, when an
organization acknowledges that
climate change is a key risk for
its operations, managing material
ESG issues becomes part of
the corporate strategy, and
sustainability part of the culture
of the company.
The behavioral change process
can be bottom-up, however,
when management first- and
second- line roles highlight
new and emerging ESG-related
risks and opportunities that
should become part of the
corporate strategy. For example,
an organization might take a
proactive approach to identifying
ESG-related risks rather than
reacting and managing them as
they occur. Management has a
role to play here in developing
and implementing the necessary
processes.
Externally, pressure can come
from various sources, as outlined
in the following sections.
These factors external to the
organizations continue to drive
the need for behavior change
within the organization, ultimately
resulting in a corporate culture
that values and promotes
sustainability and ESG
considerations.
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 10
These push factors, internal
and external, are not mutually
exclusive but can lead to the
desired behavioral change
supporting a corporate culture
linked to ESG performance. The
governing body can ensure that
the corporate culture includes
practices, resources and
processes allowing management
to challenge the status quo,
highlight new ESG-related risk
trends and ensure relevant skills,
competencies and transfer of
knowhow within an organization.
2. Maturity of an organization
For many companies,
embedding sustainability and
ESG considerations within
their organizations presents
both a challenge and an
opportunity. This means that
often companies are at different
levels of maturity when it comes
to integrated business practices.
This maturity can be measured,
for example, by identifying where
responsibility and accountability
for sustainability sits within the
organization,4 the alignment
between ESG material topics
and risk factors14 (See Figure 3),
quality of ESG disclosure15 as
well as governance mechanisms
and processes to oversee
and manage this integration.7
The interviews that we
conducted with companies
provided interesting
perspectives on
maturity levels:
1. According to some
organizations, there is a
perceived risk of first-mover
disadvantage in integrating
ESG and sustainability
issues into governance, risk
management and disclosure.
For example, disclosure of
impacts and dependencies
on sustainability factors
could present threats to
competitive advantage.
The extent to which
companies choose to
pursue these opportunities
and mitigate risks will largely
be determined by the
corporate culture.
2. For complex organization
structures, for example
organizations operating
across different regions
and sectors with multiple
business units, ESG and
sustainability integration
requires more complex
governance processes
and resources. More granular
ESG disclosure and the skills
to prioritize ESG-related risks
will vary depending on the
local contexts.
3. For companies that are
more advanced on their
sustainability journey,
being a first-mover on
ESG disclosure was seen
as less of a concern because
integrated strategies,
governance processes
and other internal decision-
making systems were in
place to ensure confidence
and reliability of any ESG
disclosure.16
Figure 3: The level of alignment between sustainability disclosures and risk factors is one way to assess
the level of ESG integration
Source: Sustainability and Enterprise Risk Management: the first step towards integration. Full text available here
3. The evolving regulatory
and voluntary disclosure
landscape
The 10-fold increase in
ESG reporting requirements
between 1992 and 2017 has,
unsurprisingly, led to calls from
businesses and investors
alike for greater alignment
and consolidation of the ESG
reporting space.17 These calls
for consistency and alignment
have been heeded by global
standards setters. In the past
few months, the International
Sustainability Standards Board
has issued two exposure draft
standards for consultation,18
the United States Securities
and Exchange Commission
(SEC) has issued a proposed
climate disclosure rule,19 and
the European Commission,
through delegated responsibility
to the European Financial
Reporting Advisory Group
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 11
(EFRAG), has issued interim
drafts for public consultation on
European sustainability reporting
standards.20
Much of this activity draws on
the existing work of voluntary
reporting organizations such
as the Task Force on Climate-
Related Financial Disclosures
(TCFD), the Sustainability
Accounting Standards Board,
the Global Reporting Initiative
and others.
These new mandatory reporting
standards are being driven by
the increasing recognition by
regulators and others for the
need to build a common ground
for disclosure to ensure effective
communications of ESG-relevant
information between corporates
and investors. Capital markets
need decision-useful and reliable
information around companies’
strategic sustainability risks and
opportunities to understand their
short, medium and long-term
value creation.
In addition to climate-related
financial disclosures, there
is strong market momentum
towards including “nature
positive” in corporate
disclosures through the work
of the Taskforce on Nature-
related Financial Disclosures
(TNFD). The TNFD’s beta
framework requires disclosure
of businesses’ nature-related
risks and opportunities using
the same four pillar approach
as the TCFD – governance,
strategy, risk management and
metric & targets – that has been
widely accepted and adopted by
business and financial markets.21
4. Net-zero and nature-
positive commitments
Against this evolving regulatory
landscape and the shifting
operating environment,
businesses are under pressure
to set net-zero and nature-
positive commitments.
For example, WBCSD updated
its membership conditions in
2021 to require members to set
an ambition to reach net-zero
greenhouse gas emissions
no later than 2050 and create
ambitious, science-informed
goals that contribute to nature/
biodiversity recovery by 2050.22
The United Nations Race to Zero
campaign also urges companies
to commit to science-based
emissions-reductions targets,
but net zero commitments
will not be achieved without
factoring in action on nature,
too. A total of 70% of net-zero
goals from governments and
businesses are considered
unachievable without ending
deforestation23 within the
decade and protecting the
marine life that absorbs up to
30%24 of global carbon today.
At COP26, the launch of the
Glasgow Climate Pact saw all
parties agreeing to focus on
driving action across climate
mitigation, adaptation, finance
and collaboration.25 In parallel,
over 100 leaders reaffirmed
their commitment to sustainable
land use, and the conservation,
protection, sustainable
management and restoration of
forests and other ecosystems.25
c
Full text available at: https://www2.deloitte.com/global/en/pages/operations/articles/deloitte-cxo-sustainability-report.
html?id=mt:2or:3pr:4cxosurvey2022:GC1000053:6oper:20220118:pressrelease
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 12
These increasing levels of
scrutiny mean that it will not
be sufficient to make net-zero
commitments in isolation.
Companies need to consider
how to embed action on
climate and nature into their
business practices and drive
action down their supply
chains. Commitments must
be supported by coherent
strategies with interim
targets to measure progress.
Governance structures and
board responsibilities will need to
be reconfigured to include more
complex ESG information and
corporate ESG disclosures will
need to be transparent and have
high levels of external assurance.
5. Pressure from investors
& other stakeholders
In his 2022 letter to CEOs,
BlackRock Chairman and CEO
Larry Fink focused on investment
considerations when he said,
“We focus on sustainability not
because we’re environmentalists,
but because we are capitalists
and fiduciaries to our clients.”26
The demand from investors is
clear. In a recent PwC Investor
Survey, 79% of respondents
highlighted ESG risks and
opportunities as an important
factor in decision-making,
but only 33% believe that the
current quality of reporting is
on average good.27 Ceres has
urged corporate boards “to
systematically and explicitly
oversee environmental, social
and governance (ESG) risks in
order to keep their businesses
resilient in the face of growing
global climate and water
crises.”28
The board has a critical role to
play in challenging management
and should encourage the
integration of financial and
non-financial information so that
stakeholders can be provided
with investment grade data. But
the board in its oversight role
should look beyond the views
of shareholders and consider
its responsibility to understand
stakeholder views firsthand
to better inform boardroom
decision-making.25
Research conducted by
WBCSD and DNV highlighted
that corporate culture is one
of the key barriers to effective
stakeholder engagement,
as in many organizations the
governing body does not consult
directly with a diverse pool of
stakeholders or does not engage
with them at all. Management
can support the governing
body in this task; for instance,
by establishing governance
mechanisms to formalize
operational relationships
between the governing body
and groups of stakeholders.29
6. Trust & reputation
Building and maintaining
trust and confidence with
stakeholders is necessary
to ensure that business and
investor decision-making
can rely upon the information
exchanges that take place.
In Deloitte’s 2022 CxO
Sustainability Report: The
Disconnect Between Ambition
and Impactc, 97% of
respondents said their
companies had been negatively
affected by climate change,
including about half who saw
impacts on operations such as
disruptions to business models
and supply networks.
They also reported feeling
pressure to act on sustainability
concerns from a variety of
stakeholders, such as regulators,
shareholders, consumers, and
employees. The broad and
complex nature of sustainability
topics means that organizations
need to raise awareness
and build capacity to ensure
that multiple departments
understand how the business
could be impacted.
Board members’ personal
liability is another important
consideration that underscores
the urgency in this area.
d
Marchand v. Barnhill, 2019 WL 2509617 (Del. June 18, 2019)
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 13
In its 2019 ruling in Marchand,
the Delaware Supreme Court
referred back to the pivotal
Caremark case, stating that,
“If Caremark means anything,
it is that a corporate board must
make a good faith effort to
exercise its duty of care.
A failure to make that effort
constitutes a breach of duty
of loyalty.”d
Failure to uphold the board’s
duty of care can pose a wide
variety of risks for not only the
organization but also for boards,
a risk that directors should be
aware of.
There continues to be an
increase in ESG-related litigation
against both companies and
in some cases directors,
particularly on climate
change matters and net-zero
commitments, but also supply
chain and human rights issues,
and informal ESG disputes
on disclosed information and
allegations of greenwashing.30
Addressing sustainability is
no longer a “nice to have”, it is
a critical business issue that
should be rolled into the broader
corporate governance, risk
management, disclosure and
accountability frameworks of the
company. It is thus imperative
that directors understand the
nature of their fiduciary duties
and take advice in circumstances
where they are in doubt.7
 4 The Three Lines Model:
Roles and sustainability
responsibilities
The Three Lines Model
identifies clear processes and
roles to guide organizations
towards good governance. An
organization that relies on good
governance can identify, assess
and prioritize ESG-related risks
to inform decision-making.
Figure 4: Key actions for the Three Lines Model roles in sustainability and ESG considerations
Governing body
Governing body roles:
Establish governance
mechanisms
Oversee ESG reporting
strategy
Engage with stakeholders
All roles, governing body,
management, and internal audit,
work in close collaboration to
ensure feedback loops. Each role
is described in detail below.
1. Role of the governing body:
governance mechanisms
The governing body, including
the board of directors, defines
organizational objectives, as
well as appropriate structures
and processes for effective
governance. The governing
body aligns the organizational
objectives with the ESG issues
that stakeholders prioritize,
setting the direction and defining
a corporate purpose that
includes broader sustainability
considerations. Specifically,
this can be achieved when
the governing body oversees
governance mechanisms that
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 14
This section considers
how sustainability and ESG
considerations can be integrated
and embedded across the three
roles outlined in the model:
governing body, management,
and internal audit.
Management
Management roles:
Develop multi-capital approach
Undertake materiality
assessment to inform ESG risk
management
Oversee ESG data quality
and reporting
include sustainability and ESG
considerations; ESG reporting
strategy and engagement with
stakeholders.
1.1 Establishing governance
mechanisms that include
sustainability and ESG
considerations
Many companies have
chosen to establish formal
governance mechanisms to
oversee sustainability and ESG
considerations. This may be a
dedicated committee,
including members from the
board, or placed under the
responsibility of an existing
committee; for example risk
management or audit. There is
a relationship between the
internal audit function and audit
committees which presents an
opportunity to leverage the
oversight responsibilities.
Within the Three Lines
Model, ESG and sustainability
considerations can be integrated
as described in the visualization
below.
Internal audit
Internal audit roles:
Test internal controls and assure
accuracy of ESG data
Anticipate ESG disclosure
regulations
Interact regularly with other lines
1.2 Overseeing ESG reporting
strategy
The governing body also has
responsibilities to oversee the
ESG reporting strategy, make
strategic integrated reporting
decisions and adopt policies
and processes that allow for
strengthened governance
through risk management and
internal controls.31
The governing body has an
important role in developing a
narrative around ESG data and
indicators in line with the
corporate culture and purpose,
to signal to stakeholders a
strong commitment to ESG
and sustainability
considerations.
Sustainability management has
the necessary ESG knowledge to
integrate the right ESG indicators
into the business strategy and
convey evolving ESG-related risk
trends to the governing body.
The Three Lines Model
provides clarity on the roles
and responsibilities of the
different parties when it comes
to executing an integrated
approach to risk management,
internal controls, disclosure and
assurance to ensure that value
is created and protected within
an organization.31 When the
governing body understands
and oversees how the three
roles can contribute to a
resilient business model, there
are clear expectations on how
each role can contribute to an
organization’s external reporting
and assurance processes.
1.3 Engaging with stakeholders
Compared to other roles,
management and sustainability
departments are traditionally
more engaged with an
organization’s stakeholders.29
The relationship between
the governing body and
stakeholders may occur
through annual general
meetings, reports from
management or through
advisory groups, panels or
forums. However, stakeholder
engagement should be
a crosscutting activity
that percolates up to the
governing body. When the
governing body regularly
engages with stakeholders,
and vice versa, both have a
mutual understanding of the
expectations and the exposure
of an organization to ESG-related
risks.
The integration of ESG issues
within a sustainable business
model and a materiality
assessment is therefore
dependent upon stakeholder
engagement. When engaging
with stakeholders, the
governing body should be
aware of both the inclusivity
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 15
and intersectionality of the
stakeholders that are material to
the organization.
1.3.1 Stakeholder inclusivity:
Diversity between groups
The governing body should
ensure that the pool of
stakeholders is as inclusive
as possible. An organization
should first define and quantify
the impacts that its operations
have on different ESG issues
(e.g., climate change, ecosystem
degradation, water scarcity)
and then map dependencies
between each ESG issue
and one or more groups of
concerned stakeholders.
Mapping these dependencies
allows the organization to
understand how ESG-related
risks can propagate based on
their level of interconnectedness.
A stakeholder-inclusive
approach may include NGOs,
local communities, customers,
employers and suppliers.
1.3.2 Stakeholder
intersectionality: Diversity
within groups
Stakeholder intersectionality
can simultaneously encompass
society, nature capital and
actors from diverse cultural,
regional, and socio-economic
backgrounds that the operations
of a company directly and
indirectly affect.32
The intersectionality principle
allows the governing body to
ensure diversity within the same
group of stakeholders.
For instance, when identifying
NGOs impacted by the
operations of an organization,
a governing body can include
both international NGOs as
well as others advocating
for the rights of local
communities or operating
in different socio-economic
environments. In addition, to
ensure intersectionality, the
governing body can rely on
stakeholder and advisory
groups, such as trade unions or
groups representing different
local communities whose jobs
rely on the operations of a
company. Stakeholder groups
selected under the principles of
inclusivity and intersectionality
allow an organization to have
a more in-depth look at and
understanding of the context in
which it operates, minimizing and
anticipating ESG-related risks.
An effective stakeholder
engagement strategy,
coordinated by the governing
body, paves the way for the
materiality assessment.
2. Role of the management:
developing an integrated
approach to ESG risk
management
Management oversees the
achievement of organizational
objectives and can include
both the first- and second-line
responsibilities for specific ESG
tasks. First-line management
roles are directly aligned
with the delivery of products,
services and overall support
to the organization to identify
ESG-related issues that the
operations of an organization
affect.
Second-line management roles
are responsible for specifically
assisting in ESG-related risk
management. Second-line
roles can focus on certain
components of ESG-related
risk management, such as:
compliance with laws or new
ESG disclosure regulations;
internal control; and ESG issues
of quality assurance (internal and
external).
Alternatively, in some
organizations, second-
line roles may oversee a
broader responsibility for risk
management, such as the
development of enterprise risk
management (ERM)3 (pp.3-4).
Under the Three Lines Model,
management oversees the
following roles: i) developing
a multi-capital approach;
ii) developing a materiality
assessment to inform ESG-
related risk management; and
iii) ESG data quality, internal
controls and reporting.
2.1 Developing a multi-capital
approach
Traditionally, management
measures an organization’s
value through financial and
economic capital. Financial and
economic capital relates to easily
quantifiable assets that the
organization directly controls. In
addition, the growth of financial
capital can reassure current
and potential investors on the
stability of an organization.
Financial and economic factors
are not the only flows of capital
that management should
account for. Many organizations
opt for a multi-capital approach,
which accounts for “the active
consideration by an organization
of the relationships between its
various operating and functional
units and the capitals that the
organization uses or affects.”33
Under this multi-capital
approach, the management of
an organization defines,
quantifies and establishes the
relationships between physical
and intangible capitals that the
business model requires to
ensure the proper functioning of
the operations of an organization
and their impacts on ESG issues.
A multi-capital approach could
also enable a company to assess
their impacts and dependencies
e
Note: In November 2020, the IIRC and the Sustainability Accounting Standards Board announced their intention to merge into a Value Reporting
Foundation which was officially formed in June 2021. In November 2021, the IFRS Foundation has announced the consolidation of the VRF and the
Climate Disclosure Standards Board into the IFRS Foundation. The IFRS maintains the Integrated Reporting Framework under its responsibilities:
https://www.ifrs.org/news-and-events/news/2022/05/integrated-reporting-articulating-a-future-path/
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 16
on stocks and flows of capital
(e.g. nature), which in turn will help
them to understand
the effectiveness of their
sustainability efforts.34
The IIRC (International Integrated
Reporting Council)e developed a
6-capital integrated framework
that helps management in this
task.4 Moving from traditional
management processes to
integrated ESG management
requires good knowledge of
management practices and a
refreshed mindset based on
integrated thinking. An integrated
thinking mindset means
that an organization moves
from a narrow focus on the
maximization of financial capitals
and assets to basing business
decisions on the relationships
between multiple capitals, both
tangible and intangible.33
Adopting an integrated thinking
approach can support:
• An adequate identification of
ESG-related risks
• A deep understanding of the
macro-context in which the
organization operates
• The value creation of an
organization in the short,
medium, and long term.
2.2 Developing a materiality
assessment to inform ESG
risk management
The materiality assessment
prioritizes ESG issues against
two aspects: 1) importance to
stakeholders; and 2) impact on
the organization. The double
materiality matrix, the outcome
of the materiality assessment,
is a valuable tool to rank ESG
issues and priorities in relation
to key operations of the
organization.
The more inclusive and diverse
the pool of stakeholders is, the
more reliable the materiality
assessment is in capturing
ESG-related risks, because it
helps identify and prioritize ESG
issues in terms of how a risk
threatens the achievement of
an organization’s strategy and
objectives.4
The materiality assessment
process will also guide the
disclosure of ESG data, as
it helps to align relevant
ESG material topics with the
corporate strategy and should
be considered an important
crosscutting tool to which all
roles in the Three Lines Model
(governing body, management,
internal audit) can contribute.
 Best practices in materiality assessments
Materiality assessments are most effective and meaningful when they:
1. Indicate a clear purpose
2. Articulate time horizons and review cycle
3. Compare results over time
4. Articulate perspectives used
5. Include and consider a thorough analysis of stakeholders
6. Account for divisional and regional differences
7. Score topics on multiple aspects
8. Identify ESG risks associated with each material topic
9. Ensure high-quality information and support assurance

Adapted from: WBCSD, Erasmus School of Economics The Reality of Materiality: Insights from real-
world applications of ESG materiality assessment, 2021. Full text available here

Traditional methods of assessing
and prioritizing risks consider
impact and likelihood criteria, but
there are alternative quantitative
and qualitative techniques to
integrate ESG-related risks
so that the most appropriate
risk response is implemented.
These techniques, such as risk
scenario analysis, combine
the likelihood of an ESG risk
happening with future trends
or expected environmental
developments.35 In addition to
ESG scenario analysis, mapping
the interconnectivities of risks
and how they influence each
other gives insights into the
speed of their impacts, and the
diffusion of risks across the
different operations, upstream
and downstream, that the
organization manages.36
The interviews confirmed that
good governance practices
are critical in overseeing and
ensuring that management
understands the potential
impacts of ESG issues and
risks on the achievement of
the organizations’ strategic
objectives.4 During the
interviews, some participants
highlighted that this has been
achieved by bringing together
different management functions;
for example, having sustainability
and financial risk management
work together to define an
integrated risk management
strategy, or to set the most
appropriate financial and non-
financial key performance
indicators (KPIs) and key
responsibilities areas (KRA).
Some companies have
dedicated sustainability
committees involving
management roles (financial
and non-financial), or involve
members of the board or internal
audit to provide oversight and
direction on all ESG issues. The
presence of these committees
is usually welcomed by risk
management roles, as these
meetings allow for regular
discussions on ESG issues
and their integration within the
corporate strategy.
When companies have clear
procedures to identify, measure,
control and report ESG-related
risks, they can also become
more resilient in volatile
operating environments.
For example, business units
may have a more granular
overview of the context in which
the company is operating at
a country level and be able to
identify ESG-related risks and
implement rapid risk responses.
This vital risk information can
roll up to the group level for
inclusion and consideration
in the enterprise-wide risk
management process.

WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 17
2.3 ESG data quality
and reporting
The interview participants
suggested that collecting high-
quality ESG data can be difficult
to achieve and the nature of ESG
issues means that impacts and
dependencies are often beyond
the operating boundaries of the
company. For example, Scope
3 emissions data may have
to be provided by suppliers
or industry averages.37 Some
companies also suggested
a lack of confidence in the
information collected as a
reason why companies opt for
lower levels of external
assurance on their sustainability
disclosures.
Ensuring a consistent approach
to data collection, reporting
and disclosure is necessary
to ensure that information is
decision-useful. Understanding
the people, processes and
systems within an organization
and how they can be governed
to ensure the validity and
reliability of data is critical to
improving the quality of ESG
information.
ESG data disclosure and
reporting should be a forward-
looking exercise guiding the
different roles towards ESG
integration, effective risk
management and stakeholders’
engagement. ESG disclosure
has to align with the financial
statements and the sustainability
report, because different
groups of stakeholders will look
for coherent and consistent
information to make informed
decisions.

Ensuring quality, validity and reliability in ESG data.

When determining which ESG data to use, how to collect and to aggregate them into indicators, it is
important to consider three factors: quality, validity and reliability. This is particularly important for new or
emerging ESG issues or risks. In assessing data quality, validity and reliability the management second-
line should ask the following questions:
1. Are the data of high enough quality to produce reliable results? Are these ESG data measuring what
an organization wants to measure (e.g., Scope 3 emissions, waste produced, electricity generated)
2. Are controls in place for internally collected data? Who oversaw the data collection process?
3. Are the data collected in accordance with an industry standard or an internationally recognized
standard?
4. Are there other open-source secondary data to challenge the model assumptions or triangulate
the results?
Management oversees these processes and may require regular training on ESG data disclosure,
as well as training on the research design of indicators to understand biases and validity issues in
measurement.

Source: COSO-WBCSD, Applying enterprise risk management to ESG-related risks, 2018. Full text
available here.

WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 18
3. Role of internal audit
– internal controls and
compliance
Internal audit is ideally placed
to help companies evaluate
opportunities, assess changes
to operations and reporting,
meet regulations, and be a
catalyst for innovation and
improvement for sustainability.
While current practice is varied,
internal audit does not routinely
take the lead when it comes to
ESG information. There is an
opportunity for the governing
body to recognize that internal
audit can add value to the
company and that integration
with the sustainability function
can move beyond compliance
and take a more active
approach to monitoring material
sustainability topics.
The internal audit function
also has close ties to the audit
committee, which provides
further opportunity for a
more integrated approach at
board-level. In light of evolving
regulatory developments in the
European Union, (the Directive
on corporate sustainability
reporting, and Directive on
corporate sustainability due
diligence) audit committees may
be responsible for “overseeing
sustainability reporting and
related processes to identify
information reported.”38
The internal audit and
sustainability functions have
the opportunity to anticipate
future ESG disclosure trends.
For example, internal auditors
can monitor the evolving
regulatory landscape and level of
harmonization between different
regulatory frameworks.
Internal auditors can also
test internal controls on ESG
disclosure and assure that
the ESG data are collected
consistently to guarantee
confidence in the data collection
process. The internal control
environment presents clear
practices to ensure two-way
communication and feedback
loops between management
and internal audit. The 2013
COSO Internal Control Integrated
Framework39 introduces
practices to establish an
effective internal control
environment, a set of standards,
processes and structures on
which an effective system of
internal control relies on. The
internal control environment
enables organizations to:
1) achieve strategic objectives,
2) provide reliable financial and
non-financial reporting to internal
and external stakeholders,
3) conduct their operations
efficiently and effectively,
4) comply with laws and
regulations, and 5) safeguard
their assets’ internal control
across the organization.39
Internal audit is independent
from management, to ensure
its objectivity, authority and
credibility. Internal audit provides
independent and objective
assurance and advice on
effective governance and ESG
risk management processes
and structures. The internal
audit function should be well-
resourced and positioned
to ensure integrity, trust,
transparency, compliance
and accountability. The IIA’s
International Professional
Practices Framework (IPPF)
includes globally recognized
standards and authoritative
guidance that drive high-quality
internal audit work.40
It achieves this through
the regular disclosure of
sustainability and financial
reports, guaranteeing disciplined
data collection processes, and
expertise on ESG indicators.
Internal audit reports its
findings to management and
the governing body to promote
and facilitate continuous
improvement.3

A well-resourced, appropriately positioned internal audit function is:

1. Accountable to the governing body
2. Free from interference by management in its planning and operations
3. Empowered to access all people, data, and resources needed to undertake its work
4. Free from responsibility for executive decision-making
5. Thoroughly knowledgeable about all aspects of the organization
6. Compliant with the International Standards for the Professional Practice of Internal Auditing

Source: COSO-WBCSD, Applying enterprise risk management to ESG-related risks, 2018.

Full text available at www.wbcsd.org/erm

WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 19
 5 Recommendations
and key questions
This table summarizes the recommendations for companies in integrating ESG and sustainability
considerations into the roles set out in the Three Lines Model. The key questions are intended to
stimulate conversation within and between the different roles on the extent that sustainability and ESG
considerations are integrated into existing processes and practices.
GOVERNING BODY
• Consider a multi-capital
approach to capital flows
• Undertake stakeholder
engagement to understand
RECOMMENDATIONS
sustainability impacts and the
link with the business model
• Consider stakeholder
diversity in any stakeholder
engagement activities
• Ensure the governing body
oversees risk management
• Ensure the internal audit
function is well-resourced
(ultimately may reduce costs
of external assurance)
To what extent is the governing
body overseeing ESG integration?
How is the governing body currently
engaging with the other functions
on material ESG issues? And what
could be improved?
KEY QUESTIONS TO ASSESS LEVEL OF
ESG/SUSTAINABILITY INTEGRATION
How is information on risks
provided to the governing body?
What are the current obstacles to
integrating ESG risks?
What role is corporate culture
playing in the organization? Does it
include ESG issues to achieve long-
term sustainability?
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 20
MANAGEMENT
• Undertake a materiality
assessment that informs
enterprise risk management
processes
• Bring sustainability and
finance functions together
to define integrated risk
management strategy
• Establish ESG data quality
and reporting alignment with
financial reporting cycles
How can management capture
and measure the impact of the
operations of a company on ESG
issues?
How can management ensure
that the ESG data is complete and
accurate?
How is operational vs strategic
management assessing and
prioritizing ESG risks?
What practices and policies
ensure that first- and second-
line management roles have a
holistic approach to ESG risk
management?
INTERNAL AUDIT
• Monitor reliability of ESG data
collection and internal control
processes
• Build knowledge of
sustainability and ESG impacts
of the company
• Ensure regular interactions
between internal auditors and
1st, 2nd line roles
How can internal audit work
with external auditors to provide
assurance on the reliability and
consistency of information?
What role can internal audit play in
helping the organization prepare
for non-financial disclosures by
advising and providing assurance
on structures, systems and
processes for decision-making and
reporting?
What controls ensure that
sustainability data is collected,
analyzed and reported in a way that
is useful to decision-makers?
What processes and policies are
adopted to measure, monitor
and report on progress towards
company commitments?
How can internal audit advocate for
an organizational shift in mindset
to integrate sustainability into
governance and operations?
Endnotes
1
WBCSD. WBCSD steps up the
course for systemic business
transformation. (2021).
2
WBCSD & WWF. WBCSD and
WWF join forces to accelerate
business action on nature, with
focus on deforestation and
overfishing. (2022).
3
The Institute of Internal
Auditors. The IIA’s Three Lines
Model: An update of the Three
Lines of Defense. https://www.
theiia.org/en/content/position-
papers/2020/the-iias-three-
lines-model-an-update-of-the-
three-lines-of-defense/ (2020).
4
COSO & WBCSD. Applying
enterprise risk management to
ESG-related risks. https://www.
coso.org/Documents/COSO-
WBCSD-ESGERM-Guidance-
Full.pdf (2018).
5 WBCSD & PwC. Enhancing
the credibility of non-financial
information: the investor
perspective. https://docs.
wbcsd.org/2018/10/WBCSD_
Enhancing_Credibility_Report.
pdf (2018).
6 Mayer, C. & Roche, B. Putting
purpose into practice: The
economics of mutuality. (Oxford
University Press, 2021).
7 WBCSD. Board Director
Resources.
8 WBCSD. Future Proof Business
Guide. https://www.wbcsd.org/
Programs/Redefining-Value/
What-does-stakeholder-
capitalism-mean-for-business/
Resources/Future-Proof-
Business (2021).
9 WBCSD. The state of
corporate governance in
the era of sustainability risks
and opportunities. https://
www.wbcsd.org/contentwbc/
download/6706/112571/1
(2019).
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 21
10
‘Double materiality’: what is
it and why does it matter?
Grantham Research Institute
on climate change and the
environment https://www.lse.
ac.uk/granthaminstitute/news/
double-materiality-what-is-it-
and-why-does-it-matter/.
11
Pollard, D. & Bebbington,
J. ESG and sustainability –
different but related ideas.
12
COP26. COP26 roundup:
Investors make commitment
on deforestation. (2021).
13
Freeman, R. E., Martin, K.
& Parmar, B. The power of
and: responsible business
without trade-offs. (Columbia
University Press, 2020).
14
WBCSD. Sustainability and
enterprise risk management:
The first steps towards
integration. https://www.
wbcsd.org/Archive/Assess-
and-Manage-Performance/
Resources/Sustainability-and-
enterprise-risk-management-
The-first-step-towards-
integration (2016).
15
Reporting matters 2021:
Time to Transform. https://
www.wbcsd.org/rm2021
(2021).
16
WBCSD. ESG Disclosure
Handbook. https://www.wbcsd.
org/Programs/Redefining-
Value/Redesigning-capital-
market-engagement/
Resources/ESG-Disclosure-
Handbook (2019).
17
WBCSD. Insights from the
Reporting Exchange: ESG
reporting trends. https://
docs.wbcsd.org/2018/02/
Reporting_Exchange_Report_
ESG_reporting_trends_2017.
pdf (2018).
18
International Sustainability
Standards Board,. IISB
delivers proposals that create
comprehensive global baseline
of sustainability disclosures.
(2022).
19
United States Securities and
Exchange Commission. SEC
Proposes Rules to Enhance
and Standardize Climate-
Related Disclosures for
Investors. (2022).
20
European Financial Reporting
Advisory Group. Sustainability
Reporting Standards.
21
Taskforce for Nature-related
Financial Disclosures. TCFD
Beta Framework v0.1. https://
tnfd.global/wp-content/
uploads/2022/03/220321-
TNFD-framework-beta-v0.1-
FINAL.pdf (2022).
22
WBCSD. WBCSD Membership
Conditions.
23
Jessop, S. UK climate tsar
urges companies to join Race
to Zero campaign. Reuters
(2021).
24
World Economic Forum.
Protecting the ocean is key to
fighting climate change.
25
United Nations & UK
Government. COP26 The
Glasgow Climate Pact. https://
ukcop26.org/wp-content/
uploads/2021/11/COP26-
Presidency-Outcomes-The-
Climate-Pact.pdf (2021).
26
Larry Fink. Letter to CEOs The
Power of Capitalism. (2022).
27
PwC. Global Investor Survey.
https://www.pwc.com/gx/en/
services/audit-assurance/
corporate-reporting/2021-
esg-investor-survey.html
(2021).
28
CERES. Running the Risk:
How Corporate Boards Can
Oversee Environmental,
Social and Governance (ESG)
Issues. https://www.ceres.org/
resources/reports/running-
risk-how-corporate-boards-
can-oversee-environmental-
social-and-governance (2019).
29
WBCSD & DNV GL. Boards and
their stakeholders: The state
of play. https://www.wbcsd.
org/Programs/Redefining-
Value/Making-stakeholder-
capitalism-actionable/
Governance-and-Internal-
Oversight/Resources/Boards-
and-their-stakeholders-The-
state-of-play (2021).
30
Latham and Watkins.
ESG Litigation Roadmap.
https://www.lw.com/
thoughtLeadership/ESG-
litigation-roadmap (2020).
31
International Federation of
Accountants & Institute of
Internal Auditors. Executing
the Board’s Governance
Responsibility for Integrated
Reporting. https://www.ifac.
org/system/files/publications/
files/IFAC-IIA-Governance-
Responsibility-for-IR.pdf.
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 22
32
Hankivsky, O. Intersectionality.
The Institute for
Intersectionality Research &
Policy (2014).
33
Council (IIRC), I. I. R. Integrated
Thinking & Strategy State
of play report. https://www.
integratedreporting.org/wp-
content/uploads/2020/01/
Integrated-Thinking-and-
Strategy-State-of-Play-
Report_2020.pdf (2020).
34
Natural Capital Coalition.
Natural Capital Protocol.
(2016).
35
WBCSD. Climate Scenario
Analysis Reference Approach.
https://www.wbcsd.org/
Programs/Redefining-Value/
TCFD/Resources/Climate-
Scenario-Analysis-Reference-
Approach (2022).
36
WBCSD & KPMG. An
enhanced assessment of
risks impacting the food and
agriculture sector. https://
www.wbcsd.org/contentwbc/
download/13750/199446/1
(2021).
37
WBCSD & FSR Danish
Auditors. Guidance on
improving the quality of ESG
information for decision-
making Developing a roadmap
for companies. https://
www.wbcsd.org/Programs/
Redefining-Value/Making-
stakeholder-capitalism-
actionable/Assurance-
Internal-Controls/Resources/
Guidance-on-improving-the-
quality-of-ESG-information-
for-decision-making (2019).
38
Accountancy Europe.
ESG Governance
Recommendations for Audit
Committees. https://www.
accountancyeurope.eu/wp-
content/uploads/220412-
ESG-governance-
recommendations-for-audit-
committees.pdf (2022).
39
COSO. COSO Internal Control
Integrated Framework. https://
www.coso.org/Documents/
COSO-CROWE-COSO-
Internal-Control-Integrated-
Framework.pdf (2019).
40
The Institute of Internal
Auditors. International
Professional Practice
Framework.
DISCLAIMER
This publication is released in
the name of WBCSD and the
Institute of Internal Auditors. Like
other WBCSD publications, it is
the result of a collaborative effort
by members of the secretariat
and senior executives from
member companies. This does
not mean, however, that every
member company agrees with
every word.
ACKNOWLEDGMENTS
With thanks to 12 WBCSD
member companies and several
IIA volunteers who kindly
participated in the research
interviews that have guided the
content of this report.
This work was funded by the
Gordon and Betty Moore
Foundation’s Conservation
and Markets Initiative.
For more information,
please visit www.moore.org
WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 23
ABOUT IIA
Established in 1941, The
Institute of Internal Auditors
(IIA) is an international
professional association with
global headquarters in Lake
Mary, Florida, USA. The IIA is
recognized as the internal audit
profession’s leader in standards,
certification, education,
research, and technical guidance
throughout the world. Generally,
members work in internal
auditing, risk management,
governance, internal control,
information technology audit,
education, and security.
Globally, The IIA has more than
215,000 members in nearly 200
countries and territories. The
IIA in North America comprises
159 chapters serving more
than 70,000 members in the
United States, Canada, the
Caribbean (Aruba, Bahamas,
Barbados, Cayman Islands,
Curacao, Jamaica, Puerto
Rico, and Turks & Caicos),
Bermuda, and Trinidad & Tobago.
The IIA’s Audit Executive Center
provides chief audit executives
relevant and timely thought
leadership and connections to
peers for benchmarking and
sharing best practices.
The IIA has awarded 180,000
Certified Internal Auditor (CIA)
certifications. In addition
to the CIA, The IIA offers
the Certification in Risk
Management Assurance®
(CRMA®) and the Qualification in
Internal Audit Leadership®
(QIAL®) designations. IIA Quality
Services has helped hundreds of
organizations in various
industries around the world by
providing qualified audit
professionals, a global
benchmarking database, and a
repository of successful
practices.
www.theiia.org
Follow us on Twitter and LinkedIn
ABOUT WBCSD
WBCSD is the premier global,
CEO-led community of over 200
of the world’s leading sustainable
businesses working collectively
to accelerate the system
transformations needed for a net
zero, nature positive and more
equitable future.
We do this by engaging
executives and sustainability
leaders from business and
elsewhere to share practical
insights on the obstacles and
opportunities we face in tackling
the integrated climate, nature
and inequality sustainability
challenge; by co-developing
“how-to” CEO-guides from these
insights; by providing science-
based target guidance including
standards and protocols; and by
developing tools and platforms
to help leading businesses in
sustainability drive integrated
actions to tackle climate, nature
and inequality challenges across
sectors and geographical
regions.
Our member companies come
from all business sectors and all
major economies, representing a
combined revenue of more than
USD $8.5 trillion and 19 million
employees. Our global network
of almost 70 national business
councils gives our members
unparalleled reach across the
globe. Since 1995, WBCSD has
been uniquely positioned to
work with member companies
along and across value chains
to deliver impactful business
solutions to the most challenging
sustainability issues.
Together, we are the leading
voice of business for
sustainability, united by our vision
of a world where 9+ billion people
are living well, within planetary
boundaries, by mid-century.
www.wbcsd.org
Follow us on Twitter and LinkedIn
Copyright
Copyright © WBCSD, July 2022.
World Business Council
for Sustainable Development

Geneva, Amsterdam, Beijing, New Delhi, London, New York City, Singapore

www.wbcsd.org

WBCSD & IIA – Embedding ESG and sustainability considerations into the Three Lines Model 24