Right-sized governance and internal controls

After my first blog post on internal controls and governance over sustainability information I received questions on right-sizing the steps for where an organization is on the maturity curve.

These are great questions, because it can be a mistake to try to implement “best-in-class” governance and controls over sustainability reporting before an organization is operationally ready, or worse, the organization does nothing because the gold standard feels overwhelming.

Effective sustainability governance is not about perfection on day one.
It is about building the right level of structure, accountability, and control for where your organization is today, while intentionally designing for where you are going tomorrow.

Just as financial reporting evolved over decades, sustainability information systems must mature in phases.

Let’s walk through what right-sized sustainability governance and controls look like across a typical maturity scale, starting from foundational, moving to developing, and finally mature. Your organization may also be at a different level of maturity for different sustainability metrics.

Keep in mind that the maturity level your organization needs to reach depends not just on size but on risk exposure. Typically, privately held SMEs, organizations with low regulatory pressure, or organizations that started reporting for values-driven reasons will sit lower on the risk exposure scale.

Foundational

Right-sized governance at this stage is intentionally practical and management-level; it does not yet require full board-level oversight of detailed metrics. Data ownership should be clearly assigned at the operational level (e.g., the Facilities Manager owns utility consumption data; the Fleet Manager owns fuel data; HR owns headcount data), with one centralized coordinator (often someone in sustainability, finance, or strategy) responsible for consolidating, documenting methodologies, and maintaining version control. For further information on what data ownership looks like at the operational level, see the related blog post here. At this stage governance and internal controls are typically focused on a few key metrics important to the organization.

Accountability typically rolls up to a senior management sponsor (such as a CFO, Controller, or VP Operations) who reviews high-level results for reasonableness and completeness. However, unless the numbers are included in regulatory filings, required for public commitments, or deemed a material risk, the CFO or senior leadership may not formally sign off. The board’s role at this stage is usually limited to awareness rather than active oversight, unless climate risk is already strategically material (see the related blog post on methodology, where the first step is determining the purpose for collecting this data).

Internal controls in a foundational stage focus on clarity over complexity: documented calculation methods (even if simple), defined reporting timelines, evidence retention (invoices, utility bills, fuel logs), a basic independent review (someone other than the preparer performs a reasonableness check), and clear sign-off. The objective is not sophisticated automation or segregation of duties at scale but ensuring that sustainability data is owned, traceable, consistently calculated, and reviewed by accountable management before it is shared externally or used for decision-making purposes.

Controls should concentrate on completeness (how do we ensure all in-scope data sources are included in our calculation?) and consistency (ensuring data is calculated the same way each period so results are comparable over time).

Right-sized governance at this stage includes:

  • Clear data ownership for each metric (e.g., the Fleet Manager owns fuel data, Facilities owns utilities)
  • Basic documentation of calculation methods and assumptions
  • A simple review process (someone independent checks completeness and reasonableness, for example whether emission factors are current and how often they are updated)
  • Version control and an audit trail for data changes (for example, are the formulas that calculate emissions locked?)

At this stage, ownership, documentation, and review are your best friends on the path to strong governance over sustainability information.

Foundational: example

Consider a mid-sized retail company beginning to track its greenhouse gas emissions. In the foundational stage, the company assigns responsibility for key data sources. The facilities team gathers utility bills across stores, and its logistics team tracks fuel usage for distribution. A sustainability lead consolidates this information in a centralized spreadsheet using a simple, documented emissions methodology. There may still be gaps or estimates, but assumptions are noted and applied consistently. Finance or a senior manager performs a high-level reasonableness check, comparing results to prior periods or operational activity (e.g., number of stores or delivery volumes). The process is manual, but the organization now has a clear line of sight into its data, with ownership, documentation, and basic review in place to support internal discussions.

For Scope 3 data, which tends to be the most complex, the company should start simple and be pragmatic, focusing only on the most relevant Scope 3 categories, likely purchased goods and services, upstream transportation, and business travel. Rather than chasing perfect data, it uses high-level, spend-based estimates (e.g., applying emission factors to procurement spend or freight costs). Data is pulled from existing systems like accounts payable or expense reports, with finance often playing a key role in extracting and reconciling totals. Assumptions and limitations are clearly documented, and consistency over time is prioritized over precision. A basic review is performed to ensure completeness (e.g., all major spend categories are included) and reasonableness. The goal here is awareness: getting a directional view of where emissions sit in the value chain.

The two previous posts linked above provide some ideas on what these simple controls should look like: locked spreadsheet formulas; segregation of duties between data collectors, such as fleet managers, and data calculators, such as the sustainability reporting specialist who applies a pre-determined formula to convert activity data into emissions; followed by a reasonableness check by finance.

Developing

As the organization matures, it increases its readiness for external scrutiny. Governance begins moving to structured accountability with clearer segregation of duties and documented policies. The developing stage adds structure: data owners remain accountable for source accuracy, designated data preparers calculate metrics using standardized methodologies, independent reviewers (often finance or a centralized sustainability function) validate completeness and assumptions, and a defined executive sponsor (CFO, Chief Sustainability Officer, or equivalent) provides formal sign-off. Methodologies are documented in policy form and version controlled, including base year definitions, recalculation triggers, estimation protocols, and materiality thresholds. Controls evolve beyond basic reasonableness checks to include documented review evidence, cross-referencing against financial or operational systems, period-over-period variance analysis, and change management logs when assumptions shift. At this stage, board involvement typically moves from passive awareness to periodic oversight of climate-related risks and reporting readiness, but operational accountability still sits firmly within management.

Right-sized governance now includes:

  • More clearly defined roles: data owners, data preparers, reviewers, approvers
  • Standard calculation methodologies across business units
  • Documented policies for GHG emissions covering:
    • Base year selection
    • Recalculations
    • Estimation methods
    • Materiality thresholds

Controls should now include:

  • Formal review sign-offs
  • Cross-checks between operational and financial data
  • Change logs for methodology updates
  • Detective reviews such as management review of trends and anomalies

Internal controls at this stage focus on consistency, defensibility, and reduced key-person risk, building a governance structure that can withstand external scrutiny without yet requiring full enterprise automation. Internal controls begin to resemble those over financial information.

Developing: example

As the organization moves into the developing stage, the process becomes more structured and repeatable. Data collection templates are standardized and rolled out across all store locations and distribution centers, reducing inconsistencies in how data is captured. Emissions calculations follow a formalized internal policy that defines base year selection, emissions factors, estimation approaches, and thresholds for recalculations. Roles are more clearly separated, with operations responsible for data input, sustainability applying consistent calculation methodologies, and finance performing a more detailed review, including variance analysis and cross-checks against financial or operational data (such as energy expenses or fuel costs). Changes in assumptions or methodologies are logged and approved, creating a stronger audit trail. At this stage, the organization is increasingly confident in its data and begins preparing for external disclosure or stakeholder scrutiny.

Scope 3 tracking at this stage becomes more targeted and methodologically robust. The company identifies its most material categories using a screening assessment and begins refining calculations for those areas. For example, instead of purely spend-based estimates, it may shift toward hybrid or activity-based approaches using supplier-specific data where available (e.g., logistics providers reporting fuel usage) and quantity-based data (e.g., kilograms of materials purchased) for key product categories. Supplier engagement begins to take shape, with standardized data requests or questionnaires introduced into procurement processes. Internally, roles are clearer: procurement supports supplier data collection, sustainability refines methodologies, and finance reviews outputs for consistency and alignment with financial data. Controls expand to include documentation of data sources, validation of supplier inputs (e.g., benchmarking against industry averages), and tracking changes in methodology. The focus is on improving accuracy in high-impact areas while maintaining defensibility.

Mature: embedding into business systems

At the mature stage, sustainability governance and internal controls are fully integrated into the organization’s core operating model, mirroring the rigor and discipline of financial reporting. Data flows are increasingly automated through ERP and enterprise systems, reducing manual intervention and improving both efficiency and reliability. Clear segregation of duties is established across the data lifecycle, with defined roles for data owners, preparers, reviewers, and approvers embedded within business processes rather than operating as a parallel structure. Preventive controls such as system validations, standardized input templates, and automated error flags complement detective controls like variance analysis and management review, shifting the focus from identifying issues after the fact to avoiding them altogether.
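To make the preventive-versus-detective distinction concrete, here is an added illustration of what automated controls over site-level utility data might look like before a Scope 2 figure is calculated. This is example code written for this post, not code from the original article or from any particular organization. The site register, emission factor versions, prior-period figures, submissions, and the 25% variance threshold are all constructed for the demonstration; the control structure is the point.

```python
"""Added example: automated preventive and detective controls over the
site-level electricity data feeding a Scope 2 calculation. Every input below
(site register, factors, prior-period figures, submissions, threshold) is
constructed for illustration and is not from the original post."""
import hashlib
import json

# Constructed: the approved in-scope population. Completeness is checked against
# this controlled list, never against whatever happened to be submitted.
SITE_REGISTER = {"STORE-001", "STORE-002", "STORE-003", "DC-001"}

# Constructed: version-controlled grid factors (kg CO2e per kWh). Only the
# approved version may be used for the period, so a stale version is rejected.
EMISSION_FACTORS = {"v2024.1": 0.40, "v2025.1": 0.38}
APPROVED_FACTOR_VERSION = "v2025.1"

# Constructed: prior-period kWh per site, taken from the signed-off prior period
# and used only by the detective variance check.
PRIOR_KWH = {"STORE-001": 12000, "STORE-002": 9800, "STORE-003": 11000, "DC-001": 40000}

# Constructed: current-period submissions from the data owners. Each carries a
# reference to retained evidence (the invoice) so the number stays traceable.
SUBMISSIONS = [
    {"site": "STORE-001", "kwh": 12400, "factor_version": "v2025.1", "evidence": "inv-0091.pdf"},
    {"site": "STORE-002", "kwh": 17500, "factor_version": "v2025.1", "evidence": "inv-0092.pdf"},
    {"site": "DC-001", "kwh": 41000, "factor_version": "v2024.1", "evidence": "inv-0094.pdf"},
    {"site": "STORE-099", "kwh": -500, "factor_version": "v2025.1", "evidence": "inv-0095.pdf"},
]
# STORE-003 has not submitted at all; that gap is what the completeness check catches.


def validate_submission(sub, register, approved_version):
    """Preventive control: return the reasons a submission must be rejected
    (an empty list means it is accepted into the calculation)."""
    reasons = []
    if sub["site"] not in register:
        reasons.append("site is not in the approved register")
    if not isinstance(sub["kwh"], (int, float)) or sub["kwh"] < 0:
        reasons.append("kWh must be a non-negative number")
    if sub["factor_version"] != approved_version:
        reasons.append(f"factor version {sub['factor_version']} is not the approved {approved_version}")
    if not sub.get("evidence"):
        reasons.append("no supporting evidence reference")
    return reasons


def run_controls(submissions, register, factors, approved_version, prior_kwh,
                 variance_threshold=0.25):
    """Apply the preventive checks, a completeness check and a detective variance
    check, then calculate emissions only over accepted data and fingerprint it."""
    accepted, rejected = [], []
    for sub in submissions:
        reasons = validate_submission(sub, register, approved_version)
        if reasons:
            rejected.append({"site": sub["site"], "reasons": reasons})
        else:
            accepted.append(sub)

    # Completeness: every in-scope site must have an accepted submission, so a
    # rejected site shows up here as well until a corrected submission arrives.
    missing = sorted(register - {s["site"] for s in accepted})

    # Detective control: flag period-over-period swings above the threshold for
    # management review. The value is kept, but it blocks sign-off until explained.
    variances = []
    for s in accepted:
        prior = prior_kwh.get(s["site"])
        if prior:
            change = (s["kwh"] - prior) / prior
            if abs(change) > variance_threshold:
                variances.append({"site": s["site"], "change": round(change, 3)})

    # The factor is looked up from the approved version, never taken from the submission.
    total_kg = sum(s["kwh"] * factors[approved_version] for s in accepted)

    # Audit trail: a digest of exactly the accepted inputs, so the sign-off can be
    # tied to the precise snapshot of data it covered.
    evidence_hash = hashlib.sha256(json.dumps(accepted, sort_keys=True).encode()).hexdigest()

    return {
        "accepted": [s["site"] for s in accepted],
        "rejected": rejected,
        "missing": missing,
        "variances": variances,
        "emissions_tco2e": round(total_kg / 1000, 3),
        "evidence_hash": evidence_hash,
        # Sign-off is blocked until every exception has been resolved or explained.
        "ready_for_signoff": not (missing or rejected or variances),
    }


if __name__ == "__main__":
    print(json.dumps(run_controls(SUBMISSIONS, SITE_REGISTER, EMISSION_FACTORS,
                                  APPROVED_FACTOR_VERSION, PRIOR_KWH), indent=2))
```

Two design choices carry the governance weight here. The register and the approved factor version are controlled inputs owned by the central coordinator, so a data owner cannot silently change the population or the factor by what they submit, which is the segregation of duties described above expressed in code. And the digest over the accepted data set gives the approver something concrete to sign: if any accepted number changes after sign-off, the digest changes with it.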

Governance at this level is characterized by strong executive accountability and active board oversight where sustainability risks and opportunities are financially material. Sustainability metrics are integrated into enterprise risk management frameworks, strategic planning cycles, and capital allocation decisions, ensuring that data is not only reliable but also decision-useful. Internal audit functions begin to formally assess sustainability controls, and organizations position themselves for external assurance by maintaining robust documentation, audit trails, and evidence of control execution. Importantly, sustainability reporting is no longer viewed as a compliance exercise; it becomes a critical input into business performance, risk management, and long-term value creation.

At this level, sustainability information is no longer a side project. It is embedded into:

  • ERP systems
  • Enterprise risk management
  • Strategic planning
  • Capital allocation decisions

Right-sized governance now expands to:

  • Executive accountability for sustainability metrics
  • Board-level oversight of climate and ESG risks
  • Integration with internal audit and risk functions
  • Alignment with enterprise control frameworks

Controls evolve to include:

  • Automated data feeds where possible (processes and policies are now mature enough to be automated)
  • Preventive controls (not just detective reviews)
  • Segregation of duties
  • Periodic internal audits of sustainability data
  • Formal assurance readiness

Mature: example

At the mature stage, sustainability data is fully embedded into the company’s systems and decision-making processes. Utility and fuel data are integrated directly from source systems into centralized platforms or ERP tools, significantly reducing manual handling and the risk of error. Emissions are calculated using standardized, system-driven methodologies with built-in controls such as validation checks, automated flags for anomalies, and approval workflows that enforce segregation of duties. Sustainability metrics are reviewed alongside financial performance by executive leadership and are incorporated into strategic decisions, for example informing capital investments in energy-efficient stores or optimizing logistics routes to reduce emissions and costs. Internal audit periodically reviews the sustainability control environment, and documentation is maintained at a level that supports external assurance. At this point, sustainability information is no longer a standalone exercise but a reliable, decision-useful input that is managed with the same discipline as financial data.

Scope 3 at this stage is embedded into core business processes and supplier relationships. The company integrates emissions data collection into procurement systems, contracts, and supplier performance management, often requiring key suppliers to provide emissions data or align with recognized standards. Activity-based and supplier-specific data dominate for material categories, supported by system integrations where possible (e.g., logistics data feeds or supplier platforms). Controls are increasingly preventive, such as standardized data templates, automated validation checks, and defined thresholds for data quality. The organization may apply data quality scoring frameworks (such as those aligned with the Partnership for Carbon Accounting Financials (PCAF) data quality concepts, which were designed for financial institutions) to prioritize improvement efforts. Scope 3 insights are actively used in decision-making, influencing supplier selection, product design, and cost optimization strategies. Internal audit may review Scope 3 processes, and the company is positioned for external assurance on key categories. At this point, Scope 3 becomes a managed, decision-useful dataset that informs both strategy and risk management.

Conclusion

Ultimately, the goal is not to leap straight to a “mature” state, but to build governance and internal controls that are right-sized for your organization today while intentionally evolving over time. Organizations that succeed in sustainability reporting are not those that start with perfection, but those that prioritize clarity, accountability, and continuous improvement. By focusing on the fundamentals (clear ownership, consistent methodologies, and disciplined review), you create a foundation that can scale as expectations, risks, and regulatory requirements increase. Sustainability data will only continue to grow in importance, and those who invest early in getting the basics right will be far better positioned to deliver reliable, decision-useful information that stands up to scrutiny and drives meaningful business outcomes.