While at least some of the public company investment world is focused on or interested in ESG, the fact is that ESG criteria can be applied to every business (public and private), governmental entity, nonprofit, and other organization, and also to every industry and profession. I have written previously, for example, that governmental entities, education (schools), medical/medicine, and some nonprofits would be well-positioned to apply and report ESG criteria as a means of demonstrating how other public and private businesses might go about doing the same, while perhaps at the same time raising community and public awareness and expectations and reducing the need or push for legislation. In the end, unless ESG becomes too expensive and starts to have a not insignificant negative impact on jobs, I expect that we will have both additional mandated legislation and regulations, and increasing community and public awareness.

The discussion in this blog post is about law firm ESG, applying ESG to law firms, and rating the ESG at your law firm. For reference and a useful discussion about ESG criteria, I have copied and pasted below my December 29, 2020 blog post titled ESG and the “E” and the “S” and the “G” – ESG + Sustainability + Climate Action.

With respect to law firms, and for that matter also for other service and professional service businesses, governmental entities, nonprofits and other organizations (including, for example, education/schools and medical/medicine), I would view the “S” and the “G” and “Sustainability” to be the most challenging and important. That is not to suggest that the “E” and the “Climate Action” are unimportant, but merely to recognize that in service and professional service type organizations, such as law firms, people, governance, services and related risk management lift the organization and keep it operating, sustainable and perhaps growing.

Let’s look at “S” for a law firm. Some law firms and partners or owners are satisfied to operate their own practices and have a reduced interest in associate and mid-level experienced attorneys, other than to the extent that those worker type attorneys support the partners or owners. Typically that type of firm also will not provide much in the way of mentorship, development, guidance, allowing involvement, or at some point upward mobility opportunities (including little dissemination of information that would help provide direction in those areas). Whether and to what extent to provide “S” to associates and mid-level experienced attorneys is a partner and owner choice. Without much “S” the firm and its partners and owners still can do well, but in my view not as well as they could by providing “S.” “S” also relates to community involvement – again, without community involvement the firm and its partners and owners still can do well, but in my view not as well as they could. See below, from my December 29, 2020, blog post, examples of some possible “S” criteria. In the context of law firms and the atmosphere and opportunities that are present, two words that come to mind are mental health and inclusiveness, both of which are related to both “S” and “G” criteria. You might be aware that there has been a general increased focus on mental health in the legal profession and at firms, and this increased focus started pre-COVID. The following is a link to a post on the California Lawyers Association page discussing a new, recent study about attorney mental health and wellbeing (including the extent of stress, anxiety, drinking and depression).

Let’s look at “G” for a law firm. Some of these topic areas also relate to the firm atmosphere and environment for associate and mid-level experienced attorneys, including, for example, whether and the extent to which they are allowed and encouraged to be involved in the governance or growth or marketing of the firm. Importantly, “G” also relates to the relationships and interactions of and between the partners and owners, and to other “S” criteria. Lack of governance, or inadequate or improper governance, and definitely bad governance can or will negatively impact the entire firm and its longevity, whereas “good” governance will have a positive impact. See below, from my December 29, 2020, blog post, examples of some possible “G” criteria.

Finally, for the purpose of this post, “sustainability.” Law firms come and go, grow, or shrink or stagnate, but they and the legal profession and market are always changing. Laws change. The demand for legal services changes. The competition changes. The people with or at the firm change. The abilities of the firm change. Sustainability involves “S” and “G,” the experiences, abilities, strengths, weaknesses, personalities, and hard work of the attorneys and other people at the firm, the services and practice areas that are and that can be offered, the ability to personally reach and communicate with clients and prospective clients, and collaboration and working together.

I have not covered “E” or Climate Action – those can be topics for another post, and with comments and suggestions by other people relating to law firms and service and professional service businesses and organizations. As you may have seen, for example, in recent articles discussing “E” as it pertains to cryptocurrencies, law firm “E” certainly extends beyond the use of paper and ink, office energy use, waste, and recycling.

Obviously the above discussion is not intended to be a treatise – certainly many attorneys and other people who work or who have worked at law firms, and at other service and professional service organizations, could add considerably more discussion. Immediately below is the copy and paste of my December 29, 2020, blog post.


December 29, 2020, blog post

ESG and the “E” and the “S” and the “G” – ESG + Sustainability + Climate Action

ESG criteria refer to an organization’s environmental, social and governance policies, practices and processes, some of which depend upon whether the organization is a public corporation or business, private corporation or business, nonprofit, not for profit or NGO, governmental organization or entity, or a hybrid or mixed organization or entity. ESG criteria will also vary depending on the size of the organization or entity, its industry, and whether it primarily provides a service, a product or manufacturing, or a combination of both.

The following criteria can be used for reference. Note, however, that whereas applicable criteria have been set in some circumstances or for some situations, applicable criteria otherwise often remain in a state of change, discretion, suggestion or proposal, and choice. The various services that evaluate and rate ESG also each individually decide which criteria they will use. Indeed, the possible criteria listed below are intended to be fairly encompassing so as to promote thought and consideration, but they are not necessarily, as a whole, a list of required criteria. Each organization and entity must evaluate its own requirements and circumstances.

Environmental criteria broadly refer to some or all of the following:

Resource materials and energy evaluation, selection, use, and discharge, management and conservation;

Environmental risks and management;

Hazardous and toxic wastes and emissions;

Ownership and management of contaminated materials and land;

Treatment of animals; and

Compliance with laws and regulations.

Depending on the processes that are being used sometimes the environmental component of ESG can be the more clear-cut or direct component to identify and measure.

Social criteria broadly refer to some or all of the following:

The organization’s or entity’s internal and external relationships, values and culture and its adherence to and enforcement of values with employees and independent contractors in the workplace and work environment;

Its working relationships with employees and independent contractors in the workplace, with customers, with suppliers, in the community, and with other stakeholders;

Human capital, as it has been called – I don’t particularly like the term “human capital” as to me it sounds a bit faceless or depersonalized – instead I prefer something such as simply the category “People”;

Health and safety;

Opportunities provided, inclusiveness and equality, training, mentorship, advancement and advancement opportunities;

Talent acquisition and retention;

Social engagement and active involvement;

Organizational openness and communications;

Organizational trust, integrity and reputation; and

Compliance with laws and regulations.

I view the social criteria component of ESG as currently being the more challenging component because of the very large number of criteria that people can argue are or should be included, and because those criteria are sometimes difficult to measure or more subjective in nature.

Governance criteria broadly refer to some or all of the following:

The organization or entity overall, and its leaders and their actions and leadership, including such criteria as:

Board and management roles, makeup, structure, policies, processes and practices;

Decision making;

Accounting methods and related transparency;

Shareholder engagement and shareholder rights;

Avoidance of unlawful practices, and legally or ethically questionable business practices;

Strong, transparent and enforced governance policies and practices;

Codes of conduct and ethics, and enforcement;

Board, executive officer and senior management diversity;

Measurement of corporate and organization performance;

Corporate and organization values, trust, integrity, and reputation;

Board oversight;

Accountability for actions;

Oversight of internal controls;

Oversight of compliance with laws and regulations;

Avoidance of unlawful conflicts of interest;

Information disclosure;

Corporate and organization sustainability;

Oversight of environmental, social and governance criteria;

The organization’s use of information and private information, and information and cyber security;

Protection of the organization’s assets including intellectual property;

Officer, director, and management openness to appropriate challenges, disagreement, and criticism, and the manner and processes for learning about, addressing, evaluating and debating, decision making, and resolving those ongoing occurrences and situations; and

Board and director structure, agenda setting, demeanor, meeting processes, independence, and adherence to prudent business judgment and diligent, active and proactive business judgment rule practices.

Whereas the above list of possible governance criteria might suggest that the governance component of ESG is better defined, I view the governance criteria as currently being perhaps the more challenging component of ESG. A large number of possible criteria can be identified, but in practice the criteria that are recognized as accepted tend to be less numerous; as a group, governance criteria still tend to be more vague, undefined and less agreed upon; and identification, evaluation and measurement of governance criteria also tend to vary more from organization and entity to organization and entity.

* * * * *

Best to you. David Tate, Esq. (and inactive CPA)


Remember, every case and situation is different. It is important to obtain and evaluate all of the evidence that is available, and to apply that evidence to the applicable standards and laws. You do need to consult with an attorney and other professionals about your particular situation. This post is not a solicitation for legal or other services inside of or outside of California, and, of course, this post only is a summary of information that changes from time to time, and does not apply to any particular situation or to your specific situation. So . . . you cannot rely on this post for your situation or as legal or other professional advice or representation.

Thank you for reading this post. I ask that you also pass it along to other people who would be interested as it is through collaboration that great things and success occur more quickly. And please also subscribe to this blog and my other blog (see below), and connect with me on LinkedIn and Twitter.

My two blogs are:

Business, D&O, audit committee, governance, compliance, etc.

Trust, estate, conservatorship, elder and elder abuse, etc. litigation and contentious administrations

Best to you, David Tate, Esq. (and inactive California CPA) – practicing in California only

Litigation, Disputes, Mediator & Governance: Business, Trust/Probate, Real Property, Governance, Elder Abuse, Workplace, Investigations, Other Areas

Discussions About The New COSO ERM Framework And Related Topics

By: David Tate, Esq., Royse Law Firm, Northern and Southern California (Silicon Valley/Menlo Park Office)

I have pasted below four links in which the authors discuss enterprise risk management (ERM) and risk management, the new COSO ERM framework, and some aspects of internal audit.

I appreciate what the authors are discussing; however, my preference would have been to have more defined tasks or requirements in the new COSO ERM framework (I use the word “requirements” broadly because generally there is no mandated risk management framework that must be followed, although for some industries and businesses there are some risk management requirements that are mandated by law and which must be followed).

It is clear that whatever risk management framework or process a business uses will remain largely discretionary based on the business judgment of management and the board, and that in fact might be better for possible liability purposes. However, it is my belief that people and businesses usually will implement policies or processes or procedures (other than, for example, for how to design, develop and manufacture a product or service that they provide) if they are required to follow or adopt certain specific requirements by law, statute, regulation, or rule, or perhaps as required by the expectations of the community or stakeholders. That having been said, we are where we are on this. And it is now also generally accepted (and in some instances mandated) that a business will adopt and implement risk management, that the board will oversee risk management, that sometimes audit committees and/or risk committees are required to be involved in or oversee risk management, and that in some businesses the board will delegate risk management oversight to a committee of the board, to the extent that risk oversight can be delegated (I would maintain that the board still must oversee risk management with the help of the committee and that the board cannot delegate its overall responsibility to oversee risk management).

In my view, the components and principles outlined in the new COSO ERM framework are essentially only broad in nature, which allows for each business to decide how to design and implement, etc., enterprise risk management based on the business judgment of management and the board of that particular business, in light of the business’ mission, core values, business objectives, strategies, and views and evaluations of related risks.

Let me also say this: I do appreciate that the first of the five core components in the new COSO ERM framework is Governance and Culture, and that the fifth of the five components is Information, Communication, and Reporting, which also includes principle 19 (Communicates Risk Information) and principle 20 (Reports on Risk, Culture, and Performance). I believe that including governance, culture, communication and reporting (if they are adopted – remember, no specific framework is mandated) will help to move ERM and risk management to a more visible position. And, it is my belief, based on recent business, nonprofit, and governmental entity shortcomings and failures, that governance, culture, communication and reporting need to be moved more front and center. In fact, COSO listed governance and culture as the first of the five core components because governance and culture can be central to the entirety of the entity’s ERM.

The following are the links to the four enterprise risk management, etc., discussions that I mentioned at the beginning of this post, and below those links I have copied and pasted from my September 7, 2017, post in which I discussed the new COSO ERM framework and which you can also read at 

The following are the links to the four additional discussions:

COSO ERM Framework – Enterprise Risk Management – Integrating with Strategy and Performance (five components, and twenty principles)

I.  Governance and Culture Component:

Supporting Principles:

  1. Exercises Board Risk Oversight
  2. Establishes Operating Structures
  3. Defines Desired Culture
  4. Demonstrates Commitment to Core Values
  5. Attracts, Develops, and Retains Capable Individuals

II.  Strategy and Objective-Setting Component:

  1. Analyzes Business Context
  2. Defines Risk Appetite
  3. Evaluates Alternative Strategies
  4. Formulates Business Objectives

III.  Performance Component:

  1. Identifies Risk
  2. Assesses Severity of Risk
  3. Prioritizes Risks
  4. Implements Risk Responses
  5. Develops Portfolio View

IV.  Review and Revision Component:

  1. Assesses Substantial Change
  2. Reviews Risk and Performance
  3. Pursues Improvement in Enterprise Risk Management

V.  Information, Communication, and Reporting Component:

  1. Leverages Information and Technology
  2. Communicates Risk Information
  3. Reports on Risk, Culture, and Performance

Enterprise Risk Management (ERM) and internal controls work together and should complement each other. The following is the broad outline of the COSO 2013 Internal Control Framework.

Sarbanes-Oxley section 404 requires public company management and its external auditors to attest to the design and operating effectiveness of a company’s internal control over external financial reporting. Internal controls should also be designed and implemented for private company, nonprofit and governmental entities.

COSO 2013 Internal Control Framework – 5 Components, and 17 Principles

1.  Control Environment Component:

Mandatory Principles

  1. Demonstrate commitment to integrity and ethical values.
  2. Board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures and reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.
  4. Demonstrate commitment to attract, develop and retain competent individuals in alignment with objectives.
  5. Hold individuals accountable for their internal control responsibilities in the pursuit of objectives.

2.  Risk Assessment Component:

Mandatory Principles

  1. Specify objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  2. Identify risks to the achievement of its objectives across the entity and analyze risks as a basis for determining how the risks should be managed.
  3. Consider the potential for fraud in assessing risks to the achievement of objectives.
  4. Identify and assess changes that could significantly impact the system of internal control.

3.  Control Activities Component:

Mandatory Principles

  1. Select and develop control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  2. Select and develop general control activities over technology to support the achievement of objectives.
  3. Deploy control activities through policies that establish what is expected and procedures that put policies into action.

4.  Information & Communication Component:

Mandatory Principles

  1. Obtain or generate and use relevant, quality information to support the functioning of internal control.
  2. Internally communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  3. Communicate with external parties regarding matters affecting the functioning of internal control.

5.  Monitoring Activities Component:

Mandatory Principles

  1. Select, develop and perform ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  2. Evaluate and communicate internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

The Business Judgment Rule

The business judgment rule also is relevant on these topics (from Tate’s Excellent Audit Committee Guide). The business judgment rule provides a director with a defense to personal liability, holding that as a general principle of law, a director, including a director who serves as a member of a board committee, who satisfies the business judgment rule has satisfied his or her duties. Thus, the business judgment rule provides one standard of care, although other standards may very well also apply to specific tasks and responsibilities. The business judgment rule provides a very good overall approach for directors and audit committee members to follow, although the rule itself is lacking in specific detail. In some states the business judgment rule is codified by statute while in other states the rule is established by case law (see, e.g., Cal. Corp. Code §309 for California corporations and Del. Gen. Corp. Law §141 for Delaware corporations, in addition to relevant case law). The rule also applies to directors as board committee members.

In summary, as a general principle the business judgment rule provides that a director should undertake his or her duties:

-In good faith, with honesty and without self-dealing, conflict or improper personal benefit;

-In a manner that the director reasonably believes to be in the best interests of the corporation and its shareholders; and

-With the care, including reasonable inquiry, that an ordinarily prudent person in a like position with like expertise would use under similar circumstances. The rule itself doesn’t require a particular level of expertise, knowledge or understanding; however, as you might be aware, public company audit committee members do have such a requirement, and you can at least argue that, depending on the facts and circumstances, a board or committee member should have or should obtain a certain unspecified level of knowledge or understanding to be sufficiently prepared to ask questions, evaluate information provided, and make decisions.

Reliance Upon Other People Under the Business Judgment Rule

In the course and scope of performing his or her duties, a director must necessarily obtain information from and rely upon other people. An independent director is not involved in the day-to-day operations of the business. The director provides an oversight function. Pursuant to the business judgment rule, a director is entitled to rely on information, opinions, reports or statements, including financial statements and other financial data, prepared or presented by any of the following:

-Officers or employees of the corporation whom the director reasonably believes to be reliable and competent in the relevant matters;

-Legal counsel, independent accountants or other persons as to matters that the director reasonably believes are within the person’s professional or expert competence; or

-A committee of the board on which the director does not serve, as to matters within that committee’s designated authority, so long as the director acts in good faith, after reasonable inquiry as warranted by the circumstances, and without knowledge that would cause reliance to be unwarranted.

David Tate, Esq., Royse Law Firm, California (Silicon Valley/Menlo Park office), with additional offices in San Francisco, Los Angeles and Orange County.

* * * * *