
How regulations are moving ESG into the risk and compliance field

Ingo Steinhaeuser  Senior Account Executive / Thomson Reuters

Ingo Steinhaeuser  Senior Account Executive / Thomson Reuters

New regulatory rule-making around disclosure could push companies and financial services firms to move their ESG activities under the oversight of risk and compliance teams

Last March, the Securities and Exchange Commission (SEC) announced new environmental, social, and governance (ESG) disclosure requirements for companies. Under these new rules, public companies must enhance and standardize climate-related disclosures. Additional climate risk disclosures, such as the impact of severe weather events and the governance of risk management processes, are required as well.

Similarly, in Europe, the Corporate Sustainability Reporting Directive was adopted, requiring companies to publish regular standardized reports on their environmental and social impact activities from the fiscal year 2023 onwards.

Although the details of this current set of regulations are not yet clearly defined, it is clear that ESG issues are moving from a mainly voluntary, disclosure-oriented dimension to a regulatory one, with significant implications for how ESG information is collected, verified, and acted upon within an organization.

In recent years, various frameworks have been developed to create standardization in ESG data reporting, often overlapping in their purposes. For example, the newly formed International Sustainability Standards Board seeks to define standards for investors. Prior to that, the leading framework and standard-setting organizations — the Carbon Disclosure Project, the Climate Disclosure Standards Board, the Global Reporting Initiative (GRI), and the Value Reporting Foundation (itself formed by the integration of the Sustainability Accounting Standards Board (SASB) and the International Integrated Reporting Council) — provided guidance and rules to develop a comprehensive corporate reporting system with both financial accounting and sustainability disclosures.

It is quite common for large corporations to use a combination of the above-mentioned frameworks. Coca-Cola and 3M, for example, use SASB, GRI, the Task Force on Financial Disclosures, and the UN Sustainability Goals as reporting and guidance frameworks. There are various implications, however, when information collection becomes part of a mandated requirement rather than a voluntary one.

In most cases, data collection is the responsibility of Sustainability Officers, who draft and implement sustainable organizational policies that address environmental concerns. These professionals are responsible for a company’s environmental impact and environment-related resources. For example, if a company installs solar panels on its factory roofs or buys energy from wind farms, that would be part of the Sustainability Officer’s recommendations on the strategy for the company’s energy mix. Sustainability Officers are also responsible for communicating these plans to the market frequently, often superseding public relations or investor relations executives. However, when information becomes required by law, these responsibilities likely will change.

The new responsibilities of sustainability officers likely will include more data delivery and strategic responsibilities, rather than being seen solely as an agent for change and a communicator. “Sustainability is becoming a delivery role,” says Olivia Whitman, Head of Sustainability at Siemens. “We’ve spent a decade trying to be changemakers, and now suddenly, we’re having to implement processes and think about strategy.”

The mandatory reporting of Scope 1 and Scope 2 GHG emissions in the recent SEC announcement is not the only example of the risk and compliance relevance of ESG data. Other events are also contributing to moving ESG firmly into a compliance-related field, particularly in the S, or Social, category. In fact, the law with likely the largest impact on the compliance relevance of ESG might be the Uyghur Forced Labor Prevention Act. This law prohibits imports into the United States of products that are produced using forced labor in the Xinjiang region and has placed additional pressure on global supply chains.

Under the Social category, the question of forced labor can be addressed by companies’ disclosures if a prohibition of forced labor applies to their supply chains. If a company follows through on its ESG policies, complying with regulatory requirements should not make a structural difference in its business activities and supply chains. For example, portions of the United States’ Lacey Act — which bans trafficking in fish, wildlife, or plants, including timber, that are illegally taken, possessed, transported, or sold — include ESG-related regulations. Such measures are addressed in both Social and Governance disclosures but are also part of US anti-money laundering regulations.

Why an ESG box-checking approach is falling short

If ESG were driven solely by regulatory requirements, then one could argue that meeting these requirements would only require a simple box-checking exercise. Organizations responding in such a manner would be in compliance, of course, but would miss the overall strategic implications related to ESG.

First, ESG information ought to be used in the creation of a risk-based approach, ultimately being applied in corporate risk assessments conducted by a top risk management officer or chief financial officer. For this, ESG data must be used alongside third-party risk data — for example, information on politically exposed persons, sanctions, or corrupt actors.

Second, creating an effective ESG strategy beyond compliance requires incorporating relative ESG performance into long-term business plans, with a clear understanding of the risks and opportunities. This is especially true in an era of change driven by environmental and social factors as well as a shifting geopolitical environment.

A compliance mentality or box-checking approach towards ESG could well leave an organization short of the expectations of its investors and customers, and even unprepared for future risks. From a reporting perspective, ESG reporting will be part of any new data reporting requirement comparable to SEC reporting, related legislation like the Sarbanes-Oxley Act, or statutory reporting, among other requirements. In addition, these reporting requirements need to be made available for audit management purposes.

Creating an effective ESG data strategy

In a recent Deloitte Survey of 300 finance, accounting, sustainability, and legal executives at public companies with more than $500 million in revenue, 57% of respondents indicated that data availability (access) and data quality (accuracy or completeness) remain their greatest challenges with respect to ESG data for disclosure.

To improve data access and quality, organizations need to design and implement an effective data collection strategy that combines company disclosures and external data sources. Such a strategy includes four key elements:

1. the collection of ESG data;
2. the standardization and management of such data (according to various ESG frameworks);
3. the routing of ESG data to the right decision makers, including auditors; and
4. the analysis and embedding of ESG data into the organization’s risk and strategy decision-making process.

Not all of the collected data points are mandatory by law today. For example, energy efficiency metrics and improvements are included in various reporting frameworks but are not yet mandated. Forward-looking organizations need to continuously assess their ESG risks by combining company-collected information with external data sources.

Whether companies and their advisors are ready or not, implementing a risk-based approach that includes ESG data will become the norm.