New, global ESG disclosure requirements are on the horizon, most notably the U.S. Securities and Exchange Commission (SEC) proposed climate-disclosure rule and the EU’s Corporate Sustainability Reporting Directive (CSRD). Companies are understandably focused on achieving compliance with these new regulations, but they should also bear in mind another key consideration: What is the organization’s current exposure from previous and current voluntary reporting?
A recent Norton Rose Fulbright survey of general counsel and in-house litigation leaders found that more than a quarter are seeing increased exposure to ESG-related litigation, and they expect that trend to continue in coming years. As you design your company’s reporting framework for compliance with mandatory reporting, it is important to understand the risk created by what you have already disclosed, and assess how investors and stakeholders have used that information.
Five key considerations follow:
1. How and where is information being distributed?
Is your company providing ESG data outside of its formal financial reporting process? For example, has your office of sustainability or other internal department published a sustainability report or maintained a website for reporting key ESG metrics and goals? Are employees speaking about the company’s ESG activities at conferences, investor events, or industry roundtables?
Publishing key company ESG metrics and objectives across multiple communication channels inherently increases the risk of providing stakeholders and investors with misstated, inconsistent, or conflicting information.
Companies should consider conducting an internal risk assessment to inventory and map their ESG communications to shareholders and other stakeholders, including the origin of reported information, all places it may have been shared, the frequency of reporting, and the type of information being provided. Management should assess each communication channel for any risk that may have been inadvertently created. Any inaccuracies or inconsistencies of information between the various forums will need to be revised across all communication channels in a timely manner.
Identifying the internal parties responsible for managing these communications will help facilitate the company’s transition to mandatory reporting, as these parties are key stakeholders and sources of historical knowledge. It is essential to verify that existing ESG reporting foundations are secure before layering on additional mandatory reporting requirements.
Disclosure Risk Scenario, Part 1
Company A began publishing a biennial sustainability report in 2015, highlighting its commitment to a sustainable future with an emphasis on reducing greenhouse gas (GHG) emissions. The company promoted the report via the Office of Sustainability’s social media channels. Then, in 2020, the company created a separate sustainability-focused website with interactive features to host the report and highlight its other ESG metrics.
The company then began including its GHG goals and metrics in its 2022 10-K filing with the SEC. On the earnings call for Q4 2022, an institutional investor asked the CFO to reconcile a goal stated in the 10-K to reduce GHG emissions by 20% in five years with the company’s sustainability website, which highlighted a goal of reducing emissions by 30%. Furthermore, the investor wanted to know which goal the company used in determining cost savings for the FY23 forecast.
The CFO was only aware of the GHG goals included in the 10-K, which their team was responsible for drafting and submitting to the regulator. Unfamiliar with the goals referenced on the sustainability website, the CFO indicated they would need to investigate further and get back to the investor in due course.
2. Has the company reconciled disclosures across communication channels?
Companies need to ensure consistency across public and nonpublic disclosures. For example, does your company’s 10-K filing differ from your annual sustainability report, or from the information you provide to ratings agencies, banks, and partners for Scope 3 value chain reporting? There may be discrepancies if the information is coming from various sources within your organization with no established processes around ESG reporting to ensure accuracy and consistency.
In some instances, however, companies may only prioritize data validation for required reporting. As discussed previously, more careful consideration may be given to, for example, an SEC disclosure than a social media post. But stakeholders and shareholders alike may be relying on that information to make decisions.
Neglecting to validate data before it is publicized — in any instance, by any avenue — opens the company up to risk if there are inconsistencies in the ESG data disclosed on disparate communication and reporting channels. Even if there is no apparent immediate regulatory risk, companies may be risking their reputation and exposing themselves to litigation if the credibility of their disclosures is questionable.
Disclosure Risk Scenario, Part 2
The CFO tasked the Financial Controller with determining the origins of the two GHG emissions goals the institutional investor referenced in the example above, and with checking whether the company had publicized any other GHG emissions goals.
The Chief Sustainability Officer told the Financial Controller that they oversaw the creation of the company’s GHG reduction strategy and presented the board with two options: 20% in five years or 30% in five years. The board approved the strategy to reduce emissions by 20% in five years. The Financial Controller was confident that this goal, published in the company’s financials, was supportable and defendable.
The marketing team then confirmed that they recently met with the Chief Sustainability Officer, who shared their ideals for the company’s sustainability program — including an aspirational goal of reducing GHG emissions by 30%. Marketing was thrilled to demonstrate the company’s commitment to sustainability by sharing that goal across the company’s sustainability website and social media accounts.
The Financial Controller understood that marketing’s objective was to share and promote the company as eco-conscious. But the lack of clarity and validation around the aspirational 30% goal was causing confusion for investors, who were comparing it to the company’s official commitment published in their 10-K. The Financial Controller and the marketing team, with insight from the legal department, agreed the sustainability website should align with the committed goal of a 20% reduction for consistency and clarity.
3. Is your data validated and consistent? Can you support your ESG and tangential disclosures?
Data validation and/or third-party assurance helps ensure your company is complying with all applicable regulations and avoiding any pitfalls related to inaccurate or incomplete reporting. It is also an essential part of building trust among stakeholders.
This applies to the validation process itself. Is the process owned by the same team, using the same methods, in every instance? A Financial Controller and a sustainability team, for example, could pull together and validate the same data point for their respective reporting needs. If the groups used different assumptions, they would likely arrive at different reportable outputs.
These types of data inconsistencies may not withstand the scrutiny inherent in public company financial reporting, new regulations, assurance procedures or stakeholder analysis.
Disclosure Risk Scenario, Part 3
The Financial Controller met with the finance team to understand how the company factored its stated GHG emissions reduction goals into the FY23 forecast.
The finance team knew environmental and social issues were a hot topic. They also knew they needed to start considering how climate change could impact the company and, accordingly, the financial forecasts. They conducted preliminary research on the company’s industry and determined that their competitors had implemented GHG reduction strategies to reduce emissions by, on average, 10% over five years.
Leveraging this industry benchmark, the team created a model to estimate the costs and financial benefits associated with a 10% reduction goal. They leveraged this information during the creation of the FY23 financial forecasts, which were publicly shared on the earnings call.
The finance team was unaware of the company’s recently approved 20% emissions reduction goal and acknowledged that it was not reflected in the FY23 forecasts. The team needed to update its model — leveraging company-specific assumptions — and determine the impact on previously provided financial forecasts.
4. How long ago was the information updated?
While reporting requirements include a regular cadence for updates, the same cannot be said for voluntarily disclosed information. Has your company provided regular updates to voluntarily published information?
If a few years have passed since the last update on progress toward a goal, this could give the impression that your company is failing to meet publicly made commitments.
This is another area in which having a firm understanding of all disclosed information is essential. Knowing what information is published where — and how long it has been since updates were made — will help ensure accuracy and consistency.
Disclosure Risk Scenario, Part 4
The Financial Controller reported back to the CFO what they learned, the action items that were in process, and suggestions for integrating the various teams that touch ESG information to enhance communication and collaboration, as well as consistency in reporting.
The Financial Controller noted that between the biennial sustainability report, ad-hoc social media posts, earnings calls, and 10-K, the company’s GHG emissions reduction goal was well publicized. They expected stakeholders and shareholders to be paying particular attention to this key metric and that they would want to know how the company was progressing towards its goal.
The Financial Controller proactively established a cadence for recurring touchpoints with the internal ESG stakeholders to ensure alignment on how they quantify progress and to establish disclosure processes for that information.
5. Are your controls and processes for sustainability-related disclosures sufficiently robust?
Establishing rigorous internal controls is critical to ensuring data quality and reliability, as well as standardizing data collection, analysis and reporting. By establishing consistent and recurring processes, organizations can enhance their ESG reporting practices, ensure stakeholder confidence in their reporting quality, and reduce the risk of sharing conflicting or unsupported information externally.
This goes beyond just mitigating risk. Creating these controls and processes, and ensuring their alignment across the company, also helps to drive sustainable business practices. This data could potentially yield valuable insights to enable better-informed decisions regarding the direction of your company’s ESG programs. And with the right disclosure processes in place, companies can articulate their ESG achievements more effectively to a broader audience.
Disclosure Risk Scenario, Part 5
During the inaugural internal ESG stakeholder touchpoint, the Financial Controller inquired whether each group had established controls around each of their ESG-related processes and associated outputs. While each group could verbally speak to their process, none of the groups had established written processes or controls. Due to the lack of formality, the Financial Controller was worried about the consistency and comparability of information across periods. Furthermore, they questioned if the processes and outputs could be validated by an independent party such as internal audit or an ESG rating agency. The Financial Controller took an action item to discuss establishing ESG reporting controls with the company’s Enterprise Risk Management team.
While companies should focus on ESG reporting frameworks and the disclosures that upcoming regulations will require, it is important to ensure the accuracy and consistency of information that has already been published. Companies cannot overlook the inherent risks associated with this information.
Best practices include developing a process for reviewing (and subsequently amending) previously disclosed information, then establishing formal processes and controls for future reporting across all communication channels. This process can occur as part of the overall development of a more robust and disciplined approach to voluntary and mandatory reporting.