Sometime this spring, the U.S. Securities and Exchange Commission is likely to adopt one of its most controversial regulations ever: a rule requiring public companies to disclose their greenhouse gas emissions and their risks related to climate change.
This is a highly divisive idea, to put it mildly. Whenever the SEC’s final rule arrives, legal challenges and political firestorms inevitably will follow.
Global corporations, however, have another, larger reality to confront. The simple truth is that ESG disclosure obligations are already here, and companies need to develop a scalable, reliable way to meet them – regardless of any rule on greenhouse gasses the SEC might adopt.
For example, the European Union adopted its own rule for mandatory disclosure of ESG metrics (the Corporate Sustainability Reporting Directive, or CSRD) at the end of 2022. Germany has its own Supply Chain Due Diligence Act, requiring large companies operating in Germany to establish human rights due diligence procedures for their entire supply chain. Even within the United States, other regulators have required the reporting of various ESG data for years. And shareholders, employees and consumers want more insights about corporations’ ESG activity too.
As a practical matter, large corporations now have no choice except to undertake the complicated effort of building an ESG program. More precisely, they need to identify all the ESG activities they already do and then put a formal structure around that, so those activities can be reported in a reliable manner. Only then can a company’s ESG program satisfy compliance obligations and meet the demands of investors, consumers, employees, and other stakeholders.
To start, corporations will need to understand the ESG reporting obligations they have. That means surveying the rules that exist in jurisdictions where your company operates and compiling a list of regulatory requirements.
To a certain extent this exercise should feel familiar since companies already do something similar for privacy compliance. For example, a global corporation is most likely subject to the General Data Protection Regulation in Europe, numerous state and federal privacy laws in the United States, and even industry-specific privacy rules such as the PCI-DSS privacy rule to protect credit card data.
To satisfy those privacy compliance rules, a company will typically “map” the various policies, procedures, and controls it needs to have, to understand where those requirements overlap. Then the company can use fewer controls to serve multiple compliance rules.
Companies will now need to replicate that process for ESG compliance. For example, most ESG reporting requirements are based upon the Taskforce for Climate-Related Financial Disclosures (TCFD) framework; or standards being developed by the International Sustainability Standards Board. It’s entirely possible – likely, even – that many of your ESG obligations could be satisfied by implementing relevant controls based on those two frameworks.
It’s also likely that parts of your enterprise already make disclosures that will satisfy ESG compliance obligations. For example, in the United States, large companies must already report their Scope 1 greenhouse gas emissions to the Environmental Protection Agency, and provide extensive data on the racial and gender profile of their workforce to the Equal Employment Opportunity Commission. Companies will need to identify where such data already exists, and how it could fit into the ESG compliance programs you’ll soon need to have.
Companies will also need to assure that the ESG data they collect is complete, accurate, and reliable. This raises important questions about who should be “in charge” of ESG reporting and how to manage ESG compliance processes.
Some companies are trying to tackle the issue by bringing their corporate controllers into ESG reporting. It’s a sensible idea; controllers have long played crucial roles in assuring the reliability of financial data and can bring that expertise to bear on the challenge of non-financial data. They can work with leaders in other parts of the enterprise to review existing business processes, create new ones, and put structure around the ESG practices your company either already has or will need to have.
All that said, controllers (or internal auditors) are best suited to advise the enterprise on building reliable ESG processes. Someone else will need to oversee those processes on a day-to-day basis – and compliance officers are natural candidates for that role.
Compliance officers have experience dealing with third parties, receiving complaints about non-compliance, training employees on why certain standards of conduct matter, and so much more that is relevant to ESG success. It’s no surprise we’re seeing compliance officers at large companies move into sustainability roles on a regular basis. On the contrary, such moves make enormous sense.
The challenge for corporations in 2023 will be to move ahead on all these fronts: making an executive-level commitment to ESG compliance, articulating the right roles and responsibilities for your organization, and developing the reporting processes necessary to fulfill your ESG obligations.
The only choice corporations won’t have in the coming year is to do nothing – ESG compliance is now past that point, forever.
For more information about how to get started with ESG and stay ahead of regulatory requirements