Well isn't that a pretty CSR / Sustainability report? All the right tables, indexes, pictures of windmills and daisies, but yes, some fairly data rich tables and reports. There is also the great summary that shows that the company met 80% of its CSR targets for the year, and can even show how those targets have evolved over a number of years.
That report, of course, is your competitor's. And the boss is not terribly happy about that.
Call in the troops, raise the alarm, set some goals, and produce that CSR report that makes us look like we care, dammit.
Yes sir, no sir, three pages full of pretty pictures sir!
And so the company starts down (or continues down the already well worn) path to CSR or Sustainability or ESG (Environmental, Social, Governance) reporting. Goals are set and agreed, business cases are produced, and external consultants are engaged to help with the process. A standard is selected, and soon, but realistically most of a year later, the company has its first CSR report ready to go. All that is needed is a nice front-piece from the CEO, written by marketing or the CSR team, and it is time for the press release and marketing event.
Did you, as the Risk Manager or Internal Auditor, know what was happening, and have you included the CSR reporting process on your risk register or audit programme? If not, why not?
I know of one Risk Manager who was invited into the CSR programme from the beginning, and he is convinced that the result has greater validity and value because of Risk Management's participation.
CSR (Corporate Social Responsibility) reporting is important, but it also exposes the business to a new set of risks: operational, reputational and regulatory. CSR (or similar) reporting processes and content represent an uncharted area for too many risk managers and internal auditors. The information has rarely been determined to be “material”, so even when the CSR programme or report has been in the risk universe, it has infrequently risen to a perceived level of significance sufficient to draw attention and review.
Yet I would argue that the reputational risk alone should be enough to encourage attention. Add the regulatory risk and there is a clear rationale for the involvement of Risk Management and Internal Audit (IA). IA in particular has a mandate to review and report on the effectiveness of the system of internal controls, and its programme of reviews should be based on a risk weighting of processes, systems and operational areas of the business. For too long we have assumed that this means controls over financial reporting and IT systems.
Consider the easiest regulatory and reputational risk. Does the CSR report contain the same information as the regulatory reports? In an SEC context, are the risks reported in the 10K the same as in the CSR report? As a specific example, does the CSR report in any way discuss climate change or the risks associated with exploitation of scarce resources such as water? If these are discussed in the CSR report, then they must also be in the risks section of the 10K, or the company faces the danger of an investor or regulator asking why different risk factors are being reported as important to the present or future of the company.
This is as true for statutory reports in other jurisdictions.
This is also true regardless of the reporting standard that you use, be it the GRI, IIRC's Integrated Report, UN Global Compact, SASB, or any other standard.
There are also metrics. Imagine reporting the level of carbon emissions or carbon offsets in a CSR type report, only to not report this information in statutory reports, regardless of what IFRS or US GAAP (or any other GAAP) requires.
While there are valid and important reasons to produce CSR/Sustainability reports, the information contained should be subject to independent review, and Internal Audit would be well placed to confirm the effective functioning of controls over the production of the information.
Likewise, Risk Management can provide valuable support in the establishment and operation of a CSR programme, and can ensure effective consideration of the risks being reported, both in range and in depth. This can include ensuring that common data sources are used for CSR and statutory reports, reducing the risk of different and potentially contradictory information being reported.
Key points:
· The world of CSR/Sustainability reporting is undergoing massive change
· Most CSR data is financial data, just packaged differently
· Many CSR reporting standards are little more than marketing standards
· Most CSR reports cover only a subset of the actual business. Disclosures in CSR/Sustainability reports do not always mirror disclosures in statutory reports
· One activist with a smartphone can seriously ruin your day
· CSR/Sustainability reporting practices can be a bellwether of other reporting practices, good and bad
For these reasons Risk Managers and Internal Auditors should take a close look at what the company is saying to the world, and IA should confirm the effectiveness of the control environment that is producing the information that is reported, including the process (and costs) and the benefits.