02 April 2015

Why CSR is an important part of your risk universe

Well isn't that a pretty CSR / Sustainability report? All the right tables, indexes, pictures of windmills and daisies, but yes, some fairly data rich tables and reports. There is also the great summary that shows that the company met 80% of its CSR targets for the year, and can even show how those targets have evolved over a number of years. 

That report, of course, is your competitors. And the boss is not terribly happy about that.

Call in the troops, raise the alarm, set some goals, and produce that CSR report that makes us look like we care, dammit.

Yes sir, no sir, three pages full of pretty pictures sir!

And so the company starts down (or continues down the already well worn) path to CSR or Sustainability or ESG (Environmental, Social, Governance) reporting. Goals are set and agreed, business cases are produced, and external consultants are engaged to help with the process. A standard is selected, and soon, but realistically most of a year later, the company has its first CSR report ready to go. All that is needed is a nice front-piece from the CEO, written by marketing or the CSR team, and it is time for the press release and marketing event.

Did you, as the Risk Manager or Internal Auditor, know what was happening, and have you included the CSR reporting process on your risk register or audit programme? If not, why not?

I know of one Risk Manager who was invited into the CSR programme from the beginning, and he is convinced that the result has greater validity and value because of Risk Management's participation.

CSR (Corporate Social Responsibility) reporting is important, but it also exposes the business to a new set of risks; operational, reputational and regulatory. CSR (or similar) reporting processes and content represent an uncharted area for too many risk managers and internal auditors. The information has rarely been determined to be “material”, so even when the CSR programme or report has been in the risk universe, it infrequently rose to a perceived level of significance to draw attention and review.

Yet I would argue that the reputational risk alone should be enough to encourage attention. Add the regulatory risk and there is a clear rationale for Risk Management and Internal Audit (IA). IA in particular has a mandate to review and report on the effectiveness of the system of internal controls, and that the programme of reviews should be based on a risk weighting of processes, systems and operational areas of the business. For too long we have assumed that this means controls over financial reporting and IT systems.

Consider the easiest regulatory and reputational risk. Does the CSR report contain the same information as the regulatory reports? In an SEC context, are the risks reported in the 10K the same as in the CSR report. As a specific example, does the CSR report in any way discuss climate change or the risks associated with exploitation of scarce resources such as water? If these are discussed in the CSR report, then they must also be in the risks section of the 10K, or face the danger of an investor or regulator asking why there are different risk factors being reported as being important to the current or future of the company.

This is as true for statutory reports in other jurisdictions. 

This is also true regardless of the reporting standard that you use, be it the GRI, IIRC's Integrated Report, UN Global Compact, SASB, or any other standard.

There are also metrics. Imagine reporting the level of carbon emissions or carbon offsets in a CSR type report, only to not report this information in statutory reports, regardless of what IFRS or US GAAP (or any other GAAP) requires.

While there are valid and important reasons to produce CSR/Sustainability reports, the information contained should be subject to independent review, and Internal Audit would be well placed to confirm the effective functioning of controls over the production of the information.

Likewise, Risk Management can provide valuable support in the establishment and operation of a CSR programme, and can ensure effective consideration of the risks being reported, both in range and in depth. This can include ensuring that common data sources are used for CSR and statutory reports, reducing the risk of different and potentially contradictory information being reported.

Key points:

·         The world of CSR/Sustainability reporting is undergoing massive change
·         Most CSR data is financial data, just packaged differently
·         Many CSR reporting standards are little more than marketing standards
·         Most CSR reports cover only a subset of the actual business. Disclosures in CSR/Sustainability reports do not always mirror disclosures in statutory reports
·         One activist with a smartphone can seriously ruin your day
·         CSR/Sustainability reporting practices can be a bellwether of other reporting practices, good and bad

For these reason Risk Managers and Internal Auditors should take a close look at what the company is saying to the world, and IA should confirm the effectiveness of the control environment that is producing the information that is reported, including the process (and costs) and the benefits.

No comments:

Post a Comment