Showing posts with label CSR. Show all posts

02 April 2015

Why CSR is an important part of your risk universe

Well isn't that a pretty CSR / Sustainability report? All the right tables, indexes, pictures of windmills and daisies, but yes, some fairly data rich tables and reports. There is also the great summary that shows that the company met 80% of its CSR targets for the year, and can even show how those targets have evolved over a number of years. 

That report, of course, is your competitor's. And the boss is not terribly happy about that.

Call in the troops, raise the alarm, set some goals, and produce that CSR report that makes us look like we care, dammit.

Yes sir, no sir, three pages full of pretty pictures sir!

And so the company starts down (or continues down the already well worn) path to CSR or Sustainability or ESG (Environmental, Social, Governance) reporting. Goals are set and agreed, business cases are produced, and external consultants are engaged to help with the process. A standard is selected, and soon, but realistically most of a year later, the company has its first CSR report ready to go. All that is needed is a nice front-piece from the CEO, written by marketing or the CSR team, and it is time for the press release and marketing event.

Did you, as the Risk Manager or Internal Auditor, know what was happening, and have you included the CSR reporting process on your risk register or audit programme? If not, why not?

I know of one Risk Manager who was invited into the CSR programme from the beginning, and he is convinced that the result has greater validity and value because of Risk Management's participation.




CSR (Corporate Social Responsibility) reporting is important, but it also exposes the business to a new set of risks: operational, reputational and regulatory. CSR (or similar) reporting processes and content represent an uncharted area for too many risk managers and internal auditors. The information has rarely been determined to be “material”, so even when the CSR programme or report has been in the risk universe, it has infrequently risen to a perceived level of significance sufficient to draw attention and review.

Yet I would argue that the reputational risk alone should be enough to encourage attention. Add the regulatory risk and there is a clear rationale for Risk Management and Internal Audit (IA). IA in particular has a mandate to review and report on the effectiveness of the system of internal controls, and its programme of reviews should be based on a risk weighting of processes, systems and operational areas of the business. For too long we have assumed that this means controls over financial reporting and IT systems.

Consider the easiest regulatory and reputational risk. Does the CSR report contain the same information as the regulatory reports? In an SEC context, are the risks reported in the 10K the same as in the CSR report? As a specific example, does the CSR report in any way discuss climate change or the risks associated with exploitation of scarce resources such as water? If these are discussed in the CSR report, then they must also be in the risks section of the 10K, or the company faces the danger of an investor or regulator asking why different risk factors are being reported as important to the present or future of the company.

This is as true for statutory reports in other jurisdictions. 

This is also true regardless of the reporting standard that you use, be it the GRI, IIRC's Integrated Report, UN Global Compact, SASB, or any other standard.

There are also metrics. Imagine reporting the level of carbon emissions or carbon offsets in a CSR type report, only to not report this information in statutory reports, regardless of what IFRS or US GAAP (or any other GAAP) requires.

While there are valid and important reasons to produce CSR/Sustainability reports, the information contained should be subject to independent review, and Internal Audit would be well placed to confirm the effective functioning of controls over the production of the information.

Likewise, Risk Management can provide valuable support in the establishment and operation of a CSR programme, and can ensure effective consideration of the risks being reported, both in range and in depth. This can include ensuring that common data sources are used for CSR and statutory reports, reducing the risk of different and potentially contradictory information being reported.

Key points:

· The world of CSR/Sustainability reporting is undergoing massive change
· Most CSR data is financial data, just packaged differently
· Many CSR reporting standards are little more than marketing standards
· Most CSR reports cover only a subset of the actual business
· Disclosures in CSR/Sustainability reports do not always mirror disclosures in statutory reports
· One activist with a smartphone can seriously ruin your day
· CSR/Sustainability reporting practices can be a bellwether of other reporting practices, good and bad

For these reasons Risk Managers and Internal Auditors should take a close look at what the company is saying to the world, and IA should confirm the effectiveness of the control environment that is producing the information that is reported, including the process (and costs) and the benefits.






25 March 2011

XBRL will be vital for CR reporting - but not by itself

Last night (24th March 2011) CorporateRegister.com announced the CR Reporting Awards for 2011 (results here). They also provided for a "debate" which, while I was unable to attend in person, I had the pleasure of participating in.

There were two topics:

Topic A: In future, all good CR reporting will be integrated
Topic B: XBRL will be vital for CR reporting

This second topic matched Liv Watson against Daniel Roberts (me). Liv's bio on the site reads: "Liv Watson is a Director and leads the Research and Development function at AccountAbility. She was one of the original developers of the XBRL standard, as well as a founder of the XBRL International consortium." I have had the pleasure of knowing Liv as a friend for many years. Her contributions to XBRL rank above virtually everyone else's.


Liv's (and my) full arguments are here, and comments are invited.

I thought I would also publish my arguments here. They stand alone from the general argument, and reflect my belief that we must do more to make CR (or CSR or Sustainability) reporting more effective, and that XBRL is only one way to accomplish that goal.

------------------------------------

There are more important issues to be addressed in CR reporting

Let me begin by stating that I believe that CR (Corporate Responsibility) reporting is no longer a nice-to-have – it is vital for capital markets to perform their primary function: the efficient allocation of capital for optimal return to investors. That means taking into account the true cost and impact of business, and that requires far more information than is currently reported.

The “Efficient Market” theory is well and truly dead, and in its place is recognition that more effective communication is required to approach even a facsimile of an efficient market. That additional communication needs to clearly demonstrate how each company impacts the “commons”. XBRL by itself does none of this; it is a boundary standard for the exchange and provision of data-level information that can be ‘trusted’. XBRL is important. But there are more important issues that must be addressed in CR reporting.

So if I (regretfully) disagree with the statement “XBRL will be vital for CR reporting”, then what do I consider vital?


1. Mandatory reporting
2. Against a regulator defined standard
3. That integrates financial and non-financial measures
4. That is audited
5. And finally, that is tagged, preferably in XBRL


1. Mandatory Reporting:

As long as CR reporting is optional, all reporting will be subject to the test: “Are we getting a better return for our money by producing this report than spending that money on other marketing activity?” Optional reporting ensures that forward looking businesses will report, cynical businesses will report what they want to report, while cost-sensitive businesses (which means most businesses) will provide limited or no reporting.

Mandatory reporting by all listed companies will ensure that the markets can view reported results from all companies by sector or size, or any other combination. Mandatory reporting is possible, requiring only the political will to make it so.

2. A Regulator Defined Standard:

Multi-stakeholder-created standards produce reporting requirements that are, by their very nature, the negotiated product of, well, stakeholders. This makes the standards malleable, with the reporting company invariably having the option of what to include and exclude. This makes CR reporting fundamentally a marketing issue. I call this the “Windmills and Daisies” syndrome, designed to create a good feeling while deflecting the reader from deeper issues.

Only when the regulators define the standard (with none of this “Core” and “Additional” stuff) will the standard be able to be applied equally. Ideally, such a standard would be the work of a consortium of regulators. In effect, an IASB for CR reporting.

3. Integrated Reporting:

Mike Krzus and Bob Eccles make the case for integrated reporting in their fine book “One Report”. They cite examples, and show how it is possible today to provide a more complete picture of a business for the investor community. Such reporting, in conjunction with a regulator defined standard, will ensure that what we now call “extra-financial information” or “externalities” can be and are reported alongside the range of information we currently use.

4. Audited CR reports:

When the external auditors review the financial statements, they do not ask the client what is in and what is out of scope, or what is material. They decide the scope and materiality. Until CR reports are subject to the same standard of assurance, the content and information provided will be viewed with skepticism. Such auditing standards already exist, so no additional standards development is required.

5. Report content tagged for easy consumption:

Once financial and non-financial information is being provided in a single integrated report, complying with a regulator approved standard, and containing audited information, it will only be a matter of time before providers and consumers of the information seek mechanisms to make it “easy” to consume. I want the information to be provided in XBRL. I am a huge proponent of XBRL, and chaired the XBRL US Steering Committee.

But only once organizations like the GRI (and others) stop paying lip service to XBRL, and build a real taxonomy, will the information be tagged in the XBRL standard. As a supporter of XBRL, my personal fear is that something “simple” will be used as a substitute, reducing the value of the information and benefits that can be achieved.

In summary, CR reporting requires meaningful, complete, accurate and trusted information that communicates a company’s true impact in a manner that allows rational decision making based on a holistic picture of the business. Certainly that information tagged in XBRL will be helpful to consumers of that information. Most important today is that the information is being collected and made available.

14 November 2010

CSR Reporting Risks


Much has been written about the benefits of CSR and Sustainability reporting, so it may be worth taking some time to consider the risks, and potential mitigation of those risks. CSR and Sustainability reporting has a purpose, foremost to communicate a company's achievements, challenges and plan for being a responsible business, and to achieve a level of sustainability possible to that company and its industry.

It is easy (for those involved with sustainability or CSR) to assume that the benefits of reporting outweigh the risks or costs. This is an assumption that needs to be met head-on, to ensure that in each particular situation, the appropriate benefits are being achieved, accurate and relevant information is being reported, key stakeholders are engaged, and that the primary audiences are reading and using the reports.

Introduction

I’ll start with the assumption that a CSR / Sustainability report is produced, and that a project team is responsible for creation and maintenance of the report. So this is not "just a report", it is a project and a process. What could possibly go wrong? To a certain extent, the list of possible risks mirrors those of any project or set of deliverables. After all, it represents a set of approved expenditure designed to address a set of business needs and issues, and deliver a set of business benefits that should outweigh the investment.

Yet CSR / Sustainability reporting is not just another project or report. A CSR / Sustainability report combines aspects of marketing, financial and regulatory reporting, operational efficiency and effectiveness, and enunciation of the vision and mission of the enterprise. There's a lot riding on that funny little report with its photos of windmills, smiling girls and daisies.

So what are the risks? Here is a summary list, with more detail in the full White Paper.

· Is it worth it?
· Market expectations
· Green-washing
· Fraud
· Regulatory requirements
· Delivery of promise
· Is it being read? Hitting the target

In discussing each of these risks, I hope you'll bear with my being boring and using a structured approach. For each risk, I'll describe the risk, discuss the likelihood, impact, how to monitor and responses. Dull yes, but systematic when dealing with discussion of risk. And far too long for a blog posting.

You can download the full White Paper here.

28 October 2010

Why create a CSR report?


Why should a company create a CSR (Corporate Social Responsibility) report, sometimes known as a Sustainability report, or even a “Triple Bottom Line” report? What are the drivers? Is CSR a fad, a real reporting opportunity, or a requirement? The answer to that question depends on who you are, your markets and clients, your competitors, and those you report to external to the company.

It is easy to suggest that it is a fad, and we've all seen fads come and go. But it is also easy to see that if it is a fad, it is a fad that is being driven as much by consumers as by companies themselves. Companies across industries are touting their corporate responsibility on their websites. Why? Why would they spend the money and time to create reports, unless they actually believe there is a return for such reporting?

The very fast response is that they believe there is going to be a return, a real ROI, either through reduced costs or increased revenue, or both.

Drivers

So what are the key drivers? They can be summed up as including:
•    Investors
•    Market expectations
•    Competitors
•    Regulators
•    Employees
•    Communities

And each of these drivers has at its core either increasing revenues, or reducing costs. After all, if a program does not accomplish one or the other, then why should a company incur the associated costs?

In CSR circles, these drivers are called "stakeholders", and frequently direct outreach to stakeholders is an important element of creating a successful CSR report. Strangely, for most companies that "stakeholder engagement" has already taken place, in one way or another, and the information needed to create the CSR report already exists.

So let's look quickly at each of these drivers.

Investors

Why should a company produce any report? Fundamentally reporting should serve the purpose of improving internal decision-making, influencing external parties, or responding to regulator mandates. As CSR reports are external facing in nature, the question then is "who do we want to influence?" At the front of the pack should be the investors or potential investors. And this means that the CSR report should provide the information needed for that group - information to demonstrate to investors (and analysts whose results are of interest to investors) that the company understands and is proactive in meeting its "responsibility" imperatives.

Investors want both short- and long-term rewards, and management's program must balance the two. The CSR report should, coupled with or even integrated with the annual and financial report, provide the data that delivers comfort to investors that the company understands and is focused on achieving short-term rewards in a manner that ensures achievement of long-term rewards and goals. Almost sounds like the classic definition of Sustainability - enough for today without stealing from tomorrow (my paraphrase).
 
Market Expectations

Markets, both B2B and B2C (and every other x2x) are becoming much more aware of the relationship between a supplier's corporate responsibility and the quality of product, acceptance of the product, and reduction of long term costs.

Equally, companies have come to understand that, as Warren Buffett said best, "it takes 20 years to build a reputation and 5 minutes to ruin one". Corporate responsibility is not about always doing good, but about being able to prove to yourself and communicate to your customers that you always try, honestly, to do good (within a business context of needing to make a profit).

Many companies are now including a requirement for suppliers to specifically address their CSR credentials in proposals. One bank in Vancouver includes responses in its ranking of potential service providers. Other companies around the world are now looking for this information in bids.

You should be asking for a copy of any potential supplier's CSR reports before entering into any major contract. Companies that provide such reports are significantly more likely to understand the issues and to work to ensure that they are “responsible” businesses. Companies that cannot demonstrate their CSR credentials may cost you, and cost you big. Too often a failure to report is not because the company is not aware of the issues, but because addressing potential issues (child labor, carbon-intensive production or energy, pollution) can add costs that will eat into the suppliers’ profits. Competing against “responsible” businesses without carrying associated costs can be profitable business. But today, any tourist or activist with a cellphone could destroy your reputation, linking you to irresponsible companies in your supply chain.

Competitors

Companies should take a very good look at their competitors’ websites and the messages that they are sending.

Working with clients, I make a habit of looking at their competitors’ websites. It comes as a little surprise that many tout their sustainability or responsibility credentials. Sometimes in vapid and empty phrases, or with pictures of windmills, daisies, and little girls smiling in the sunshine (these I almost immediately discount). Others back up their statements with reports, online or in PDF format, sometimes with a GRI Content Index to help find various bits of information.

Then there are the majority - the companies that do not have CSR or Sustainability reports or position statements. I also like to point these out to my clients, asking if demonstrating the company’s credentials might actually provide a competitive advantage. Equally, if the company is already competing on a "level playing field", how level will the field be when their competitors do start showing their credentials?

Regulators

Ahhh, regulators, the gorilla in the room. Why are they a driver for creating a CSR or Sustainability report? The first reason is to show them that you are already a "responsible" business and therefore, as they say on the police shows - "Move along, nothing to see here". The second reason is to prove that there is no need for all that nasty regulation that they are considering, because you are already "responsible", as demonstrated in your report.

Of course, the first reason is the more effective, because for the second to matter, your peers will need to be demonstrating that they are responsible businesses also.

So, the CSR or Sustainability report should be taking information that your company already produces, and compiling it into a quality report that all can see, not just the regulators who are already receiving those detailed reports.

A great example is the commercial property and construction industries. Many companies in these industries produce very nice CSR reports. A careful read of the reports, especially their health and safety sections (frequently described as "Caring for our People and our Communities" or words to that effect) can be boring, and sound like boilerplate. At their core is a simple message - "We comply with all health and safety laws". But that is not nearly as interesting as reporting a reduced accident rate, increased training, onsite safety briefings for all visitors (“because we care”), etc.

Employees

Employees like to have pride in their company. It is part of them. And a company’s image reflects on the employees. Ask any employee of a "Top 100 Places to Work" (in the US) or virtually any employee of a company like the Co-Op in the UK, and you will see their pride.

And pride in your employer translates directly into reduced unplanned turnover, reduced hiring costs and payroll, and increased productivity. We know that people work for money - but we also know that people choose where they work for many reasons beyond money.

Some companies are intentionally structuring the "responsibility" message with a view to attracting and retaining employees (even in this economy). Some look at their employees as long term assets that require investment. Others understand that the recovery, as it unfolds, will change the employment picture, and companies with a poor reputation will get their pick of the second-level candidates.

Communities

Finally, and possibly most importantly, all companies have a "license to operate" that is in no small part predicated on how the local and wider community views that company. Good employers, innovative products and services, and a respect for the environment and society all factor into that "license to operate". Abuse that license and society will turn against the company.

Therefore reports are being written specifically to highlight the value and respect that companies have for their communities. For the multinationals, they report to demonstrate their respect for and support for the varied cultures and communities in which they work and deliver products and services.

The support of companies for their communities is not something that happens because it is in a glossy CSR report. The CSR report highlights the support that the company provides to its communities.

Where does the content come from?

So, I've highlighted the drivers for CSR reporting. But where does all the information contained in such a report come from? The range of information, the number of people that maintain and hold that information within a company can be quite difficult to map. And mapping the sources of that information is important.

The good news is that there are ways to improve access to, and collation of, all that information, filtering out the important from the merely interesting.

This is a subject for a different article, but clearly tools exist or are coming onto the market that will make the collection, collation and selection of already existing information and content much easier. This will facilitate the rapid creation and updating of CSR / Sustainability reports, regardless of the reporting standard used.

What reporting standards should be followed?

Today there are a few reporting standards, and the standard selected should be based on the primary audiences. If you are looking to create a pool of data for analysts, I would recommend you take a good hard look at the KPIs for ESG produced by the DVFA (German Investment Analysts Association) and endorsed by EFFAS. If your primary audience is marketing, consumers, and employees, then the GRI's G3 standard provides a range of reporting levels (they call them "Application Levels") that allows you to produce a tailored report, and to grow the range of reported information over time.


The UN Global Compact probably has the "easiest" and "fastest" standard to comply with, and is a good "starter" report. But if a company is going to be serious about meeting the information needs of the widest range of audiences, the UNGC will not be adequate.


The work of the newly formed (August 2010) IIRC (International Integrated Reporting Committee) will be worth following, as the primary objective there is to create reporting standards that integrate sustainability reporting into traditional business reporting (annual reports, etc.) and provide a sound accounting base for the reported information.