SASB’s XBRL Taxonomy; Stepping forward by stepping sideways

SASB’s XBRL Taxonomy

Stepping forward by stepping sideways

The future of business reporting is incomplete without a significant increase in the quantity and quality of ESG reporting, ultimately mandated by regulators and included in the scope of the external audit. For ESG data to be of an auditable quality, a common standard is required, with a level of rigour equivalent to IFRS or US GAAP standards approved by the FASB (and for the US government, GASB). To meet the need for higher quality ESG (Environmental, Social, and Governance) reporting, the SASB has just released an XBRL taxonomy version of their standards.

Is the SASB XBRL Taxonomy an extravagance, a step sideways, or in a strange way, a step forward for ESG reporting? Is an(other) XBRL taxonomy required, and if so, why and what benefit will be achieved (and for whom)? After all, there is already a GRI XBRL Taxonomy for Sustainability reporting.

The foundations for effective ESG reporting are being laid, but there remains a lack of compulsion that will be required to force companies to deliver.

Instead of another XBRL Taxonomy, I would recommend the SASB (VRF) put their energies and limited resources into:

1. lobbying the SEC and regulators to require ESG reporting in quarterly and annual reports, and
2. request the SEC to provide further guidance on how ESP information should be provide under Reg S-K, including the 2020 “modernisation” of the Rule, and
3. lobbying regulators to demand that ESG information be audited, and
4. developing course materials to enable universities to train young accountants to audit ESG information, and
5. developing CPD materials for established professionals to audit (including Partner review training) of ESG information, and
6. work with the data aggregators to develop easy to use reporting tools to analyse ESG content.

Sustainability data will remain “nice to have” until it mandated and it is audited, and any number of XBRL Taxonomies will not make that happen.

The importance of SASB

ESG (and Sustainability) reporting is not new, although its importance has increased through the pandemic and the climate crisis. When the Club of Rome released their “Limits to Growth” in 1972, there was little understanding of sustainability as a national and business priority. Over the next decades, that changed, and by the turn of the century, the first ESG and sustainability reporting standards were introduced.

The problem with almost all sustainability reporting standards is the lack of auditability of the reports, and the lack of accounting-standards level clarity or exactness of definition. It was almost impossible to ensure like-for-like meanings of the reported sustainability or governance concepts. Most standards were built with the PR department in mind, not Finance and share market or Compliance Reporting.

The SASB (Sustainability Accounting Standards Board) was established in an already well-populated ecosystem of competing standards for ESG reporting. However, SASB is the first standards organisation of develop a set of sustainability and ESG reporting standards to the same level as traditional accounting standards. The IIRC (International Integrated Reporting Consortium) was founded in the UK to pursue the development and introduction of the “Integrated Report” to improve the quality of business reporting. The SASB and IIRC have merged to create the Value Reporting Foundation (VRF).

For a standard to be successful it requires three market drivers. First a need must be satisfied that exceeds the cost of implementation – a compelling commercial case for implementation. Second there must be natural users or ‘consumers’ of the product of the standard. Finally, there must be regulatory drivers that compel the recalcitrant to implement the standard.

Until now, Sustainability and/or ESG reporting has lacked the third of these, in that sustainability reporting has been optional. This resulted in a plethora of standards (the GRI, SASB, CDP, UNGC, etc)* each providing optional levels of compliance and limited, if any, assurance mechanisms. We shouldn’t forget the “Accounting for Sustainability” (A4S) initiative from the Prince of Wales, or the Task Force on Climate-related Financial Disclosures (TCFD) initiative.

All of these standards are voluntary. This means that Sustainability and/or ESG reporting have been, by the very option nature of such reporting, an opportunity for marketing and PR to put forward the best story, especially if it is not the whole story.

SASB’s standard provides one of the first ESG standard with the potential to meet regulator’s needs for an auditable and consistent content definition. Therefore, when the third driver is in place (regulatory mandate), the SASB standard is ready to be used to provide the level and quality of data mandated by regulators.

The XBRL Dream

In 1998 (long before the first iPhone), a group of accountants came up with an intriguing idea. What if they were able to create an XML based standard for the “tagging” of financial information, so that all consumers of that information would know exactly what each piece of data actually meant. Of course, it was not so easy, as any financial and later “business” “fact” requires an awful lot of contextual information to give it actual and consistent meaning. So the XBRL (eXtensible Business Reporting Language) Standard was born, extending the XML standard considerably.

With XBRL, it was possible to state with certainty that one company’s reported “Cash and Cash Equivalent” actually defined the same accounting concept as another company’s reported “Cash and Cash Equivalent”. In addition, the “eXtensible” part of the standard meant that if you require a more granular concept than already exists in the taxonomy, you could add a new element.

Business reporting would be simplified, consumption of like-for-like information would transform analysis, and companies, through the (modest it was hoped) use of extensions elements, could “tell their story their way”.

Now it was simply a matter of developing a taxonomy of business terms, and convincing software makers to develop the tools required to support what had become a very complex standard.

The XBRL Reality

Unfortunately, the complexity of XBRL meant that for the first decade, all three of the major drivers for adoption were missing. There was no economic case for developers to create software or for companies to spend their money to produce financials and business reports in XBRL, because there were no consumers of XBRL (and little or no software to consume and use the XBRL). Finally, no regulator had mandated the provision of XBRL versions for key reports. Certainly, there were niche software houses that bought into the dream of XBRL, and a few companies that chose to produce XBRL. Some of the financial reporting aggregators even said that they could or would support XBRL.

In 2009 the SEC’s mandate for the provision of parts of the 10K (annual reports) and 10Q (quarterly reports) in XBRL came into effect. But they have yet, more than a decade later, to mandate that the XBRL content be audited, nor have the expanded the coverage of content adequately to the full reports.

Across Europe, regulators have mandated XBRL for everything from company reports to insurance solvency reporting. Companies House in the UK receives XBRL version of company financials from all companies. But as these files are, in effect, produced from templates, the dream of high-quality business data has not been met.

XBRL remains a cumbersome and limited standard, and one that is used only (other than very few exceptions to prove the rule) by companies that are required to produce reports in the XBRL format. There remains virtually no voluntary uptake of a complex and expensive standard that delivers unaudited data for which there is no consumer driven demand.

The best-mangled metaphor I’ve ever seen was used to describe XBRL. It is “like using a dinosaur to crack a walnut”.

Implications of the SASB XBRL Taxonomy

Now SASB has, with the assistance of one of the Big-4 who has supported XBRL from the very beginning, developed an XBRL Taxonomy for their reporting standard. This is good news. It will now be possible to “tag” the ESG data in XBRL for automated consumption by XBRL capable regulators and reporting systems. 

Furthermore, when a company tags an ESG “fact” in XBRL, consumers of that data will know that the underlying meaning and concept associated with that “fact” is exactly the same and the underlying meaning and concept of that “fact” reported by any other company using the same taxonomy and taxonomy element.

SASB’s XBRL Taxonomy will neither derail nor spur ESG reporting

Realistic and meaningful ESG reporting will not happen until regulators mandate not only the reporting but that the information is audited, and a dedicated XBRL Taxonomy will have little impact on the uptake of ESG reporting.

Only then will reporting companies provide information that investors can trust (Google “Greenwashing”).

The provision of ESG information tagged in XBRL (and audited) might be an improvement. However, the XBRL standard is so old and cumbersome that only a limited number of people will ever have the skills required to exploit data provided in native XBRL.

If SASB really wants ESG adopted…

SASB (or the Value Reporting Foundation as it is now called after merging with the IIRC) is probably the best standard for real, auditable, ESG information. If they really want companies to be providing ESG reporting, and using SASB as “the standard”, I would recommend that instead of playing with the Big-4 and XBRL, that their energies go into the list of activities listed at the beginning of this arlticle.

I would also challenge for any reader to add to that list. What else should the SASB/VRF be doing to encourage the uptake and use of ESG reporting?

--------------------------------------------

*  “GRI, SASB, CDP, UNGC”. These are four of the multitude of ESG “standards”: Global Reporting Initiative, Sustainability Accounting Standards Board, the Carbon Disclosure Project, and the UN Global Compact.

The Author: Daniel Roberts served as Chair of the XBRL US Steering Committee in 2005 and 2006, a time when XBRL US was working closely with the SEC to advance the use of XBRL for corporate disclosures. 

The SEC will take ESG seriously

Combined with a Final Rule Change in November, the announcement of Allison Herren Lee as Acting Chair of the SEC is excellent news from an ESG (Environmental, Social, Governance) and Sustainability reporting perspective. Rest assured, the new US administration’s acceptance of the science of Climate Change and stated understanding that there are already major impacts on the environment, are going to result in a major shake-up in corporate reporting.

For too many years the SEC has paid lip service to the need for ESG reporting.

No rule change will be needed

This means, finally, there will be real movement in requiring companies to provide ESG reporting. Way back in 2009, I wrote to the SEC in support of the Social Investment Forum (SIF) vision of what mandatory Environmental, Social and Governance (ESG) disclosure should look like. I pointed out there than the existing Reg S-K already mandated reporting on ESG in the MD&A.

Companies listed on the US markets are required to file various forms with the SEC, with the most notable being the Form 10-K, the annual filing that includes both financial information, and significant additional information included in the "Management Discussion and Analysis" (MD&A) section. The content of the Form 10-K is controlled by Regulation S-K, and there is some specific wording that applies to ESG and Sustainability reporting. However, it does not explicitly state ESG or Sustainability. 

I argued then, and still believe, that the "known trends" and "uncertainties" requirement was enough.

There is already the requirement under §229.303 for companies to "Describe any known trends or uncertainties that have had or that the registrant reasonably expects will have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations."

I believe that Climate Change and the wide range of potential negative impacts, raises to the standard of a "known trend", or at a minimum, based on the overwhelming amount of scientific research undertaken to date, an "uncertainty". Equally, Social and Governance issues have a significant impact on liquidity and operations, and therefore should rise to the level of "known trends" or "uncertainties".

The SEC has acted on the "known trend" or "uncertainty" clause before, when Y2K reporting was mandated. At that time the SEC also took the bold step of stating that boilerplate reporting would not be acceptable, and that filers had to provide detailed discussion of their plans, including potential impact on customers, and the cost to address. “No net impact” was not an acceptable response. The SEC's actions in relation to Y2K could form the basis for similar action in relation to Climate Change and ESG reporting.

Allison Herren Lee's appointment as Acting Chair of the agency will bring about a sea change in ESG reporting.

“During my time as Commissioner, I have focused on climate and sustainability, and those issues will continue to be a priority for me,”

Read those words again “those issues will continue to be a priority”. Finally, we will have some real reporting on ESG and sustainability in annual filings, and hopefully not the boilerplate. Investors and the public should begin to see what companies really think are the risks (and opportunities), and will need to say exactly what they plan to do to address the potential impact of Climate Change.

The Rules have changed

In November 2020, a Final Rule from the SEC strengthened the reporting requirement. In their Final Rule, they discuss the change from "will" have a material impact, to "reasonably likely" to have a material impact. 

"Item 303(a)(3)(ii) currently requires a registrant to describe any known trends or uncertainties that have had or that the registrant reasonably expects will have a material impact (favorable or unfavorable) on net sales or revenues or income from continuing operations".

The Commission's final Rule says:

"We are adopting Item 303(b)(2)(ii) with these amendments substantially as proposed, but with slight modifications to clarify that the “reasonably likely” threshold applies throughout Item 303. Furthermore, our amendments to Item 303(a) state that, as part of MD&A’s objectives, whether a matter is “reasonably likely” to have a material impact on future operations is based on “management’s assessment.”

I could contend that it will be the very brave, or very disconnected, company executive who, in "management's assessment", determines that Climate Change cannot be considered "reasonably likely" to have an impact on "continuing operations".

Preparing for the change

So with this change and increased reporting, what should reporting companies be doing?

First, consider a complete review of your CRS reporting. CSR has too frequently been seen as something owned by or shared with Marketing and Communications. The greater the ‘power’ in Marketing for the production of CRS reporting, the greater the risk that what you are reporting does not fully map to the reality of your operations or strategic expectations.

There is a risk of shareholder, regulator or customer sanction if your CSR reporting is not in sync with your internal strategic plans and the assumptions used to create those plans and, more importantly, with what you have been reporting in SEC other regulated filings. If there is a disconnect, then there is a risk to reputation and a risk that a regulator (or the markets) will respond punitively to a belief that the company has been ‘hiding’ information, or spinning and ‘greenwashing’.

CRS and Sustainability have just jumped to the top, or near the top, of the Internal Audit risk universe. What controls are in place over the production of the CSR report? What processes are in place to validate the information that is reported? Does management override play a part in the production of such reporting?

Instead of repeating myself, I’ll just point you to my post on the subject from all the way back in 2015; Why CSR is an important part of your risk universe.

Pick a Standard

There are several ‘competing’ CSR and Sustainability reporting standards. Do your research. Each has its strength, but so far we do not know which one will be the ‘one true standard’ the way COSO became the presumptive standard for internal control following SOX.

My own betting would be on either (or both) the SASB and the GRI standards. Both are comprehensive and established. SASB is modelled on the need for rules-based reporting and standards used in corporate financial reporting, and the very name pays homage to the FASB. The GRI standard, however, is global and has been around for close to 20 years. There may be some flaws, but it is a comprehensive standard for wider ESG reporting.

Plan ahead

Expect ESG reporting to expand, and expect scrutiny of reported information to increase. Mismatches between current and historical CSR and Sustainability reporting and corporate communications will come to light, so be prepared if you are concerned that there may have been mismatches.

With Climate Change on the agenda (finally) and with a new SEC Chair nominated (with clear views on ESG) there can be little doubt that ESG and Sustainability reporting will no longer be something for the marketing people; it is now center stage for regulatory reporting.

Why CSR is an important part of your risk universe

Well isn't that a pretty CSR / Sustainability report? All the right tables, indexes, pictures of windmills and daisies, but yes, some fairly data rich tables and reports. There is also the great summary that shows that the company met 80% of its CSR targets for the year, and can even show how those targets have evolved over a number of years. 

That report, of course, is your competitors. And the boss is not terribly happy about that.

Call in the troops, raise the alarm, set some goals, and produce that CSR report that makes us look like we care, dammit.

Yes sir, no sir, three pages full of pretty pictures sir!

And so the company starts down (or continues down the already well worn) path to CSR or Sustainability or ESG (Environmental, Social, Governance) reporting. Goals are set and agreed, business cases are produced, and external consultants are engaged to help with the process. A standard is selected, and soon, but realistically most of a year later, the company has its first CSR report ready to go. All that is needed is a nice front-piece from the CEO, written by marketing or the CSR team, and it is time for the press release and marketing event.

Did you, as the Risk Manager or Internal Auditor, know what was happening, and have you included the CSR reporting process on your risk register or audit programme? If not, why not?

I know of one Risk Manager who was invited into the CSR programme from the beginning, and he is convinced that the result has greater validity and value because of Risk Management's participation.

CSR (Corporate Social Responsibility) reporting is important, but it also exposes the business to a new set of risks; operational, reputational and regulatory. CSR (or similar) reporting processes and content represent an uncharted area for too many risk managers and internal auditors. The information has rarely been determined to be “material”, so even when the CSR programme or report has been in the risk universe, it infrequently rose to a perceived level of significance to draw attention and review.

Yet I would argue that the reputational risk alone should be enough to encourage attention. Add the regulatory risk and there is a clear rationale for Risk Management and Internal Audit (IA). IA in particular has a mandate to review and report on the effectiveness of the system of internal controls, and that the programme of reviews should be based on a risk weighting of processes, systems and operational areas of the business. For too long we have assumed that this means controls over financial reporting and IT systems.

Consider the easiest regulatory and reputational risk. Does the CSR report contain the same information as the regulatory reports? In an SEC context, are the risks reported in the 10K the same as in the CSR report. As a specific example, does the CSR report in any way discuss climate change or the risks associated with exploitation of scarce resources such as water? If these are discussed in the CSR report, then they must also be in the risks section of the 10K, or face the danger of an investor or regulator asking why there are different risk factors being reported as being important to the current or future of the company.

This is as true for statutory reports in other jurisdictions. 

This is also true regardless of the reporting standard that you use, be it the GRI, IIRC's Integrated Report, UN Global Compact, SASB, or any other standard.

There are also metrics. Imagine reporting the level of carbon emissions or carbon offsets in a CSR type report, only to not report this information in statutory reports, regardless of what IFRS or US GAAP (or any other GAAP) requires.

While there are valid and important reasons to produce CSR/Sustainability reports, the information contained should be subject to independent review, and Internal Audit would be well placed to confirm the effective functioning of controls over the production of the information.

Likewise, Risk Management can provide valuable support in the establishment and operation of a CSR programme, and can ensure effective consideration of the risks being reported, both in range and in depth. This can include ensuring that common data sources are used for CSR and statutory reports, reducing the risk of different and potentially contradictory information being reported.

Key points:

·         The world of CSR/Sustainability reporting is undergoing massive change

·         Most CSR data is financial data, just packaged differently

·         Many CSR reporting standards are little more than marketing standards

·         Most CSR reports cover only a subset of the actual business. Disclosures in CSR/Sustainability reports do not always mirror disclosures in statutory reports

·         One activist with a smartphone can seriously ruin your day

·         CSR/Sustainability reporting practices can be a bellwether of other reporting practices, good and bad

For these reason Risk Managers and Internal Auditors should take a close look at what the company is saying to the world, and IA should confirm the effectiveness of the control environment that is producing the information that is reported, including the process (and costs) and the benefits.