By Tim Bovy and Ian Hodges
The date for the initial filing of mandatory reports is fast approaching. The European Union Corporate Sustainability Reporting Directive (CSRD) took effect on 5 January 2023, replacing the Non-financial Information Disclosure Directive (NFRD) of 2014. Companies already subject to the NFRD must begin reporting in January 2025 on their 2024 financial year. Initially, the new rules will apply to the approximately 11,800 companies that came under the NFRD. This number will increase to over 49,000 companies in January 2026, as the CSRD expands its scope.
The CSRD brings non-financial sustainability reporting to the same level as financial reporting for the first time in history, thus providing the initial step in fulfilling the promise contained in the EU’s Green Deal to be the first climate neutral economy by 2050.
The Corporate Sustainability Reporting Directive (CSRD) will cover a wide range of sustainability topics. Companies will be required to report on:
- Climate change, including their greenhouse gas emissions, their exposure to climate-related risks, and their plans to mitigate climate change.
- Environmental protection, covering their environmental impacts, such as their water use, waste generation, and pollution levels.
- Social responsibility, including their social impacts, such as their workplace conditions, their supply chain practices, and their impact on local communities.
- Governance, detailing their corporate governance practices, such as their board composition, their risk management processes, and their policies on human rights and anti-corruption.
The CSRD is also introducing the concept of “double materiality.” Companies will be required to report both on the Environmental, Social and Governance (ESG) risks and opportunities that affect their business, as well as on the ESG impacts of their business on people and the environment. ESG impact assessments and registers will be placed on an equal footing with their risk brethren.
CSRD reports must be published on the company’s website and made available to investors and other stakeholders, as well as being uploaded to the European Single Access Point (ESAP), a database that will be created by the European Commission to store CSRD reports. Companies will be required to upload their reports to the ESAP in a standardized format.
The ESAP will be a valuable resource for investors and other stakeholders who want to learn more about the ESG performance of companies. It will also help to ensure that CSRD reports are more easily accessible and comparable across companies.
To achieve this objective, the EU has mandated specific requirements for filing CSRD reports on the ESAP. They must be filed in XHTML format; tagged with a digital categorization system; and submitted within 12 months of the end of the financial year. Companies that fail to file their CSRD reports on the ESAP may be subject to fines.
The challenge for companies will be to collect, synthesize, and analyze the non-financial information they need for their reports from their internal data stores, including extracting information from emails, word processing documents, instant messaging apps, and text messages, to name just a few. As a first step, they will need to identify what information is relevant to their operations based upon their industry and the categories contained within the European Sustainability Reporting Standards (ESRS) 1 and 2.
Some categories are generally applicable, including, for example: ESRS 2 DR GOV-1 Board’s gender diversity, ESRS 2 DR SBM-1 Involvement in activities related to fossil fuel activities I, ESRS E1 DR E1-1 Transition plan to reach climate neutrality by 2050, ESRS S1 DR S1-16 Excessive CEO pay ratio, ESRS S2 DR S2-1 Policies related to value chain workers, Human rights issues and incidents connected to its upstream and downstream value chain, ESRS G1 DR G1-1 United Nations Convention against Corruption, and ESRS G1 DR G1-4 Standards of anti-corruption and anti-bribery
The value chain plays a significant role in CSRD reporting because it helps companies to understand and manage their ESG impacts throughout the entire lifecycle of their products and services. The value chain includes all of the activities that are involved in the production, distribution, use, and disposal of a product or service.
The CSRD requires companies to report on the sustainability impacts of their value chain, including:
- The environmental impacts of their suppliers and partners
- The social impacts of their labor practices
- The governance impacts of their supply chain relationships
The value chain reporting requirements are designed to help companies identify and mitigate sustainability risks throughout their operations. They are also designed to help companies to improve their social and environmental performance, and to build more sustainable supply chains. Integrating value chain information with a company’s own internal reporting requirements adds a layer of complexity to what is already a formidable undertaking in gathering unstructured non-financial information.
Many existing information management systems will not be up to the task. A practical first step would be to run a pilot project, using a sampling of the company’s CSRD reporting requirements to test the system’s effectiveness. Can that system be used to efficiently gather and pass on relevant measurements of pertinent metrics through the use of a standardised test?
It may be some years before one single system can provide a complete solution for companies with complex supply chains and subsidiaries. In many companies, supplementing existing technologies with tools enabling more efficient interoperability could represent a more viable alternative. While the breadth and depth of reporting required by the standard is challenging, the specificity offers clarity, and the standardised format is a route to interoperability,
Let’s take working conditions as an example, and consider what would be involved in successfully reporting on works councils, collective bargaining, including the proportion of workers covered by collective agreements, the information, consultation and participation rights of workers, work-life balance, and health and safety.
The first challenge is one of logistics. It involves tapping into existing information systems across the immediate estate of the company and reaching into the supply chain to extract information and aggregate it for processing. All information systems will require careful appraisal of the relevance, sufficiency, accuracy, and ease of use of the information they contain, This is principally a technical challenge. As difficult as it will be in large and complex enterprises, technical solutions can always be found to technical challenges.
Processing the information is both a technical and a semantic challenge. A technical challenge because information from different sources will be differently coded and is likely to reference different, and not always compatible, metrics. And a semantic challenge because unpicking the encoded meaning will require an understanding of the environment that produced the information. This is the more significant challenge.
Reporting on the working culture of the wider organisation, whether that is supply chain partners or internationally located branches and subsidiaries, requires an understanding of the relevant working culture and how it differs from that of the parent company. Simply complying with the reporting requirements will bring its own insights for many companies.
Works councils represent an interesting example. They are of considerable, though variable, significance across Europe but largely unknown in the Anglosphere, where staff councils may exist as sounding boards for senior management or, more appropriately, as a voice to employees. A works council with a mix of senior management and worker representation is a decision-making body and a significant part of the corporate governance model in Germany, for instance, where they are required by law.
Unpicking the semantics underpinning the raw information will mean making qualitative judgements; in the above case, for example, about what it means to have good and improving working conditions in different parts of the world. ESG metrics should be gathered and reported against a target, since targets drive change. Comprehensive legal compliance is not the main target; an end goal must instead represent meaningful engagement with and aspirational goals for the subject being measured and reported in a cycle of continuous improvement.
Works councils provides just one example of the level of analysis that will be necessary for the 11,800 companies that must begin reporting in January 2025 on their 2024 financial year. But, it is representative of the significant amount of work involved in fulfilling the CSRD reporting requirements. Its multi-layered demands also show that adequate preparation is essential.
About the Authors
Tim Bovy has over 35 years of experience in designing and implementing various types of information and risk management systems for major law firms such as Clifford Chance; and for international accountancy firms such as Deloitte. He has also developed solutions for organizations such as BT, Imperial Tobacco, Rio Tinto, the Kuwaiti government, The Royal Household, and the US House of Representatives. Tim is an elected member of The Royal Institute of International Affairs, Chatham House, an Independent Think Tank based in Central London. Tim holds a BA degree, magna cum laude, from the University of Notre Dame, and MA and C.Phil degrees from the University of California, Davis.
Ian Hodges has worked in a variety of information management roles over a twenty-year career. He has designed and implemented records and information management systems at a national scale, developing parts of the digital archive at The National Archives (UK). At a corporate level he’s undertaken information management projects with The Royal Household and Her Majesty’s Treasury. Ian also has information rights expertise developing policies and procedures for Freedom of Information and Data Protection compliance and working as a Data Protection Officer. In addition to CISM, CIPP/E and CIPM certifications, Ian holds a BA degree from the University of Southern Queensland, a postgraduate diploma from Deakin University, Melbourne and an MA from Birkbeck, University of London.
