Three years ago, the senior managers of a company in an extractive industry decided to commission an audit of the environmental, social, and governance (ESG) metrics included in its annual report. They understood that disclosure of greenhouse gas emissions in particular was soon likely to be required, and they wanted to give investors and other stakeholders confidence in the quality of their reporting.
Then they did a pre-audit review of their data and processes—and realized they had some prep work to do. Not only could they not reliably follow the balance of all their emissions, but they also didn’t have complete records and couldn’t even tie their data back to actual utility invoices. When pressed, one manager quipped, “Oh, we don’t keep any of that stuff; no one has ever asked us for it.” Moreover, they weren’t using the right emissions factors or the right sources to support conversions to CO2 equivalents. An audit would have to wait, they realized, until they could conduct a thorough inventory of their emissions.
Their experience was not an uncommon one.
Investors and the public alike are keenly interested in companies’ performance on sustainability, by which we mean a company’s ability to maintain a certain level of economic resources over time without negatively affecting the environment or society. Yet many companies are still getting a handle on how to track and report, and eventually assure, their related data. They have questions about how to measure some nonfinancial data on a consistent basis, not just from year to year but from business to business, so that performance and impact can be compared. They often face limited or obsolete data—whether actual or modeled—and inconsistency across sources. And despite recent moves by some regulators to start providing broader reporting guidelines, the area is quickly evolving with varying initiatives, reflecting diverging opinions on what and how to report.
To build investor and stakeholder trust in sustainability-related measures of performance, companies eventually face the question of whether their reporting can be externally validated. For most, assurance in this area is a novel exercise even if they’ve been reporting some metrics for years. The data is qualitatively different, is rife with subjectivity, and has often been compiled through unstructured processes. With new reporting requirements on the horizon, there are some practical steps companies can take to prepare.
The trouble with sustainability-related data
Financial data is familiar, and the processes for managing it are well understood. When an invoice comes in, it gets scanned into a system, checked against expectations, and subjected to analytical procedures. Finally, somebody signs off and approves payment.
None of those processes have traditionally existed in the sustainability world, where data is qualitatively different from traditional financial metrics. Much environmental data is operational, coming from devices such as electrical or water meters, or is estimated using statistical models in which underlying data can be years old. Social data covers diversity and inclusion metrics with characteristics unfamiliar to the typical financial system. In both cases, much of the data is unstructured, unformatted, and manually tracked—and key performance indicators (KPIs) are often defined differently from region to region or even unit to unit. That makes it very difficult for a company to assess its contribution to sustainability objectives.
Take, for example, a European construction company with operations in more than 80 countries and territories. A statutory list of KPIs the company must disclose puts some boundaries on its reporting and auditing obligations. But the definition of those KPIs can differ by region. On social metrics, for example, defining the proportion of permanent to temporary employees gets messy, because what counts as a temporary worker can vary depending on local regulations. Some define all workers as temporary, while in others, legal contracts very clearly define who is temporary and who is not. Further challenges arise when it comes to tracking and reporting metrics such as training, salary, or diversity by temporary or permanent status.
Subjectivity and ambiguity
Regulators increasingly feel that some ESG metrics are useful indicators of good governance—that companies should know what their carbon footprint is and should ensure that they have a diverse and equitable workforce. Beyond that, companies still have a lot of wiggle room to determine what’s material, depending on the issue, the context, the time frame, and the stakeholder. That opens the door to subjectivity in definitions that can render reporting ambiguous and difficult for investors and others to interpret.
Even regulations, where they exist, are usually quite broad. Their emphasis on disclosing the risks that are most important—the most material—to their stakeholders still leaves it to companies to decide what is material and who are their stakeholders. Many companies still prefer a traditional, quantifiable definition of materiality that elevates shareholders and enterprise value over a more sustainable vision that includes all stakeholders and the company’s impact on society and the environment. The former is an outside-in perspective, reflecting how external elements could affect the company, whereas the latter is more inside-out, reflecting how the company could affect the external world. At the moment, only the European Union plans to require companies to consider both, referring to this as “double materiality.” Demands on reporting and assurance naturally change as a company’s perspective on ESG develops (see figure).
Reporting and assurance demands change as companies’ thinking about social and environmental issues develops
|Stage of development
|Reporting & assurance
|Difficulty of assurance
|1. The efficiency agenda
|Cost-focused operational efficiency
|Outside-in focus: “How does the world affect our company?” Efforts at this stage are often parochial and reactive, and are seldom tied to strategy. Companies want to be just a little less bad than last year.
|More input/ output financial metrics; limited assurance
|Easier to assure
|2. ESG neutral
|Cost-focused, but “good” is good enough
|As investor and stakeholder pressure begins to emerge, companies ask, “What does good look like?” They set broad, high-level goals, such as reaching net zero on emissions by 2040.
|3. Planet positive
|Grounded in purpose; better than just “good”
|Discussions on corporate purpose and a company’s role in the world begin to challenge managers to do better. Companies aspire to be more than just neutral on emissions or waste or accidents—and plan bigger steps to get there.
|Purpose-led systemic change
|Inside-out focus: “How does our company affect the world?” Efforts at this stage seek to be truly transformative, proactive, and strategic. Companies seek to define their role in restoring the planet and revitalizing the ecosystem. This is where they make moves with the biggest impact.
|More impact/ outcome metrics; reasonable assurance
|Harder to assure
Whatever approach companies use to decide what is material and for whom, they will need to disclose it once reporting is mandatory—including whether they solicited input from stakeholders. For now, though, most ESG reporting is still voluntary, and companies’ assessments of its materiality can be subjective. That can leave the door open to greenwashing, if managers intentionally disclose some data because it supports a positive image of their company’s performance and decide not to disclose other data even if it could interest their shareholders. For example, on some social KPIs, company leaders might reason that in the short term they are unconcerned that they have no women in positions of leadership or that they pay women less than men. But even financially focused shareholders might find this kind of data material if the company struggles to attract talent—or loses it to more diverse competitors.
Earning stakeholder trust
As is the case with any new standards or regulations, stakeholders and shareholders are more likely to trust reported outcomes when the processes used to derive them are fully transparent—and when reporting of shortcomings is as candid as that of successes. Indeed, we would argue that companies that are forthcoming today may enjoy a competitive advantage over those that wait, as long as any deficiencies are accompanied by credible plans for improvement. It will also burnish a company’s credibility if it discloses definitions and procedures at a detailed, case-by-case level, and ensures that they are comparable internally from group to group.
Stakeholders and shareholders are more likely to trust reported outcomes when the processes used to derive them are fully transparent—and when reporting of shortcomings is as candid as that of successes.
Some definitions will be clearly outlined in the reporting standards or applicable laws. Where they are not, some amount of judgment will be necessary. If a company were to disclose every single definition and procedure, its report could wind up being too long to be useful for stakeholders. The balance can be difficult to find, but the goal is to have something that is precise, transparent, and accessible enough for users to be able to navigate directly to the information they want.
The more rigorous the audit and assurance process, the greater the likelihood that measures of sustainability will be trusted (see figure). A full audit providing reasonable assurance for financial statements usually covers between 60 and 80% of a company’s activities. Limited assurance of sustainability reporting—a moderate level of scrutiny indicating no evidence that contradicts reported data—can cover as little as 20%. Beyond the breadth of activities concerned, the difference between reasonable and limited assurance also reflects the nature of procedures performed: the level of inquiry and analytical review, the depth of probing into processes and controls, sample testing, and challenging of key assumptions and estimates.
Investors are more likely to trust fully audited ESG reports
Because not all companies are ready for reasonable assurance of their sustainability measures, qualified opinions may be fine while these companies get their data and processes up and running. Adding transparent explanations and a clear path forward will smooth a transition later to reasonable assurance, assuring stakeholders that any subsequent restatements aren’t the result of something being overlooked or misstated. To avoid such confusion, we believe companies should provide reasonable assurance of sustainability measures from the start.
At the moment, though, we’re aware of few companies providing more than limited assurance of their sustainability reporting, which is all that is required by the few regulations that currently exist. And even within limited assurance, there are degrees of rigor that stakeholders will recognize. Some niche providers will focus on very specific reported data—even just a few selected data points—with a minimal amount of intrusion, cross-tabulating, or industry benchmarking. This may be a useful starting point for some companies, as they develop an awareness of stakeholder expectations and hone their definitions of materiality. But eventually, investors will expect more extensive scrutiny; industry, geographic, and subject matter benchmarks; and a tangible connection between a company’s sustainability data and its risk and financial performance. Stakeholders will probe how a company pulls data together, considering the sources, quality, and completeness of its data across the entire corporate footprint. And they will examine assumptions about the connection between measures of sustainability-related performance and traditional financial performance.
Preparing for effective reporting and assurance
Whether companies currently report audited ESG data or not, they will likely want to in the near future—and some regulations may soon make doing so mandatory. In our experience, effective reporting starts with what’s truly important to stakeholders. It requires ongoing diligence supported by a dedicated team. And a meaningful audit requires a higher quality of data than has often been available.
1. Decide what’s important to your stakeholders. Many companies have been developing sustainability reports for years, often on a bottom-up basis with the data that is available from various silos of activity. That approach on its own makes assurance difficult. It also opens the door to accusations of greenwashing, if stakeholders suspect that the company is cherry-picking what is easy to report in one area rather than disclosing material shortcomings elsewhere.
A more strategic approach can help identify what really matters to shareholders and stakeholders, reflecting both the company’s impact on the world around it and any impact on its financial performance. To focus on those metrics, companies would do well to establish a steering committee to review their sustainability reporting. At one global financial company, for example, the steering committee is cochaired by the CFO and the head of ESG, and includes the heads of key business units as well as functional heads of risk, legal, and investor relations. The committee meets monthly to review metrics, the connection of the metrics to strategy and operations, and how reported metrics fulfill the company’s objectives for disclosure. The steering committee then signs off on the final disclosure before it goes to the audit committee.
2. Examine the quality of your data. Even before companies begin reporting and auditing measures of sustainability performance, they need to confirm that their data is robust. This is more complicated than keeping invoices. It includes honing the consistency and precision of definitions, ensuring comparability among geographies, aligning data chronologically, and ensuring completeness. That challenge should allow them to identify relevant KPIs, or revisit what they might currently be reporting. Importantly, if their data has limitations, they should be candid and transparent in their disclosure. If an examination of their data shows it to be flawed, they should not be afraid to suspend reporting while they confirm its quality.
The global financial company above did exactly that after years of disclosing diversity data. As in many other companies, senior managers at the company realized there wasn’t a proper board-level review program to ensure the reliability of the numbers going out. Once the board took a closer look, they discovered that the normal data controls weren’t in place. Managers had been relying on self-reported data sets that were maintained inconsistently among regions. Today, the company discloses less data—but the data it does report is far more reliable.
Separately, senior managers discontinued the disclosure of a graph depicting the company’s annual carbon emissions relative to its current loan book—instead providing the data, along with an explanation of the change. They had realized that the model behind the graph could extrapolate reductions in emissions based on making fewer loans to high-emitting borrowers, but couldn’t adjust overall emissions until the following year, after Scope 2 emissions were reported by suppliers. In effect, a graph depicting reduction in emissions one year might require a meaningful and embarrassing realignment the following year.
3. Assign continuing responsibility. The processes and supporting organization for measuring and tracking sustainability performance have shifted. What was once a communications function housed in corporate philanthropy or social responsibility is now becoming part of the mainstream regulatory filing that investors rely on. When that happens, all the rigor and the discipline that have traditionally gone into the financial statements and the annual report need to be brought to bear in the ESG world. That requires a set of roles and responsibilities related to both ESG and the industry reporting that are embedded in the company. These are not just add-on responsibilities, but rather the tasks of people who are focused on sustainability data year-round, using a significant percentage of their time, who understand the concepts and the opportunities as well as the risks.
The global financial company mentioned above uses exactly the same reporting and controlling structure for both financial and nonfinancial data, assigning dedicated staff to sustainability data under the CFO and supporting those staff, as they would any other specialists, with experts in specific fields. Other companies may want to hire or designate an ESG controller until this becomes part of the normal routine of corporate reporting.
As investors increasingly clamor for reporting sustainability-related data and reporting standards continue to evolve, companies will need to be mindful of what they disclose—and how they can build investor trust in that reporting. Preparing in advance for the scrutiny of assurance can help.