TCFD: Task Force on Climate-related Financial Disclosures
SASB: Sustainability Accounting Standards Board
GRI: Global Reporting Initiative
IFRS: International Financial Reporting Standards
ISSB: International Sustainability Standards Board
COSO: Committee of Sponsoring Organizations
More than ever, there are a huge number of regulations being implemented around the external reporting of environmental and climate-related risks.
Many companies have stepped up in recent years to report under voluntary schemes and frameworks such as TCFD, GRI and SASB, resulting in a significant positive influence on the development of external reporting. We’re now seeing increasing alignment between these multiple standard setters, for instance, GRI and the IFRS Foundation moving to align their sustainability reporting standards and the Climate Disclosures Standards Board and Value Reporting Foundation consolidating into the ISSB.
Looking forward, as regulators start to push specific disclosure standards across countries, this once voluntary space is becoming much more compulsory.
Three recent examples include:
- The United Kingdom mandating that its largest companies will have to report under TCFD
- The European Union announced plans to introduce the Corporate Sustainability Reporting Directive, requiring 49,000 companies across the European Union to disclose climate and environmental information, including alignment with the EU Taxonomy
- The U.S. Securities and Exchange Commission (SEC) has proposed rules to enhance and standardise climate-related disclosures for investors
Leaving aside many of the current industry discussion topics, such as taxonomy (which requires companies to assess the degree of alignment of their revenue, OPEX and CAPEX with six environmental objectives), differing company responses and timetables for net zero implementation and reporting, and the perennial issue of obtaining Scope 3 information from suppliers, one pressing topic remains: internal controls over non-financial reporting.
Reflecting back to when Sarbanes-Oxley (SOX) was introduced, a US law enacted to improve the accuracy and reliability of corporate disclosures due to numerous corporate financial scandals in the late 1990s, and US registrants started projects on Internal Control over Financial Reporting, it’s clear that the proposed disclosure regulations will need a number of processes and controls over non-financial data. Some data within climate reports will already be covered by strong financial processes and controls, but it is likely that the bulk of the data required for climate reporting won’t be. It will need to be identified, mapped as to location and quality, and gathered in a way that is complete, accurate and reliable with evidence to provide reasonable assurance regarding its reliability.
Although auditors will relish the additional business of surmising non-financial data, they will push for strong processes and controls to be in place to help them manage their own risk. And whilst we haven’t yet seen the need for management to provide proof on their climate reporting, boards of directors will also want to sleep easy at night knowing that their non-financial reporting is managed robustly.
This leads to companies having to implement processes and controls in a similar way to how they did with Sarbanes-Oxley. For entity-level controls, this will encompass a review of the control environment, performing a risk assessment, arranging control activities, ensuring there is appropriate communication and management information, and implementing monitoring activities for the non-financial data. These changes will take place in a rapidly evolving world, and standards are still to be developed in many cases.
These statutory reporting requirements will complicate life for groups and multinationals who must consolidate data across companies, industries, and countries, often with different reporting requirements in each country. The first step will be a mapping of all requirements (statutory, regulatory, voluntary) across all jurisdictions. In some cases, this may even mean gathering some data for the first time.
Making it happen will require some degree of automation, particularly if we want to see a robust process and controls in place. One answer will be the implementation of a new IT application or solution that can gather, consolidate, and report data, and provide a solid audit trail or the adjustment of existing financial or non-financial systems. Whether automated or not, there are likely to be significant costs involved in implementing the processes and controls.
The key challenge will be engaging with and motivating a large number of people across companies and financial groups to support the changes. Much of the information needed may not come from the traditional sources of data that feed into financial processes and reporting. Many people may be unfamiliar with the requirements for processes and controls around financial reporting and will need to be upskilled to deal with the new requirements in their part of the business.
It seems that project management offices in many large corporations will be dusting off Sarbanes-Oxley implementation manuals for inspiration on project organisation and implementation activities. Budget templates will be refreshed, and consultants phoned for advice. Whilst the scope will not be the same, best practices from previous projects should help to deliver on the needs today for climate reporting.
The good thing about all this change is that we should be able to believe the reported facts and figures. And that information can educate our debate globally about what is working as we all try to achieve the targets of the Paris Agreement. Whilst there will be a lot of real work to come, it will lead us towards making real impact towards environmental sustainability.