The Corporate Sustainability Reporting Directive - IT professionals beware!

The Corporate Sustainability Reporting Directive (CSRD) has been passed and will apply from 2024. Another government obligation from the EU? Yes! It applies to about 50,000 organizations in the EU. That's less than the 160,000 covered by NIS 2, but still, there's a good chance you'll come into contact with it. To inform you, Valid is publishing a series of four blogs about the CSRD. In this first blog: what is the CSRD and why should an IT professional be interested in it?

The CSRD, as the name implies, is a reporting requirement. It deals with sustainability requirements arising from the Green Deal. To meet those targets, the EU requires an effort from business. How? By demonstrating that organizations are taking concrete improvement steps in three areas: Environmental, Social and Governance (ESG).

Organizations are expected to:

  • Create an ESG strategy (a.k.a. "CSR policy");
  • Report on its progress;
  • Take proactive measures to improve performance.

"Counting what counts"

Besides being an obligation, the CSRD offers opportunities. Directors will need to think more deeply about the opportunities of an ESG policy and ESG risk management. As you may have experienced yourself in recent years, some unexpected events have a major impact on our society. Think of the Covid-19 pandemic, wars close to home, extreme weather events, or media coverage of ethical issues such as the "me-too-affairs." These types of developments can disrupt society to some degree and affect an organization's performance and value. The reverse is also true: an organization has an impact on its environment, but only a few consider how big that impact is.

Below is an impression of the risks and opportunities of sustainability and thus ESG:

[Figure: Opportunities and risks of sustainability]

Therefore, the EU has defined no less than 12 "European Sustainability Reporting Standards" (ESRS), criteria on which you should report. Incidentally, this reporting should be integrated with your regular financial reporting, your organization's annual report. That means that, just like your financial figures, ESG data will be audited. Auditors and accountants are therefore busy closely monitoring the implications of CSRD; soon it will be their turn.

The 12 ESRS break down into 82 "disclosure requirements." An organization subject to CSRD should consider what ESG-related risks and opportunities it sees for its organization.

[Figure: ESRS]

The document describing the current set of ESRS in English runs to 245 pages. You'll find it here. There is much more to say on this subject as well, such as that you will have to wait until mid-2024 for additional sector-specific ESRS.

Dual materiality 

Rather than being reactive, the CSRD offers an opportunity to proactively consider "what if something happens on the ESG front?" What could, outside-in, impact your organization's value? And how, inside-out, can your organization impact these factors? This dual approach is called "dual materiality." What counts as "material", that is, how much something is worth to your organization, depends on your industry. For convenience, assume something is "material" when it can affect 1% to 5% of your revenue.

The analysis of financial and impact materiality is a very important premise of the CSRD. Should you come to the conclusion that "the environment" has no material impact on your organization, or vice versa, you may omit ten of the twelve reporting requirements. Only ESRS 1 and ESRS 2 will then apply. Your double materiality test will further have to show which ESRS are material to your organization. You should report only on those KPIs.  

[Figure: Dual materiality]

There is much more to be said about this. The CSRD is still not very prescriptive on certain points. In particular, be aware that the scope of materiality can be very large depending on the "downstream" and "upstream" chains in which your organization operates. You should therefore consider how your supply chain - your suppliers and their suppliers - deals with ESG. The same applies to your customers and how your products are used in society. For example, to what extent does circularity matter to your company?

For whom and when? 

The CSRD replaces the Non-Financial Reporting Directive (NFRD) already in place. Organizations already required to participate in the NFRD will transition to the CSRD in fiscal year 2024, with first reporting in 2025. After that, it becomes more complicated to explain succinctly.

Below is a simple representation of reality. 

[Figure: CSRD milestones]

There is a lot to be said about this picture. For example, various "phase-in reliefs" apply, making the implementation of regulations somewhat slower than shown. Some of these measures apply to all organizations, while others apply to organizations with fewer than 750 employees.

"What gets measured gets done"

Underlying the CSRD and ESRS are nearly 1,200 data points on which to report. This is where "the blue man" gets happy. The people who do the reporting (think of your finance, control, risk management and IT colleagues, among others) may not be as happy about this, because it is going to create a lot of (extra) work.

The crux becomes how to smartly deal with these new reporting requirements. How can we estimate and substantiate non-financial numbers? What business processes can we build on to collect relevant data? When can you use estimates and where do you get them? How do you maintain an audit trail? How do you integrate internal and external data sources? How do you predict what your performance will be in the coming years? In doing so, it becomes crucial to get data governance in order: who is in charge of what data? Who commits to what performance and improvements?

Subject matter experts, such as Chief Sustainability Officers, see the introduction of CSRD as an opportunity to transform the organization into a more sustainable form. As seen with dual materiality, CSRD is not just about financial stakeholders. You also need to engage with (possibly future) employees and customers, with end users of your products or services and with suppliers within your supply chain.

Conclusion

There is much more to be said about the CSRD. The main take-aways:  

  • It's going to affect many organizations, so find out when it's your turn and start preparing early;
  • Embrace this obligation as an opportunity to improve your organization.

I am an enthusiastic follower of this development and am happy to share my interpretation of the situation with you. Don't hesitate to contact me if you want to know more about this.

As announced, this blog is the first of a series on the subject. In the near future, we will return to the impact of CSRD on IT - as well as the impact of IT on ESG (think data housekeeping and "Green Ops") - and how to deal with it programmatically. Last but not least, we are happy to reveal what Valid is doing in terms of ESG.  
