ESG reporting best practices


What is ESG reporting, and why should organisations do it?

ESG reporting is the disclosure of environmental, social, and governance information that is material, or relevant, to an organisation. Investors and other stakeholders use this information to understand how the organisation views and manages ESG risks and opportunities in relation to short-term financial performance and long-term value creation. Reports include quantitative and qualitative information, accompanied by an analysis of performance against the company's goals.

In some markets, ESG reporting is mandatory or soon will be, for example under the European Union's Corporate Sustainability Reporting Directive (CSRD) or the United Kingdom's Sustainability Disclosure Requirements (SDR). Beyond these requirements, many organisations choose to publish ESG reports voluntarily, for several reasons:

  • First, ESG reporting is increasingly expected by investors and other stakeholders, such as NGOs or buyers. By 2020, over 90% of investors said nonfinancial information played a significant role in their investment decisions.
  • Second, ESG reporting builds trust with stakeholders through transparency and can boost the organisation's reputation. For example, in 2021, 70% of job seekers said they preferred to work for sustainable businesses.
  • Finally, ESG reporting supports a robust ESG strategy, which can yield higher returns.

How can organisations ensure their ESG reports realize these benefits?

There is a lot of guidance available on preparing reports, but the best ESG reports share five traits. They:

  1. Clearly communicate with their target audience and are readily accessible
  2. Focus on the ESG issues that are relevant to the business and how they relate
  3. Align with recognized standards or frameworks
  4. Track annual progress towards science-based targets with clear and consistent figures
  5. Undergo thorough validation through either internal due diligence or third-party assurance

Top 5 ESG reporting best practices

Best Practice #1: Design the ESG report for a specific audience

The most effective ESG reports are designed for a specific audience and its expectations. Many groups may be interested in ESG information, each with their own needs. Before preparing an ESG report, the company should identify the intended audience(s), such as investors, regulators, customers, prospective hires, and the local community. Both what information is included and how it is presented should reflect that audience's expectations; otherwise the reporting will not be effective.

For example, investors will expect reports to state clearly which ESG issues pose a risk to the company's financial performance and how the company is managing those risks. Customers, by contrast, are more interested in the actions the company has taken to reduce its environmental footprint. When messaging to both groups is mixed in one report, the information becomes less useful for every reader.

Best Practice #2: Focus on the ESG issues that are relevant to business strategy

Once the audience has been defined, the company should determine which ESG issues are most relevant to its business and strategy. ESG is very broad; the key issues are shown in the figure below. Not every ESG issue applies to every company. For example, water use is a material issue for a food and beverage producer but not for an IT consultancy.

[Figure: key ESG issues by category. Source: NYSE]

To determine the relevant issues, companies may conduct a formal materiality assessment, either externally through discussions with stakeholders or internally by reviewing the ESG issues already present in the business plan, the risk management program, or the board's agenda. Companies can also look at what their industry peers report.

More formally, companies can use established frameworks and standards as a starting point to better understand the generally accepted scope for their industries. We will look at frameworks and standards below.

Most importantly, companies should state clearly why the chosen topics were included and others excluded, with explicit links to business strategy. This builds the legitimacy and credibility of the reporting.

Best Practice #3: Don’t reinvent the wheel – Use an accepted ESG reporting framework

Many ESG reporting frameworks are widely used today, such as the Global Reporting Initiative (GRI), the Sustainability Accounting Standards Board (SASB) standards, and CDP (formerly the Carbon Disclosure Project). Choosing the right one depends on the company's objectives, audience, industry, and geography. For example, SASB was designed for investors and is best used to communicate with that audience, whereas GRI has broader appeal across diverse stakeholders. Frameworks can also be combined to serve multiple objectives, such as using GRI to structure the report and mapping each activity to the UN Sustainable Development Goals (SDGs).

Frameworks and standards offer several benefits. They provide consistency, so stakeholders can readily understand and compare different companies. Using vetted standards also lends legitimacy and transparency. Finally, they give companies a starting point for a well-structured, comprehensive ESG report.

Most importantly, the company should take the time to understand which reporting framework best fits its objectives and audience, and then use that framework year over year so that results remain consistent and comparable.

Note: "frameworks" and "standards" are not the same thing. A framework guides which topics to include and "how" a report is structured. Standards set specific requirements for "what" should be reported under each topic, such as the relevant metrics. The two can be used together: for example, the SASB standards can be used to implement the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD) framework.

Best Practice #4: Track progress towards specific, science-based targets

A key function of ESG reporting is analysing performance against the company's ESG goals. Tracking performance demonstrates that the company is actively managing ESG risks and pursuing opportunities. Simply stating an ambitious but ambiguous goal such as "net zero by 2050" is no longer enough. ESG reports should therefore include both the company's short-term (under 5 years) and long-term goals, with measurable interim milestones.

Examples of ESG goals include:

  • Source 100% renewable energy by 2028
  • Reduce absolute scope 1 and 2 GHG emissions by X% by 2030 from a 2015 base year
  • Achieve 50% of board positions held by women or minorities by 2025

Companies can use ESG reporting frameworks to determine which key performance indicators (KPIs) to track for these targets. They can also have their emissions targets validated by the Science Based Targets initiative (SBTi) to ensure the targets are consistent with climate science. Most importantly, year-over-year progress must be shown clearly and accurately, using the same base year, boundaries, and calculation method each time so that the figures remain comparable.

Best Practice #5: Conduct assurance of ESG reporting

Even where assurance is not required by regulation, companies can go above and beyond with a thorough internal audit or third-party assurance. This supports the accuracy and completeness of the report. An internal review process should involve the relevant subject-matter experts and senior leadership. A review is only as good as the data trail behind it: each reported figure should be traceable to its source data and calculation method so that a reviewer can reproduce it. Where feasible, the company can also engage a third-party auditor to assure the report.

Not only does this reduce the risk of liability, it also gives the reader confidence that senior leadership takes ESG seriously. Companies should consider describing the internal review or audit process in the ESG report itself to build credibility and legitimacy.

ESG reporting as a tool for value creation

Overall, ESG reports are only as good as their availability, utility, and reliability. The best ESG reports are designed for the reader, contextualised within business strategy, and offer a comprehensive, accurate view of the company's ESG management. Ultimately, the best report is not the longest, but the one that effectively builds trust with stakeholders and demonstrates that the company understands the relationship between ESG and value creation.


Author: James, CEO, VinciWorks
