Supply chain management and the Corporate Sustainability Reporting Directive (CSRD)

The Corporate Sustainability Reporting Directive (CSRD) is an ESG (environmental, social and governance) reporting standard enacted by the European Union. It is designed to make corporate sustainability reporting as common, consistent and standardised as financial accounting and reporting.

The new directive’s impact is far-reaching: it modernises and strengthens the social and environmental information that companies have to report.

CSRD dramatically extends the scope of sustainability reporting requirements to tens of thousands of additional companies, including all large companies and all listed companies. CSRD also applies to large companies outside the EU that have an EU subsidiary meeting the criteria. It is estimated that the number of companies required to report will increase from around 11,000 under the NFRD (Non-Financial Reporting Directive) to nearly 50,000 under CSRD.

Beyond ESG

ESG was once the hottest acronym in the business world. It pushed out the CSR (Corporate Social Responsibility) approach in favour of a more holistic view that considers many more aspects of the business, from its carbon footprint to the number of women on its board.

ESG introduced the idea that global businesses should no longer work on environmental, social and governance issues in silos. It brought them together to demonstrate the positive impact businesses can have on the world.

ESG did not come from one single source. It was not sparked by a new law; it was spurred by institutional investors and then grew into something of an industry itself.

What companies, investors and stakeholders at large liked about ESG is that it combined all of the things that could impact a business. From regulatory faults and fines to environmental disasters and social disruption, it provided a single measure of how well a company is able to respond to those challenges. In short, ESG measured resilience.

CSRD has its roots in the development of ESG principles. Adopting these principles of sustainability means that corporate strategy focuses on those three concepts and develops a set of standards to measure the business’s impact on society and the environment, and how robust and transparent its governance is in terms of company leadership, executive pay, audits, internal controls and shareholder rights. The goal of ESG, and now of CSRD, is to capture all the non-financial risks and opportunities inherent in a company’s day-to-day activities.

Supply chain due diligence and CSRD

Conducting effective supply chain due diligence is critical: it enables companies to understand and address the risks associated with the different stages of a product’s journey from the supplier to the end customer.

Supply chain due diligence is essentially a systematic risk management process that involves a comprehensive assessment of the social, environmental and ethical practices of suppliers, contractors and other partners. The process can help minimise the negative impacts of a company’s operations on people and the environment. It can also ensure legal compliance and, significantly, protect your company’s reputation.

For many companies, supply chain due diligence has become one of the most important ways to mitigate risk, ensure regulatory compliance and prevent reputational damage from customers and activists.

The Corporate Sustainability Reporting Directive (CSRD) requires, elevates and standardises ESG (environmental, social, governance) reporting like never before. CSRD places increased emphasis on supply chain transparency and due diligence. Organisations will be required to disclose information on their supply chains, including environmental and social risks and impacts.

CSRD broadens who must report, standardises what they report and expands the scope of reporting to include the full value chain. While it will reduce the noise of multiple reporting frameworks and help companies focus, it will also require companies to do things they have not previously considered and place pressure on them to increase transparency and accountability.

Why is CSRD a big deal for supply chain sustainability?

CSRD requires all large and listed companies to publish regular reports on the social and environmental risks they face, and on how their activities impact people and the environment. It aims to help investors, consumers, policymakers and other stakeholders evaluate non-financial performance and encourage a more responsible approach to business.

The EU sees CSRD as an important part of delivering its European Green Deal – an ambitious effort whose ultimate goal is a carbon-neutral Europe. Part of that effort involves putting sustainability reporting “on the map” so it becomes an issue of significance for companies. CSRD defines – for the first time – a common reporting framework for non-financial data, encompassing not just climate change but broader Environmental, Social and Governance (ESG) metrics.

One of CSRD’s main innovations is placing a company’s value chain at the centre. Unlike earlier sustainability legislation that focused on a company’s own footprint, CSRD reaches into the supply chain. This is not surprising, given that most of a company’s impact and risk lies within its supply chain. But it means that organisations must now take responsibility for their suppliers.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.