ESG takes time: Don’t underestimate the amount of work required

By Sandra Ebbesen, Senior Manager at KPMG

When it comes to ESG and the new requirements in the CRSD directive, it has become a bit like changing winter tires on your car – you have all the intentions of doing it in good time and yet you end up panicking and booking an appointment for a wheel change once the snow has fallen.

The bill implementing the CSRD directive in Denmark has not yet entered into force and is not expected to do so until 1 June 2024. However, it is clearly expected that it will be adopted, and the first companies will be required to report for the financial year 2024.

So, what does this mean for you as a company, and if you haven’t already started the work, you can look forward to a hectic time for the rest of 2024.

In the following, I will give you a quick overview of the work that awaits you in relation to ESG, with a focus on the steps related to the data part.

CSRD = double materiality

When we talk about CSRD, we can’t avoid talking about double materiality, as this is what determines what companies need to report on. A double materiality assessment is not something that is done once, and the results are applied to all companies – it’s not a one-size-fits-all.

Instead, it is a company-specific assessment based on how each individual company is affected by sustainability issues and what impact they themselves have on sustainability issues. This means that you need to have a good understanding of your organisation to be able to make this assessment. Therefore, it’s not one of those tasks that you give to the newest member of the team, even though it can be incredibly tempting.

Don’t get too excited, the work has only just begun

Even though the work of double materiality assessment seems to be extensive and demanding, which it certainly is, I’m tempted to say that it’s actually the easy part. Because it’s after this assessment has been made that all the work really begins.

Once it has been determined what it is that needs to be reported on, a gap analysis must be carried out to find out what you have a good handle on and where you are completely out of control. This is where you get a real insight into how good or bad things are, and based on this insight, a plan can be drawn up for what actions need to be taken to reach the goal.

Processes, risks and controls

When we talk about ESG data and reporting, we also need to consider data quality, as the directive requires the auditor to provide assurance on ESG reporting. Initially, this will only be with a limited degree of certainty, but it is expected that this will eventually be raised to a high degree of certainty.

This means working with processes, risks and controls, because just as with financial data, these things must also be in place for ESG data if the quality is to be reasonably assured. Now, some of you may be sitting out there thinking that there is only a limited degree of certainty to begin with, so is all this really necessary?

The short answer is, probably not. But the longer answer is that if you don’t do it now, when you still have to go through all the work of creating an overview of the processes, where data is to be collected from, etc., then you will have to go through all the work again in, let’s say, 3 years, when the audit requirements change to a high degree of security… So don’t jump the gun.

So there’s nothing left to do but roll up your sleeves and get to work:

1. Create flow charts for the processes to ensure you have insight into where data comes from, how it is processed, what steps it goes through, etc.
2. Identify risks related to the processes by asking what could potentially go wrong at each step in the processes. It’s important to remember the risk of fraud.
3. Assess which of the identified risks are significant and need to be mitigated or reduced. Here it is necessary to have an insight into management’s risk appetite.
4. Design controls that mitigate or reduce the material risks to an acceptable level. Remember that there is not always a correlation between what we would ideally like to have done and what is practically possible.
5. Get the controls implemented and accepted by the business to ensure that they become an integral part of the processes and are executed. It may be necessary to set aside time to train the business on how to perform and document the controls.

With these 5 points, you are ready to start working on processes, risks and controls for ESG data. Don’t underestimate how much work is involved and how long it can actually take. Because while these are actions that in many ways are similar to what we know from financial data, in many ways there is a world of difference.