Increasingly complex environmental, social, and governance (ESG) rules in the European Union have companies big and small scrambling to comply.

So far, while the rules have been spelled out in a series of directives around due diligence and sustainability reporting, what’s not so clear is what businesses should be doing now. And, perhaps even more vexing, it’s unclear what the evolving role of a compliance officer is in enabling business continuity and growth in the midst of such radical incoming regulatory requirements.

The myriad EU rules related to ESG, supply chain, and sustainability require large companies to comply with the letter of the new law, but the EU laws also contain requirements that will flow down to the business partners of those large companies, according to a June blog post by the law firm Seyfarth.

While small and medium enterprises and other non-EU companies are not covered, “the ambit of the European Union’s Corporate Sustainability Due Diligence Directive will have indirect implications for value chain business partners that will need to be cognizant of the CS3D obligations,” the blog post said.

Those obligations for small- and mid-sized companies will include having to answer hard questions from their large company partners about the environmental and human rights impacts that arise from their business operations, and to be able to provide that information in a way that is both meaningful and succinct.

“The rules being passed are ridiculously complex, and it’s hard to comply with everything,” said Patricio Roffo, head of global governance, risk, and compliance for GetYourGuide, an online travel booking company based in Berlin. He added that complying with some of the new rules will require “huge resources which smaller companies lack.”

“We can’t comply with everything, and it might not even be efficient to comply with everything,” he said. “Each business has to determine its risk appetite, have difficult discussions with the board and company leadership.”

These questions around risk and resources are among the many issues likely to be discussed by compliance professionals and experts during Compliance Week Europe, a two-day conference in Amsterdam starting Tuesday. The conference brings together Compliance Week and its sister organization, the International Compliance Association, and more than 200 GRC professionals across tech, banking, media, manufacturing, and healthcare to help discuss how they’re making sense of a constantly changing business environment.

Four compliance experts will discuss the topic in the panel, “ESG reporting & due diligence: New regulations to help save the planet and protect human rights–the impact on compliance teams and businesses.” The experts include compliance leads at supply chain services company CellMark AB; vehicle management company Fleet Alliance; and GetYourGuide.

Although Compliance Week Europe is being held under Chatham House Rule, Roffo agreed to be quoted.

Many EU companies, he warned, will not always be able to follow CS3D regulations initially, but must at least “show regulators that we are doing our best to comply.”

More alphabet soup

Some of the new expectations in Europe come from a series of new disclosure policies for CS3D, which took effect in July, and the Corporate Sustainability Reporting Directive (CSRD), which will apply to the 2024 financial year.

Regulators want the directives to push large companies to address how ESG impacts their business operations, as EU regulators say only about 10 percent of large EU businesses currently compile and report their ESG data. The laws are designed to help businesses recognize and respond to both the risks and opportunities provided by fully appreciating their ESG impact, an understanding that will be derived from their own data.

CS3D applies to approximately 6,000 large EU companies and partnerships with more than 1,000 employees and a worldwide net turnover of 450 million euros, and approximately 900 large non-EU companies with 450 million net turnover within the EU.

The CSRD will first apply to large companies that are public entities with 500 or more employees at the group level, according to an FAQ published by the European Commission in August, and the size threshold will be lowered each year until the directive applies to most companies by 2028.

Firms in the U.K. are also struggling with compliance with ESG and supply chain regulations, according to a report released by the U.K. firm Burges Salmon in April.

The survey found that of the 361 U.K. companies polled, 32 percent were “completely unprepared” to meet their ESG supply chain disclosure obligations, and that only 29 percent believe their companies fully understand the legislative and regulatory landscape governing ESG corporate disclosure.

“Ensuring that business partners meet ESG standards requires investment, resources, and constant monitoring, and it is clear from our research that many companies still have some way to go on this aspect of their ESG journey,” the report said.

Ahmed Shawky, managing director of sustainability consultancy LevelUp ESG, previously told Compliance Week that the Burges Salmon report indicated that “compliance officers clearly need to step up their game.”

Another recent report on ESG reporting, this one by The Conference Board called Cutting Through Complexity-Managing International ESG disclosure, recommended that companies start with a gap analysis that examines the firm’s current reporting capabilities, and the information demanded by various ESG disclosure standards.

The Conference Board report also recommended that companies employ a company-wide approach to ESG data collecting and reporting, supported by a multilayered governance structure that creates clear lines of accountability for collecting accurate data. Firms should also work to build up ESG expertise within their organizations.

These ESG requirements will inevitably flow down to smaller organizations that are not yet required to implement them. But they eventually will be, which is why GetYourGuide’s Roffo said small companies need to find the point of equilibrium where they comply with what they can comply with, then have “uncomfortable discussions” between risk/compliance and the executive team to determine their risk appetite.