Guest contribution: Jens C. Laue (KPMG)

Managing CSR risks correctly

When setting up corporate governance systems in German companies, subsystems have been developed that deal with operational, strategic and financial reporting risks (risk management) and with legal risks (compliance management). With the CSR Directive Implementation Act, the legislature has introduced a new reporting obligation into German law in the form of the "non-financial declaration". It chiefly addresses non-financial risks that are linked to the company's own business activity and are very likely to have serious negative effects; it is these risks that must be reported.

In essence, this is a self-contained part of risk management, at least for the aspects specified by law, such as environmental, employee and social concerns. Effective implementation of the CSR reporting requirements in a company should therefore not be achieved by setting up additional structures, but by integrating them as far as possible into the systems that already exist. It therefore makes sense to check in advance how the CSR reporting requirements can be transferred into existing structures.

Requirement 1: Risk identification and risk assessment

Company-wide risk management often focuses on risks with financial effects, e.g. on the annual financial statements. The existing models are, however, equally suited to dealing with non-financial risks, so it is advisable to integrate the corresponding CSR risks into risk management. Of particular relevance here are risks that bear on the objectives of the CSR aspects named in the law, e.g. risks from complex global supply chains (human rights), risks from working conditions (employee and social concerns), risks from production processes (environmental concerns) or risks from supply and service relationships (corruption).

Requirement 2: Risk management

In risk management for non-financial reporting, a distinction must be made between two groups of controls. The first concerns the measures management has put in place to control the identified risks in the reportable aspects of business activity (the "handling"). The second arises because reporting requires content (e.g. industrial accidents, CO2 emissions) to be collected within the company and, in global group structures, additionally collected from the subsidiaries and consolidated. Since this generally relies on existing (IT) structures, this area should not be rebuilt in parallel but fully integrated into the internal control system in order to improve the quality of non-financial reporting.

Requirement 3: Monitoring

Like all other controls and processes in the company, the measures implemented for non-financial reporting must be regularly monitored for compliance and thus for effectiveness. This is typically done through audits carried out by the company's own sustainability staff and usually covers the implementation of and compliance with sustainability management concepts. The internal reporting structures in particular, however, which form the basis of the non-financial reporting, are usually excluded from these audits.

In essence, therefore, the aim is to integrate financial and non-financial reporting within the company as far as possible in order to avoid creating a redundant, and thus ineffective, reporting structure. Because their orientation is essentially the same, modern corporate governance systems already provide the structures, tools and processes needed to produce reliable non-financial reporting.