Will US companies create their own business risk abroad by not adopting compliance policies for risks that they deem controversial or may not fully believe in at home? On the surface this may seem like a rhetorical question – one without a clear answer – but it has existential implications.
Better understanding of risks (known and unknown) was a key driver for my EU colleagues during the recent ASIS Europe 2023 held in Rotterdam, Netherlands. Given the recent events surrounding the pandemic, Russia’s ongoing war in Ukraine, and the (apparent) decentralization of the standing world order, it is no wonder these existential questions are rising to the surface.
In one particularly enlightening discussion as part of a workshop breakout, the concept of Environmental, Social, and Governance (ESG) arose – specifically the risks these concepts are attempting to mitigate as well as the legislation meant to govern how companies manage them.
ESG attitudes in the EU tend to be focused on compliance and governance, with a belief that ESG risks are real and need to be addressed through legislation like the Corporate Sustainability Reporting Directive (CSRD). The CSRD, which is set to go into effect at the end of 2024, is seen as a means to mitigate a variety of risks in the ESG framework and will govern how companies will be able to conduct business in the EU once the legislation takes hold.
Lack of compliance by companies outside the EU could bar them from working within or through the EU. Any company, wherever located, that is unwilling to support the requisite approach to ESG runs the risk of limiting its own access to the EU.
On the other hand:
In contrast, ESG attitudes in the United States and the United Kingdom can be more varied, with some companies and investors embracing ESG as a way to enhance financial performance and others viewing it as a more optional or even irrelevant consideration. There are, however, certain exceptions on both sides of the Atlantic, and many US and UK companies are also taking steps to address ESG issues and improve their sustainability practices. These companies will have an advantage when they are required to disclose these practices in the EU.
The CSRD will require companies in and operating within the EU to begin mandatory reporting on ESG initiatives as part of their corporate responsibility, with the first reports due in 2025. The requirement’s ambition is to expose those who have a limited record in the areas of the environment, social responsibility, and human rights, and who would find the EU an inhospitable environment in which to operate.
Unlike in the US and UK, there was no handwringing about the necessity of the CSRD in the EU. The focus was instead on the power of the EU to enact legislation that would have an impact on the way businesses operate in the region. Just as the US and UK were willing to use their regulatory authority to prevent money laundering and support for terrorism in the wake of 9/11, the EU sees the risks highlighted by ESG in the same light, and the CSRD is its means to mitigate those risks.
The bottom line:
The CSRD initiative may be viewed as a flex of power by the EU authorities; rather, it is a recognition that within the EU there is consensus that these requirements are necessary to further mitigate substantial external risks on a global level. The concept of ESG is no longer being debated. The EU has moved on to implementation of specific ESG requirements, and the CSRD is the EU’s way to begin managing these risks. In the same manner that Anti-Money Laundering standards were enacted in the wake of 9/11, US companies will need to view their response through business compliance and governance.
All that said, the need for businesses to meet compliance requirements to a governing body in response to an identified threat is not new. The CSRD sets out specific actions that must be taken for companies to conduct business within the EU, and these actions are not up for discussion. At a base level, US companies will need to understand what the CSRD requires of them, how those requirements augment or add to their current compliance program, and how they will govern this process in the future. Whether it is Sarbanes-Oxley, the FCPA, or the CSRD, businesses must adopt proper compliance and governance principles or risk losing business. The time for discourse within the EU is complete, and US companies must move forward in preparing how they will advance in this new realm of compliance.