Ferma urges risk managers to act on sustainability directives
Double materiality set to be a big challenge
Risk managers must now help their organisations prepare for upcoming EU regulations on sustainability reporting and environmental and human rights due diligence within value chains, the Federation of European Risk Management Associations (Ferma) has told Commercial Risk Europe.
EU companies currently face a wave of sustainability-related regulations, but two new regulations have particular relevance for risk management: the Corporate Sustainability Reporting Directive (CSRD) and the proposed Corporate Sustainability Due Diligence Directive (CSDDD). Combined, these two directives create harmonised requirements for large and listed companies to report on environmental and social risks and their impact.
The CSRD, which amends the existing Non-Financial Reporting Directive (NFRD), will apply to large companies from 1 January 2025 reporting on their 2024 financial year results – SMEs and companies not previously in scope of the NFRD will be phased in over 2026 to 2027. The CSRD substantially increases reporting requirements for a wider range of companies across a broad range of sustainability areas, including climate change, human rights and workforce diversity.
If adopted, the proposed CSDDD will require companies to monitor their value chains for human rights and environmental violations. It is intended to drive sustainability standards through the chain. While the scope of the directive has yet to be finalised, it will require companies to establish due diligence procedures to identify and act on the human rights and environmental impacts of their own operations and of their associated value chain.
Risk managers have a vital role to play in helping their companies set up compliance processes for the new sustainability regulations and should start thinking about this work now, according to Valentina Paduano, Ferma board member and chairwoman of its Sustainability Committee. CSRD and CSDDD compliance will require a risk-based approach, she told Commercial Risk Europe in an interview at Ferma’s biennial Seminar this week.
“For sure, this is not only a compliance topic. Risk managers need to activate measures to be compliant, but it is fundamental to create within the organisation the right processes, starting from a risk-based approach. In my opinion, compliance is just a consequence,” Paduano said.
Having helped define and set up the initial risk-based process, risk managers will also need to assist with periodic risk assessment reviews, and provide support for specific risk cases, such as where due diligence identifies potential risks at a certain supplier, or within a sector or region, explained Paduano.
Given that the scope of the directives is very broad, risk managers can help companies prioritise the main areas of risk, said Paduano, who is also chief risk and compliance officer at Dedalus Group and a board member of the Italian risk management association Anra.
“The risk-based approach is really the only solution. You must understand your risk and the areas where your value chain is more exposed to the risk, and focus the actions on these areas,” she said.
A particular challenge of the CSRD will be the concept of double materiality. It requires companies to report on how sustainability issues might create financial risks for the company, and also to publish information on the company's own impact on people and the environment.
“The concept of double materiality will require a big effort from risk managers to perform risk analysis for each topic. The challenge is to translate the compliance requirements into business language. From my perspective, the new requirements of risk analysis on each topic required by double materiality could also negatively affect the traditional ERM and risk management process already in the organisation,” said Paduano.
“There are common aspects between the risk assessment carried out from a business perspective and the risk assessment required by the CSRD. I really believe it is the responsibility of a risk manager to take the role of performing the risk assessment, to avoid the analysis under the CSRD becoming only a compliance exercise, and to avoid a negative impact on the day-to-day activities of the risk manager,” she added.
Similar challenges exist with the CSDDD, according to Paduano.
“The CSDDD will have a huge impact in terms of how the company is able to comply with the need to perform due diligence on the entire value chain. Again, it will be fundamental to define a risk-based approach – a road map – that enables an organisation to prioritise the main risks relative to the value chain. There are concerns regarding the feasibility of addressing the entire value chain. The risk-based approach enables an organisation to carry out proper prioritisation,” said Paduano.
Given the levels of outsourcing and the size and complexity of global value chains, sustainability due diligence on suppliers is likely to be challenging, especially for small suppliers in low-cost countries that are typically used to operating with less stringent standards. Companies will need to assess suppliers’ level of compliance with international human rights and environmental standards.
“We need to assess the risk that a supplier will not comply, and based on that the company will have to decide whether to collaborate or not with this type of supplier, or to work with suppliers to support critical suppliers when investing and improving their governance and compliance model,” explained Paduano.
The risk of non-compliance is higher among smaller companies in the supply chain, according to Paduano. “Most large companies already conform to international standards. The risks are more likely to come from smaller companies in more risky low-cost countries. This could be a concrete risk,” she said.
Ferma and Italy’s national risk manager association are raising awareness about the CSRD and CSDDD within the risk management community, according to Paduano. “We are working to inform and make risk managers aware of this legislation. There is certainly a lot of interest,” she said.
Ferma has been monitoring the evolution of the two directives and providing a risk manager perspective during the consultation phase. It also continues to develop guidance for risk managers around sustainability.
“We are working on knowledge sharing and have a master class on the CSRD at the upcoming Ferma Seminar, the second such event we have organised. It is also on our agenda to publish some guidance on the legislation focusing on the role of the risk manager, to complement last year’s paper on how to apply a risk-based approach for the CSDDD, and our 2021 paper on how to integrate ESG into the ERM process,” said Paduano.
She advises risk managers to get up to speed on the requirements of the CSRD and the CSDDD, and understand the key role they can play in the compliance process.
“We must also convince management to start the journey as soon as possible to ensure compliance ready for the implementation of the regulations. We cannot wait until the directives are effective, we need to start to think about process and mindset – to prepare the organisation for when the legislation is effective,” she said.