Featured Author: Matt Kelly, CEO, Radical Compliance
On May 31, shareholders at Exxon-Mobil approved a proposal calling for the company to report annually on how climate change regulation and new clean-energy technologies might affect its business.
The proposal was non-binding; Exxon said it would take the shareholder vote under advisement. Exxon, however, is only the latest example of companies pressured—by investors, consumers, regulators, and others—for more non-financial reporting. And as more companies start saying more about climate change, cyber security, supply chains, and other risks—compliance and audit executives have a practical, urgent concern here.
Somebody at your organization will need to ensure the accuracy of all this disclosure. Most likely, that person is you.
Demand for non-financial disclosure is galloping at full speed. Some non-financial reports might be prompted by regulatory requirements; think cyber security and SEC rules, or human-trafficking and the UK Modern Slavery Act. Some might be driven by investor pressure, as with Exxon-Mobil. Some might be driven by an organization’s own self-interest; think colleges and hospitals disclosing all manner of data to get on those “Best Of” lists by U.S. News and World Report.
Non-financial reporting is disclosure, and at least some of it is driven by regulatory requirements; so it feels like something that should be in the compliance officer’s domain.
Is that impression correct? What should the compliance officer’s role be, really?
Let’s consider a few points.
Demand for non-financial reporting is rising because it can. The computerization of business processes in the last 25 years has created tremendous visibility into corporate operations. Companies can find, pull together, and disclose an endless range of data. The groups clamoring for non-financial reports know this. That’s why they clamor for it.
As non-financial reporting becomes more prominent, boards want more assurance over it. When the Sarbanes-Oxley Act was enacted in 2002, it directed boards to ensure the accuracy of financial statements. Boards, in turn, had to ensure that companies had effective internal control over financial reporting. “ICFR” was the acronym, and many a compliance officer spent years in the 2000s figuring out how to demonstrate that the company’s ICFR actually worked.
We’re seeing the next phase of that idea today: boards now want effective internal control over non-financial reporting, before inaccurate data makes its way into the world and harms the company’s position.
Clarity and precision matter. Imagine, for example, that a supermarket company wants to disclose food waste, but half the stores measure waste in truckloads, the other half in tons. Or a government contractor wants to report the percentage of minority employees on a project, but some divisions count sub-contractor employees while others don’t.
Inaccuracies like that—unclear definitions of data, or imprecise rules for collecting data—can harm a business’s reputation or even draw regulators’ ire. So the company needs strong governance over the process of non-financial reporting, regardless of whatever specific piece of non-financial data is getting reported.
That is, do all parties participating in some non-financial report understand (and agree upon) exactly what data they’re reporting? Does the company have a policy for creating new types of non-financial reports that might be disclosed? And do all parts of the enterprise know about it?
The compliance officer plays a role here, but not always a leading one. Questions like those should sound familiar to compliance officers; they are the same questions you might ask to roll out a policy for anti-bribery or data security.
The compliance officer’s ideal role, then, should be the same as always: assessing the risk; bringing together the proper parties to manage the risk; developing a policy for the risk; and ensuring that those groups follow it – that they own the risk for non-financial reporting, not you.
Likewise, your company’s internal audit team is likely to be your best friend in this journey. As boards inquire about non-financial reporting more often, internal auditors might examine how business units define data to be reported or even re-perform calculations to confirm that the non-financial numbers add up. They can tell you how well your non-financial reporting policies are working.
The greater a company’s non-financial reporting activity is, the more you might diverge from this model. For example, Tier 1 banks have huge obligations under the Dodd-Frank Act for reporting risk data. Little surprise, then, that many have created a “chief data officer” role in recent years. (More than 30 of them, according to one recent study.) The CDO’s job is to ensure data meets required standards for format and timeliness of disclosure.
Will every company have a chief data officer? Probably not. And in that case, the compliance officer can fulfill those duties of identifying risks and developing policies. The internal audit executive can confirm that the process you try to build for all that actually works.
Then you can assure the effective internal control over non-financial reporting that your board (and others) want.