The Corporate Sustainability Reporting Directive (CSRD) is on the horizon, and its impact will be felt around the globe. To learn more about the CSRD and what companies need to do to prepare, we spoke to Nick Henderson-Mayo, head of learning and compliance at VinciWorks.
Tell us a little about yourself and your role.
I’ve been heading up VinciWorks’s compliance advice since about 2016. Before that, I was involved in other areas of ESG throughout different things I’ve done professionally. I worked in policy for the Scottish government for a while with different social action groups, and I sat on a number of voluntary boards. Although I didn’t really plan for it, I’ve actually been around sustainability for quite a while.
What is it VinciWorks does?
VinciWorks is one of the leading providers of compliance training and software [to deal with] money laundering, bribery, and tax evasion. That kind of hardcore compliance has always been our bread and butter. But a few years ago, clients started asking about ESG, what they should be doing, what sustainability means, and how we can help them. And so we added sustainability and ESG support services to our compliance suite.
We offer packages of training, free policy templates, downloads of guides, advice and bespoke consulting, and then ESG gap analysis.
How have you seen ESG grow over the last few years?
It’s really picked up. Before COVID, I don’t remember us working so much on the ESG side, and around the 2020s something shifted when people started to add up things like supporting employees working at home, mental health, supply chain issues. It all coalesced into understanding why.
ESG has been around for a while and I think people have really started to pick up on it. Since then, it’s become much more mainstream, at least with our client base, which is around half leading law firms in the UK and internationally, but also just international businesses as well. But that’s certainly where we started to hear about [it].
In your words, tell us more about the Corporate Sustainability Reporting Directive (CSRD).
So, [CSRD] is quite a big change coming from the European Union. It’s essentially mandating ESG compliance. And while the old NFRD regime, which is about non-financial reporting disclosures, captured around 10,000 businesses, CSRD is going to capture at least 50,000 businesses.
We may think that’s a big increase, but it’s not just those people who are directly affected. Everyone within those supply chains is also going to be captured. Even with NFRD and the 10,000 businesses there, if that had a tenfold impact based on their supply chains, CSRD is going to have an even greater impact again.
What impact do you foresee CSRD having?
I think we’re looking at GDPR levels of attention [with CSRD] that will have to be paid by people up and down supply chains and, really, all over the world.
Because CSRD is global, some companies who are not even in the EU will be captured specifically by it, but [there is] also the knock-on effect on global supply chains that large companies in the EU are going to have to start paying attention to. I think we’re looking at a very big deal when it comes to CSRD compliance.
Within the next year, we’re going to really start seeing a lot more activity around it. The first reports are due to be published in 2025, and that means next year, people are going to start scrambling around to figure out what all that means for them. And if you’re a supplier for a larger company, you can expect a stream of requests for information and data starting to come probably from January, when people start to get this stuff together.
VinciWorks recently published a study which explored how prepared ESG leaders were around upcoming CSRD requirements. What was the key motivation behind this?
We wanted to understand how ESG and compliance managers were thinking about CSRD and how they were thinking about the impact it was going to have. From our early research, we realised that this was going to be a big deal, but other people hadn’t cottoned onto that yet.
We work mostly in the UK, including law firms and international businesses. And particularly from a law firm perspective, their clients ask them about new topics, and then those law firms come to us to say, “What is this thing? What do you know about it? What can we do?” So we often hear about these sorts of things from our clients, from the interactions we have with them. We started to realise that this is getting to be a big deal.
When topics like CSRD come up, we want to know what’s going on. We want to know what people are actually thinking about it, not just what we think they’re thinking about it. So we do surveys such as this once in a while just to get a sense of what people are talking about.
What were some of the key findings of the CSRD survey, and what if anything surprised you of those results?
I think the fact that half of our respondents said they knew they would need to comply with CSRD, but then three quarters had not started preparing for it yet, was a surprise at first. But actually, we found the same thing with GDPR compliance back in 2018. Also, when the Modern Slavery Act came in 2017, people knew it was something they were going to have to start dealing with, but just put it off.
Understandably, it’s really hard for compliance teams to stay on top of all these regulatory changes, particularly something as complex as supply chain management.
But something else that struck me was that 90% of our respondents think sustainability reporting will be good to implement in the organisation. And one thing I think regulators need to understand is that organisations generally want to do more on sustainability. That is the key differentiator these days. In the corporate world, companies are investing in ESG to perform better. They are more resilient to risks.
I think CSRD strikes a really nice balance. Because while it does mandate that this is something an organisation has to think about, it does leave it quite open to how the organisation achieves and reports on it. You know, they have to do a CSRD report, and there is a little bit of a structure in there to make sure that these numbers are consistent, and the data is audited, but I think there is a lot that companies can run forward with when it comes to CSRD.
Thinking about this more in terms of ESG as opposed to compliance will benefit organisations. Don’t just minimise CSRD to what is tickbox compliance. But really imagine how your organisation can do better. CSRD is a good framework to do that with.
Could you expand on the questions or metrics you had around the challenges with supply chains?
The phrase “supply chain” can be quite scary to hear and to think about because it feels like this amorphous grey area that you don’t really know how to figure out, it has so many tiers – there’s so many layers and levels.
There are so many businesses and even professional service businesses that we work with where supply chain, and supply chain disruption is one of the biggest risks that have crept up.
We’ve seen time and time again that this has a real life impact on everyday customers too, normal people in the street. The last thing any business wants is supply chain disruption, but it’s hard to visualise the interconnectedness of the supply chain. It’s even harder to change potentially long-standing relationships; it’s a worry among some in businesses that adding new expectations to these supplier relationships has the potential to disrupt them.
But CSRD is going to make us think about suppliers more and, in particular, what impact an organisation has on their own supply chain. It can be a bit frightening to pull back that curtain, but CSRD is actually making us do some spring cleaning when it comes to looking through the supply chain. There is no better time really than now to start looking and figuring out how one deals with that challenge, even if it’s been put off for a long time.
Do you think organisations in the long term will start to require suppliers to bake in sustainability metrics in order to work with them?
Putting things into contracts is one of the best ways to start improving that oversight of the supply chain and even going down tiers. Telling your own suppliers, the people you’re working with, that you expect to see minimum levels of ethics when it comes to health and safety, minimum levels of wages, all these sorts of things, particularly when you also go international.
And that’s what CSRD does – you are trying to get people to think about it. Any company that has many moving parts of the supply chain can have an impact. CSRD is putting it on them, to have the impact, to do the right thing; put those things in your contracts, make those commitments and make things better for people, which is ultimately what CSRD is trying to do.
How does CSRD work across the separate environmental, social, and governance pillars?
I think it’s actually a little bit uneven and more about social and governance, which I think is better to be honest. Yes, [the environment is] a huge deal and yes, we’re all doing as much as we can do, but because we’ve mainly worked with professional services firms, environmental often just comes down to “you’ve got your test your water, you’ve got your buildings”. There’s only X amount one can do, and we’ve always tried to encourage people to think beyond just turning off the lights at the end of the day as being the only thing when it comes to sustainability.
There’s actually so much more around ‘S’ and ‘G’ that can be done, and I do think CSRD does put a bit more of an emphasis on what’s material for an organisation. If you’re a mining company, and you’re digging up chunks of the Earth, then obviously environmental is a huge, material issue for you. And your supply chain is all going to be about that. But if you’re a professional services firm, if you’re a big advertising agency, if you’re a big IT company, if you’re a tech giant, then actually social and governance have huge impacts.
We see that in our daily lives nowadays that very large companies have an impact in terms of what they do around their social and governance policies, and I think CSRD does encourage people to think about it. I think it weights ESG a little bit more towards the ‘S’ and ‘G’ because the environmental side has sometimes an oversized view or outsized impact that sometimes a professional services firm or a non-manufacturing company will look at and think “nothing to do with us because we’re doing everything we can do”. I think it’s a good thing that people are encouraged to think about the social and governance side a bit more.
Data is often seen as one of the most significant challenges in sustainability disclosure, and now CSRD. What are the big challenges?
I think, when it comes to supply chain issues, it’s less about getting the right data than it is about managing all that data in-house. Because we can ask suppliers for this and that information, but actually, the challenge of dealing with all of that and turning it into something that makes sense is one of the scariest things.
But CSRD does require us to use that data. Somehow, we need to put it into annual reports, CSRD reports, and internal reports to compliance teams. We can’t just have that data sitting there in surveys and email chains that people reach out to suppliers to get.
When you’re talking about hundreds, if not thousands, of suppliers, it’s no wonder really that managing all that data can feel like such a challenge. So, getting a good data management system in place is going to be one of the key things to dealing with CSRD compliance.
It’s much easier to see gaps and to run reports at the touch of a button if you have everything on one system. And CSRD compliance is going to make that really important, not just for those CSRD reports, but to provide answers to tenders and PQQs (pre-qualification questionnaires).
If your organisation is part of someone else’s wider supply chain, those questions are going to start coming sooner rather than later. And if you have a good data management system in-house, then you’re going to have a much better time when it comes to dealing with all that.
Aside from a data management system, is there anything else businesses can do?
One thing we try to do is improve people’s supplier onboarding through our Omnitrack software solution. I think that is one of the most important things you can do to get started with something like ESG or CSRD compliance. If you get all your existing suppliers onto the same system, as well as having a good system for onboarding new ones, it will help you get to know those suppliers better. You’ll be able to easily communicate with them, and that’s going to be such a big help.
If you are using something like Microsoft Excel to manage your supplier onboarding, then it is time for an upgrade. It’s time to break up with Excel. It’s been great since the 1990s or whenever it came out, but it’s a different world now. There are so many moving parts to supply chain due diligence, even for a professional services firm. You have to deal with modern slavery statements, health and safety policies, accident data, and you have to cascade all your own standards requirements down the chain.
The better you know your suppliers, the better you’re able to onboard new suppliers. That makes CSRD compliance so much easier.
What are the biggest risks for businesses that are not prepared for CSRD compliance?
Ultimately, I think getting left behind is probably one of the biggest risks to not being ready for CSRD, and particularly for companies that are not necessarily caught by CSRD themselves. If you’ve gone through the CSRD requirements and breathed a sigh of relief that it doesn’t affect you, I would say that’s the wrong approach. Most organisations are part of someone else’s supply chain, and they will need that data ready for when their larger customers come to start demanding that data from them for their own CSRD reports.
When it comes to doing tenders, or when it comes to doing PQQs, businesses which have that information at a touch of a button are going to be in a much better position than someone who has to start searching through filing cabinets for their accident data from five years ago, which their big supplier suddenly needs to know from them.
I think that can really be the difference between winning your next tender, losing out, and getting left behind. It’s just – how well can you organise and present your ESG information?
So ESG is more of a way to remain competitive?
ESG started as a way to look at the risks of environmental, social, and governance that might come up for a business, and how do we mitigate those. And I think ESG as a concept is also a financial risk mitigation measure: how do we make sure that our business doesn’t get left behind and that the world doesn’t move on without us, and we remain competitive?
Particularly for British businesses who are dealing with all the impacts of Brexit, it’s very difficult to stay competitive anyway. But to stay competitive in the global marketplace with these kinds of difficulties that so many companies and Britain are experiencing, it’s a must-do, it’s a must-have. It’s no longer just a nice-to-have.
Getting good ESG data and then figuring out your gaps, figuring out how you differentiate yourselves in this market: I think for any British businesses looking at how to stay competitive globally, ESG and CSRD in particular, is a no-brainer.
For businesses starting to prepare for CSRD compliance today, what are the first steps?
First of all, take a deep breath. It doesn’t have to be scary. You can start very simply by mapping out your supply chain. Figure out all those moving parts: who’s who, and where is where. That’s half the battle.
You can look at your spending to get a lot of the supply chain data, that’s going to be really helpful for you. Then, you can start to do risk assessments. Risk assessment is a pretty straightforward thing that many people in the compliance world know how to do.
Do risk assessments on all those suppliers. Start with the biggest ones, and go down the list. Look at the ESG risks on your key suppliers. This will give you a good sense of your priorities. Do you need to worry about a timber supplier in Indonesia? Do you need to worry about a mining company in the Congo? Where are these risks within your wider global supply chain?
Once you understand the risks, you can understand how the elements of your own products and services move through that supply chain, and what the risks are at each of those stages. This will help you immeasurably. It’s a kind of big desk exercise, but it’s a great place to start. And it will give you what you need to prioritise how to go forward within the next 12 to 18 months.
Then, you can look at who needs to be audited for ESG compliance. You might realise that your weakest link is a supplier in Bangladesh, for instance. And actually, there have been issues with fires, health and safety issues, and all sorts of other things that could have a serious impact on your organisation. Figure out how to fix that. Look at how to improve it. Do you need to go and visit the site? Do you need to review documents? Do you need to improve the contracts? Or do you need to find a new supplier?
These are the kinds of questions that will come up, and they will feed into your risk mitigation plan for each supplier. This will help you understand what risks might still exist and how to address them. At this point, you want to ask yourself seriously if a supplier has more problems than benefits. Keep all of this under constant review.
Finally, take all of this information and feed it into your annual report and your CSRD report. Investors and the marketplace want to know what your risks are and how you’re dealing with them. You can have a whole list of mitigation measures that you’ve put in place, or you can say, “We decided to move suppliers for this reason or that reason.”
It doesn’t have to be scary. It does take a bit of work, but it’s worth getting started on it because it will give you a much clearer picture of where to go.
How can companies work with VinciWorks with their CSRD compliance?
We have a range of policy templates and free guides, it’s all about making the most of the opportunities of CSRD. So we encourage businesses to download those as a starting point for their own work in CSRD. You can download all of our templates for free and just get that in place. You can use our heavily researched guides and webinars to educate other people within your workforce to adapt to your own ESG and CSRD work.
We also help businesses with their supplier onboarding through our Omnitrack software – this means businesses that need to comply with CSRD can customise their onboarding process with suppliers, from risk assessments to having questions they need for their CSRD checks.
And we also offer an ESG gap analysis process where we’ll take our experience around social and governance in particular for professional services firms mainly. But we’ve worked with all sorts of companies to help them identify gaps and then prepare the kind of first draft of an ESG or CSRD report.
But ultimately, the work has to come from the business. We’re not a consultant who comes in and does it for you. We’re about helping you figure out how to make the most of the opportunities it presents. That’s why we always say start with training. Because I think it will just get everyone talking in the same language, and I think that is immeasurably helpful.
What other advice would you give to businesses in the sustainability space?
For those that are covered by CSRD, alongside thinking about supplier onboarding issues, starting to look for third-party assurance providers is going to be pretty important. CSRD mandates limited assurance by third parties when it comes to auditing all that data that you’re going to find and put in your report. I think there’s going to be some supply-side issues when it comes to getting the best of those providers to give your business that assurance. Vetting them, and maybe even getting a few locked in sooner rather than later, is probably going to be a sensible thing to think about for CSRD-covered businesses.
For those that are not directly covered by CSRD, gathering that important ESG data which is relevant to your business and relevant to your supply chain is going to be a great way to get started and just get prepared for whatever comes. It’s never a bad thing to have more data available, and knowing where things stand. If you want somewhere to start with that, we’ve got a lot of free guides and courses on vinciworks.com/ESG. And that will help you assess your materiality, understand your ESG impact, the opportunities, how to monitor, report, and progress. All that’s free to download and use.
And I think, as we saw from the survey that we did, those who prepare in advance are always going to be in a better position than those who are just slapping something together last minute.
The time to start is certainly now, no matter your size, no matter where you stand. Think about what’s important for you, think about where you need to focus your efforts, and get started. I think really the time is now.