With ESG reporting reqs, better safe than sorry

The topic on everyone’s minds at Workiva’s Amplify 2024 event in Denver this week is compliance with ESG reporting regulations, and more specifically, how to possibly prepare for them amid an uncertain political and regulatory environment.

Let’s set the scene: The future of the SEC climate rule is shaky, and hanging over all that is the broader question of the SEC’s (and other regulators’) authority considering the recent Supreme Court reversal of the Chevron deference precedent. Against this backdrop, companies are erring on the side of caution in reporting cyber incidents.

To help make sense of it all, CFO Brew caught up with Steve Soter, Workiva vice president and industry principal, between sessions on Tuesday afternoon.

This interview has been edited for length and clarity.

What is most on Amplify attendees’ minds right now?

I think that there is still some regulatory uncertainty. We’re here in the US, and so I think uncertainty is a big part of what’s top of mind for them. If you’re a large, global multinational...CSRD [the EU’s rule on corporate sustainability reporting] is definitely staring you right in the face, and likely you’ve started to take decisive steps in order to prepare. But I do think regulatory uncertainty for US companies still continues to be a thing. And I think that where companies have sort of landed is [they] have to be prepared for this uncertainty.

What are you hearing from clients and others about the SEC climate rule in the face of all this uncertainty?

What has come across to me is that companies are still thinking about it, and there is still a level of preparation that’s going on in anticipation [of the rule]. If I were thinking about how to prioritize my resources if I were in a financial reporting team, I probably would think about, “How much do I want to focus on SEC versus other things?” What has been pretty conclusive to me is that as companies make that analysis, they are still prioritizing, if not active preparation, certainly an ongoing awareness of climate disclosure to the SEC. There could be some areas where there’s a little more ambiguity…but the thought of getting your Scopes 1 and 2 emissions into your 10-K assurance requirements and everything that goes along to be ready for that, companies are still thinking about that.

If companies are still prioritizing the climate rule and it never comes to be, why would that not necessarily be a waste of time and resources?

I think a couple of reasons, and the biggest is that stakeholders are expecting it. And I use that term broadly, whether that’s customers, or investors, or other parties. We’ve been talking about climate disclosure from a largely regulatory perspective, and that makes sense. That’s been the theme of these sessions. But the reason why I think teams are continuing to prioritize it is that it’s more than a regulatory consideration. Their customers are looking for it…Investors and other stakeholders are looking for it as well. In a large benchmark survey that Workiva did, 88% of institutional investors have said that [they] prioritize investment in companies that provide that level of reporting.

Why are some companies reporting cyber incidents even though they find it’s not financially material?

I think in most cases, it’s because they don’t know and they want a little bit of a hedge. It’s, in that case, probably better to disclose more than less, and the SEC would tell you that, generally speaking, “Yes, that’s right, we’d prefer companies to be disclosing more than less.” And I think . . . it doesn’t paint you into a box to where, “We went through our materiality analysis, we made a conclusion, we didn’t go ahead and disclose it.” But now there’s more information that’s coming: reputational harm, impact to customers, and all the things that would trigger a notion that this could be material. It’s always easier to say something, in that case, rather than to not have said something and wish that you had.