Compliance Issues in Environmental, Social and Governance Matters

This is an Insight article, written by a selected partner as part of GIR's co-published content.


The growth in environmental, social and governance (ESG) issues in recent years has refocused the minds of investors and boards across the world. As the legal and regulatory landscape around ESG continues to evolve and mature, the compliance issues facing organisations in this area are also developing at pace.

The concept of ESG is capable of extending across a wide mixture of matters, but the term is generally used to refer to the following:

  • Environmental: This refers to the environmental impact of an organisation and reflects the recognition that companies are responsible for their contribution to the reality of climate change and other environmental harms. This is widely accepted to extend beyond a narrow focus on managing emissions and includes biodiversity concerns, waste management and the use of raw materials. The legislation in this area – in particular the compliance demands facing organisations – is developing rapidly and the pace of change is likely to increase further.
  • Social: This concerns the impact of an organisation on society more widely and relates to the approach taken by companies to manage that impact. As we consider further below, it is this pillar of ESG that presents the greatest scope for organisations to customise their approach and prioritise the issues that are most relevant to their business or particular circumstances. For example, although there is a growing body of legislation that requires organisations to safeguard human rights or otherwise prohibit modern slavery, together with the supervision of bodies such as the Equality and Human Rights Commission in the United Kingdom, the approach to issues such as social mobility, diversity or animal welfare remains largely voluntary.
  • Governance: This relates to the general approach of an organisation to corporate governance and considers whether an organisation is able to properly impose the necessary systems and controls for the purposes of discharging its obligations or otherwise meeting its objectives. The failure to realise and maintain proper corporate governance is typically behind most corporate failings that give rise to reputational harm or enforcement risk.

It follows that, in the sense that good corporate governance is an essential pillar of any ESG strategy, ESG issues cut across all aspects of compliance and, in fact, a large number of the underpinning principles set out in other chapters of this book apply equally in the context of ESG. However, there are a number of concepts that relate to compliance in the context of ESG specifically and that require particular consideration. In this chapter, we focus on the relevant standards that ought to be applied for the purpose of ESG compliance; the specific risks that attach in an ESG context, including the prospect of enforcement in relation to ESG-related harms; the particular compliance steps available to mitigate those risks; and the specific challenges posed by investigations into ESG issues.

Relevant standards

The most conceptually challenging aspect of compliance in the context of ESG is typically the process of establishing the relevant principles and standards that apply to a particular organisation. The legislative landscape is evolving rapidly in the United Kingdom, the European Union and elsewhere, but it remains an incomplete picture, which means that voluntary standards and principles are frequently just as important for the purposes of determining the appropriate framework to be imposed. We set out below a summary of the most relevant legal and regulatory standards that apply in respect of ESG issues, with an overview of the voluntary standards and principles most frequently adopted by organisations seeking to establish a compliance function that is responsive to ESG considerations.

Legal and regulatory

The legal and regulatory landscape relating to ESG issues is diverse and encompasses issues ranging from environmental standards frameworks to legislation relating to equality, harassment and discrimination.

We have chosen to focus on two discrete areas that impose relevant standards and that frequently give rise to compliance issues: supply chains and specific reporting requirements.

Supply chains

In terms of failures of corporate governance, the clearest legal risks in the United Kingdom are imposed by the Bribery Act 2010 (BA 2010) and the Criminal Finances Act 2017 (CFA 2017), which create criminal liability for those organisations that fail to prevent (1) persons acting for or on their behalf from committing the offence of bribery or (2) the facilitation of tax evasion. As set out in the chapter covering UK Compliance Enforcement, both statutes impose criminal liability on an extraterritorial basis, which means that the risks are especially pronounced for those organisations with overseas supply chains that may extend into jurisdictions with a weak rule of law, for example.

Likewise, in the United States, the Foreign Corrupt Practices Act 1977 (FCPA) contains specific anti-bribery provisions relating to the bribing of foreign officials and outlaws the failure to maintain accurate books and records. Like the BA 2010, the FCPA is wide-reaching – any company that uses the US financial system in any way in furtherance of a bribe, even if the infraction takes place entirely outside the United States, falls within its jurisdiction.

Although principally a governance issue, the failure to ensure compliance with the necessary anti-corruption standards imposed by the BA 2010 or the FCPA also necessarily has a social impact and – subject to the specific context – may also have an environmental impact. For example, the top 10 countries with the highest rates of deforestation[2] all currently fall below the global average for corruption risk, according to Transparency International’s Corruption Perception Index, thereby giving rise to the real possibility that corruption may facilitate environmental harms in a supply chain.[3]

Alongside the criminal liability outlined above, there is also an increasing body of new legislation that imposes reporting and due diligence obligations on organisations in respect of their supply chain operations. For example, in the United Kingdom, the government is planning to introduce secondary legislation, pursuant to the Environment Act 2021, that will impose an obligation on businesses that use ‘forest risk commodities’ in their supply chains to conduct due diligence to assess whether the commodities have been produced on land that is subject to unlawful deforestation. The full list of ‘forest risk commodities’ is subject to public consultation, but is likely to include beef, leather, cocoa, maize, palm oil, rubber and soy.[4]

The introduction of legislation under the Environment Act 2021 would build on the UK’s Modern Slavery Act 2015 (MSA 2015), which introduced a requirement on larger UK businesses to publish a statement as to whether there was slavery or human trafficking in the organisation or its supply chain.[5] As it stands, the MSA 2015 does not mandate specific due diligence, although the UK government has committed to reforming this in the short term to make the requirements more demanding.[6]

More broadly, it seems clear that the legislative trend is towards the imposition of further mandatory due diligence requirements on companies. For example, the European Commission has recently proposed the introduction of a Directive that would require companies to undertake due diligence measures in respect of their operations and supply chains in order to safeguard human rights and mitigate the risk of environmental harms arising.[7] This reform would follow similar legislation that already exists in a number of EU Member States, including France, which has had a Duty of Vigilance Act since 2017, and Germany, which has introduced a Supply Chain Act that is due to come into force on 1 January 2023.

Reporting obligations

In addition to the above issues that attach specifically to supply chains, there has been a movement in recent years towards the introduction of a range of specific regulatory reporting requirements in a number of specialist sectors. The impact of these obligations is plainly most acute for those subject to regulation; however, we note that, in the absence of a developed legislative framework for ESG concerns, the requirements imposed may nevertheless be relevant to other entities seeking to identify and demonstrate the adoption of appropriate standards (see the section titled ‘Voluntary’, below).

For example, in the financial sector, the European Union introduced the Sustainable Finance Disclosure Regulation, which requires specific disclosures on the environmental impact and sustainability of products and activities.[8] In contrast, the United Kingdom has endorsed the Financial Stability Board’s Task Force on Climate-related Financial Disclosures (TCFD), which proposes a number of specific climate-related disclosures for use by companies, banks and investors, and has committed to the introduction of TCFD disclosures for relevant organisations by no later than 2025.[9]

In general, ESG is becoming an increasingly important focus of regulators across the United Kingdom. The Financial Conduct Authority (FCA) and the Competition and Markets Authority (CMA) have each taken steps to demonstrate that ESG principles, and the protection of those principles, fall squarely within their respective regulatory remits. By way of example:

  • the FCA has adopted its own ESG strategy, which sets out its target outcomes and the actions it expects to take to deliver them. ESG issues are high on the regulatory agenda with a view to better protecting consumers and other stakeholders from ‘green’ claims made by companies and financial firms, and to support the transition to a more sustainable future. These objectives were reflected in the FCA’s Business Plan for 2021–2022 and reiterated in the FCA’s Business Plan for 2022–2023;[10] and
  • the CMA has published a Green Claims Code, which sets out six principles that businesses must follow in the context of communicating their green credentials. The Code, which is principally derived from the Consumer Protection from Unfair Trading Regulations 2008, forms part of a wider stated strategy by the CMA, from 2022 onwards, to pursue businesses engaged in misleading green claims.[11]

In relation to climate change and green finance specifically, the FCA introduced TCFD-aligned disclosure rules for certain listed issuers and TCFD-aligned disclosure requirements for asset managers and asset owners, life insurers and FCA-regulated pension providers. Looking to the future, the government’s Roadmap to Sustainable Investing[12] includes plans to introduce new sustainable disclosure requirements and sustainable investment labels, which the FCA will play a role in implementing.

More broadly, all larger companies in the United Kingdom are now required to disclose annually details of their energy consumption and emissions and, separately, to issue an annual statement setting out the basis on which their directors have had regard to wider stakeholder needs, including the impact of the company’s operations on the community and the environment.[13] Similarly, the United States Securities and Exchange Commission (SEC) is considering imposing mandatory disclosures relating to the environmental impact of regulated entities.[14]

Voluntary

As noted above, in the absence of a developed legislative framework for ESG concerns, standards and principles are frequently voluntarily adopted by organisations seeking to establish an ESG compliance framework. For example, the latest version of the Bank of England’s Money Markets Code, which effectively applies to anyone involved in the UK financial markets, actively encourages participants to ‘consider basing any [ESG] policy in line with existing credible ESG frameworks’.[15]

The most important example is probably the UN Guiding Principles on Business and Human Rights (UNGPs), which set out a series of guidelines for the prevention of human rights abuses in the context of business, together with the appropriate remediation steps.[16] Further to the UNGPs, the Organisation for Economic Co-operation and Development (OECD) has published a set of Guidelines for Multinational Enterprises (the OECD Guidelines),[17] which align closely to the UNGPs and have been ratified by the United Kingdom, the United States and the majority of EU Member States, among others. The OECD has also published Due Diligence Guidance for Responsible Business Conduct,[18] which sets out various due diligence standards that can be used by businesses to mitigate harms. In addition to global standards, the United Kingdom has introduced a Stewardship Code,[19] which applies on a voluntary basis to asset owners and managers (such as investment managers) and requires signatory companies to disclose various ESG-related issues, including the basis on which material ESG issues have been integrated by reference to the importance of the respective issues.[20]

Finally, although these examples of voluntary frameworks can be instructive, the critical difference between compliance in an ESG context and other areas is that it is largely open to organisations to develop their own bespoke standards to reflect their particular markets, needs, commitment and scale. As a matter of practice, such standards should typically be promulgated both within and outside an organisation, as appropriate, if their adoption is to be an effective exercise in communicating standards.

Risks and enforcement

There is a host of wrongdoing that may give rise to an ESG-related compliance failing, with the risks often materialising by virtue of a failure to comply with applicable reporting obligations or in the course of a company’s supply chain. For example, setting aside possible criminal offences, there are various other harms that may be committed for or on behalf of an organisation, including environmental harms such as pollution, or other environmental damage; human rights abuses; or other workers’ rights abuses, for example sexual harassment or discrimination.

As with other compliance concerns, the triggers for any ultimate investigation may come from a number of sources, although the nature of ESG concerns – which are typically outward-facing and relate to a company’s interaction with the world – means that investigations in this context more frequently originate externally to a company. In particular, the involvement of supply chains and other third parties in many ESG-related issues means that external whistleblowers are often a particular trigger, whereas other issues may move up a board agenda owing to media interest, or even political or shareholder pressure.

In practice, the reputational damage that an ESG issue can present to an organisation is often the principal risk posed by wrongdoing of the kind outlined above, something which inevitably informs any strategy going forward, as set out further below under ‘Investigation and remediation’. It is possible for organisations active in jurisdictions subject to OECD guidelines to be subject to a mediation process following a complaint, although, in the absence of the OECD having any power to impose fines, the enforcement risk remains principally reputational.

Further, in the United Kingdom, the Equality and Human Rights Commission (EHRC), a non-departmental government body, has the power to investigate organisations that are in alleged breach of equality legislation in the United Kingdom. In recent years, the EHRC, which has the power to pursue civil remedies against non-compliant organisations, has conducted investigations into alleged anti-Semitism, discriminatory pay claims and racial inequality within workplaces.

In addition to the examples of harm outlined above, there is also an increasing focus from some regulators on the particular issue of ‘greenwashing’, which carries with it a more direct enforcement risk.

By way of example, in the United Kingdom, alongside the introduction of the disclosure regimes set out above under ‘Legal and regulatory’, the most notable intervention to date is a July 2021 letter sent by the FCA to the chairs of authorised fund managers, stressing the importance of firms avoiding misleading claims in an ESG context.[21] The reporting obligations imposed (and proposed) by the FCA are also intended to protect against greenwashing. In addition, the FCA has specifically said that it is taking steps to embed ESG considerations in all policy work as well as market oversight, supervision, authorisation and enforcement activities. This will include, for example, incorporating ESG-related questions and criteria in supervisory assessments and engagements, and building ESG-related elements into enforcement models.

In contrast, in the United States, the SEC has identified ‘greenwashing’ as an area of significant focus for 2022, committing to focus on the risk that firms engage in ‘overstating or misrepresenting the ESG factors considered or incorporated into portfolio selection (e.g., greenwashing), such as in their performance advertising and marketing’.[22]


The compliance measures that have been outlined elsewhere in this book (such as in the chapter covering UK Compliance Requirements) will apply equally, in general, in the context of ESG-related issues. For example, the factors identified in UK government guidance relating to the BA 2010 and the CFA 2017 all have application in respect of undertaking a risk assessment, conducting due diligence on third parties, training relevant persons where appropriate, and monitoring and reviewing the adequacy of the relevant procedures.

However, there are two measures that have particular application in the context of ESG issues. The first concerns the culture of an organisation and the communication of that culture throughout an organisation. As defined by the FCA, culture is ‘the habitual behaviours and mindsets that characterise an organisation’, which reflects the notion that the culture of an organisation relies on ideas, something which is especially important when dealing with voluntary standards or frameworks, as is often the case in respect of ESG.

As set out above, the involvement of supply chains or other third-party relationships often presents the greatest risk in the context of ESG issues, with wrongdoing being committed by third parties beyond the direct control of an organisation, giving rise to serious reputational or legal repercussions. In light of this particular risk area, another increasingly important mitigation measure in this context is ensuring that any contract with a third party expressly reflects the various ESG standards that a company may wish to promote and uphold. This is important because – by contrast to clear legal standards such as the BA 2010 and CFA 2017 – many aspects of an ESG framework may be voluntary or reflect bespoke priorities, aspirations or standards for that organisation, none of which may be appreciated by any contracting third party.

The measures to be included in the contract will necessarily be fact specific, but may extend to requiring the third party to comply with a particular anti-modern slavery or anti-environmental harm policy, or to provide training to employees on the same. As with financial crime compliance generally, it may also be appropriate to require the third party to retain relevant records, or to require auditing rights, which will provide some protection in the event that an issue arises and it is necessary to investigate further.

Investigation and remediation

The incorporation of ESG issues into compliance frameworks has inevitably led to an increasing number of ESG investigations. Although the fundamental investigations process will typically remain the same as a standard internal investigation, there are inevitably specific challenges posed by the ESG context.

The first issue to be addressed will normally be to determine the appropriate standards against which the wrongdoing or issue is to be assessed. It may be that the relevant standard has already been incorporated into an ESG framework by the organisation; however, if not, it will likely be necessary to refer to the sources set out in ‘Relevant standards’, above, in order to consider the appropriate values and principles.

Further, particularly in the absence of prospective enforcement action, careful consideration must be given to the application of legal professional privilege and whether it will be possible to preserve privilege over aspects of the investigation. This may be especially complicated in circumstances where the subject of the investigation presents a reputational risk to the organisation or external stakeholders are otherwise involved. For example, the UNGPs identify the importance of transparency and ‘keeping parties to a grievance informed about its progress’[23] as a specific criterion for the purposes of the effective resolution of complaints pursuant to their framework.

The same issues in respect of external stakeholders are likely to attach in the context of remedial action, in which organisations may want to repair or mitigate reputational damage by communicating outcomes and improved processes. Again, the UNGPs stress that any outcome and remedial action should ‘identify lessons for . . . preventing future grievances and harms’.[24] In practice, particularly in circumstances in which the principal driver for any investigation is to manage sensitive reputational harm to an organisation, there may be a request to publish any report, which will engage further issues around privilege and the rights of those who may be named.


[1] Matthew Ewens and Charlotte Wilson are partners and Christopher Gribbin is a managing associate at Mishcon de Reya LLP.

[2] Food and Agriculture Organization of the United Nations, ‘Global Forest Resources Assessment, 2020’ (Main report), Table 7: Top ten countries for average annual net loss of forest area, 2010-2020, p. 18, at (last accessed 17 June 2022).

[3] Transparency International’s Corruption Perception Index – a tool that ranks countries based on the perception of the corruption within their public sectors: see, e.g., (last accessed 17 June 2022).

[4] Department for Environment, Food and Rural Affairs, ‘Implementing due diligence on forest risk commodities’ (Consultation document, December 2021), at (last accessed 29 June 2022).

[5] The obligation is limited to businesses that supply goods or services with a turnover of £36 million or more, although despite this some organisations have chosen to comply with the spirit of the legislation even if they are not caught by it in order to give a positive outlook to their consumers, supply chain or the public.

[6] ‘New tough measures to tackle modern slavery in supply chains’ (September 2020), at -in-supply-chains (last accessed 17 June 2022).

[7] Proposal for a Directive of the European Parliament and of the Council on Corporate Sustainability Due Diligence and amending Directive (EU) 2019/1937, COM/2022/71 final, at (last accessed 29 June 2022).

[8] Regulation (EU) 2019/2088 of the European Parliament and of the Council of 27 November 2019 on sustainability‐related disclosures in the financial services sector, which applies from 10 March 2021, ?uri=CELEX%3A32019R2088&qid=1656515206270 (last accessed 29 June 2022).

[9] Interim Report of the UK’s Joint Government Regulator TCFD Taskforce (November 2020), at (last accessed 29 June 2022).

[11] Competition & Markets Authority, ‘Green Claims Code’, at (last accessed 17 June 2022).

[13] Companies (Strategic Report) (Climate-related Financial Disclosure) Regulations 2021; and Limited Liability Partnerships (Climate-related Financial Disclosure) Regulations 2022.

[14] U.S. Securities and Exchange Commission, Statement by Acting Chair Allison Herren Lee, ‘Public Input Welcomed on Climate Change Disclosures’ (15 March 2021), at (last accessed 17 June 2022).

[15] Bank of England Money Markets Committee, ‘The UK Money Markets Code’ (April 2021), p. 10, at money-markets-committee/uk-money-markets-code.pdf?la=en&hash= C7854B22B681B65244EE35A8CC306288454B4506 (last accessed 17 June 2022).

[16] United Nations, Office of the High Commissioner for Human Rights, ‘Guiding Principles on Business and Human Rights: Implementing the United Nations “Protect, Respect and Remedy” Framework’ (UNGPs), at (last accessed 17 June 2022).

[17] Organisation for Economic Co-operation and Development (OECD), ‘OECD Guidelines for Multinational Enterprises’ (last updated 2011), at (last accessed 17 June 2022).

[18] ‘OECD Due Diligence Guidance for Responsible Business Conduct’ (2018), at -Conduct.pdf (last accessed 17 June 2022).

[19] Financial Reporting Council, ‘The UK Stewardship Code 2020’, at -Corrected.pdf (last accessed 17 June 2022).

[20] ibid., Principle 7: Signatories systematically integrate stewardship and investment, including material environmental, social and governance issues, and climate change, to fulfil their responsibilities.

[22] U.S. Securities and Exchange Commission, Division of Examinations, ‘2022 Examination Priorities’, p. 13, at (last accessed 17 June 2022).

[23] UNGPs, op. cit. note 12, above, at p. 33.

[24] ibid., p. 34.
