Internet security giant Symantec reports its current performance well, but lets itself down on past and future targets
Symantec’s latest report reflects a step-change in the company’s thinking and presentation of its corporate responsibility approach and performance. For the first time – the company has been reporting since 2008 – the report is organised around Symantec’s three strategic responsibility priorities: people (employees), world (environment, human rights, sourcing and community) and information (online security). These three focus areas form the basis of the structure of this report, which, at 43 pages, covers a healthy breadth of information in a crisp, coherent and intelligent way, while retaining focus.
As reports go, this has all the positive elements: materiality matrix, input from internal and external stakeholders, clearly laid-out performance data over three financial years, and even a few failures frankly discussed. In fact, this is one of the few reports that lend themselves to reading cover to cover without inducing sleep.
The graphics are clean and unobtrusive, supporting the text with light design elements that aid rather than hinder the flow of reading. Navigation, however, is less easy, with an online GRI index that requires several clicks to locate specific information. In several cases, full GRI disclosure responses are embedded in the GRI index, which makes for disjointed reading. Adding a couple of GRI index pages to the PDF report would save readers time and frustration.
Symantec discloses a materiality matrix, which has changed significantly from its first version published in the 2008 report, where three issues were highlighted as most material: green IT, online safety and privacy/data protection. In 2012, the top issues are stakeholder engagement, climate change, employee satisfaction, talent management and securing information. This is quite a shift in focus, reflecting changes in business priorities and a dynamic global environment, especially in the area of cyber-technology and cyber-risk.
It also reflects quite closely stakeholder feedback which was published on Symantec’s website in December 2011, following an analysis of more than 2,100 responses to Symantec’s 2011 Corporate Responsibility Report. The majority of feedback came from employees, which perhaps explains why two of the five most material issues are related to human resources (compared with none in 2008), but customers, analysts, investors, suppliers and other groups are also represented.
More than 2,000 inputs on a corporate responsibility report is impressive; many companies barely achieve 20 responses to questions about their reporting. Yet more impressive is evidence of good process in determining materiality and aligning corporate responsibility reporting accordingly.
In this latest report, Symantec presents achievement highlights of 2012, and mostly qualitative process-oriented goals for 2013. No reference is made to the previous year’s goals. Perhaps this is due to Symantec’s change in leadership during the course of 2012 and refreshed thinking about Symantec’s responsibility direction.
Despite the changes at the top, Symantec fails to offer evidence of robust planning for performance improvement. In some cases, Symantec acknowledges the complexity of establishing firm targets. For example, the aim to “develop a GHG emissions approach through implementing a global environment management system” is about improving processes not impacts.
Symantec admits that acquisitions have made absolute energy tracking more complex, and a key next step is being able to track the current baseline. Symantec’s global absolute carbon emissions have decreased by 4.5% over a five-year period, and the company is pursuing positive approaches such as LEED certification, now obtained for 88% of Symantec facilities, and Energy Star certification, now in 62% of facilities.
In addition, Symantec has adopted a new power usage effectiveness (PUE) measure, which tracks the ratio of total power used to IT servers and network equipment, which is an interesting approach. However, and notwithstanding this progress, changes in the business are not a plausible reason for failing to set environmental targets for established facilities. There is a sense that Symantec could apply a little more stretch in all of its 2013 objectives, and even take the longer view with multi-year targets which identify improved outcomes and not only different ways of working.
Symantec’s report claims to be in accordance with application level B+ of the GRI framework but no assurance statement is available, and the Symantec website states: “We did not seek external assurance for the report.” Symantec engaged an external organisation to verify all-scopes carbon emissions, and used an external advisory council to provide feedback. While good practice, neither of these equates to full report assurance.
Symantec does a good job of making the case for a most material issue – securing information. From data protection, “hacktivism” and new challenges presented by cloud computing, along with results of a global study on the impacts of cybercrime, Symantec provides context for the company’s continuing involvement in making the internet more secure – the company’s most significant social mission. In this sense, Symantec is getting it right with this 2012 report, delivering an improved platform for future reporting and a basis for more extensive engagement and targeted disclosure.
Follows GRI? Yes, application level B+.
Materiality analysis? Yes
Targets? Few quantitative targets.
Stakeholder input? Yes
Seeks feedback? Yes
Key strengths? Material focus and structure.
Chief weakness? Lack of clear targets.
Pleasant surprise? Stakeholder feedback insights.
June 2013, London, UK
A celebration of sustainability and CSR best practice from around the world