The assurance industry is failing to deliver in some fundamental areas

Accurate information is becoming a currency. There is growing pressure on business for disclosure, driven by factors including regulations on emissions and reporting, the Copenhagen climate conference, the growth of wider society’s expectations, industry consolidation and investor activism.

As a result, companies see assurance as something of a magic bullet that lends credibility to disclosures of environmental, social and governance (ESG) performance.

Unfortunately, the assurance business is ill-equipped to meet the growing demand for its services. Standards are in flux; adherence varies. Statements are often vague and too opaque to be of much use. The potential for conflicts is considerable. And costs can exceed those of reporting itself.

Given these and other concerns, is assurance really worth the effort? It can be, but only if we – sustainability practitioners, reporting organisations, stakeholder groups and the providers themselves – take a cold, hard look at current practices.

Standards exist for a reason

Most assurance providers use one of the two recognised standards: AccountAbility’s AA100AS and ISAE 3000 standard created by the International Auditing and Assurance Standards Board.

Some businesses, however, adhere to no standard in particular. For example, the assurance statement for 3M’s 2008 sustainability report says only that the assurance provider’s review of the report was “informed by” the Global Reporting Initiative G3 Sustainability Reporting Guidelines and “generally accepted industry standards”. GRI G3 is not, however, an assurance standard, and the statement gives no comfort that the provider adhered to any standard at all.

That assurance processes and statements vary so widely militates against comparability – ironically, one of the key objectives of GRI G3. The more detailed the information concerning scope, level of assurance, process, conclusions, recommendations and independence, the more credible the statement and, hence, the report itself. (See Vodafone’s 2008 report for an exemplary assurance statement, issued by audit firm KPMG.) Stakeholders, and investors in particular, need a high level of detail in order to evaluate a reporting organisation’s performance.

The information an assurance provider reviews depends on the remit given to it by the reporting organisation. The problem for stakeholders, however, is that with even the narrowest scope of assurance, a reporting organisation can, under the current sustainability reporting regime, declare its report assured.

Under the GRI G3 application level system, a “+” symbol attached to an application level becomes something of a proxy for reliability. Yet reporting organisations can seek assurance for a narrow slice of data and still claim a GRI application level of A+, B+ or C+.

For example, assurance for Unilever’s 2008 report extended to only eight environmental indicators and two health and safety indicators out of dozens reported. Yet Unilever was able to self-declare a B+ application level for its 2008 report. While neither Unilever nor its assurance provider can be faulted for following GRI guidance, this example highlights a weakness in the GRI application levels that should be remedied in future versions of the GRI guidelines.

Consulting conflicts

Consulting firms that provide report assurance for their consultancy clients place themselves directly in a conflict position, no matter how many firewalls they may erect or systems they have in place to defend against such conflicts. Deborah Evans of LRQA, a non-profit assurance provider, says: “We prevent potential for conflict of interest by only offering assurance, rather than combining assurance with CSR consultancy.” If only others would do likewise.

Where the potential for conflicts exists, it is incumbent on the assurance provider to demonstrate that it has neither a conflict nor the potential for one.

Case in point: in its assurance statement for Dow’s 2008 sustainability report, the assurance provider states merely that it has “confirmed” its independence and that “members of the review team have not provided consulting services to Dow outside of the review”. A better approach would be to state that the firm does no work for the reporting organisation other than assurance. To state otherwise is to invite criticism and diminish the credibility of not only the assurance provider but the report itself.

The cost factor

For many companies just beginning to report, assurance is prohibitively costly. It may also be seen as holding little value where systems and data-collection processes are immature. Cost is likely also to be a factor in many companies’ decisions to seek assurance for only a portion of their sustainability data, such as greenhouse gas emissions or safety figures.

Assurance cost may be legitimately high relative to the rest of the reporting process. It is one activity that cannot be undertaken by internal resources and, done right, is a lot of work. But while not much can be done about the cost itself, a lot can – and should – be done to increase the value, real or perceived, of the assurance process.

Whether provider, reporting organisation, or stakeholder, all parties should work towards more credible assurance. Standards organisations such as the GRI should offer more specific guidance on the assurance level, scope, and statement form needed to comply with the guidelines and give confidence to stakeholders.

In addition, industry bodies such as ICMM and the WBCSD Cement Sustainability Initiative, and others such as the United Nations Global Compact country networks, can play a key role in specifying the standards to be used and the scope and level of assurance that their members should seek.

Assurance providers themselves should be transparent about conflicts and push for a single, global assurance standard. Until that standard emerges, the reporting organisations themselves can take a more active role in realising the promise of assurance.

For starters, they can:

  • require the assurance provider to adhere to both recognised standards;
  • require an assurance statement that strictly adheres to the standards, is transparent, and describes in detail the assurance process and all work undertaken on its behalf;
  • establish that the assurance provider’s duty is to the organisation’s stakeholders – not just the board and management;
  • establish a plan for expanding the scope and level of assurance in each successive reporting period and communicate that plan to stakeholders;
  • refuse to engage as an assurance provider any firm that provides consultancy services to it.

Finally, stakeholders – in particular investors and corporate clients that rely on assurance for assessing the performance of their suppliers and portfolio companies – should advocate for a global assurance standard and insist on strict adherence to it. They should ask tough questions of companies whose report assurance is weak and challenge assurance providers when statements on conflicts fail the sniff test.

These steps will take work and courage, but in the end, they will be well worth the trouble.

Kathee Rebernak is chief executive of Framework:CR, a sustainability strategy and communications firm.



Related Reads

comments powered by Disqus