Knowing what is in motion.
Sustainable practices and responsible business are becoming increasingly important. Consequently, the Mauer Group has taken a major step that not only affects its external appearance, but also reflects its internal self-image.
The decision to revise the corporate design is no coincidence. For the Mauer Group, sustainability is not just a trend or an option, but an integral part of its corporate philosophy. The new colour symbolizes its commitment to a world in which economic success goes hand in hand with corporate responsibility and sustainability. Following the key principle of "operate securely and sustainably", the Mauer Group is emphasizing its ambition to play a pioneering role in sustainable entrepreneurship – whether for customers such as freelancers, medium-sized companies or DAX-listed corporations. Customers benefit, for example, from the comprehensive expertise in auditing and consulting on all aspects of sustainability reporting, which around 15,000 companies in Germany now have to take into account. Special attention is paid to advising and supporting all healthcare professions such as doctors, medical practices and medical centres. Here, the Mauer Group has also built up a first-class network that goes beyond traditional tax consultancy services.
Therefore, the Mauer Group is redefining itself in two strategic areas: As experts in Tax & Auditing (mauer-berater.com), as well as experts in Sustainability Advisory & Governance Risk Compliance (mauer-wpg.com). This expertise is united under one roof at the Reutlingen and Stuttgart locations to accompany companies on their path to a sustainable future.
With a local presence and an international network, the consultants of the Mauer Group support their clients with personality and empathy. Because for them, it is not only the result that matters, but also the path to it. A path characterised by integrity, trust and a shared vision.
Since the end of July 2023, the standards for sustainability reporting under the CSRD have been established. Companies are now diligently preparing for the increased requirements. In this process, there are also opportunities to selectively reduce the effort required for sustainability reporting.
On June 29, 2023, the EU Regulation for Deforestation-Free Supply Chains came into effect. The goal of the regulation is to ensure that raw materials, especially those responsible for deforestation, and products made from them are demonstrably produced on lands that were not deforested after December 31, 2020, and are in accordance with the legal regulations applicable in the country of production.
The implementation of the EU Deforestation Regulation (EUDR) is required by December 30, 2024. Small businesses have an additional 6 months for compliance.
Who is affected?
Primary entities affected include manufacturers, importers, and traders who introduce the following raw materials/products for the first time in the EU:
- Palm oil
Secondary entities in the downstream supply chain are also affected: they must retain all information serving as evidence of compliance with due diligence obligations, along with the reference number of the importer's due diligence declaration.
What must companies do?
Companies must ensure that relevant raw materials and products meet the following conditions before being placed on the market or exported:
- They are deforestation-free.
- They are produced in accordance with the relevant legal requirements of the producing country.
- A due diligence declaration is available for them.
By submitting the due diligence declaration to the authorities, the company assumes responsibility for ensuring that the products meet the above criteria. Due diligence includes:
- Collection of the information, data, and documents on the products and the market participants involved that are needed to meet the due diligence obligations.
- Measures for risk assessment.
- Measures for risk mitigation.
Furthermore, the process for risk assessment and mitigation must be thoroughly documented.
If information about potential violations comes to light, the relevant authorities and traders must be notified immediately. Companies subjected to an inspection by the authorities must support it, for example by granting access to the premises and allowing inspection of relevant documents.
SMEs should familiarize themselves with their obligations as traders of the defined raw materials/products, as well as market participants related to the seven products – as information obligations apply to them as well. In addition to the German (LkSG) and European Supply Chain Act (CSDDD), which primarily place the responsibility for protecting human rights in the supply chain on European companies, the EUDR now focuses more on environmental protection aspects in the value chain. Ensuring compliance with human rights and environmental protection rules, as mandated by the EU Supply Chain Act, can provide a solid foundation for product-related due diligence under the EU Deforestation Regulation. Companies affected should be mindful of the overlaps between CSDDD and EUDR, as they may need to gather certain information only once.
Medium-sized companies are facing demanding regulations on sustainability from the EU and German lawmakers. Many mid-sized companies are still unprepared for these changes. From 2025, companies with 250 or more employees, a turnover exceeding 40 million euros, and a balance sheet total of 20 million euros must provide detailed information on their sustainability aspects in the management report. Additionally, there is a preliminary draft of an EU Supply Chain Act for these companies.
The European Green Deal compels companies to operate more sustainably and make their business models more transparent. The advancing digitization adds additional pressure. For the Advisory sector, this means: expanding competencies.
While the Supply Chain Due Diligence Act (LkSG) officially applies only to companies with more than 1,000 employees, smaller companies are also affected due to their connections in supply chains. The Federal Office for Economic Affairs and Export Control (BAFA) has released guidance on the exact obligations for SMEs in collaboration with affected companies on June 29, 2023.
Affected companies under the LkSG are obligated to exercise human rights and environmental due diligence. This involves not only assessing their own actions but also those of their direct and indirect suppliers.
Their obligations include:
- Establishing a risk management system
- Conducting regular risk analyses within their own business and among their suppliers
- Implementing preventive measures towards direct suppliers
- Enforcing due diligence measures concerning risks with indirect suppliers
To assist companies in fulfilling these obligations, the Federal Office for Economic Affairs and Export Control has published various guidelines specifying the extent and requirements of these duties.
Obligations for SMEs
The LkSG currently covers all companies with at least 3,000 employees in Germany. From January 1, 2024, companies with at least 1,000 employees in Germany will also be affected and must fulfill the legal obligations.
SMEs themselves are not directly covered by the LkSG but may still come into contact with the law as suppliers. SMEs are defined as companies with up to 249 employees and an annual turnover of up to 50 million euros. They include micro-enterprises, small enterprises, and medium-sized enterprises.
As obligated companies are required to implement due diligence not only within their own business but also with their direct and indirect suppliers, SMEs are often asked to collaborate by obligated companies. This collaboration is typically formalized through contracts due to the legal obligations of the companies and the potential penalties for non-compliance.
Limits of Obligations
When SMEs enter into agreements to collaborate with companies, they should always ensure not to commit to compliance with LkSG regulations but rather to assistance. They can contribute to meeting due diligence requirements in various ways and be involved. However, there are limits to their obligation to collaborate that do not need to be exceeded.
Collaboration within the supply chain can be advantageous for both affected companies and SMEs. SMEs can benefit from early risk detection and assistance with prevention measures. Additionally, SMEs should be prepared to provide evidence and information regarding the compliance with human rights in their operations.
While SMEs are not expected to be directly affected by the planned EU Supply Chain Due Diligence Directive (CSDDD), they may be impacted as suppliers. The proposed regulations of the EU Supply Chain Due Diligence Directive are, however, more extensive and will also increase requirements for verifying indirect suppliers. Given the overall political trend towards a more sustainable supply chain (as evident in the EU Deforestation Regulation, CSRD, CSDDD), it is advisable for SMEs to establish organizational and informational processes.
On January 12, at the invitation of Mauer Unternehmensberatung GmbH, Michael Rampf from Rampf Group, Matthias Gebhard, Managing Director of Bergfreunde GmbH, and the Chief Medical Director and Chairman of the Board of the University Hospital Tübingen (UKT), Prof. Dr. med. Michael Bamberg, met with experts from Mauer GmbH for an insightful business discussion at Hofgut Rosenau in Tübingen.
The discussion focused on the diverse activities and strategies for making their companies more sustainable, as well as the challenges posed by the current wave of regulations.
In our first part of the series "Sustainability according to CSRD," we outlined the basic features of the new directive proposal in November 2021, which includes an external audit, among other things. In the second part, we took a closer look at the concept of double materiality. The following article will now focus on the European Sustainability Reporting Standards (ESRS), the reporting standards of the CSRD.
The purpose of sustainability reporting fundamentally lies in increased transparency for a company's stakeholders, particularly financial stakeholders. To ensure this transparency, as well as comparability, auditability, and the quality of ESG (Environmental, Social, Governance) information in future reports, the CSRD mandates uniform standards across the EU: the European Sustainability Reporting Standards (ESRS). As a reminder, companies previously had the option to choose whether and which of the various existing standards, such as GRI, DNK, or TCFD, they wanted to use.
The ESRS are being developed by an organization, the European Financial Reporting Advisory Group (EFRAG), commissioned by the European Commission. Drafts have already been created in collaboration with entities like the ECB, expert groups from member states, and exchanges with existing standard setters such as GRI, SASB, and TCFD. The final step is adoption as delegated acts, expected to take place by June 2023.
Let's get specific: What do these standards look like now?
Currently, drafts of cross-sectoral standards covering the three sustainability pillars—Environment, Social, and Governance (ESG)—are available. There are also cross-cutting standards explaining general information and requirements. Additionally, sector-specific standards and standards tailored for small and medium-sized enterprises (SMEs) are expected to be developed by mid-2024.
The individual standards follow a similar structure: Firstly, they inquire about the governance structures within the company related to the specific area (e.g., Own Employees), as well as any implemented or planned measures in the respective thematic area. After gathering these qualitative insights, the standards then proceed to include quantitative metrics and targets for the specific area – ranging from greenhouse gas emissions under "Climate Change" to indicators of diversity under "Own Employees," and confirmed incidents of corruption and bribery under "Responsible Business Practices." Each of the five environmental standards concludes by requiring disclosure of potential financial impacts, as well as risks and opportunities associated with the respective thematic area.
An exemplary look at the standard on climate change (ESRS E1): Climate Change
DR E1-1: Transition plan to mitigate climate change
DR E1-2: Policy measures to mitigate climate change and adapt to climate change
DR E1-3: Measures and resources related to climate policy
Metrics and Objectives:
DR E1-4: Objectives related to mitigating climate change and adapting to climate change
DR E1-5: Energy consumption and mix
  - Energy intensity based on net revenue
DR E1-6: Gross Scope 1, 2, 3, and total GHG emissions based on net revenue
  - GHG intensity based on net revenue
DR E1-7: GHG reduction and mitigation projects funded by emission credits
DR E1-8: Internal carbon pricing
DR E1-9: Potential financial impacts of material changes and potential climate-related opportunities
It becomes apparent that the various requirements, known as Disclosure Requirements (DR), involve varying levels of effort in collection, aggregation, and presentation. In particular, some of the metrics initially require the establishment of new, suitable structures and processes – unless they are already being collected. For instance, DR E1-6 demands the disclosure of Scope 3 greenhouse gas emissions, which do not cover emissions generated directly within the company but those of the upstream and downstream value chain. In contrast, DR E1-5 only requires the presentation of the company's energy consumption and mix in MWh, which is comparatively easy to determine or is often already determined.
The assessment of the potential financial impacts of material changes, as demanded in DR E1-9, encompasses three types of risks/opportunities that the company faces due to climate change in the example above:
- Potential financial impacts of significant physical risks (e.g., heavy rainfall events, heatwaves)
- Potential financial impacts of significant transition risks (e.g., stricter regulations regarding pollutant and CO2 emissions)
- The potential to pursue significant climate-related opportunities (e.g., new markets for technologies to mitigate or adapt to climate change)
An exemplary look at the standard for Employees in the Value Chain (ESRS S2): Employees in the Value Chain
Management of Impacts, Risks, and Opportunities:
DR S2-1 - Policies regarding employees in the value chain
DR S2-2 - Procedures for involving employees in the value chain regarding impacts
DR S2-3 - Procedures for addressing negative impacts and channels for employees in the value chain to express concerns
DR S2-4 - Taking actions regarding significant impacts on employees in the value chain and approaches to mitigate significant risks and pursue significant opportunities related to employees in the value chain, as well as the effectiveness of these measures
Measurement and Objectives:
DR S2-5 - Objectives regarding the management of significant negative impacts, promotion of positive impacts, and the management of significant risks and opportunities
This standard, for example, according to DR S2-3, requires the disclosure of procedures for addressing negative impacts, as well as information about channels for employees in the value chain to express concerns. This raises questions about whistleblower systems that are accessible to third parties and the processes established within the company, as well as concepts for remedial measures. Additionally, the company should describe how it supports or mandates the availability of channels at the workplace of employees in the value chain. With the entry into force of reporting and due diligence obligations under the Supply Chain Due Diligence Act (LkSG), the required information will be available and documented in the affected companies, saving additional effort. Even for companies with fewer than 1,000 employees, these processes should largely be in place as part of quality management. For example, they could include a compliance hotline or email address and regulate communication through supplier requirements.
In the case of social standards, the metrics and goals operate on a more qualitative and extensive level than the environmental standards. The disclosure of time-bound, results-oriented goals regarding the management of significant negative impacts, promotion of positive impacts, and the management of significant risks and opportunities is required. These goals should include, among other things, the base value and year, interim goals, methodology and assumptions, as well as overall progress over time, including how the goal is monitored.
If no objectives are set for a specific topic, it must be indicated whether and when this is planned for the future or reasons must be given why this is not intended.
Many companies are likely to initiate new processes to meet these disclosure requirements, defining measurable and transparently set goals, and, above all, monitoring them. For example, a manufacturing company may set a goal of ensuring living wages for its producers in Asian countries. To achieve this, it introduces a corresponding commitment from the producers and plans to have compliance annually verified by an independent multi-stakeholder initiative on-site. Progress is measured based on the purchasing power parity of the workers in dollars.
The new standards for sustainability reporting under CSRD will pose numerous challenges for many companies. However, upon closer examination, several metrics to be reported can be identified that can be collected with relatively minimal effort. By comparing and incorporating existing management systems that collect and process non-financial information, synergies can be leveraged, and complexity reduced.
Given the increasing relevance of non-financial reporting, the EU aims to expand its requirements. On April 21, 2021, the new draft directive was published under the name Corporate Sustainability Reporting Directive (CSRD). In our series of topics, we will provide comprehensive information about the new CSRD. In the first part of our series, we would like to give you an overview of existing and upcoming obligations for sustainability reporting.
Explanation of the starting point based on the CSR Directive Implementation Act (CSR-RUG):
The reporting on non-financial aspects of corporate activities began in 2017 with the CSR-RUG. In this law, the foundation for expanding the management report of groups or capital market-oriented companies (with more than 500 employees) is established. It is envisaged, in addition to financial content, to publish a non-financial statement to create transparency regarding sustainability-oriented issues. Responsible and sustainable actions of companies should thus be made visible to all and indirectly promoted. The non-financial statement must include information on environmental and social matters, as shown in the table below. The reporting obligation under CSR-RUG can be fulfilled as an extension of the management report or as a separate sustainability report. Non-compliance with the reporting obligation can result in fines of up to 10 million euros, based on the company's turnover and profit.
Minimum content of a non-financial statement according to §289c HGB
In addition to the mentioned contents, it is envisaged that these should be contextualized within the individual context of the company. For this purpose, the following aspects should be described:
- Business model
- Concepts pursued for the aspects mentioned above
- Results of the concepts
- Significant risks affecting sustainability
- Company's handling of the risks
- Disclosure of significant non-financial performance indicators
The new EU directive: Corporate Sustainability Reporting Directive (CSRD)
In recent years, both the EU Commission and the Federal Ministry of Justice and Consumer Protection (BMJV) have conducted examinations on the application of non-financial reporting. These investigations revealed that there is further potential for improvement and standardization in the European Union. On April 21, 2021, the EU Commission published its proposals for the revision of the CSR Directive. They aim in particular to enhance transparency in sustainable areas, responding to the increased demand for sustainability-related information, especially in the context of "green" investment products. The new Corporate Sustainability Reporting Directive (CSRD) contributes to advancing the European economy towards a sustainable and inclusive financial and economic system. The focus is on the equal consideration of the three pillars of sustainability: environment, social, and economic. Below are the key changes introduced by the CSRD proposal compared to the previous EU CSR Directive from 2014.
Overview of the CSRD
The new CSRD directive aims to take a step towards the equal consideration of financial and non-financial content in corporate reporting. This is done in line with the three pillars of sustainability: Ecology, Economy, and Social aspects.
After several attempts, the long-awaited Whistleblower Protection Act came into effect on July 2, 2023. Originally, the Federal Council had refused to approve the law in February 2023, but now the federal and state governments have reached a compromise.
The HinSchG aims to protect individuals who observe and wish to report violations of legal regulations during their professional activities. It prohibits any form of retaliation against whistleblowers. In addition, companies must establish secure channels through which misconduct can be reported.
Now the question arises as to what information companies and the public sector need to be adequately prepared for the Whistleblower Protection Act.
Which companies are subject to the provisions of the Whistleblower Protection Act?
- Companies with 250 or more employees are immediately subject to the Whistleblower Protection Act, as the new provisions apply to them from the effective date of the law.
- For companies with 50 to 249 employees, there is a deadline until December 17, 2023, to establish a reporting office in accordance with the Whistleblower Protection Act.
- Certain industries such as securities services or insurance must establish an internal reporting office regardless of the number of employees. There is no transitional period for these companies.
Which violations should employees report through the reporting offices?
The Whistleblower Protection Act (HinSchG) does not cover all reports of violations of legal regulations. However, the scope defined by Section 2 of the HinSchG is very extensive.
Violations can be reported against the following regulations:
- Violations of criminal provisions
- Administrative offenses, i.e., violations subject to fines, such as regulations regarding occupational safety and health.
- All violations of federal and state laws that implement specific European regulations, as well as of EU legal acts that apply nationally.
- The scope has been expanded to also cover statements by civil servants that are considered a violation of the duty of loyalty to the constitution.
What happens in case of non-compliance with the law?
According to §40 of the Whistleblower Protection Act, violations of the fundamental provisions of the law are considered administrative offenses and are subject to fines. The amount of the fine varies depending on the nature of the violation.
- Non-compliance with the Whistleblower Protection Act can be punished with fines of up to 50,000 euros. This includes hindering reporting and communication, unauthorized retaliatory measures, and violation of confidentiality requirements.
- A fine of up to 10,000 euros may be imposed if the confidentiality obligation is negligently disregarded.
- Companies that fail to fulfill their obligation to establish and operate an internal reporting office can be fined up to 20,000 euros.
What options are available to whistleblowers for reporting?
- Companies with up to 250 employees can operate a joint reporting office with other companies.
- The Federal Office of Justice (BfJ) establishes an external reporting office that receives reports from the private sector and the public sector. This reporting office is responsible for the federal government and the states. In certain areas, the Federal Financial Supervisory Authority (BaFin) and the Federal Cartel Office (BKartA) take on specific tasks as specialized external reporting offices with their existing whistleblower systems. Additionally, individual states have the option to establish their own reporting offices.
- According to §14 of the Whistleblower Protection Act (HinSchG), obligated entities can engage external service providers or ombudspersons to perform the tasks of an internal reporting office. This option is particularly relevant for small and medium-sized enterprises, as they often do not have sufficient human resources to meet the extensive requirements.
Is there a priority of internal over external reporting offices?
No. The whistleblower has the option to either contact the company's internal reporting office or the external reporting office established by the authorities.
What rules and deadlines must companies observe upon receiving a report?
The Whistleblower Protection Act establishes the prescribed procedural processes that must be followed upon receiving a report. These include, in particular, the obligation to document, deadlines for feedback to the whistleblower, and further steps such as internal investigations:
- The reporting can be made both orally and in writing, and on the whistleblower's request, it should also be possible to provide the report in person.
- The internal reporting office must confirm the receipt of the report within seven days.
- After confirming receipt, the reporting office is obligated to provide feedback to the whistleblower within three months. This feedback must include detailed information about planned and already taken follow-up measures and explain the reasons for these actions.
- Furthermore, the reports must be comprehensively documented.
Must companies accept anonymous reports according to the law?
There is no explicit obligation to accept anonymous reports. This applies to both internal and external reporting offices. A large number of companies that have already implemented whistleblower systems have opted for reporting channels that allow for anonymous reports.
What measures are in place to protect whistleblowers?
In addition to protection against reprisals, the Whistleblower Protection Act includes a significant protective measure in the form of a reversal of the burden of proof in legal disputes. If a whistleblower experiences reprisals after making a report, it is presumed that these reprisals occur due to the report. However, this presumption applies only if the whistleblower explicitly points out the connection. The employer is therefore responsible for proving that there is no connection between, for example, the termination of an employee and their report of misconduct.
What exceptions exist?
The Whistleblower Protection Act does not cover classified information and data subject to medical confidentiality or attorney-client privilege or judicial advisory confidentiality. The Whistleblower Protection Act makes an exception for the confidentiality level "VS-For Official Use Only" when it concerns criminal offenses and these are reported to an internal reporting office. However, this exception does not apply if the tasks of the internal reporting office have been outsourced to a third party.
The European Commission published a directive proposal for an EU Corporate Sustainability Due Diligence (CSDG) law on February 23, 2022. This proposal goes significantly beyond the German Supply Chain Due Diligence Act, which takes effect from January 1, 2023. The aim of the proposal is to promote sustainable and responsible corporate behavior across all global value chains. Companies will be obligated to identify, prevent, mitigate, and address adverse impacts on human rights and the environment resulting from their business activities.
It concerns child labor, inhumane working conditions, wages far below the subsistence level, life-threatening safety standards, handling of toxic substances, and last but not least, environmental protection. The avoidance of degrading working conditions is gaining increasing importance.
The significant difference in the EU draft is that certain companies are intended to be obligated to assess their entire supply chain, including both direct and indirect suppliers. In contrast, the German Supply Chain Due Diligence Act only applies to direct suppliers.
The directive applies to the following EU companies:
Group 1: Companies with at least 500 employees and a net turnover of at least 150 million euros.
Group 2: Smaller limited liability companies in the EU with at least 250 employees, generating their global net turnover of over 40 million euros, at least half of which comes from one of the specified high-risk sectors:
- Textile and leather industry
- Agriculture and forestry
- Food production
- Extraction of raw materials
- Processing of metallic and non-metallic products
- Wholesale trade in mineral resources
The obligations from this directive are intended to take effect for Group 1 two years after the directive's enactment. For companies in Group 2, this deadline is extended to four years.
Additionally, the directive is also intended to apply to companies from third countries operating in the EU that generate turnover within the EU equivalent to the thresholds of Group 1 and Group 2.
The EU Corporate Sustainability Due Diligence law aims to achieve the following objectives:
- Fair trade
- Increased due diligence: Examination of origin, manufacturing processes, and impacts on climate and the environment
- Improvement of risk management through early detection of problems and risks
- Legal certainty for companies and interest groups regarding behavior and liability
- Accountability of companies for adverse impacts
- Improvement of access to remedies for those affected by human rights violations and environmental impacts caused by the company
- Expansion of comprehensive due diligence obligations
The EU Commission envisions companies establishing a due diligence system as an integral part of their compliance policy to document compliance with due diligence obligations. This means that the consequences for human rights, climate change, and the environment should be considered in all business decisions. The due diligence obligations outlined in the directive encompass comprehensive monitoring of the entire value chain without specific cause. In case of non-compliance, affected workers should have the opportunity to assert civil liability before the competent courts. This imposes a significant burden of examination and documentation on the companies.
Planned regulations include:
- Implementation of due diligence becoming an integral part of corporate policy
- Identification of actual or potential negative impacts of the supply chain on human rights and the environment
- Prevention or mitigation of potential impacts
- Prevention of actual impacts or reduction to a minimum
- Establishment of a complaint procedure
- Monitoring the effectiveness of strategies and measures to fulfill due diligence
- Public communication about the exercise of due diligence
Successes or violations of due diligence are expected to influence the variable remuneration of executives.
Additionally, companies in Group 1 are obligated to consider the limitation of global warming to 1.5°C in line with the Paris Climate Agreement in their business strategy.
National authorities designated by the member states are expected to supervise companies, and in case of violations of due diligence obligations, impose fines based on the turnover of the respective company. In the event of violations, civil liability is also provided for.
With the new EU Supply Chain proposal, the standards for fair trade are being redefined. No child labor, no forced labor, and no environmental pollution. This represents a significant step towards a fair and sustainable economy. However, the implementation of the directive proposal is expected to have significant impacts, especially on medium-sized businesses. It is crucial to act promptly and integrate the planned measures comprehensively within the company.
In the next step, the EU Parliament and EU Council will negotiate the law. If both bodies approve the directive, member states will have two years to transpose it into domestic law. For Germany, this means significantly tightening its own law.
In our first part of the series "Sustainability according to CSRD," we outlined the basic features of the new draft guidelines in November 2021. The following article aims to delve more deeply into the significance of double materiality in the mentioned CSRD reports.
As a reminder:
In the CSRD, with the aim of treating the three pillars of sustainability (environmental, social, and economic) equally, reporting contents are required on the following aspects:
- Environmental matters
- Employee matters
- Social matters
- Respect for human rights
- Combating corruption and bribery
- Governance factors
The content of each aspect is determined by the materiality principle. Materiality is assessed against two criteria, each applied to the company's specific circumstances, which is why the principle is referred to as Double Materiality. It is important to first understand the two underlying perspectives.
1. Outside-in Perspective – "Financial Materiality"
- Information necessary for understanding the course of business, the financial performance, or the position of the company.
- Primary stakeholders: Financial investors
2. Inside-out Perspective – "Ecological and Social Materiality"
- Information necessary for understanding the impact of business activities on sustainability aspects.
- Primary stakeholders: Consumers, society, employees, financial investors
Double materiality has already been integrated into the currently applied CSR directive. However, this version stipulates that both aspects must be fulfilled simultaneously. This means that both the outside-in and inside-out perspectives must demonstrate materiality, and consequently, only a small intersection of both perspectives is incorporated into the GRC Sustainability Report. Therefore, no disclosure is required in the report if a company causes significant environmental pollution through its business activities (material in terms of the inside-out perspective) but does not expect any fines in the respective country because it does not violate any existing laws (not material in terms of the outside-in perspective).
The described issue is resolved in the draft of the new directive, the CSRD, by changing the "and-connection" of the two perspectives to an "or-connection" between the outside-in and inside-out perspectives. As a result, significant content from either perspective must now be reported equally. In the example mentioned above, the double materiality analysis now finds the environmental pollution material for reporting, even if no existing law is violated. The new formulation of double materiality (sustainability) thus expands reporting obligations and aligns with the requirements of the three pillars of sustainability (environmental, social, and economic).
Particularly noteworthy is the integration into risk management: Many companies may have primarily considered outside-in risks so far, such as risks from unforeseen weather events or stricter regulations. With the CSRD, companies will now explicitly have to integrate inside-out risks into their Risk Management Systems (RMS) and introduce corresponding control measures. This includes addressing issues such as the aforementioned environmental pollution or the company's impact on social inequality, human rights, or biodiversity.
With the new materiality definition, the interests of more stakeholders are covered, shifting reporting from a shareholder perspective to a stakeholder perspective. Many stakeholders (employees, customers, NGOs, etc.) are highly interested in the impact of a company's business activities on sustainability aspects (inside-out perspective). Additionally, more information is now provided for the circle of financial investors, necessary for assessing the investment, than defined by the intersection of the outside-in and inside-out perspectives. The integration of the GRC Sustainability Report into the existing management report of companies, as envisaged by the CSRD, appears as a logical consequence.
The new interpretation of double materiality leads to an expansion of significant and thus reportable content. Significant aspects of both the outside-in perspective and the inside-out perspective are considered equally, instead of only the small intersection of the two. This brings the environmental, social, and economic aspects closer together, in line with the approach of strong sustainability.
In our next article in the series "Sustainability Report according to CSRD," we will focus on the new EU-wide standards for sustainability reporting.
GRC functions such as risk management are often decoupled from everyday business operations and serve only the formal fulfillment of regulatory requirements. However, they could provide significant added value in entrepreneurial decision-making.
Using software-based Monte Carlo simulation makes it possible to integrate risk management into planning, controlling, and project management. We present our approach on how to achieve this seamlessly in this article.
Is auditing doomed to eternal incremental innovation? Innovation processes create new things or improve existing ones. They are always associated with creativity and a willingness to take risks, and can be a significant driver for economic growth. Companies that can consistently innovate are generally more successful than those that do not.
The legislature does not let compliance departments rest. Risk management, control, and whistleblower systems are demanded, more sustainability information is required, and a closer examination of human rights risks in the supply chain is necessary. To provide a better overview, we present seven innovations in corporate governance in a nutshell.
EU Whistleblower Protection Directive
The EU Directive "on the protection of persons reporting breaches of Union law" requires companies with more than 50 employees to establish internal reporting channels for the submission of unlawful actions or omissions in the business field, while maintaining the confidentiality of the whistleblowers' identities. Furthermore, protection for the whistleblower and affected third parties against reprisals must be ensured. To achieve this, the burden of proof has been reversed: employers must now prove reasons for alleged disadvantages. In addition, internal whistleblowers will no longer be given preference over external whistleblowers in the future – hence, reports can also be directly submitted to external authorities.
The whistleblower must receive confirmation of the receipt of their report, and a comprehensive response regarding the measures taken must be provided within the following three months. If cases of hindrance of reporting, lack of anonymity protection, or reprisals become known, sanctions will be imposed on the company. The design of these sanctions is left to individual member states.
The EU regulation comes into effect on December 17, 2021, with an extended deadline until the end of 2023 for companies with 50 to 249 employees. It is expected to apply unchanged in Germany, as an agreement on a national whistleblower protection law could not be reached.
Supply Chain Due Diligence Act – LkSG
On July 22, 2021, the German Federal Cabinet issued the final version of the Supply Chain Due Diligence Act. This law applies to companies with 3,000 employees or more from the year 2023, and the threshold decreases to 1,000 employees the following year. According to the law, human rights and environmental risks in the supply chain should be identified and assessed through a risk analysis, and appropriate preventive measures should be taken. Preventive measures include, for example, training, inspections, supplier contracts, as well as procurement strategies. To uncover potential violations, there will be a publicly accessible complaint procedure. Through annual reporting, information must be provided on risks, measures, the effectiveness of the assessment, and conclusions – but only concerning the company's own business operations and immediate suppliers. The Supply Chain Due Diligence Act is monitored by the Federal Office for Economic Affairs and Export Control. Furthermore, NGOs and trade unions have the right to file lawsuits in case of violations of due diligence in the supply chain.
For more information, read our article "New Challenge Due to the Planned Supply Chain Law".
Corporate Sustainability Reporting Directive – CSRD
The CSR Directive Implementation Act (CSR-RUG) has been in effect in Germany since the 2017 business year for large capital market-oriented companies with more than 500 employees, as well as for banks, financial service providers, and insurance companies. It generally obliges these entities to provide non-financial reporting. Now, the amendment to the underlying European directive is on the horizon – and it promises significant expansions.
With the Corporate Sustainability Reporting Directive, which is available as a Commission proposal dated April 21, 2021, sustainability reporting is intended to be elevated to the same level as financial reporting. This involves making external assurance mandatory, publishing the sustainability report in the management report, and introducing a new materiality principle, namely double materiality. Additionally, the new regulation will apply to a much larger number of companies: Starting from 2024, it brings all large companies, i.e., those with more than 250 employees, into compliance for the 2023 business year. The extension to capital-market-oriented small and medium-sized enterprises (SMEs) takes three years longer, but from the 2026 business year, the obligation will apply to them as well – with regulations adapted to the size of the business.
Of general interest are the announced uniform, binding reporting standards. These are intended to replace the various guidelines used so far, such as those of GRI or the German Sustainability Code, in favor of EU-wide comparability.
StaRUG: Stabilization and Restructuring Framework for Companies
The Corporate Stabilization and Restructuring Act (StaRUG) has been in effect since January of this year, establishing the obligation for early crisis detection and crisis management. The new regulation applies to all limited liability legal forms and implies that the management must not only continuously monitor potentially threatening developments but also take corresponding countermeasures. This means that corporations are expected to have a risk management system and an internal control system in place.
Financial Market Integrity Strengthening Act – FISG
Under the Financial Market Integrity Act of June 3, 2021, there is now an obligation for the introduction and ongoing maintenance of a risk management system and an internal control system for publicly listed companies. These systems are expected to be introduced appropriately and effectively based on the scope of business activities. Furthermore, there is a requirement to establish audit committees, each with two (instead of one) financial experts – one for accounting and one for audit. The audit committee has a direct right to information, and failure to establish it may result in fines for the company. Regarding the audit, there are numerous new regulations on liability, cooperation, and non-audit services. Most provisions of the law came into effect on July 1, 2021. The FISG will also serve as a benchmark for non-listed companies.
Act on the Digitization of the GWB
On January 18, 2021, the Civil Code was expanded with the Act on the Digitization of the GWB, which, among other things, introduces the consideration of compliance programs when determining the amount of (antitrust) fines. According to §81d (1) sent. 2 No. 4 and 5 GWB, measures and efforts by the company to detect or prevent violations should be taken into account in the assessment of the amount of the fine and can thus have a mitigating effect on fines.
Proposal for a Legal Framework for Artificial Intelligence by the European Commission
On April 21, 2021, the European Commission proposed an initial legal framework for artificial intelligence. This includes a ban on the use of artificial intelligence in certain areas or establishes a dependency on the use of certain technical and organizational requirements.
While some new regulations like StaRUG and FISG are already in effect, companies with more than 249 employees should not wait to implement the Whistleblower Directive, as it will be applicable by the end of the year. Additionally, it remains to be seen whether the due diligence and reporting obligations under the Supply Chain Due Diligence Act and the Corporate Sustainability Reporting Directive will apply to them.
On February 12, 2021, the Federal Ministries for Economic Affairs, Labor, and Development presented the draft bill for a German 'Supply Chain Due Diligence Act,' which was approved by the Federal Cabinet on March 3, 2021. The introduction of the Supply Chain Due Diligence Act is considered a done deal and was scheduled for final discussion in the Bundestag on Thursday, May 20, 2021. However, the law was taken off the agenda in the Bundesrat at short notice, as the issue of civil liability had not been resolved.
The aim of the law is to hold companies accountable for human rights violations within their supply chains. The UN Guiding Principles on Business and Human Rights (UNGPs) envisage the implementation of human rights protection through National Action Plans (NAPs). Since the attempt at voluntary self-regulation by the business sector is considered a failure, the NAP is to be enforced in the form of a law. Companies with more than 3,000 employees are expected to be covered by the law from 2023; from 2024, all companies with more than 1,000 employees will be affected.
The affected companies are expected to conduct a risk analysis in the future, identifying and assessing the risks in their supply chains. Risks to be examined in the companies' own operations and their immediate suppliers include:
- Forced labor
- Child labor
- Violation of freedom of association
- Problematic employment and working conditions
- Environmental damage
For indirect suppliers, i.e., sub-suppliers throughout the entire chain up to raw material suppliers, there are only graduated auditing obligations, meaning companies only need to take action based on complaints from employees of their indirect suppliers.
Building on a risk analysis, companies are required to implement measures for preventing, minimizing, and addressing negative impacts. Following the principle of 'Enablement before withdrawal,' companies are supposed to seek solutions in cooperation with their suppliers or within the industry. Terminating the business relationship should only be the last resort to avoid human rights violations in the supply chain.
What's new is that risk analysis and follow-up measures are not interpreted as obligations of success, but as obligations of effort. This means that the new obligations do not require the elimination of human rights violations in the company itself and its immediate suppliers, but rather the premise that companies make reasonable efforts to address the grievances. The corresponding risk management should be proportionate.
The affected companies, however, must disclose annual reports on the actual and potential adverse impacts of their business activities on human rights.
A liability for damages of German companies for foreign damage cases of other companies in the global supply chain is not provided for in the draft law. However, under current law, it is possible for third parties to claim damages abroad before German courts. In this case, German courts must apply foreign law and consider local circumstances. The chances of success have been relatively low so far. According to the current government draft, trade unions and non-governmental organizations should be allowed to represent individuals affected by supply chains from both Germany and abroad in German courts, which is likely to increase the likelihood of lawsuits and convictions.
Criminal consequences for German companies due to damages caused by suppliers or subsidiaries are not foreseen. Criminal liability is only attributed to the perpetrators themselves. It would be different if agents caused the damage, which could trigger tortious liability. However, suppliers or subsidiaries usually do not fall under the definition of agents.
The responsibility for compliance with the provisions of the Supply Chain Act and corresponding controls will lie with the Federal Office for Economic Affairs and Export Control, which will receive complaints from affected parties.
In the event of violations of the Supply Chain Act, fines and penalties of up to 10% of the company's annual turnover, as well as bans on public procurement for up to three years, are envisaged.
A new bond between Vienna and Reutlingen: The recently formed partnership between the software developer GBTEC and Mauer leads to the bundling of expertise of the two GRC specialists. This ensures that customers receive the best possible support during the planning, implementation, and operation of their active GRC management system.
Mauer brings extensive, domain-specific implementation experience complemented by GBTEC's IT expertise, providing comprehensive services in the field of Governance, Risk, and Compliance (GRC). GBTEC has been specializing in digitizing various GRC disciplines for over 15 years, supporting companies worldwide with the BIC GRC software platform.
"We are committed to offering our clients not only targeted consulting and project support but also a software solution that enables optimal risk and compliance management. With GBTEC, we have found a strong partner capable of addressing all use cases in the GRC domain due to its extensive product portfolio," explains Stephan Mauer, founder and managing partner of Mauer.
Samuel Brandstätter, Head of Product Line GRC and Managing Director at GBTEC Austria, adds: "Designing and establishing GRC management processes is a comprehensive and crucial undertaking, where many of our clients rely on consulting partners like Mauer. The collaboration of consulting and IT expertise creates valuable synergies, from which our clients can increasingly benefit in the future through the sealing of this partnership."
Mauer and GBTEC both advocate the philosophy that an efficient and effective GRC management system lays the foundation for integral, value-oriented corporate governance. This consensus is the optimal basis for a long-term, successful collaboration between the two GRC specialists.
The GBTEC Austria GmbH is driven by the conviction that the digitization of GRC processes significantly enhances the success of innovative organizations. At the core of their efforts is the efficient integration of these processes into corporate practices and culture.
This is made possible through GBTEC's GRC software, BIC GRC, which offers customers flexible and adaptable custom solutions or easily implementable standard solutions based on their preferences. With BIC GRC, customers have a tool that helps them reliably achieve their goals, deal with uncertainties, act with integrity, and continuously develop the maturity of organizational GRC processes. The world's largest and most successful energy providers, insurance companies, banks, telecommunications, and retail companies trust GBTEC and operate their GRC processes with BIC GRC.
For more information, visit gbtec.com
Since the beginning of 2023, Prof. Dr. Stefan Marx has been a partner and managing director at Mauer Unternehmensberatung GmbH Wirtschaftsprüfungsgesellschaft Steuerberatungsgesellschaft.
Diplom-Kaufmann (MBA equivalent), Prof. Dr. Marx is an auditor and tax consultant, holder of the chair for auditing and accounting, and has been the dean of the Business Administration program (B.Sc.) at the Hochschule für Wirtschaft und Umwelt Nürtingen-Geislingen since September 2019. Before joining Mauer in 2020, Prof. Marx held a leadership position for over 20 years at a Big Four firm in Nuremberg. Here, he increasingly specialized in the field of Corporate Governance: risk management, compliance, internal control systems, and internal auditing.
In addition to Stephan Mauer and Florian Kalbfell-Werz, Prof. Marx is now the third Managing Partner at Mauer. Stephan Mauer and Florian Kalbfell-Werz are excited to have another highly qualified colleague and professional in the management and shareholder circle of Mauer GmbH. Prof. Marx is responsible for the Governance, Risk, and Compliance (GRC) division at Mauer, which also includes the rapidly growing and regulated ESG (Environmental, Social, and Governance) consulting fields. In Germany alone, around 15,000 companies will have to implement EU regulations in the short term.
Prof. Marx explains: 'The term ESG is often narrowed down to climate neutrality, but it also encompasses the social aspects of corporate action and the principles of value-oriented corporate management. Companies affected must report on these three dimensions of sustainability in the future.' Sustainability-related corporate key figures are then on par with financial key figures. The challenges to processes and integration into the risk management and internal control systems of companies are often underestimated. 'Our goal is to support, improve, and secure companies in these matters,' says the new Managing Partner.
Beyond the integration of sustainability aspects into governance systems, Prof. Marx has from day one helped Mauer's clients, pragmatically and with a value-oriented approach, to build internal control systems and to assess the effectiveness of their risk and compliance management systems. The conduct of internal audits, covering tax to forensic issues, is also an integral part of his repertoire.
The colleagues at Mauer welcome the entry of Prof. Stefan Marx as a Managing Partner and wish him continued success and all the best!