The rise of the S in ESG
Large companies are familiar with a degree of regulation on social issues. The Modern Slavery Act 2015 in the UK (and similar legislation in other jurisdictions) requires some disclosures in relation to modern slavery risks in corporate supply chains. Large companies are also broadly used to complying with certain employee diversity-related disclosure requirements. In the UK, for example, public companies are required by the Listing Rules’ continuing obligations to disclose data on board diversity, and large companies (with 250 or more employees) must disclose their gender pay gap data.
Beyond these relatively discrete and limited requirements, however, the S in ESG has been a largely unregulated space. Companies have been encouraged to align with soft law and guidance on social impact, most notably the UN Guiding Principles on Business & Human Rights (UNGPs), but rates of adherence have been low. Companies, in other words, have had a lot of latitude to decide how to manage the impact of their business on people, communities and society and what, if anything, to say publicly about it.
This is now changing rapidly. Management and disclosure of corporate social impacts are now subject to wide-ranging new laws with much sharper teeth. In this briefing we unpack these developments, show how they are (or ought to be) moving social impact up the risk register and offer some tips for companies navigating this new landscape.
Increasing regulation of the ‘S’ in ESG
New laws regulating the management and/or disclosure of corporate social impacts fall into three main categories.
1. Mandatory ESG disclosure requirements
The first category is new mandatory disclosure requirements that require companies to collect and report much more data about their social impact. Corporate reporting on ESG has been around for some time, but much of it has been voluntary, with companies choosing to align with their preferred reporting standard. In the last 18-24 months, however, we have seen more mandatory ESG disclosure standards coming into force around the world.
The most ambitious – the EU Corporate Sustainability Reporting Directive (CSRD) – which applies to large companies based or with a significant turnover in the EU,[1] contains twelve disclosure standards (two general and ten topical) entailing more than eighty disclosure requirements and more than a thousand datapoints in total.
Of the ten topical disclosure standards of CSRD, four are social standards which require extensive and detailed disclosures about (i) the company’s own workforce; (ii) workers in the company’s value chain; (iii) affected communities; and (iv) consumers and end-users of the company’s products or services where these topics are material for the company or its value chain.
A topic is material for the purposes of CSRD if it creates financial risks or opportunities for the company or it is an area where the company has actual or potential material impacts on people or planet.
While only very large companies are directly affected, companies of all sizes will feel the indirect effect of CSRD, as those in scope engage their suppliers, portfolio companies and other business partners to identify the ESG issues that are material to their value chain and begin to request data on those material issues to comply with their own disclosure obligations.
The other leading ESG disclosure regime – the International Sustainability Standards Board Sustainability Disclosure Standards – on which the UK government is planning to base its forthcoming sustainability reporting rules, is more climate-focussed. However, it is expected to include disclosures on social issues in due course.
2. New mandatory standards for human rights due diligence
The second category of regulation that is changing the risks associated with corporate social impact is new mandatory due diligence requirements.
The key instrument here is the EU Corporate Sustainability Due Diligence Directive (CSDDD), which came into force in July 2024. It requires in-scope companies[2] to do due diligence on their own operations and on their business partners in their ‘chain of activities’[3] to identify risks of social and environmental harm, to prevent, mitigate or put a stop to those harms, provide appropriate remediation and to report publicly on their efforts. It effectively codifies many of the soft law UNGPs referenced above.
Companies should note the following key features of the CSDDD:
- While its direct application is limited to the very largest companies, it will have significant indirect impact, as those large companies will need to impose the same higher standards of human rights due diligence on their suppliers. CSDDD also effectively represents best practice, so any company with a valuable brand or reputation – particularly one claiming high standards of ESG performance – is well advised to use it as a roadmap for proactive risk management and to take steps progressively and proportionately to align.
- It is not a “one and done”, pre-contract style due diligence exercise. Human rights due diligence under the CSDDD is a continuing and dynamic obligation. Impact assessments must be carried out periodically and the effectiveness of due diligence must be monitored.
- CSDDD requires a “risk-based” approach, meaning companies need to identify, prioritise and address the most “salient” risks. Critically, the salience of a risk is assessed based on its severity (i.e., scale, scope, or irremediable character) for those affected and likelihood. The degree of risk involved for the company itself is not relevant. A company should not, for example, prioritise identifying and addressing harms that create the most serious reputational or litigation risks. Effectively assessing the severity and likelihood of adverse human rights impacts from the perspective of those affected will likely require companies to go beyond the traditional desk-based sources of data and information (e.g., adverse press, World Check) often used for counterparty verification.
- The obligation to prevent/mitigate is not limited to adverse impacts that a company causes directly; rather, companies are expected to use their influence to prevent/mitigate impacts caused by a business partner. Influence is a broad concept that could include buyers investing in supplier capacity building and operational infrastructure, improving their own procurement practices and collaborating with fellow buyers or other key stakeholders.
- Remediation of harm in the context of the CSDDD means remediation for affected third parties, not for harms as between the parties (i.e., between a buyer and seller).
- A company may be liable for damages for breach of its obligations towards victims that faced adverse impacts. Companies within scope of CSDDD will be liable to significant fines for failure to comply (up to 5% of net worldwide turnover). The CSDDD also establishes a framework for civil liability, enabling those whose human rights are adversely affected to pursue a civil claim in damages against a company in breach of its obligations.
- Buyers will need their suppliers to meet these new higher standards for human rights and, while there will be a role for contractual clauses in formalising these expectations, the CSDDD is clear that such clauses by themselves will not be sufficient to discharge the due diligence obligation, and nor will off-the-shelf supplier audits. Any contractual assurances must be supported by appropriate measures to verify compliance. Companies can use audits but should take steps to ensure they are effective in practice.
3. Import/export bans
The third category is import/export bans – regulations that stop goods being placed on, brought into or exported from relevant markets if human rights are adversely affected in the course of their production. For example, US lawmakers passed the Uyghur Forced Labor Prevention Act (UFLPA), which bans all companies in the United States from importing goods tainted with Uyghur forced labour in China.
Another such ban of particular note is the new EU Forced Labour Regulation (“FLR”), which, as we previously wrote, is designed to operate alongside and to reinforce the CSDDD.
The FLR prohibits products made using forced labour being placed on or exported from the EU market. It covers (i) all products, including their components and raw materials; (ii) all companies, regardless of size, sector or location; and (iii) the use of forced labour at any point in the supply chain, including extraction, harvesting, production or manufacturing.
If authorities conclude that forced labour was used, they can prohibit the product from being sold in, or exported from, the EU and order that it be withdrawn and disposed of. Where goods have been removed from the market, they will only be allowed back on the market after the company demonstrates that it has stopped using forced labour in its operations or supply chain and remedied any relevant cases.
Practical guidance for companies
These regulatory developments are quickly ushering in a new era in which companies must think about and manage social issues – both in their direct operations and in their value chain – as core commercial risks and opportunities.
A critical early step is to get the governance of social issues right. In many cases, decision-making on social issues within a business still sits with an employee-led and/or stand-alone committee – it should now move onto the Board agenda and corporate risk register. Businesses should also be very mindful that the regulations outlined above, whether they bite directly or indirectly, represent a significant increase in expectations of business. The process of alignment will take time, and resources should be allocated now in order to future proof business value.
For tailored advice and support, please email your Charles Russell Speechlys contact.
[1] EU companies are in scope where they meet two of three criteria on two consecutive annual balance sheet dates: (i) net turnover of more than €50m; (ii) balance sheet total of more than €25m; and (iii) more than 250 employees. Non-EU companies are in scope where they have net turnover of €150m+ in the EU and have an EU subsidiary that meets the criteria applicable to EU companies or a branch in the EU generating more than €40 million net turnover in the preceding year. All companies that have securities listed on an EU regulated market are also in scope. For tailored advice on the scope provisions of the CSRD, please ask your Charles Russell Speechlys contact.
[2] EU companies are in scope if they had more than 1,000 employees and a net worldwide turnover of more than €450m in the last financial year. Non-EU companies are in scope if they had a net turnover in the EU of more than €450m in the financial year preceding the last financial year. For tailored advice on the scope provisions of the CSDDD, please ask your Charles Russell Speechlys contact.
[3] Chain of activities includes activities of the company’s (i) upstream business partners related to producing goods or providing services by the company and (ii) downstream business partners related to the distribution, transport or storage of the company’s products (but not to their disposal).