The Protiviti View | Insights From Our Experts on Trends, Risks and Opportunities

CSDDD: It’s Not Too Soon To Get Moving

James W. DeLoach

Managing Director

5 mins to read

While the EU’s Corporate Sustainability Reporting Directive (CSRD) that took effect in January 2023 is primarily disclosure-oriented, the EU’s Corporate Sustainability Due Diligence Directive (CSDDD) is all about action.

Why start now: If these new rules go into effect more than two years from now, what’s the rush in jumping on the compliance requirements now? The reason is that these requirements are a big deal, and it could take an organization two-plus years to establish the proper processes to comply with them.

Bottom line: By getting started on the substantial CSDDD orchestration effort today, CFOs will help their organizations avoid the heavy lifting and scrambles that have defined more than a few recent CSRD compliance efforts.

___  ____  ___

More organizations around the world have been going to great lengths—whether as required or on a voluntary basis—to disclose their sustainability/ESG practices and risks to customers and stakeholders. Now comes the hard part: taking definitive, concrete steps to strengthen those practices and mitigate those risks in the face of disparate regulatory frameworks in the regional, country and state jurisdictions within the organization’s operating footprint.

Enter the recently enacted Corporate Sustainability Due Diligence Directive (CSDDD) in the European Union (EU). While the EU’s Corporate Sustainability Reporting Directive (CSRD) that took effect in January 2023 is primarily disclosure-oriented, the EU’s CSDDD is all about action.

CSDDD requires companies to perform due diligence on human rights and environmental risks within their operations and value chains. “Due diligence” entails identifying, preventing, mitigating and accounting for human rights and environmental risks. In-scope companies based in the EU and other global regions must begin complying with the new CSDDD rules in July 2027.

This timing raises the question: If these new rules go into effect more than two years from now, what’s the rush in jumping on the compliance requirements now? The short answer is that these requirements are a big deal, and it could take an organization two-plus years to establish the proper processes to comply with them. Specifically:

  • The scope of CSDDD compliance considerations is enormous, extending throughout operations, subsidiaries and value chains;
  • Supplier contracts and service level agreements (SLAs)—primary CSDDD focal points—will need to be adjusted, and those contracts often run for multiple years;
  • The directive requires companies to identify, prevent and mitigate the operating risks in question to provide the basis for properly accounting for them—activities that require time to accomplish; and
  • Certain CSRD and CSDDD activities can and should be integrated to produce more effective and efficient compliance, versus treating them as separate compliance programs.

And make no mistake, CSDDD compliance calls for the CFO’s involvement and expertise just as much as, if not more than, CSRD compliance.

Unlike CSRD, which requires transparency into environmental, social and governance (ESG) practices in the form of reports, CSDDD requires remediation and mitigation, with fines (up to 5% of global revenue) along with civil liabilities if violations are not corrected. Under CSDDD, businesses intent on operating in the EU must consider their upstream chain (e.g., raw material extraction and production) and, to a lesser extent, the downstream chain (e.g., channel partners and transportation to the end customer).

Big changes affecting thousands of companies

As they assess the CSDDD requirements, CFOs should keep in mind the following key points.

  • Non-EU companies also must comply. In addition to EU companies with at least 1,000 employees and annual revenue of at least €450 million, non-EU companies generating more than €450 million of annual revenue in the EU must comply starting in 2027, 2028 or 2029, depending on the amount of their EU revenues (the largest companies begin complying on July 26, 2027). Moreover, out-of-scope companies that are suppliers to or channel partners with organizations that have CSDDD compliance obligations also should expect to be asked to participate in the due diligence activities as an ongoing requirement for doing business.
  • Extensive cross-functional coordination is needed. Most CSDDD compliance efforts require the involvement of finance, risk management, supply chain, operations, human resources, IT, internal audit, legal, and compliance leaders, among others. The work will be varied and far-reaching. Among many key activities, supplier codes of conduct need to be adjusted or redrafted. Whistleblower hotlines should be reevaluated. Media reports of human rights violations in certain industries and regions require monitoring. Strategic sourcing capabilities need to be updated, as do third-party risk management governance processes and questionnaires. Training needs to be rolled out. Data collection and reporting activities need to be subjected to the same rigor that finance groups apply to financial reporting. The likelihood and potential impacts of environmental and human rights risks must be quantified. CSRD and CSDDD activities also should be integrated into the enterprise risk management (ERM) framework. (Keep in mind that my rundown here is representative rather than exhaustive.)
  • CSDDD requirements will continue to evolve. EU member states have until July 2026 to adopt the directive into national law, so enacted compliance requirements may ultimately vary by country, further complicating efforts. Additionally, CSDDD implementation efforts will likely overlap with current national due diligence regimes (e.g., the French Duty of Vigilance Law, the Dutch Child Labor Due Diligence Law, the UK Modern Slavery Act, the Norwegian Transparency Act, and others). Companies already complying with these laws may be a step ahead in meeting their CSDDD obligations; however, both sets of rules must be addressed in any given country.

Mind the gap—and hidden costs

As I’ve asserted, CFOs and finance teams are taking a lead role in orchestrating the organization’s response to sustainability/ESG regulatory requirements. This should apply to CSDDD compliance, as well. As finance leaders craft a compliance game plan, they should take the following steps.

  • Start with a gap analysis. CFOs and their colleagues should first assess how the organization is affected by the CSDDD requirements, determine which due diligence processes and mechanisms are already in place, clarify responsibilities for each aspect of due diligence, and create a plan to close the gap between the current state and the CSDDD-compliant due diligence state. Supplier contracts and SLAs will be a major focus of this scrutiny. In many cases, this work will also identify opportunities for efficiency improvements (e.g., uncovering duplicate responsibilities and activities in supplier onboarding). This initial analysis will also shed light on any resource requirements and supporting technology needs.
  • Consider the total costs of remediation. CFOs should calculate costs associated with remediating an environmental or human rights liability—costs that can arise once the company discloses the issue, even when that disclosure does not trigger a regulatory penalty. They also need to tally the cost of both achieving and maintaining compliance on an ongoing basis. In addition, there are costs of non-compliance to consider. CSDDD compliance violations will subject companies to regulatory penalties and civil liabilities, and there are reputational and brand-image erosion issues associated with high-profile, media-persistent developments in this space.
  • Look for opportunities to integrate CSDDD compliance with CSRD, ERM and TPRM. Insights and data on supply chain practices that organizations collect from CSDDD due diligence can be disclosed in accordance with CSRD requirements. Another point of overlap: Transition plans required for climate change mitigation reporting under CSRD give organizations a head start on the mandatory climate transition plan required by CSDDD. Given their familiarity and/or oversight of ERM capabilities and third-party risk management (TPRM) activities, CFOs can help ensure that CSDDD requirements are integrated into existing processes while minimizing redundant work.

Finance leaders also will want to leverage their expertise in regulatory reporting, control frameworks and validation processes, data governance, and audit trails (work that happens to be an ideal match for the CFO’s designated ESG controller) to ensure that CSDDD mitigation and accounting actions are based on sound data-driven evidence. They will need to do the same when providing updates to investors and other interested parties on their progress toward CSDDD compliance as effective dates approach.

By getting started on the substantial CSDDD orchestration effort today, CFOs will help their organizations avoid the heavy lifting and scrambles that have defined more than a few recent CSRD compliance efforts.

This article originally appeared on Forbes CFO Network.

By James W. DeLoach
Jim DeLoach has more than 35 years of experience and assists companies with responding to government mandates,...
