From January 2018, around 6000 large organisations in Europe will start reporting non-financial information for the financial year 2017 under the EU Non-Financial Reporting Directive (NFR). The Directive requires organisations to include in their annual report a non-financial statement describing the impact of their operations on matters such as the environment, employees, social issues, human rights, corruption and bribery, and how they manage the principal risks involved.
The European Commission published the long-awaited Guidelines to the Directive on 26 June 2017 to support companies in the preparation of this non-financial statement. Although they do not refer specifically to enterprise risk management (ERM), the Guidelines draw on risk management concepts. Lene Ritz, Head of Risk for the Danish company Energinet, welcomes the overall approach. She said: “Although the NFR Directive and these guidelines will not drive implementation of ERM, risk managers can be happy about the approach taken, which supports a risk management vision.”
The guidelines do not add any legal requirements to the NFR directive, nor are they mandatory. They do not prescribe reporting guidelines or standards but they recommend a few of them, such as the UN Guiding Principles on Business and Human Rights, ISO 26000, or the German Sustainability Code.
They also take into account the UN COP21 Paris Climate Agreement, with the disclosure of information on the actual and potential impacts of the organisation’s activities on the environment, especially regarding the reduction of greenhouse gas emissions.
The guidelines recommend the use of scenario analyses and appropriate assessments of likelihood. These concepts were not present initially in the NFR Directive, and FERMA argued in our response that an assessment of both the frequency and impact of the identified risks should be included.
Ever-increasing transparency requirements for business underline the importance of enterprise-wide risk management as an intelligent tool to ensure that the description and analysis of risks in the non-financial statement are relevant and based on high-quality data.
Lene Ritz explained that the risk manager could be asked to risk-assess the content of the report and identify the positive or negative impacts that the information can have on the future business. She said that a lot of ERM input can be used to produce the non-financial information in the right risk-based way to comply with the Directive, thanks to the risk manager’s overview of the organisation’s risk registers and the mitigation measures put in place.