CSRD: mastering data & technology

Introduction

In light of the increasing emphasis on sustainable business practices, the European Commission has introduced the Corporate Sustainability Reporting Directive (CSRD). It highlights a dedication to transparency and accountability in corporate reporting regarding Environmental, Social and Governance (ESG) topics. The CSRD hereby acts as a crucial instrument for assessing organizations’ non-financial performance, with the goal of offering stakeholders consistent and trustworthy sustainability information.

With the first reports due in 2025 over the financial year 2024, many organizations are struggling to determine what data is required for their material ESG KPIs (Key Performance Indicators) and whether this data is available within the organization. Additionally, detailed data must be sourced externally as well, as value chain information is required. Moreover, establishing robust calculation metrics for the KPIs expected under CSRD is often more complex than anticipated. This complexity arises, for example, from varying definitions (e.g. the number of hours in FTE) across different countries and the need for conversion (see also the process to define KPIs for ESG in [Pier22]).

Since it is crucial to act promptly, KPMG hosted a CSRD event in May 2024, with a focus on Data & Technology. The event highlighted key themes, including the current status of CSRD reporting and considerations for future state planning. It emphasized business transformation ambitions, focusing on technology, external reporting, and internal performance, and included the need for a Target Operating Model. Additionally, it covered how to organize ambitions in technology and data and controls. Overall the event focused on how to define, collect, manage and process data for solid CSRD reporting, including necessary controls. Representatives of over 30 organizations from a wide range of sectors that are subject to CSRD gained practical and fundamental insights to support them in their business transformation regarding technology and data requirements for ESG reporting.

ESG transformation using a Target Operating Model

“The CSRD reporting journey typically unfolds in several stages, with organizations increasingly concentrating on the implementation and execution phases”, Marco Frikkee (Partner Sustainability Reporting) stated. Whilst the initial phase was predominantly about establishing strategies and assessing applicable metrics and governance (including the double materiality assessment), the subsequent phase focuses on designing and implementing processes, IT solutions, and controls. These steps are critical for achieving the ultimate goals of an integrated ESG reporting process, whereby organizations are able to steer with their adjusted reporting process, controls and fully automated audit-trail (Figure 1).

Figure 1. IT Architecture Scenarios for ESG reporting ([KPMG24]). [Click on the image for a larger image]

However, the CSRD is not merely about KPIs; it is also about organizational improvement. As organizations strive to refine their sustainability practices, it is crucial to set clear targets that are in line with business goals. This goal setting isn’t just a procedural step, it requires strong senior management involvement. They need to ensure that initiatives are realistic and achievable. The overall message of the CSRD event is to keep it simple. To avoid being overwhelmed by the complexity of sustainability issues, organizations should decide on their top three focus areas for sustainability reporting. This approach helps to maintain clarity and directs resources more effectively. Furthermore, it is not enough to simply gather data; providing context to these numbers is crucial. This step enhances the comparability and understanding of reports, allowing stakeholders to see not just what the figures are, but why they matter.

Nonetheless, the ESG reporting journey has only just started and many organizations are in the midst of the transformation to get ready for the first CSRD reporting wave. With the increasing number of complex sustainability topics and corresponding qualitative and quantitative data points, organizations are developing transition and future-state scenarios for their technology-enabled ESG reporting landscape with automated processes, data collection and controls. This is reflected in the varying maturity levels observed across organizations, ranging from basic compliance to a more advanced future state. Typically, higher maturity levels are associated with greater technology integration and automation, while lower maturity levels are marked by predominantly manual processes (Figure 1).

As emphasized earlier, all efforts should lead to compliant reporting. However, the event co-hosts Paul Pieroen (Partner Sustainability Reporting & Transformation) and Tessa Snels (Senior Manager Sustainability Reporting & Transformation) offer a more nuanced perspective. Pieroen explains: “There are two prevailing schools of thought when embedding ESG practices within an organization. The first focuses on ensuring compliance through transparent, verifiable ESG reporting, which is already quite demanding. The second approach is more ambitious, aiming to simultaneously create value for the business, society, and the environment.” This perspective highlights a broader, more dynamic approach to sustainability, beyond mere compliance.

“ESG reporting is about combining external disclosures and internal performance management”, Pieroen states. Organizations must grasp that this disclosure involves not just stating targets but also outlining specific action plans. By integrating CSRD standards into their performance management frameworks, businesses are able to elevate their reporting. Regular cycles – typically annual or even quarterly – are necessary, not just for compliance but to continually manage and adapt sustainability initiatives effectively. Connecting these reporting activities directly to performance management allows an organization to enhance the quality and impact of the disclosure. For example, detailed internal reporting aligned with performance and control cycles enables timely adjustments and strategic decision-making. Ultimately, this integration helps transform external reporting from a statutory obligation to a tool for driving organizational improvement and sustainability (Figure 2).

Figure 2. Target Operating Model ([KPMG24]). [Click on the image for a larger image]

Tessa Snels: “To operationalize all these changes, investing in a tool will not suffice, although technology is one of the aspects to successfully integrate ESG in reporting and performance steering. Organizations are eager to find that silver bullet in tooling: an impressive 65% of organizations indicated that they see digital tools as key to being ready to obtain ESG assurance. However, a successful implementation requires a focus on both the technical implementation and the business transformation aspect.” The KPMG Target Operating Model is able to provide guidance and insight on how ESG practices and transformations affect the business.

Implementing the future state technology & data

With regards to the technical implementation, co-hosts Maurice op het Veld (Partner ESG Data & Tech IT Controls) and Riccardo Altenburg (ESG Data & Tech Lead NL) observe a significant gap between the ambitions of organizations and reality. Many organizations currently work with dispersed or unknown data sources, Excel-driven reporting, manual processes and overall poor data quality. To overcome this gap, organizations should build a solid technology and data backbone for ESG.

While organizations navigate this ESG IT landscape, they should focus on four main areas as part of their CSRD action plan as outlined in Figure 3. For each cluster, it is essential that IT requirements are determined, and the IT architecture is developed accordingly. Each cluster involves specific steps and emphasizes different blocks of the CSRD action plan:

1. E2E ESG platform: the ESG workflow from “data input” to the required “reports and dashboards” should be determined. Begin with an assessment using both internal and external data sources, construct process governance and determine internal and external reporting requirements. This stage includes setting up workflows, enhancing CSRD processes, and facilitating strategic analyses.
2. Data Governance: a focus on the collection and storage of data. Choosing the right data management solutions is critical to ensure accurate and secure data handling.
3. Metric Calculation: using specialized ESG tools, such as Carbon Calculators or Financed Emissions Calculators, to compute key metrics. The development of these solutions in the market is rapidly evolving, with both niche products and large platforms expanding their capabilities.
4. Integration with Core Systems: the ESG operations and activities are increasingly impacting core business systems. Integration with ERP, procurement or HR could become valuable and maybe even necessary, especially considering the value creation school of thought discussed earlier.

Figure 3. ESG Capability Architecture Model ([KPMG24]). [Click on the image for a larger image]

By developing a technology roadmap that includes strategic decisions on end-to-end ESG platforms, data management solutions, specific ESG tools, and core system transformations, organizations can build a robust IT architecture. This allows them to progress from basic CSRD compliance to a future state where integrated ESG reporting drives internal business processes, supported by streamlined reporting, enhanced controls, and a fully automated audit trail.

The remaining challenge is to access the data needed for constructing an organization’s CSRD reporting process. A crucial step in this process involves conducting a thorough Data Readiness Assessment. Organizations need to assess their data readiness comprehensively, identifying sources of ESG data that may have varying interpretations, levels of granularity, and definitions. A well-developed Data Readiness Assessment can help evaluate the quality of data against essential criteria. This involves mapping the data flow, from its origins through its transformation and reporting stages by interviewing data experts on specific material topics. This helps in understanding the journey of the data points and identifying potential gaps or auditability risks. The outcome of this assessment is a detailed report that highlights the current data gaps for the material ESRS topics (European Sustainability Reporting Standards, see [KPMG23]) and provides a roadmap outlining the necessary activities to close these gaps and achieve compliance from a data perspective.

ESG reporting in control

In summary, organizations are undergoing significant business transformations and developing numerous new processes in response to the CSRD. To stay in control and mitigate emerging risks, it is essential for organizations to focus on their ESG controls from the start. Soon the requirements for reliable reporting will increase. For this reason, focus on controls is not merely an additional task but a necessity (see also [Jesse23] about the integration of ESG controls in control frameworks).

There are two crucial aspects to these controls: controls that focus on the ESG data, and controls that focus on the ESG applications and infrastructure (Figure 4). ESG controls should ensure the quality of data input, the transformation of data into meaningful information according to a clear methodology and calculation metrics, and the auditability of the presented results. Unlike financial data, most ESG data is sourced externally from third-party providers, which presents its own challenges regarding data quality. The origin of the data and the methodologies used for processing it are often unclear. Data quality controls are vital for maintaining the integrity and accuracy of ESG reporting.

Figure 4. ESG Control Framework for ESG Processes and Technology ([KPMG24]). [Click on the image for a larger image]

In addition, general IT controls (GITCs) and IT Application Controls (ITACs) should be in place for the applications used, including various IT infrastructures such as cloud environments. These controls are essential for ensuring the reliability and security of the technology supporting ESG reporting. It is important to note that such controls are well-established and routine in financial reporting for decades. Developing a similar mindset for ESG reporting is critical. Organizations should aim to control their ESG data and reporting processes, including the underlying ESG reporting infrastructure, with the same rigor and discipline.

Currently, many organizations face challenges in implementing a ESG reporting infrastructure and processes. Op het Veld observes that his clients typically encounter two major issues: many reporting activities are still performed manually, and there are frequent discussions about data quality. As shown earlier, a live poll conducted during the CSRD event revealed that 50% of the represented organizations are focused only on minimum CSRD compliance. Op het Veld cautions that maintaining the status quo may lead to future challenges, as ESG reporting is not just about external disclosures but also about guiding internal decision-making. Snels and Pieron stress the importance of avoiding year-end surprises when targets are not met. Ideally, ESG performance should be tracked monthly or quarterly – much like financial performance reporting – to enable timely corrective actions. Achieving this requires automation and strong control mechanisms.

Encouragingly, over one-third of the CSRD event attendees indicated that their organizations are working hard to implement an ESG reporting infrastructure and related controls, with a focus on integrating this approach over the next 12 months. To assist organizations, Op het Veld explains the concept of controls as integral to business processes.

For CSRD reporting, environmental, social, and governance topics need technological support for calculations and data storage. High quality data input is complex, and the resulting KPIs are critical. Just as in financial reporting, supporting technologies for ESG reporting require controls. This includes input controls, controls on the operational environment, controls of outsourced activities (e.g. ISAE 3000 reports for data providers) and linkage to KPIs. Structuring controls per ESRS ensures a comprehensive and effective approach.

Summary

To return to the starting point of this article: organizations must clearly define what they want to achieve in their future state. Is your ambition transcending minimum compliance, and how can this be achieved? To reach the future state, technological involvement and automation are a necessity. This enables an organization to realize integrated reporting, which can also be used for internal steering purposes.

The models provided, like the Target Operating Model, can support this broad business discussion very well. Of course, it is essential that organizations act now to arrive to the initial state of “ESG Control Readiness”, but to be ready for the future state – with integrated and reliable reporting – requires much more. “Embedding takes time, and collaboration between departments must be set up to succeed”, Op het Veld stated.

To provide some practical guidance, the attendees of the CSRD event were provided with the seven guiding principles:

1. Controls Integration: Controls Integration should be an integrated part of the ESG implementation program from start
2. Leverage existing frameworks: controls for ESG processes and tooling can be an extension of existing reporting control frameworks
3. Future state and architecture: future state ESG IT architecture is critical for implementing and controlling the ESG tooling and reporting processes
4. Process controls: automated and manual controls are the basis for limited and (future) reasonable assurance
5. Data and interface controls: data (internal and external), interfaces and metrics require validation, and plausibility controls and controls on data providers such as assurance reports.
6. Effective data management is fundamental to internal and external ESG reporting
7. Embedding: awareness and organizational change management are crucial for controls to work