Climate and data controls define first year of CSRD

Most European companies relied on their existing enterprise risk management systems to meet the first wave of Corporate Sustainability Reporting Directive requirements, according to a new study from FERMA and Protiviti. The research found that 60% used their ERM risk register as the foundation for identifying and evaluating sustainability risks and opportunities under the Double Materiality Assessment process.

While most companies align their time horizons with existing strategic plans, only 15% apply different timeframes to those suggested by the CSRD. On material risks, 10% of firms disclose fewer than five, 25% list between five and ten, 35% identify between eleven and twenty, and another 25% report more than twenty. The most common risks are weather-related operational disruptions, tightening pollution regulations and ethical or social non-compliance in supply chains.

The study also found that 90% of companies had already conducted climate change risk assessments before CSRD took effect, with most using scenarios aligned to Intergovernmental Panel on Climate Change and International Energy Agency pathways.

Regarding internal control systems for sustainability reporting, 74% of companies formalised an ICS for the first time under CSRD. More than half (55%) disclosed related risks, including data errors, weak information quality and incomplete data flows.

Valentina Paduano, chair of FERMA’s sustainability committee and co-supervisor of the report, said: “Risk managers played a key role in the reporting process, applying their expertise in risk identification, evaluation and management to the sustainability reporting framework. By adapting ERM methodologies for sustainability analysis, they emerged as both compliance enablers and strategic contributors to corporate sustainability goals.”

FERMA president Philippe Cotelle said the directive should be seen as an opportunity rather than a burden. “This new approach may require further refinement to establish a structured interaction, evolve existing ERM processes by integrating a clear assessment of opportunities alongside risks, ensuring precise definitions of opportunities to reduce the risk of misinterpretation and incorporate evaluations across multiple time horizons, with particular attention to the long term,” he noted. “Together, these efforts support an integrated reporting and control system that ensures compliance while enhancing risk management and value creation.”


