Get Ready to Defend Your ESG Claims

On April 28, the SEC charged Brazilian mining company Vale S.A. with making false and misleading claims about the safety of its dams. The SEC complaint alleges a pattern of operational fraud and bad faith coupled with misleading statements in the company’s annual sustainability and environmental, social, and governance (ESG) reports.

You read that right. The SEC is using claims in a company’s ESG disclosures as part of an enforcement action. You probably know that information filed with the SEC is subject to liability standards under the Exchange Act. But ESG information from a corporate social responsibility (CSR) report isn’t filed with the SEC. It’s not even furnished. To some, that implies a substantially lower risk to the content in these disclosures.

It may be time to approach CSR reporting differently. We’re entering a brave new world with an entirely new category of external reporting. Managing the associated risks of ESG reporting and disclosure may require substantially upgraded calculation methodologies, tighter internal audit alignment, investments in automation and analytics, and continuous root cause analysis. In this world, ESG reporting will have standards at a level approaching those of financial reporting.

CSR Reports Are Evolving

CSR reports are already getting longer and more involved. Today, they often include quantitative reporting, performance against third-party standards and frameworks, and even audit[1] results from public accounting or similarly situated firms. For an illustration of this evolution, check out Chevron’s archive of CSR reports. Curious what a CSR audit looks like? Here’s an example from Netflix.

Then there’s Salesforce, which has released an ESG report that could easily be mistaken for a financial report. It complements Salesforce’s dynamic click-through stakeholder impact report, which walks through the same cadre of topics (including carbon footprint, equality, and social impact). In the Salesforce report, you’ll find references to the company’s governing principles—which reflect ones from the Sustainability Accounting Standards Board (SASB), the Task Force on Climate-Related Financial Disclosures (TCFD), the Global Reporting Initiative (GRI), and other standard setters.

This level of documentation indicates a commitment to transparency and market leadership. But if the reporting rigor isn’t there—think inconsistent calculation methodologies or limited control over the underlying data—the claims in a CSR report could be used against the company. A fair pay issue, a safety incident on the factory floor, or even new information suggesting a much larger carbon footprint might be all it takes to trigger a lawsuit alleging that investors relied on CSR communications in forming investment decisions.

ESG Reporting Is At Least as Tough as Financial Reporting

Companies face similar risks with financial reporting, which is why they manage them with external audits and uniform standards (specifically generally accepted accounting principles, or GAAP). These measures don’t eliminate risk because even classic GAAP financial reporting relies on judgment and complex calculations.[2]

Still, financial reporting is like a leisurely stroll through Central Park compared with ESG reporting. Consider the challenges:

  • Non-standardized calculation methodologies. There are hundreds—if not thousands—of ESG metrics. Even as the SASB, TCFD, GRI, and others push to standardize these, we’re far away from uniform calculation conventions and ways of testing the assumptions underlying the calculations.
  • Weak testing and monitoring tools and institutions. Public accounting and other professional services firms are rushing to stand up testing and review capabilities, but this will take time. Universities are just beginning to adapt their curriculums.
  • Poor systems and centralized tracking. Whereas financial data has become centralized via the maturation of ERP and related systems, most companies aren’t even close when it comes to their carbon footprint and demographic data (respectively, the E and S of ESG).
  • Excessive reliance on third parties for data. Carbon footprint tracking is under pressure to encompass Scope 2 and Scope 3 emissions, which rely on information from various third parties where auditing and data quality testing is extremely difficult.
  • Imperfectly defined internal roles and responsibilities. Accounting, internal audit, investor relations, and any newly created ESG-focused departments must collaborate to produce CSR reports. However, internal processes and functional responsibilities are still largely undeveloped. In addition, staff turnover has impeded the formation of institutional knowledge.

None of this is a reason for inaction. It just shows why honorable intentions and good-faith efforts go only so far when it comes to reporting on ESG topics.

Plan for ESG Litigation

Now let’s come back to the SEC’s complaint against Vale. If even some of the allegations in the complaint are true, this would be alarming and not representative of what takes place at 99.9% of companies. But it does illustrate the types of risks that exist—and why measuring twice not only allows you to cut only once, but also helps you avoid getting cut yourself.

In summary, it seems like the SEC has become very interested in the statements that both companies and investment advisers make with respect to ESG. In March 2021, the SEC established the Climate and ESG Task Force within its Division of Enforcement. Since then, this group has been rather busy.

Parts of the SEC’s complaint against Vale hint at the degree to which ESG messaging is under scrutiny.

  • “Vale’s concealment of the true condition of the Brumadinho and other tailings dams caused Vale’s sustainability reports, periodic filings, and other Environmental, Social, and Governance (“ESG”) disclosures to be materially false and misleading.”
  • “Before the collapse of the Brumadinho dam, Vale repeatedly assured investors through SEC periodic filings, presentations, sustainability reports, and ESG webinars that its dams had been audited to address the risk of liquefaction.”
  • “Vale suppressed adverse information about the dam, used flawed and unreliable data to perform safety analyses, strong-armed independent auditors, and ignored international safety standards and best engineering practices that it claimed to follow.”
  • “In its 2017 Sustainability Report issued on April 17, 2018, and made available to investors through its website and referenced in its SEC filings, including Form 6-K filed on May 30, 2018, Vale continued its false narrative of safety.”
  • “Executive Two signed a SOX 404 sub-certification letter, dated February 17, 2017, guaranteeing and certifying that ‘all Internal Controls,’ including the dam safety control concerning dam safety audits, ‘were reviewed, executed and presented satisfactory results regarding the associated risks and are free from significant and material error.’”

As you can see, the SEC is speaking about ESG reporting in the same vein as financial reporting. Note the references to Sarbanes-Oxley 404 certifications and robust, functional internal controls for ESG metrics. This means ESG claims matter and have much more gravitas than many might have assumed.

Enforcement Against Corporations Is Only Half the Puzzle

The SEC isn’t exclusively focused on corporations. It’s also directing enforcement actions toward investment advisers and registered funds that use ESG as a marketing or other device.

In May 2022, the SEC charged BNY Mellon Investment Adviser with erroneously claiming that its funds had all gone through an ESG quality review. Earlier in 2022, it charged fintech startup Wahed Invest with (among other things) failing to follow its claimed investment process.

On May 25, 2022, the SEC proposed amendments to rules related to how investment advisers and related entities disclose and categorize their ESG strategies. This takes the SEC’s concern to an entirely new level by creating standardized accountability and a much higher standard overall for funds. It appears the vogue for ESG funds has raised regulatory alarm over the potential to mislead investors.

Implications and Best Practices

So what can you do while the regulatory and legal frameworks for ESG reporting get worked out?

  1. Maintain clean files and work papers. Even weak documentation or calculations that yield conflicting or ambiguous conclusions create risk that can be used adversely in litigation.
  2. Invest in data quality. That includes internal databases, data scrubbing, and global centralization of information. For example, we’re working with companies to integrate data between their applicant tracking and HR information systems to improve the rigor underpinning their pay equity analyses.
  3. Set up automation and controls around tracking. Staff turnover and changing data can undermine process stability.
  4. Get unbiased outside opinions. Especially on sensitive topics like pay equity, it’s important to know what the methodologies and best practices are, and whether they’re being carried out independently with an eye toward continuous improvement and risk management.
  5. Educate your internal audit function. They’ll need to know the technical issues and dimensions so they can help design controls and testing procedures.
  6. Test drive metrics for at least two years. Carbon and social metrics are impacted by a confluence of factors. It takes time to get comfortable with how and why they change over time before going live with them in external reporting.
  7. Invest in executive dashboards and root cause analytics. Dashboards help executives quickly grasp what’s changing and how sensitive a variable is to related factors. Root cause analysis makes it easier to identify new initiatives that have the greatest potential to effect change.
  8. Decide whether to link executive compensation to ESG progress. There are good arguments for and against doing this, whether in the annual bonus plan or the long-term incentive plan. And, of course, there’s the question of which ESG metric to use given that most companies track dozens of them.
  9. Maintain legal privilege on sensitive topics. Analytics and reports on topics from climate to pay equity may flag various items for further consideration. These items are often not cut and dried. Where possible, they should be shielded through privilege to avoid litigators using them in ways never intended.
  10. Monitor public and private litigation trends. The winds of change are strong in all directions. The Supreme Court is expected to rule against Harvard University on affirmative action, which will impact how some organizations consider race and other data when making hiring decisions. Meanwhile, litigation in the pay equity space is changing how companies approach these studies and demonstrates how experts can disagree on such technical topics.

None of these steps are quick or easy, but they will help mitigate risk and drive continuous improvement in how ESG information is obtained, tracked, and presented.


CSR (and related) reports have become more specific and intensely focused on building a multi-year narrative around the organization’s ESG strategies. That’s terrific evidence of corporate and societal progress. Whatever the motivation—a genuine sense of social responsibility or external pressure—even average ESG performance is leaps and bounds better than what existed 10 years ago.

By all accounts, we expect these trends to continue and for there to be consolidation and convergence in the standards and methodologies used. This won’t happen overnight and it will be a winding journey. Our emphasis in this article has been the risk that lurks along that journey and the steps companies can take to mitigate it.

Using Vale as a case study, we discussed how the SEC has become interested in ESG-related disclosures and how litigation pertaining to ESG problems can quickly be transformed into investor lawsuits. In the Vale case, the SEC initiated litigation, whereas other cases can just as easily be initiated privately.

We’re happy to help as you continue to invest in your ESG processes. We support companies primarily with respect to the “S” of ESG, including automating dashboards and trending on diversity and inclusion, conducting pay equity studies, and general advice and guidance on these matters.


[1] In accounting parlance, CSR audit work performed by public accounting or other professional services firms is far from that of a true audit that’s performed for financial reporting purposes. The work conducted on ESG disclosures is usually classified as a “review” and is performed according to review standards established by the AICPA.

[2] The earnings quality literature (promulgated in the 90s, and very much present today) illustrates how various assumptions and conventions behind seemingly objective reporting results color the sustainability and value-relevance of those outcomes. And if you’d really like to have your worldview challenged, check out work by the late Anthony Hopwood. Hopwood was a world-renowned academic at Oxford, University of Chicago, and London School of Economics who kicked off an entire genre of research on the various organizational and social factors influencing the objectivity of financial and managerial reporting.