Todd Hall and Bob White
May 11, 2010

Objectives/topics
- Context setting
- Credibility: why is it critical? Can it be enhanced through verification?
- What is meant by verification? Is there a common understanding? Verification vs. assurance?
- Determining the ROI related to assurance.
- Exploring verification options. Do different types of verification influence perceived/real credibility?
- Assurance of claims of CSR performance using instruments such as GRI, AA1000AS, ISO 26000.
- The value of reporting - issues related to the lack of ‘Sustainability Reporting’.
- ISO 26000 and GRI – verification
- ISO 26000 – “In Use”

Context Setting
- Much of what I’ll be presenting today comes from experience.
- In terms of verification, OPG:
  - has self assessment and internal audit programs,
  - has participated in auditor exchange programs with other utilities for over 20 years, and
  - is subject to frequent reviews from regulators, registrars, and assurance auditors.
- OPG has ISO 9001/14001 & OHSAS 18001 registrations, along with integrated MSs.
- OPG has been producing SD reports for over 10 years, and has experimented with 3rd party assurance, 2nd party assurance and has provided assurance statements founded in self declaration.
- I have 20 years audit experience, & sit on the Board of Directors of the Auditing Association of Canada.

Credibility
- Credibility: the state or quality of being credible.
- Credible: capable of being believed, worthy of reliance or confidence as to the truth and correctness.

Why is credibility critical?
- Essential for maintaining sound stakeholder relationships, which are essential for business success, franchise to operate.
- It is an attribute of being a responsible corporate citizen.
- There is little point in expending resources to write the report if it is not perceived as credible.

Verification
- To verify – to prove to be true, to confirm, to establish the truth, correctness or authenticity.
- Verification should lead to assurance of credibility.
- Assuming that the exercise actually gives you what you assume, i.e. reliable and accurate, and you understand the caveats and qualifications stated.

Assurance for Verification of Claims - (GRI G3)
- GRI recommends the use of professional assurance providers, stakeholder panels, and other groups or individuals external to the organization for sustainability reports in addition to any internal resources.
- ‘External assurance’ refers to activities resulting in published conclusions on the quality of the report & the information contained within it, including consideration of underlying processes for preparing it.
- Differs from activities designed to assess or validate the quality or level of performance of an organization, such as issuing performance certifications or compliance assessments.

Assurance Standard - (AA 1000 AS)
- GRI states that assurance providers may follow professional standards for assurance (AA1000AS), or systematic, documented, & evidence-based processes.
- AA 1000 AS is intended for use by sustainability assurance practitioners and providers to strengthen the quality & credibility of an organisation’s public disclosures on its sustainability performance.
- It covers the full range of an organisation’s disclosure & associated performance.
- It draws from & builds on mainstream financial, environmental & quality-related assurance.

Misconceptions
Common misconceptions related to 3rd party audits:
- Registration to an ISO standard is perceived by many as assurance of high quality, or high performance; this is not necessarily the case – ISO 9001 is intended to be assurance of consistent quality.
- The quality of 3rd party audits is consistently high – and reliable.
- 3rd party auditors are truly free from influence.
- Assurance audits are intended to provide stakeholders with high confidence.
Independence is Not a Synonym for Credibility
- 3rd party verification may help demonstrate due diligence; however, blind reliance on 3rd party verifications may undermine the notion of reasonable care.
- Experience has shown that ISO MS registrations do not provide the degree & consistency of assurance that customers require – not credible despite being 3rd party – we satisfy ourselves through audit.
- When & where we audit is based on our perception of risk & degree of confidence.

Assurance Statements

3rd Party Assurance
- Imagine if you will a multinational organization (ACME) having its 2009 Sustainability Review report evaluated for Inclusivity, Materiality and Responsiveness using the AA1000AS (2008) assurance principles.
- The organization conducting the assurance review is a well established assurance company.

GRI
- This same report is aligned to the GRI’s G3 sustainability reporting guidelines, to an A+ level.
- The GRI guidelines help ensure ACME covers relevant topics, identified by a broader range of stakeholders, which are generic to sustainability reporting by any organization.
- An independent assurance statement was included in the report.

What is the real vs. perceived value?
- Actual vs. Perceived value. What should stakeholders believe?
- Later in the year of publication the company had a significant event (environmental & H&S).

A critical review of the assurance statement reveals the following caveats:
- The extent of evidence gathering procedures performed is less than that of a reasonable assurance engagement (such as a financial audit) and therefore a lower level of assurance is provided.
- Work was limited to group level activities.
- We did not visit any of ACME’s businesses.
- We are not aware of any matters that would lead us to conclude that ACME has not applied the inclusivity principle in developing its approach to sustainability or the responsiveness principle.
- Nothing has come to our attention that causes us to believe that the data relating to the above topics has not been collated properly from group-wide systems.
- We are not aware of any errors that would materially affect the data as presented in the Report.
- We are not aware of any misstatements in the assertions made.
- We do not accept or assume any responsibility for any reliance any third party may place on the Report.

How many stakeholders took the time to understand the caveats and limitations? Did the assurance process meet the perceptions of stakeholders?

Reporting - Desirable Attributes
- Open, honest, transparent and credible.
- Only the stakeholder can decide whether the report is credible. Perception = reality.
- Does 3rd party verification improve stakeholder confidence – or perception of credibility?

TRANSPARENCY, HONESTY, OPENNESS ARE ATTRIBUTES THAT WE STRIVE FOR IN REPORTING. Credibility may be aspired to, but in truth only our stakeholders can determine whether the report is credible in their eyes.

How can one achieve credibility?
Various groups would have you believe that only through a third party independent verification process can one achieve credibility. I would like to challenge that paradigm and offer some alternative thoughts.
1. 3rd party verification is time consuming and costly. What is the ROI?
2. Do stakeholders really want 3rd party verification or is this a bill of goods sold by those who offer the service?
3. If not a legal or other requirement that you have committed to – then I suggest that credibility can be achieved in a variety of ways.

Pros & Cons of 3rd Party Assurance
Pros:
- Real or perceived independence & objectivity.
- Fresh perspective.
- In theory adds credibility to claims.
Cons:
- Costs - schedule, resource and financial (questionable ROI).
- Loss of opportunity – capacity building to develop and retain the knowledge within the organization.
- Less intimate knowledge of operations/processes.
- Perception of credibility where influence can be exerted through financial relationship.

Select the Right Tool for the Job
- Each of us has a variety of tools in our tool box.
- A good craftsman selects the right tool for the job.
- While a sledgehammer will drive home a finishing nail it may not be the best fit.

How do you pick the best approach?
- Understand any requirements or other commitments that compel/incent you to get 3rd party verification.
- Be aware of stakeholder expectations.
- Identify controls & assess whether they provide the desired level of assurance.

Classification of Audit Independence
- 1st party or internal audits - conducted by or on behalf of the organization and may form the basis of declaration of conformity (19011); independence can be demonstrated by having freedom from responsibility for the activity being audited.
- 2nd party audits; external audits – conducted by parties having an interest in the organization, such as customers or by others on their behalf.
- 3rd party audits; external audits conducted by external independent auditing organizations such as those providing registration or conformity audits.

Exploring Verification Assurance Options
- Credibility can be achieved a number of ways – engaging stakeholders routinely and having open lines of communication typically builds more credibility than a verified annual report.
- Choose the right tool for the job.
- Understand what the verification/assurance statements do and don’t mean.
- If 3rd party not required, consider alternate approaches.

                   Perceived assurance   Subject knowledge   Audit technique knowledge   Cost
Self Assessment    Low                   High                Low                         Low
1st party          Moderate              Moderate            High                        Low
2nd party          High                  Moderate            High                        Moderate
3rd party          High                  Low                 High                        High

Recommendations
Ask yourself whether 2nd or 3rd party audits are truly more independent & reliable – or is this simply a perception.
Recommendation 1
- Use a “qualified auditor” – someone with the competence to conduct the audit – most are governed by a code of conduct.
- All should adhere to the principles of auditing – ethical conduct, fair presentation, due professional care, independence and evidence based approach.

Recommendation 2
- Understand the requirements and select the right approach to achieve the desired results.
- Do not automatically default to or assume the stakeholders want a 3rd party audit.

ISO 26000 and GRI
- GRI and ISO 26000 clause 6 only
- GRI addressed in cl. 7.5
- Not in GRI:
  - Clause 4: Principles of SR
  - Clause 5: Stakeholder identification and engagement
  - Clause 7: Integration of SR into organization
- We are using GRI

Verification … (ISO 26000:2010 Social Responsibility)
1. Clause ‘7.6.2 Enhancing the credibility of reports and claims about social responsibility’ describes the many ways organizations can enhance the credibility of their reports and claims including: ‘using a rigorous and responsible process of verification by an individual or individuals independent of the process of report preparation, either within the organization or external to it such as stakeholder groups, to undertake the verification process and publishing a statement attesting to the verification as part of the report’

Verification (ISO 26000:2010 Social Responsibility)
2. The verification process could also include reporting conformance to the reporting guidelines of an external organization such as those outlined in the Annex to ISO 26000
3. Annex A contains a non-exhaustive list of voluntary initiatives and tools for social responsibility by the ISO 26000 working group experts using a specific set of criteria that are described in Annex A
4. Two of the many initiatives in Annex A that can be used to enhance credibility are the Global Reporting Initiative (GRI) Sustainability Reporting Framework and AA1000 Assurance Standard (2008)

Why ISO 26000 Social Responsibility?...
1. Social Responsibility fits the ISO strategy for standards that are market and globally relevant and create a sustainable world.
2. ISO MOU with ILO, UN Global Compact and OECD
3. Consistent with international treaties and conventions and existing ISO standard, UN Declarations and ILO
4. Over 175 international SR instruments in Bibliography
5. Over 500 experts in SR from over 100 countries
6. First time ISO used a ‘balanced stakeholder approach’: industry, labour, government, NGOs, consumers, others

McDonalds

ISO 26000:2010 in Use
1. Canadian Electricity Association: Sustainability
2. Vancouver Olympic Games 2010: CSA Z2010 Sustainable Event standard
3. Responsible Exploration and Mining: DeBeers Canada
4. Canadian Climate Change Adaptation Project
5. Socially Responsible Investing (SRI)
6. Universities: Canada: Ryerson, Toronto, Waterloo; Mexico: Autonoma Metropolitana, Iberoamericana, Guanajuato: ‘Responsible Education’
7. Seneca College: 46 graduate students assisting 46 companies using ISO 26000 FDIS

Contact
Todd Hall, OPG, 1-416-592-1708, todd.hall@opg.com
Bob White, BRI International Inc., 1-416-368-1457, bob@bri.ca