Category Archives: Risk

Fraud in Sustainability/CSR

Fraud is increasingly a topic in our conversations. We have had direct experience with EHS fraud in the past. The most recent occurrence was helping a client unravel an embezzlement scheme using waste disposal as the fraud mechanism. It played out a bit like a made-for-TV movie – not the kind of thing I ever expected to see personally, nor in the 21st century.

New pressures and risks are developing around sustainability/CSR reporting. Although still largely voluntary (certain aspects are mandated in the US, UK and Australia for instance), its business importance has grown dramatically in the past 5 years.

Customers demand more transparency and reporting in their supply chains, and many make procurement decisions based on this information. Many institutional and activist investors carefully review sustainability/CSR disclosures and make decisions using that information. It is now common for shareholder resolutions to be filed related to the disclosures, or lack thereof. Major media outlets have sustainability/CSR desks specifically focused on these matters and who pore over the filings and report on them.

We are finding that there is very little consideration given to fraud assessment or monitoring in this context – so is it even meaningful? We think so, and well known fraud and compliance expert Hui Chen agrees. Let’s apply the Fraud Triangle to supplier CSR performance.

  • Motivation. There is much on the line for businesses and their suppliers in terms of CSR results. As pointed out above, sustainability/CSR disclosures and performance may directly impact revenues, reputation and investor activity. No one wants to be on the wrong end of that. Motivation? Check.
  • Rationalization. It isn’t much of a stretch to see how an individual can rationalize using alternative facts due to the business pressures. In some cases, suppliers in developing countries may rationalize their actions further due to their own cultural setting. But let’s not kid ourselves into thinking that the US is immune itself.
  • Opportunity. There is ample opportunity for motivated suppliers to commit fraud. In some instances, CSR auditors are used to review suppliers. But those hiring audit firms many times severely limit the auditors by imposing minimal scope/effort driven primarily by cost. Suppliers know their customers’ auditors are not enabled to conduct a thorough review, and with pre-scheduled site visits, they have plenty of notice to dress the place up for the auditors.

This is only one example of how fraud can enter into the sustainability/CSR picture. If this isn’t included in your company risk assessments, or considered in the context of CSR/sustainability reporting, it should be.

You Are What Your Suppliers Do: Supplier Actions Make Headlines, Break Business

With companies facing increasing pressure for the actions of every part of their supply chain, demand for – and reliance on – supplier/corporate social responsibility (CSR) audits conducted by third parties has grown rapidly.

Shirts, Phones, Rocks and Shrimp

But there is concern about the quality, reliability and credibility of these audits.

CSR Auditing and Toilet Paper

Is Social Auditing Really Auditing?

Harvard Professor Identifies Factors for Meaningful CSR and Supply Chain Audits

You Don’t Know What Your Suppliers Are Hiding

Companies rely on their CSR audit firm to utilize qualified auditors, employ adequate QA/QC processes and expend adequate time to conduct a reasonable audit. Yet there are no generally-accepted professional CSR audit practitioner standards. Moreover, due to cost pressures, lowest cost audit providers are frequently selected that may not have appropriate auditing skills or training – the largest CSR audit firms conduct tens of thousands of these audits each year. Increasing audit time and costs to improve quality or credibility is typically not realistic – the business model is inherently high-volume, low margin.

Are these audits effective at findings supplier actions that create risks for you? Can a company gain confidence in their CSR audits without adding costs? Is a change in auditors necessary?

Improve Credibility for Disclosures, Media and Customers

Changing audit firms is not necessary, nor is another layer of auditing. Instead, a formalized auditor training program can be a low cost yet effective solution.

The Elm Consulting Group International is expanding our well-proven auditor training program to companies who use CSR/supply chain auditors. The intent of this program is for brands to provide detailed communication and training to their current CSR/supply chain auditors about the company’s requirements for auditor competence, audit quality and processes in order to enhance the credibility of audit information.

Our formalized training for existing CSR auditors builds their client’s confidence in the quality of the work provided. The program is not intended to provide training on specific audit topics such as child labor or worker rights. Instead, the focus is on proven audit techniques such as:

  • Understanding and applying professional skepticism
  • Interviewing and active listening
  • Identifying and responding to non-verbal cues within multi-cultural contexts
  • Evidence sampling methodologies
  • Using information from different sources
  • Verification and recomputation techniques
  • Judging audit evidence quality and limitations
  • Fraud detection
  • Using working papers and audit protocols
  • Writing effective and complete audit findings
  • Audit quality expectations, requirements and processes
  • Maintaining auditor independence, including auditor rotation

Our Qualifications as The Leader in Auditor Training

Our HSE auditor training experience began in the 1980s and we have successfully trained hundreds of external and internal auditors. Elm Principals hold auditor certifications from the US Board of Environmental, Health and Safety Auditor Certification (BEAC, now wholly merged into the Institute of Internal Auditors) and UK Institute of Environmental Management & Assessment, are approved trainers for the IIA EHS auditor certification program and are subject to annual continuing education requirements ourselves. Further, Elm Principals have served in various Board positions in The Auditing Roundtable (merged into the IIA in 2016) and BEAC, including the current BEAC Chair.  More information about our internal audit quality and auditor competence standards is available here.

Give us a call at 678-200-3424 or contact us via email to discuss how we can help you increase confidence in your CSR audits.

It’s Your Turn: Comment on AFL-CIO Report on CSR Failures

Originally published Aril 23, 2013, the organization has reposted its report titled Responsibility Outsourced: Social Audits, Workplace Certification and Twenty Years of Failure to Protect Worker Rights. Perhaps the report reflects a certain agenda, but it also contains interesting information and learnings. It also allows us to look back at a few pivotal events in brand/supplier responsibility history and to gauge what progress, if any, has been made in CSR auditing and accountability. We have not independently verified any of the statements made in this report. The information is taken at face value and as the original author’s intent.

Below are some of the most direct and strongly worded passages concerning CSR audits and auditors. The footnotes can be found in the original document, to which there is a link in the above paragraph.

We welcome all comments and discussion on these statements and look forward to a lively conversation.

In many ways, the CSR industry’s reliance on subcontracting of inspection and verification replicates the structure of the very global corporations it is supposed to monitor. Accountability is frequently lost in the “CSR supply chain,”

[CSR audits are] based mainly on short and cursory visits to factories and no proper discussion with workers.

In the worst such case, nearly 300 workers died and many more were injured in a fire at an Ali Enterprises garment factory in Karachi, Pakistan… Just three weeks before, the factory had been certified as complying with SAI’s SA8000 standards on worker rights and safety. The SAI system approved the Italian company RInA to certify factories. RInA subcontracted the inspection to a local company, RI&CA, and never actually went to Pakistan to approve workplace conditions. Neither SAI, its own technical experts, nor RInA ever had visited the factory, which was not even registered with the government. Yet somehow, Ali Enterprises received global SAI certification and access to contracts with major brands and markets as a socially responsible workplace.

As SAI admits, RInA managed the work being done in Pakistan solely by telephone and meetings outside Pakistan, never going to Pakistan to observe conditions at the factory.7

As of early 2013, there is still no systematic evaluation demonstrating the impact of SA8000 on workers’ rights and workplace standard. A 2011 Harvard study did find that if consumers are told workers’ rights are being respected at SA8000-certified factories, they prefer products from those factories. However, the study analyzed only consumer behavior and did not examine conditions and rights at a single workplace. Such a study only shows that SAI may work as a brand among some consumers and says nothing about workers’ rights.61 The researchers stress that “we have not attempted to evaluate the benefits provided to workers through SA8000 certification of facilities, and to compare these benefits with the additional costs paid by shoppers in terms of higher prices. A full cost-benefit evaluation of the SA8000 model would involve a long-term evaluation of the effects of the program on workers and comparisons with alternative mechanisms….”62 Meanwhile, the use of SA8000 certification has expanded considerably.

The social audit industry depends on a new profession, for which few people are comprehensively trained. The social audit industry has grown to an estimated US$80 billion-a-year activity…

Companies typically prepare for [the audit], setting the stage to present themselves in a favorable
 light during that brief audit, which may take as little as four hours and almost never more than three days.

One experienced ethical trading professional estimated that the average amount of time spent is about five hours for a factory of about 600 workers.87

Nike, GAP and major social audit firm DNV (accredited by SAI) all have been on record since 2005 or earlier admitting that social auditing is largely a failure.99

As long ago as 2001, Jem Bendell, a business school professor and researcher sympathetic to CSR and SA8000, found that for an auditor following SAI’s exhaustive protocol for SA8000, “a thorough investigation of a production site cannot be done in a two- to three-day audit.” He further concluded that: “People who argue that it is possible either don’t know the complexity of the issues, have a very different understanding of the word ‘thorough,’ or have a commercial interest in saying so.”112 Other research since 2001 repeatedly has found audits often receive considerably less time than that.


Cyber Attack on Iron Furnace Controls Causes Physical Damage to Plant

A few years ago, we wrote about how the growth of cyber attacks should be considered when companies assess environmental risk of their operations.  As highlighted in that article, rogue code was discovered before harm was done.

But an iron foundry in Germany was not so lucky.  As reported in this  WSJ article,

The plant’s control systems were breached which “resulted in an incident where a furnace could not be shut down in the regular way and the furnace was in an undefined condition which resulted in massive damage to the whole system,”

This situation should cause concern to anyone responsible for HSE and sustainability matters.  Malicious control of production operations can result in all sorts of nightmare scenarios, especially where the manufacturing operation involves the use of chemicals.  In the most minor case, environmental permit violations and media coverage are probable.  The worst scenario could involve the intentional weaponization of manufacturing by hacking operational controls and intentionally creating another Bhopal or Chernobyl.

We continue to recommend that companies consider these issues when conducting environmental risk assessments of their operations.

Reputation Risk and Conflict Minerals

Respected governance and internal audit expert Norman Marks posted a fascinating article on reputation risk.  He quotes a line from a recent survey that summarizes the main point:  reputation risk is driven by other business risks.  In many ways, he seems to be speaking directly to conflict minerals.  A few of his salient points are below.  Actually, the whole article is so on-point we almost need to quote it in its entirety.

It should be noted that the likelihood of a significant impact on reputation arising from, say, a safety issue is not necessarily the same as the likelihood of other impacts such as fines, lost time, and so on.

In addition, the impact on reputation may be positive while the impact on, say cash flow, is negative!

For example, the decision to divorce the organization from a supplier who is found to have broken the law may adversely impact costs and disrupt delivery of product to the market – while enhancing the reputation of the organization…

… when there is violence in some part of the world, people look to the US, EU, and others for a reaction. It’s not only the action that can affect reputation, but the failure to act

Actions by third parties that are part of the extended enterprise (suppliers, channel parties, agents, and even customers) can affect reputation. This needs to be identified, assessed, and monitored closely as well…

Of course, reputation risk is the basis of the Dodd-Frank Section 1502 conflict minerals disclosure so perhaps there is little surprise that Norman’s comments are so relevant.  Yet in the heat of effort companies are expending for SEC compliance, some may lose sight of this risk.

Reputation risk is a subject we explore specifically and deeply, from many points of view and sources.  We also explicitly drill down into impacts on supplier relationships – both positive and negative*.

Norman refers to the concept of “risk sensing” as a means of identifying and monitoring reputation risk.  We agree – as a matter of fact, given that our experience includes traditional risk management (insurable and non-insurable), this comes naturally to us.

One client has a particular exposure to reputation risk.  We knew this before the engagement because of our pre-engagement research and “risk sensing”.  In reality, this was easy to identify because the company is very well known and recently the subject of significant negative publicity about their core operations.  Because we were aware of this existing situation, significant time was expended discussing potential reputation impacts of conflict minerals matters.  Facilitated discussions took place between many business, communications, PR and procurement leaders (among others), leading the client to a thoroughly-considered conclusion and plan of action.

Norman’s article should be carefully reviewed and considered.  Afterwards, it may be worthwhile to revisit your own assessment of conflict minerals reputation risk.


*  For instance, eliminating suppliers that are not conflict free can result in a consolidation of purchasing power (a positive), but also reduce supply chain resiliency in the event of a disruption, such as what occurred with capacitor manufacturing in 2011 (a negative).

Business Continuity Strains Under Combination of Flooding, Dodd-Frank

After the devastating tsunami in Japan early in 2011, we began exploring the interrelationship of green/ethical procurement (such as conflict minerals) with business continuity/disaster recovery planning.

Now, an article from leading electronics supplier Digi-Key states that lead times are delayed up to almost 6 months for a significant amount of the world’s production of tantalum capacitors as a result of the flooding in Thailand, combined with raw material supply impacts of conflict minerals laws/policies.   Of course, higher prices are also expected.  “Combine those two things together and that put a big strain on the supply of raw materials in the market as well as pricing,” said Joe Porter, vice president tantalum product marketing at Kemet Corp. based in Greenville, S.C.

We continue to believe that significant opportunities exist for business continuity/disaster recovery planning efforts to incorporate growing green/ethical procurement initiatives.  Robust sustainability risk assessment exercises are essential in identifying relevant gaps and areas for improvement.  Feel free to contact us for more information about how we can help.

Demo Version of Conflict Minerals Audit, Program Development Tool Now Available

UPDATE:  For the latest information on the 2012 relaunch of the tool, click here.

Elm has released a demonstration version of its pioneering Self-Implemented Conflict Minerals Audit Preparation© tool, or SICMAP℠.  The demo contains abridged content, but retains the functionality, pragmatic approach and simplicity of the full version.

“While we originally designed SICMAP℠ to assist companies in preparing for audits, we have seen an unexpected interest in use of the tool as a conflict minerals program development guide/framework”, said Lawrence Heim, Elm’s conflict minerals services leader.  “The demo version was made available because of the increased demand and interest.”

To request a copy of the demo version, contact Lawrence Heim at

OECD Backs Up A Step on Conflict Minerals Guidance

IPC has announced a pilot study of the OECD due diligence guidance that will run until June 2012.  Elm confirmed that this study is an OECD-lead study intended to help the OECD identify important changes to their document.

We recently wrote about views expressed by companies who tried to implement the Guidance earlier with little success.  Another post dealt with the inconsistencies between the OECD Guidance and SEC standards for auditors and auditing engagements.

It appears that OECD has capitulated – essentially reverting the status of their “final” standard back to a draft.  While that may be good news to some extent, critical questions arise about the uncertainty it creates in the content of SEC’s upcoming final regulations, as well as how the project timing will impact companies seeking to implement a program to meet 2012 or even 2013 reporting.

House Committee on Financial Services Urges SEC to Adopt “Transitional Implementation” of Conflict Minerals Requirements

In a letter dated July 28, 2011, the leaders of the House Committee on Financial Services submitted additional comments to the SEC on the yet-to-be-finalized conflict minerals regulations.  The Committee Leaders, Congressmen Spencer Bachus, Gary Miller, Robert Dold and Steve Stivers, provided their recommendations on specific elements of a transitional implementation plan for Section 1502 of the Dodd-Frank Act.

Key points brought forth in the letter include:

  • The State Department’s most recent map of Conflict Zone Mines is incomplete, the mine sites are inaccessible, the Congolese Ministry of Mines cannot obtain verifiable information, and the information in the map is insufficient for companies t use in effective due diligence.
  • Creation of a new temporary category – “indeterminate origin.”  This would exempt companies from filing SEC reports when the origin is not possible to ascertain.  Due diligence efforts would still be required and proper filings made once the source is determined.
  • Retaining the  “indeterminate origin” classification as permanent for scrap materials.
  • A call to establish a de minimis standard for conflict minerals.

It is interesting to note that the letter explicitly indicates the need for a  “multi-tiered certification system, especially at the smelter and refinery level”.  Such a program is not required by the law, but may provide a key information element for companies subject to SEC reporting on conflict minerals.

At the same time, it is important to remember that use of/reliance on information from a certification system is simply one element of the program and reporting required.  Additional management processes are still needed for the internal use, management, risk assessment and reporting of that information.  That is sometimes not recognized by those entities who are emphasizing certification systems.

See the letter here:  HFSC ltr to SEC re Conflict Minerals

An Inconvenient Reality For Environmental/Sustainability Professionals?

For years, those of us in the environmental/sustainability profession have sought credible ways and metrics for quantifying the economic value of our efforts, activities and programs.  A myriad of studies completed dating back to the late 1980s attempt to demonstrate “environmental value”.  Most of these studies have shown rather tenuous linkages or used meaningless metrics.

Interestingly, most of these studies link to equity markets – i.e., stock prices.  Maybe because stock prices grab headlines, are tied to compensation or are the target to which Boards and senior executive generally manage.

The problem is that environmental/sustainability matters don’t fit into this model, either because they tend not to be financially material, or they don’t develop economic certainty within the “current quarter” myopia of corporate management, financial markets and analysts.

A recent article on the topic was published in The International News.  The article includes an interview with Kevin Parker, CEO of Deutsche Asset Management (DeAM) on the subject of how capital markets currently view environmental/sustainability risks.  DeAM manages over US$775 billion in assets.

With simplicity, clarity and unquestionable credibility from the financial market viewpoint, Parker made key points in the article and interview:

  • Bond markets are poised to punish polluting companies in the aftermath of the Macondo oil spill and Fukushima nuclear crisis.
  • “The process of re-pricing carbon and environmental risk has begun, because these two events were catastrophic.”
  • By contrast, shorter-term equity and commodity markets have continued to chase high-carbon opportunities, including voracious emerging market demand for coal.
  • But investors in longer-term debt including bonds will increasingly avoid unsustainable companies … an inexorable trend that will push up their borrowing costs.
  • “What this boils down to be risk in capital markets, and capital markets know how to price risk once they understand it.”

Pension investment managers realized this years ago since they emphasize stability and a long-term investment horizon.

But there seems to be far less recognition of this by environmental/sustainability practitioners, as the amount of studies, white papers and pseudo-financial metrics is mounting, with continued emphasis on the equities side of capital markets.  Perhaps the driving forces for this are general economic pressures facing companies are pushing staff to find ways to justify their existence and cost, consultants are trying to come up with that elusive short-term ROI metric for the cost of their services to clients and much of the HSE/sustainability media are vying for limited attention on the part of their readership.

Given Parker’s comments – and the lackluster historical success of valuation of environmental/sustainability matters in the context of stock prices – perhaps it is time to redirect our efforts at finding relevant and credible metrics.

In limited circumstances, financial value of environmental/sustainability initiatives can manifest in material and short-term impacts.  Those instances give practitioners hope of riding those coattails.  But generally, the reality is a little inconvenient.