
The ESG space is so chock full o’ jargon, acronyms and abbreviations it has become something of a joke – even being called a cause of ESG burnout. One term in particular sticks in my craw – “ESG data.” As with so many other things ESG, the definition of ESG data depends on who you ask but in my view, most people – especially those thinking in terms of ratings and the investment/finance world – consider the term to reflect the output of analytical methodologies and screens. 

But I ask this: What is the origin of information that goes into those analytical methodologies and screens?

The Data Within

The genesis of most ESG data is the rated companies themselves through internal data generation, management, review and ultimately external reporting. Errors, omissions and yes, even fraud, that start at the point of data generation enter the “ESG data ecosystem” to which all other stakeholders react. Survey after survey and study after study indicate there is a significant gap in how (or really IF) companies apply meaningful internal controls to their ESG information. The new report from IOSCO discussed this specifically, but for some reason the organization chose not to issue a recommendation related to company internal ESG data validation and instead focused on “streamlining their disclosure processes for sustainability related information to the extent possible.”

I have visited manufacturing locations around the world verifying E&S information, reviewing data collection/monitoring processes and validating publicly reported data. In my estimation, more than 95% of those audits resulted in findings related to data that was (or needed to be) reported externally. Causes of the errors ranged from spreadsheet problems, lack of awareness/training, equipment failures and human errors to disgruntled current/former employees and even intentional deceit. I wrote about a particularly stark example of this previously.

There is even greater risk related to ESG information about or from a company’s suppliers. That information is frequently collected using online supplier surveys/questionnaires or spreadsheets emailed back and forth. The accuracy and quality of supplier responses are heavily dependent upon the knowledge of the person answering those questions. It is common for temps or non-technical administrative staff to be given the task of filling these out and returning them to the data provider or customer. The error rate can be quite high, especially when launching a new survey or when on-boarding new suppliers – and it grows exponentially when those suppliers push the questionnaire down through their own supply chain in order to gather relevant information (e.g., country of origin of metals/minerals, embedded CO2 emissions and human rights violations).

Data From Others

Processors of ESG information talk about using artificial intelligence, blockchain, natural language processing, data mining, internet scraping and other ways of finding and gathering information that is floating around The Matrix. This makes the auditor in me quite nervous. Anyone can post information online – whether that information is false, unproven or speculative. Sometimes it can spark entire movements that become rapidly self-perpetuating (e.g., faked viral videos or political movements that build off emotions without relying on facts). Is ESG data insulated from these problems? No, and anyone who ignores that does so at their peril. 

Indeed, the Public Company Accounting Oversight Board (PCAOB) – the governmental entity that oversees US financial auditors – recognizes exactly this risk and issued new guidance for auditors using what PCAOB calls “evidence from external sources” which I wrote about recently. Even though this guidance applies to financial auditors, it is useful beyond that audience and is very relevant in an ESG context. One example is social media whistleblowing – before such claims are taken as truthful, they should be investigated. In the US, disgruntled workers know well the havoc they can wreak on employers by filing complaints with OSHA or EPA without needing any factual basis for doing so. I saw this happen more than once. Social media has the “advantage” of publicly embarrassing an employer as additional revenge without necessarily having a basis in fact. An article in the Wall Street Journal (subscription required) mentioned this:

… workers and customers, helped by social media and tight labor markets, are able to demand more from companies on issues they once let slide… it is easier to press complaints about child labor in the supply chain, treatment of minorities and women, carbon emissions and crass executive comments.

ESG data processors can apply their own opaque proprietary ways and data sources for filling in holes in company reported information. Some supplier management and procurement systems even claim to obtain or calculate supplier ESG data automatically. Companies appear to be at the mercy of both – yet are either independently audited or validated? IOSCO stated that none of the data providers evaluated in their analysis “implement verification processes on raw ESG data underlying ESG ratings or ESG data products because such processes are resource intensive and may not be possible with available information.” All the major ESG rating firms responded to IOSCO’s consultation. I admit being disappointed that Ashley Alder, Chair of IOSCO, didn’t specifically call out this critical distinction in an article he penned recently.

There is a related but somewhat different question about industry programs, mainly audit schemes focused on specific industry frameworks and needs, such as garment manufacturing, mining and minerals processing. I’ve written previously about risks of relying on these mechanisms without companies performing their own due diligence to confirm those programs are worthy of reliance and subsequent external reporting. An investigation from the Associated Press about Brazilian gold is a recent example. This article from guest contributor Matthew Friedman also gets to difficulties faced by social auditors.

What This Means

There isn’t agreement on what “ESG data” is. Although this train probably left the station long ago, I’d like to see different terms apply to company-generated “original” ESG data versus the information created by others who process/analyze that original data. IOSCO used the term “raw data” for the information originating from companies themselves. The distinction isn’t simply semantics or unimportant. Those in the ESG information ecosystem should use phrasing that in some manner differentiates their output from the information used as inputs, acknowledging where the ultimate source of information is the companies themselves. From there, we can work toward improving the accuracy and quality of that data as the foundation of all else.

Companies being rated need to know when a rating methodology fills in data gaps on its own, and attempt to evaluate that information. Alternatively, that information should be provided by the company directly rather than leaving opportunities for others to fill in the blanks using inconsistent and perhaps unproven methodologies. Raters may not be forthcoming in this regard – companies should initiate conversations with raters to find out where they fill in gaps on their own, and how.

Corporate internal ESG data validation processes must be commensurate with the importance of data. In prior years, internally-generated corporate ESG data quality was far less critical than it is now. Improvements are needed and should include robust validation of information obtained from suppliers, automatically generated via procurement systems and through industry programs.


The Editor

Lawrence Heim has been practicing in the field of ESG management for almost 40 years. He began his career as a legal assistant in the Environmental Practice of Vinson & Elkins working for a partner who is nationally recognized and an adjunct professor of environmental law at the University of Texas Law School. He moved into technical environmental consulting with ENSR Consulting & Engineering at the height of environmental regulatory development, working across a range of disciplines. He was one…