Stakeholders want details about the compliance culture the company fosters, including whether adequate training is a priority.
Transparency Criteria #61 for the ESG report states: “The company discusses its ethics and compliance culture.” Related to this cultural component is Transparency Criteria #65 for the ESG report, which states: “Ethics/code of conduct training requirements are disclosed, including who is trained and how often.”
Both GRI and SASB have training disclosure requirements, giving credence to the notion that this is a topic that stakeholders want to learn about for each company:
- Code of conduct training disclosures elicited by frameworks/rankings:
  - GRI asks for disclosure about training on anti-corruption policies (205-2) and human rights policies (410-1)
  - SASB disclosures related to business ethics and professional integrity topics ask about policies and practices, including employee awareness and training programs
  - CSRD requires information about policies for training on business conduct, including who is trained and frequency
  - S&P Global CSA asks about training on discrimination and harassment
  - MSCI ratings methodology asks about scope of training on anti-corruption and business ethics standards
- Cybersecurity training disclosures elicited by frameworks/rankings:
  - SASB disclosures related to data security topics ask about employee training
  - S&P Global asks about employee awareness training
  - MSCI ratings methodology asks about scope of training employees on data security or privacy-related risks and procedures
Here’s a bullet from Cigna’s 2023 Form 10-K (page 45) about cybersecurity training: