The ESG compliance deadlines auditors miss

UK companies cross ESG compliance thresholds unnoticed every year: SECR, ESOS, modern slavery, gender pay gap. Why these get missed and what to do.

April 8, 2026

Three years ago, I was working with a bank. Not a tiny one. A real, grown-up financial institution with a proper finance team, experienced auditors, and the kind of governance infrastructure you'd expect from a regulated business. We'd been brought in to develop a full revenue-reinforcing sustainability strategy, starting with a double materiality assessment and working through into strategy-setting and delivery planning.

As part of that work, we did what we always do at the start of an engagement: a quick horizon scan. Before you can set a strategy, you need to understand the guardrails and “must dos”. What legislation is the company already subject to? What is coming? Where are the gaps?

What came up was that this company had recently crossed the threshold for SECR disclosures. The Streamlined Energy and Carbon Reporting framework applies to any large UK company meeting at least two of the following three criteria in a given financial year: more than 250 employees, annual revenue above £36 million, or a balance sheet total above £18 million. Cross two of those lines in any financial year and SECR disclosures must appear in the Directors' Report for that same year. There is no grace period. The obligation exists from the moment the threshold is crossed.

Nobody had flagged it. Not their accountants. Not their auditors. Not anyone inside the business.

The timing, by pure luck, meant we could act. They were still finalising their annual report and accounts. They'd also, thankfully, been measuring their greenhouse gas emissions for a couple of years (to gain their “carbon neutral” badge, back when those were fashionable), so the underlying data existed. We were able to piece together compliant SECR disclosures in time. But if we’d started working with them a few weeks later, the report would have gone out non-compliant.

I've thought about that case many times since. Because it would be easy to frame it as an unusual situation, a one-off, something that happens to companies with particular gaps in their governance. But I've found the opposite to be true. The more horizon scanning we do, the more often we find the same pattern. Regulations crossed without anyone noticing. Obligations sitting in a grey area between finance, sustainability and company secretary, with none of them feeling squarely responsible for them. Things that matter legally, reputationally, and increasingly to investors, being missed not out of negligence but because sustainability still sits as something separate rather than fully embedded in the business.

More recently, we did a refreshed horizon scan for a different client at the request of their Board Audit Committee chair. Two things surfaced. The first was a modern slavery statement that was several years out of date, with no process in place to update it annually or have it signed off by a board member, as the legislation requires. An old version was sitting on their website, quietly non-compliant. The second was that they will fall into scope for the next ESOS compliance deadline, which requires an energy audit by a qualified assessor. They now have time to prepare.

Neither of these companies was disorganised. Neither was particularly under-resourced for its size. They had phenomenal people in the influential roles. They simply didn't have ESG compliance embedded into the responsibilities of the right people across the business.

It doesn't help that ESG requirements are relatively new, have changed a lot in recent years, and continue to evolve.

That's the gap. Not complicated, but systemic. ESG compliance obligations don't announce themselves when a threshold is crossed. SECR doesn't send a letter. ESOS doesn't appear on your calendar. The modern slavery statement legislation doesn't remind you that another year has passed. The responsibility for knowing sits with the company, and in practice, it sits with no one in particular.

The broader advisory ecosystem has been slow to close this gap. Accountants and auditors are excellent at the things they're trained to verify. Sustainability consultants are often brought in to work on strategy or isolated reports or initiatives, not to take responsibility holistically for compliance. Legal advisers tend to be reactive rather than prospective. The result is that a growing company can cross several material compliance thresholds in a single financial year and not find out until it’s too late.

What I've come to believe, from years of doing this work, is that compliance is not a sustainability problem. It's a governance problem. It belongs in the same conversation as risk management and board oversight, not in the ESG workstream that reports to the sustainability lead. The regulations that most often get missed are foundational obligations with real legal teeth. Missing a SECR disclosure is a breach of the Companies Act, with potential personal liability for directors.

For companies with investors, and particularly for those approaching an exit or IPO, the stakes are higher still. Compliance gaps discovered in due diligence are not just an inconvenience. They become evidence of governance weakness at precisely the moment when governance is being scrutinised.

The solution isn’t complicated. It requires someone to be looking, regularly, with a clear picture of where the thresholds sit and a systematic way of checking whether the company has crossed them. The absence of that process explains almost every compliance gap we've found.

We built the Perigon ESG Compliance Tool because we were doing this analysis manually for every client, and we thought the scan itself should be accessible to any company that wanted it. It's free, it takes about three minutes to complete, and it produces a personalised report of the obligations that apply to your company's specific profile. You can try it at https://www.perigonpartners.co.uk/esg-compliance-tool.

Frequently asked questions

How do I know which ESG regulations apply to my company?

The primary triggers are company size, industry and ownership model. Most of the obligations that get missed are size-based: employee count, annual revenue, and balance sheet size. The complication is that different regulations use different thresholds, and a company can cross one without crossing another. Checking where you stand requires mapping your current figures against each set of criteria separately. That is exactly what the Perigon ESG Compliance Tool does.

What happens if a company has already missed a SECR deadline?

Non-compliance with SECR is a breach of the Companies Act, and personal liability can fall on directors. The practical steps are to take legal advice, establish what data exists, and report as soon as possible. The disclosure itself is not technically complex. The data collection is the work. Companies that have been measuring energy use or greenhouse gas emissions for any other purpose, even informally, are often better placed than they think. The key is not to wait.

Are these obligations relevant to private companies, or only listed ones?

SECR, ESOS, gender pay gap reporting, and the modern slavery statement all apply on the basis of company size, not listing status. A PE-backed company with 300 employees and £50 million in revenue carries the same obligations as a listed company of equivalent size. The assumption that these are listed-company concerns is one of the reasons private companies get caught out.

We have a sustainability team. Shouldn’t they be across this?

Possibly, but the ownership is often less clear than it appears. Sustainability teams typically focus on strategy, reporting against known frameworks, and voluntary initiatives. Compliance horizon scanning sits at the intersection of legal, finance, regulatory relations and governance, and in most companies it does not have a clear owner. The fact that a sustainability team exists does not guarantee that anyone is tracking which statutory thresholds the company has crossed. It is worth asking the question directly rather than assuming it is covered.

How often should a company be doing this kind of horizon scan?

At minimum, annually. For growing companies, any significant change in headcount, revenue, or balance sheet should prompt a check, because crossing a threshold mid-year still triggers the obligation for that financial year. Companies approaching a fundraise, acquisition, or exit should also run a scan before the process begins. Compliance gaps are significantly easier to address before they become due diligence findings.
