Governance Briefing — July 12, 2023

On 12 July 2023, the Securities and Exchange Board of India (SEBI) issued Circular SEBI/HO/CFD/CFD-SEC-2/P/CIR/2023/122 introducing the Business Responsibility and Sustainability Report (BRSR) Core and phased value chain reporting obligations. The circular distils 49 key environmental, social, and governance (ESG) indicators from the broader BRSR framework and mandates external assurance, starting with the top 150 listed entities by market capitalisation in FY 2023-24. It also obliges large issuers to extend disclosures to their upstream and downstream partners. Boards must therefore elevate ESG governance, mobilise finance and sustainability teams to produce auditable data, and integrate privacy safeguards so personal information collected from suppliers, employees, and customers can be retrieved for data subject access requests (DSARs) without compromising confidentiality.

BRSR Core complements the comprehensive BRSR introduced under the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015. While the full BRSR contains 143 indicators, the Core subset prioritises metrics deemed critical for investor decision-making and national sustainability goals. It covers greenhouse-gas emissions, energy intensity, water and waste management, gender and diversity, wages, occupational health and safety, human rights practices, and anti-corruption governance. SEBI requires limited assurance on these indicators using the Institute of Chartered Accountants of India’s Standards on Assurance Engagements (SAE 3000/3400) or equivalent frameworks, signalling a shift from voluntary narrative reporting to verified sustainability performance.

Governance requirements

Boards should embed BRSR Core oversight into audit and risk committee charters. They must approve the assurance provider selection, review independence safeguards, and ensure the scope covers entity-level operations and, over time, value chain partners representing at least 75 percent of purchases or sales by value. Directors should insist on integrated reporting calendars that align sustainability metrics with financial closing processes, enabling timely disclosure in annual reports. As SEBI expects the top 150 listed entities to provide limited assurance for FY 2023-24, boards must monitor readiness dashboards that track data availability, control gaps, and remediation plans. Minutes should capture challenge around methodologies, especially for just transition indicators, living-wage assessments, and human-rights grievance mechanisms that intersect with labour law and privacy obligations.

SEBI’s phased timeline expands assurance to the top 250 listed entities in FY 2024-25, the top 500 in FY 2025-26, and the top 1,000 in FY 2026-27. Value chain reporting begins as a comply-or-explain requirement for the top 250 from FY 2024-25, with limited assurance required from FY 2025-26 onward. Governance frameworks must therefore extend oversight beyond corporate boundaries, incorporating supplier audits, partner codes of conduct, and contractual clauses that oblige data sharing for BRSR metrics. Boards should review whether existing sustainability committees have the mandate and expertise to evaluate value chain risks, including forced labour, data protection, and greenhouse-gas accounting for Scope 3 emissions.

Implementation roadmap

Implementation leads should organise work into five streams: materiality and controls, data architecture, assurance enablement, value chain mobilisation, and privacy alignment. The materiality stream must confirm that enterprise-level sustainability priorities align with the 49 BRSR Core indicators, updating risk registers and policies on climate, social welfare, and governance. Control owners should map each metric to existing internal controls—such as energy metering, payroll systems, occupational health logs, or whistle-blower platforms—and document control design, frequency, and evidence retention in a Sarbanes-Oxley-style controls matrix.

The data architecture stream should integrate ESG data into enterprise resource planning (ERP) or sustainability management platforms. Finance and IT teams must establish master data definitions (for example, intensity ratios per crore of revenue), calculation methodologies consistent with Bureau of Energy Efficiency or GHG Protocol guidance, and audit trails capturing data lineage. Implementing application programming interfaces (APIs) or robotic process automation (RPA) can reduce manual errors when collating supplier questionnaires or HR data. Metadata tagging should highlight records containing personal information—employee salaries, grievance redressal logs, or union membership data—so privacy teams can maintain records of processing activities and DSAR response inventories.

Assurance enablement requires early engagement with external auditors. Companies should perform dry runs of BRSR Core reporting for FY 2022-23 to test data readiness, share process narratives, and agree on sampling approaches. Internal audit can perform readiness assessments, verifying meter calibrations, waste manifests, and policy documentation. Because SEBI expects reporting in the prescribed Extensible Business Reporting Language (XBRL) format, technology teams must validate taxonomy mappings and ensure filing portals capture digital signatures. Implementation plans should include crisis-playbook scenarios in case assurance identifies significant deficiencies, specifying board-level communication and investor disclosures.

The value chain mobilisation stream must identify high-priority suppliers and distributors contributing to the 75 percent coverage threshold. Procurement should update supplier codes to mandate ESG data submission, audit cooperation, and privacy compliance. Contracts should reference Indian privacy statutes—currently the Information Technology Act and forthcoming Digital Personal Data Protection Act—and specify DSAR assistance obligations, including timelines and secure data-transfer protocols. Companies should provide training and capacity-building support to micro, small, and medium enterprises (MSMEs) in their supply chain, recognising that smaller partners may lack measurement systems. Digital portals should enable suppliers to upload emissions, wages, and human-rights data securely, with automated validation checks.

Privacy alignment must run in parallel. Many BRSR Core indicators touch personal data—gender diversity ratios, median wages, attrition rates, and incident logs. Data-protection officers should update privacy notices to explain ESG reporting purposes, legal bases (legitimate interest or legal obligation), and retention periods. DSAR playbooks should specify how to retrieve ESG-related data, redact co-worker information, and respond to objections when employees decline consent for optional disclosures. If companies rely on anonymisation to share workforce metrics externally, privacy teams must document techniques and re-identification risk assessments. For value chain data, organisations should ensure cross-border transfers comply with Indian and foreign privacy regimes, especially when suppliers operate in jurisdictions with stricter requirements like the EU GDPR.

Monitoring, assurance, and disclosure

SEBI expects companies to disclose BRSR Core and value chain information in annual reports and on corporate websites, alongside management discussion and analysis (MD&A) sections. Investor relations teams should prepare narrative context explaining year-on-year performance, target trajectories, and remediation actions when metrics deteriorate. Because SEBI has linked BRSR to the Stewardship Code and mutual fund ESG schemes, issuers should anticipate investor engagement meetings focusing on assurance findings, data quality, and governance oversight. Companies should also coordinate with credit rating agencies and banks that may integrate BRSR data into sustainability-linked financing covenants.

Continuous monitoring is essential. Sustainability offices should track leading indicators—percentage of metrics with complete data, assurance adjustments raised, supplier coverage achieved, and DSAR requests referencing ESG information. Dashboards should integrate with enterprise risk management tools to trigger escalation when data gaps threaten assurance timelines. Internal audit and compliance functions should perform periodic reviews of supplier due diligence, whistle-blower handling, and grievance mechanisms, ensuring policies align with the National Guidelines on Responsible Business Conduct (NGRBC) principles that underpin BRSR.

Finally, organisations should plan for future regulatory evolution. SEBI has signalled its intention to move from limited assurance to reasonable assurance over time and to align BRSR with global frameworks such as the International Sustainability Standards Board (ISSB) and the EU Corporate Sustainability Reporting Directive (CSRD). Companies that invest early in robust governance, data, and privacy infrastructure will be better positioned to meet these heightened expectations, maintain stakeholder trust, and demonstrate that sustainability disclosures can withstand both capital-market scrutiny and DSAR obligations.