Scope 3 is coming: CIOs take note

Even though sustainability can be an amorphous organizational pursuit, it’s becoming more of an urgent priority all industries must clearly define. Whether that’s through internally motivated ESG efforts or imposed regulations, CIOs, in particular, find themselves increasingly central figures in sustainability initiatives. And scope 3 reporting—an account of carbon emissions across the supply chain to build equipment, provide professional expertise, or deliver a subscription service—may be the most rigorous and challenging requirement. While scope 3 reporting won’t be mandatory anywhere before 2024, the hard work to prepare has already begun in some organizations—even though the blueprint isn’t yet finalized.

“Scope 3 reporting will come as a shock to a lot of technology leaders,” says Niklas Sundberg, CIO of global solutions at Swedish conglomerate Assa Abloy. “I think this is going to be even more massive than GDPR. Companies will be required to publish real numbers about sustainability across the supply chain—and much of the data will come from IT procurement.”

The Greenhouse Gas (GHG) Protocol Initiative, a multi-stakeholder partnership of businesses, NGOs, governments, and other players was formed in 1998 to define standards and frameworks, including three different scopes for reporting. Scope 1 is on direct emissions from sources owned or controlled by an organization, including emissions from company-owned power generators. Scope 2 is on all indirect emissions resulting from an organization’s energy consumption, including emissions from the company’s energy provider. And scope 3 reporting for one company depends on scopes 1 and 2 reporting from the next company upstream in the supply chain. Or it could mean getting scope 3 reporting from the next company upstream when the supply chain is deeper than just one step, which is usually the case.

In Europe specifically, EU taxonomy for sustainable activities has been in force since July 2020. The goal is to reach a climate-neutral economy in the EU by 2050, with an intermediate milestone of a 55% reduction in emissions by 2030. Companies in Europe are required to start scope 3 reporting in 2024 with data from 2023, so collecting that data starts now. In the US, on the other hand, the Securities and Exchange Commission (SEC) published a rule proposal in March 2022 calling for companies to start gathering scope 3 emission data as early as in 2024 for reporting in 2025. While this is not yet law, the fact that the SEC made such a proposal is a good indicator that it will be soon.

Regardless of the timeline of in-country regulators, US companies doing business in Europe already have to adhere to the same rules as their European counterparts. And some organizations have already started doing scope 3 reporting regardless of mandates. They do so knowing that many investors and customers want to limit their business to companies that are committed to sustainability efforts.

Scope 3 reporting specifically places a heavy burden on many CIOs because IT is a large part of procurement for many companies outside of manufacturing, where business is about buying raw material and component parts from the supply chain and converting them into products. Furthermore, IT accounts for most of the energy expenditure for a lot of organizations—and it’s getting worse. With each new generation of the sophisticated applications companies have come to depend on—applications, such as machine learning and data analytics—compute requirements soar to new heights.

In the short term there will be cascading errors and double counting. But once the kinks are ironed out, third-party consultants will be able to put together an accurate picture that traces carbon emissions across supply chains. The big consulting firms already have their eyes on what this can do for their businesses. They know that GHG reporting—and particularly scope 3—will be a lucrative field of expertise that they can market to IT leaders.

The race is on in Europe with the US following suit

The large companies, who for one reason or another have started to report, depend on emissions numbers from their suppliers. This in turn puts pressure on everybody in the supply chain to do their own reporting, even if they’re not yet required to do so by law.

“One of the challenges with scope 3 is a lot of vendors in your supply chain can’t disclose this information today,” says Sundberg, who echoes these points in his new book Sustainable IT Playbook for Technology Leaders. “Nobody can tell you how much CO2 emission is embedded in some of the more popular software—for example, how much is consumed for one user to run Office 365 for a year. If you have 50,000 Office 365 users, there are no metrics to help you make the calculation at this point.”

IT leaders generally need to get numbers from suppliers in four different categories: hardware vendors, software vendors, professional service providers, and cloud providers. The large hardware vendors usually have the numbers readily available. Software vendors don’t know where to start. Professional service providers, once they overcome the tedium, can get a good count by tracking down things like emissions incurred during travel. As for cloud services, some of the large cloud providers have the numbers ready—and for those who don’t, a third party can calculate emissions based on geographic location and the type of equipment used.

Organizing for sustainable IT

Many companies in Europe have built teams to address IT sustainability and have appointed directors to lead the effort. Gülay Stelzmüllner, CIO of Allianz Technology, recently hired Rainer Karcher as head of IT sustainability.

“My job is to automate the whole process as much as possible,” says Karcher, who was previously director of IT sustainability at Siemens. “This includes getting source data directly from suppliers and feeding that into data cubes and data meshes that go into the reporting system on the front end. Because it’s hard to get independent and science-based measurements from IT suppliers, we started working with external partners and startups who can make an estimate for us. So if I can’t get carbon emissions data directly from a cloud provider, I take my invoices containing consumption data, and then take the location of the data center and the kinds of equipment used. I put all that information to a rest API provided by a Berlin-based company, and using a transparent algorithm, they give me carbon emissions per service.”

Internally speaking, the head of IT sustainability role has become more common in Europe—and some of the more forward-thinking US CIOs are starting to see the need in their own organizations.

“Europe is a step ahead,” says Srini Koushik, CTO of Rackspace Technology in the US. “We’re a global company, so we already started our preparations for scope 3 reporting. Our approach has been if we can meet the European standard, then we’ll be a year or two ahead of the rest of US organizations.” Hiring chief sustainability officers is the way to go, he adds, but the question remains how that person fits into the hierarchy. “That will depend a lot on the industry,” he says.

In many industries, such as finance, IT is a big part of overall procurement. It makes sense to have a role dedicated to sustainability reporting into the CIO. However, in other industries, such as manufacturing, where much of the procurement occurs outside of IT, it makes more sense to have a chief sustainability officer separate from IT.

Large companies have already begun working on scope 3 reporting, and this has already started to put pressure on smaller partners. “Companies do a calculation on how much overhead they have to put in to make up for suppliers that don’t give them enough information,” says Koushik. “If the supplier isn’t worth that overhead, they’ll change suppliers.”

Once people settle on reporting and investors, and customers start to see which companies are doing well on CO2 emissions, companies will start to re-evaluate their suppliers—and that’s exactly the reason behind the reporting. But not everybody is onboard yet. Too many companies lack in-house expertise.

“I know so many IT leaders who are not familiar with the GHG protocol,” says Koushik. “Now is a good time for them to get started.”

Starting now means jumping ahead on what will likely become an important part of IT leadership in the future. CIOs who get behind may have to rely on consulting firms to track and report on GHG emissions. That could be the right decision. But the decision to outsource such an important activity should be a deliberate act, rather than just a knee-jerk reaction.

Data Governance, Green IT, IT Governance