Symantec’s Cecily Joseph Shares Lessons Learned from a Decade of CSR Reporting

 

Symantec, the Silicon Valley-based cybersecurity company, just released its tenth Corporate Responsibility Report. Cecily Joseph, VP of corporate responsibility, has led Symantec, and in fact, the sustainability reporting community at large, using quality sustainability reporting standards to drive sustainability programing now for 10 years running. 3p went behind the scenes to gain insights on reporting best practices, highlights from this year’s report, and trends coming around the corner.

Symantec started out strong, winning the Ceres-ACCA Sustainability Reporting award for “Best First Time Report” in 2008. Joseph explains her team got a few things right from the start, and she has since picked up additional best practices in reporting. Here are her highlights:

Keep it short. Symantec’s first CR Report was upwards of 70 pages; Today’s report is only 30.

Listen to stakeholders. Symantec works closely with stakeholders to find out what information is important to them. In the early reporting years, Symantec’s CR department would interview stakeholders and take on most of the report writing. Today, stakeholders take the first pass at drafting report material, as the CR team learned stakeholders are often closer to what’s happening on the ground.

Engagement with stakeholders is a key component of the Global Reporting Initiative's best practices -- one many companies neglect to do rigorously due to time constraints. Symantec has unlocked the key to making stakeholder engagement work for reporting too.

Create a reporting committee. Symantec has built an extensive CR reporting committee that includes representatives from multiple departments, making the reporting process more inclusive. “We see them as a CR committee in general, not just as a reporting committee. The CR department itself is small, and our work depends on CR being integrated throughout the company,” explains Joseph.

Don’t be afraid to set goals, even if you don’t meet them. Joseph notices many companies are hesitant to set goals because they are scared they won’t meet them. “I have found it is important to make public goals - this keeps us on track for continuous improvement and keeps us accountable to our stakeholders. We aren't always able to achieve every goal, but setting them helps push us towards progress.”

Leverage report material 365. “We don’t just publish the report and walk away; we leverage the material for a full year, and it becomes the basis for most of our CR communications,” shares Joseph. She now sees CR information show up in different ways across the company, including in Symantec’s recruiting materials, which is exactly how her team intends for the CR Report to be used. However, this didn’t happen overnight; it takes time for employees to keep CR information top of mind. This is another example of why stakeholder engagement can pay dividends for a strapped department. By engaging employees in the process, they are more likely to see the report as a resource they can use in their jobs.

Don’t let reporting consume you. Symantec’s reporting season can last up to eight months. “You can’t spend all that time focused on the CR Report – you have to build and run programs!” says Joseph. “We learned over the years to integrate reporting into the general flow of all the other work we are doing.”

Operationalize your data collection process. Joseph acknowledges that data collection is the hardest part about reporting and suggests investing the time to put a good system in place up front. Conducting a materiality analysis is a vital first step to identifying priority issues to include in a report; then data must be collected from busy employees and management. Symantec employees are cooperative, but getting them comfortable and used to the data collection and reporting process took time. “Now they expect it and it’s a part of their job and what we do as a company each year,” says Joseph.

Use the GRI framework. Joseph sees this as a valuable tool that can be leveraged to bring a certain order and consistency to a report. “If you haven’t used this tool before, it may seem overwhelming. I encourage you to take the time to figure it out,” says Joseph. She wants to dispel the myth that a company must report on all GRI indicators; only issues identified as priority should be reported on, and this is where conducting a materiality assessment comes in handy.

 

Highlights from Symantec’s 2017 CR Report

Reaching STEM education goal early. In FY2017, Symantec reached its goal early to educate one million students in STEM education by 2020. “Part of our success came from the energy that’s out there around STEM education,” says Joseph. “People realize we need to build a pipeline and equip our young people with the skills that are needed for STEM jobs that continue to grow.” She notes that cybersecurity is particularly hot job market, with one million jobs currently available. Symantec launched a STEM initiative in 2014, Symantec Cyber Career Connection (Symantec C3), to bring more young adults, people of color, veterans, and women—all of whom are underrepresented in cybersecurity—into cybersecurity careers.

Ahead of schedule on greenhouse gas emissions reduction target. Symantec is well on track to meet or exceed its ten-year goal to reduce GHG emissions by 30 percent by 2025, with a target of reaching three percent per year. In FY2017, Symantec reduced its emissions by 15 percent (bringing the total to 19 percent). This has primarily been the result of its workforce planning team’s efforts on energy use reduction through site consolidation and creating more efficient spaces in existing buildings, its ‘cloud’ team’s efforts to decrease the footprint of data centers, and renewable energy projects. The company also became a signatory to the Science Based Targets initiative, committing Symantec to reducing its Scope 3 (supply chain) emissions.

Challenges to tackle

As Symantec values transparency, Joseph highlights challenges the company faced in FY2017, including namely the setbacks to its diversity and employee engagement goals. She believes this was due to the enormous changes Symantec has gone through in recent years, including divestitures, acquisitions and changes to the leadership team. Its employee engagement numbers dropped ten percent, putting the company behind in achieving its target of averaging four volunteer hours per employee. To remedy this, Symantec launched Service Time, which grants employees five paid days off each year to volunteer, and redoubled efforts around its second Global Service Week (GSW), a dedicated company-wide week of service.

 

Additionally, Symantec’s diversity numbers are not where the company had hoped they would be. As a tech company, Joseph sees it as critical that Symantec continue to bring in and retain more women and people of color. In FY2017, the new CEO, Greg Clark, signed the CEO Action for Diversity & Inclusion Pledge with more than 300 CEOs around the world. “It was important for our employees to see that we have a new leader who is very committed to diversity and inclusion,” says Joseph. Symantec is also piloting bias trainings and working to further integrate diversity and inclusion into the company’s recruiting efforts.

Emerging Trends in CSR Reporting

More companies are willing to acknowledge challenges and failures. Joseph notices more companies willing to publicly discuss struggles and missteps in their CSR efforts. “Other companies have stepped up and shared their challenges, and this has given us the courage to start conversations and do things we probably wouldn’t have been able to do before,” says Joseph. “The more we talk about our common challenges, the more we can learn from each other, and make progress together.” Joseph shares that transparency is critical to Symantec’s brand and reputation because trust is at the core of what it does as a cybersecurity business. “We have to build trust with our customers, employees, and other stakeholders,” she explained.

A spotlight on diversity and inclusion. Joseph sees diversity moving beyond the standard questions of what companies are doing internally for current and prospective employees, to include companies asking themselves what they are doing to impact women’s empowerment, LGBTQ rights, and racial equity in society at large. “The expectations on companies to get involved will continue to grow,” notes Joseph.

Privacy and data protection are fast becoming material issues. At a minimum, every company has an obligation to protect its employee and customer data, says Joseph. “Today, there is much more of an expectation that companies talk about this through a corporate responsibility lens.” This is especially true for an IT company like Symantec. However, Joseph finds that U.S. companies in many sectors have work to do to catch up to European companies on this trend.

Integrated reporting will continue to grow, but not negate separate CSR reporting. Joseph recognizes the value of integrated reporting and looking at financial reporting with a CSR perspective, but doesn’t see the standalone sustainability report going away. “In a sustainability report, you might find emerging issues or a narrative that couldn’t be part of an integrated reporting framework.” Joseph has found that regulations around financial reporting are stricter, and that Symantec can be more aggressive with its goals and broader in issue area content in its CR Report.

Companies are going digital. Symantec is relying more and more on its website and other creative digital mediums to tell a cohesive and ongoing CSR story and provide information in an easy-to-access format. Printed reports are getting shorter and becoming a thing of the past.

The best sustainability reports will walk a fine line: reporting on the past while setting goals for the future; sharing hard data while putting it in context with images and stories. Ultimately, the best sustainability report is the one that serves stakeholders and drives an organization forward with shared commitment and purpose. Symantec's sustainability reporting is a shining example.