Three years ago, I was working with a bank. Not a tiny one. A real, grown-up financial institution with a proper finance team, experienced auditors, and the kind of governance infrastructure you'd expect from a regulated business. We'd been brought in to develop a full revenue-reinforcing sustainability strategy, starting with a double materiality assessment and working through into strategy-setting and delivery planning.

As part of that work, we did what we always do at the start of an engagement: a quick horizon scan. What legislation is the company already subject to? What is coming? Where are the gaps?

What came up was that this company had recently crossed the threshold for SECR disclosures. The Streamlined Energy and Carbon Reporting framework applies to any large UK company meeting at least two of the following three criteria in a given financial year: more than 250 employees, annual revenue above £36 million, or a balance sheet total above £18 million. Cross two of those lines and SECR disclosures must appear in the Directors' Report for that same year. There is no grace period.

Nobody had flagged it. Not their accountants. Not their auditors. Not anyone inside the business.

The timing, by pure luck, meant we could act. They were still finalising their annual report and accounts. They'd also been measuring their greenhouse gas emissions for a couple of years, so the underlying data existed. We were able to piece together compliant SECR disclosures in time. But if we'd started working with them a few weeks later, the report would have gone out non-compliant.

I've thought about that case many times since. It would be easy to frame it as an unusual situation, but I've found the opposite to be true. The more horizon scanning we do, the more often we find the same pattern: regulatory thresholds crossed without anyone noticing, and obligations sitting in a grey area between finance, sustainability and the company secretary, with none of them feeling squarely responsible.

More recently, we did a refreshed horizon scan for a different client at the request of their Board Audit Committee chair. Two things surfaced. First, a modern slavery statement that was several years out of date, with no process in place to update it annually or have it signed off by a board member. Second, they will fall into scope for the next ESOS compliance deadline. They now have time to prepare.

Neither of these companies was disorganised. They simply didn't have ESG compliance embedded into the responsibilities of the right people.

That's the gap. Not complicated, but systemic. ESG compliance obligations don't announce themselves when a threshold is crossed. SECR doesn't send a letter. ESOS doesn't appear on your calendar. The responsibility for knowing sits with the company, and in practice, it sits with no one in particular.

What I've come to believe is that compliance is not a sustainability problem. It's a governance problem. It belongs in the same conversation as risk management and board oversight. Missing a SECR disclosure is a breach of the Companies Act, with potential personal liability for directors.

For companies with investors, and particularly for those approaching an exit or IPO, the stakes are higher still. Compliance gaps discovered in due diligence become evidence of governance weakness at precisely the moment when governance is being scrutinised.

The solution isn't complicated. It requires someone to be looking, regularly, with a clear picture of where the thresholds sit and a systematic way of checking whether the company has crossed them. The absence of that process explains almost every compliance gap we've found.

We built the Perigon ESG Compliance Tool because we were doing this analysis manually for every client. It's free, takes about three minutes, and produces a personalised report of the obligations that apply to your company's specific profile.

How do I know which ESG regulations apply to my company?

The primary triggers are company size, industry, and ownership model. Most missed obligations are size-based: employee count, annual revenue, and balance sheet size. Different regulations use different thresholds, and a company can cross one without crossing another. Checking where you stand requires mapping your current figures against each set of criteria separately — that is exactly what the Perigon ESG Compliance Tool does.

What happens if a company has already missed a SECR deadline?

Non-compliance with SECR is a breach of the Companies Act, and personal liability can fall on directors. Take legal advice, establish what data exists, and report as soon as possible. Companies that have been measuring energy use or greenhouse gas emissions for any other purpose are often better placed than they think. The key is not to wait.

Are these obligations relevant to private companies, or only listed ones?

SECR, ESOS, gender pay gap reporting, and the modern slavery statement all apply on the basis of company size, not listing status. A PE-backed company with 300 employees and £50m revenue carries the same obligations as a listed company of equivalent size. The assumption that these are listed-company concerns is one of the main reasons private companies get caught out.

We have a sustainability team — shouldn't they be across this?

Possibly, but the ownership is often less clear than it appears. Sustainability teams typically focus on strategy, reporting against known frameworks, and voluntary initiatives. Compliance horizon scanning sits at the intersection of legal, finance, and governance — in most companies it does not have a clear owner. The fact that a sustainability team exists does not guarantee that anyone is tracking which statutory thresholds the company has crossed.

How often should a company be doing this kind of horizon scan?

At minimum, annually. For growing companies, any significant change in headcount, revenue, or balance sheet should prompt a check, because crossing a threshold mid-year still triggers the obligation for that financial year. Companies approaching a fundraise, acquisition, or exit should also run a scan before the process begins — compliance gaps are significantly easier to address before they become due diligence findings.