A step-by-step field guide with real challenges and sector-specific insights
When people think of ESG and sustainability reporting, they picture smokestacks and factories. But India’s IT, AI, and large services companies face an equally complex and far less discussed set of challenges under BRSR. This guide is written for sustainability managers, company secretaries, CFOs, and compliance heads navigating that reality.
The instinctive reaction in the sector is often: ‘We don’t have smokestacks. This doesn’t apply to us the same way.’ That assumption is costly.
What is BRSR and Why It Matters to Your Sector
The Business Responsibility and Sustainability Reporting (BRSR) framework, introduced by SEBI, requires India’s top listed companies to disclose their Environmental, Social, and Governance (ESG) performance in a structured, verifiable format. It replaced the earlier BRR framework and significantly raised the bar for what companies must measure, disclose, and increasingly have independently assured.
Here is why the ‘it does not apply to us’ assumption breaks down in practice for IT and services companies:
| Energy & carbon footprint
Large data centres, always-on server farms, and AI model training workloads can generate significant Scope 1 & 2 emissions — often larger than many mid-sized manufacturing operations. |
Supply chain obligations
IT companies sourcing hardware, cloud services, or operating large vendor ecosystems face BRSR supply chain sustainability disclosure requirements — even when the product is software. |
| Social disclosures at scale
With tens of thousands of employees, contractors, and gig workers, the social pillar like OHS, wages, diversity, wellbeing — generates some of the most complex assurance challenges in the sector. |
Governance under scrutiny
India’s large services and platform companies face intensifying scrutiny on board independence, data governance, and business ethics — all of which have direct BRSR disclosure dimensions. |
BRSR Core Assurance — Phased Timeline
BRSR Core is the subset of high-priority ESG indicators that SEBI has earmarked for mandatory independent assurance: GHG emissions, energy intensity, water footprint, waste, gender diversity, wage equality, OHS, and supply chain sustainability.
| Financial Year | Companies Covered | Requirement | Status |
| FY 2023–24 | Top 150 listed companies | Mandatory BRSR Core Assurance | ✔ Completed |
| FY 2024–25 | Top 250 listed companies | Mandatory BRSR Core Assurance | ✔ Completed |
| FY 2025–26 | Top 500 listed companies | Mandatory BRSR Core Assurance | ✔ Active |
| FY 2026–27 | Top 1,000 listed companies | Mandatory BRSR Core Assurance | ⏳ Upcoming |
| What is BRSR Core?
Assurance on BRSR Core must be conducted by a Practising or accredited ESG assurance provider. The focus is on high-materiality indicators most prone to greenwashing; not the entire BRSR report. Think of it as the audited financial statements within a broader annual report. |
The Step-by-Step BRSR Process
The following process reflects what actually works in practice. Based on field experience with IT companies, large government-linked digital services organisationsand AI platform businesses going through their first and second BRSR cycles.
| 1 | Step 1: Define your organisational and operational boundary
Decide what entities, locations, and operations are in scope. For a large IT company with subsidiaries, captive units, and leased office campuses across 15 cities, this is not a trivial exercise. Every boundary decision must be documented and disclosed — unexplained exclusions are one of the most common assurance findings. |
| 2 | Step 2: Conduct an ESG gap assessment
Map what you currently measure against what BRSR Core requires. In most IT and services organisations, energy and emissions data exist somewherebut rarely in consolidated, auditable form. OHS data is typically fragmented. Supply chain ESG data often does not exist at all. |
| 3 | Step 3: Build your data collection system
Assign one data owner per BRSR Core indicator. Establish a monthly data capture rhythm, not a once-a-year sprint. For large IT companies with facilities spread across multiple states, this typically requires a centralised ESG data template distributed to each facility administrator with a defined cut-off date. Move away from email-and-spreadsheet workflows wherever possible. |
| 4 | Step 4: Establish ESG governance
Form an internal ESG committee or working group with representation from Facilities, HR, Finance, Legal, and IT-Operations. BRSR reporting fails most often when it lives only with the sustainability team. Leadership sign-off ideally at the board or MD level — is increasingly expected by assurance providers and investors. |
| 5 | Step 5: Draft your BRSR disclosure
Complete all sections which includes, General Disclosures, Management & Process Disclosures, and Principle-wise Performance Disclosures. For BRSR Core indicators, ensure every data point is backed by source documentation, methodology notes, and an internal review sign-off. Narrative quality matters: vague disclosures attract assurance queries. |
| 6 | Step 6: Commission independent BRSR Core assurance
Engage an accredited assurance provider early — not two weeks before your annual report deadline. Provide the assurance team with a complete evidence pack: utility bills, HR reports, contractor data, board resolutions, and policy documents. Treat assurance as a collaborative process, not an inspection. The better your documentation, the faster and cleaner the engagement. |
Challenges Specific to IT, AI & Large Services
Having worked through multiple BRSR engagements in this sector, the following challenges come up repeatedly and they are distinct from what manufacturing or infrastructure companies face.
Challenge 1 — The data centre emissions problem
Energy consumption and Scope 1 & 2 GHG emissions are BRSR Core mandatory disclosures. For large IT and AI companies operating their own data centres or consuming significant cloud infrastructure, this should be straightforward. In practice, it is not.
| 📋 FIELDINSIGHT ·IT Infrastructure / Large Technology Services |
| During a BRSR Core assurance engagement with a large technology services company, the facilities team provided electricity consumption data from their corporate HQ and regional offices but had not included the co-located data centre facility, which ran on a separate utility billing contract managed by a different team. |
| The data centre accounted for substantial amount of total electricity consumption. It was simply missing from the BRSR submission. The issue was not intentional.The data centre was treated as a ‘technical operations’ asset, not a ‘facilities’ asset, so it fell outside the facilities team’s data collection process. |
| → Lesson: Map every electricity meter and billing contract in your organisation before beginning data collection. The boundary must follow the energy, not the org chart. |
Challenge 2 — Counting the uncounted workforce
BRSR requires disclosures on permanent employees, contract workers, and workers employed through third-party contractors on company premises. For large IT and services companieswhich routinely operate with significant contract and vendor-managed workforces defining ‘who counts’ is genuinely complex.
| 📋 FIELDINSIGHT ·Large Digital Services Platform |
| A large digital services organisation had a disclose about permanent headcount. However, their total on-premises workforce including outsourced security, housekeeping, IT support contractors, and call centre agents exceeded and almost leads to double the count which was reported earlier. |
| BRSR requires disclosure of both categories. The HR team had robust data on permanent employees but had no reliable count of third-party contract workers across their multi-city operations. They resolved this by issuing a mandatory data call to all facility management and outsourced service vendors, requiring monthly headcount reports tied to vendor invoices. It took two months to establish reliable figures. |
| → Lesson: HR data is not the same as workforce data. Build a vendor-reported headcount system before assurance season, not during it. |
Challenge 3 — OHS in a white-collar context
Occupational Health & Safety data including Lost Time Injury Frequency Rate (LTIFR) and near-miss reporting is a BRSR Core indicator. IT and services companies often assume their OHS risk is low and that data collection will be simple. Both assumptions create problems during assurance.
| 📋 FIELDINSIGHT ·IT Services / BPO / Large Call Centre Operations |
| During assurance of OHS data for a large BPO Sector, it emerged that the company’s formal incident reporting system had recorded zero lost-time injuries over the year. However, the company’s own internal medical centre logs showed few incidents that technically met the LTIFR reporting threshold including sprains, slips, and ergonomic injuries but none of which had been routed through the formal safety management system. |
| Employees had used the walk-in medical room informally, without filing incident reports. The company was not misrepresenting data deliberately. The safety reporting culture assumed LTIFR applied to ‘serious accidents,’ not to sprained wrists from poorly set up workstations. |
| → Lesson: Ergonomic injuries, slip-and-fall incidents, and medical centre visits in office environments all count. Align your OHS definitions to GRI 403 standardsand train employees to report, not just visit the medical room. |
Challenge 4 — The AI-specific energy disclosure gap
AI companies and those running large machine learning workloads face an emerging challenge that current BRSR guidance does not fully address: how to disclose the energy and emissions footprint of model training and inference. This is becoming a live issue during assurance as providers probe the completeness of energy disclosures.
| 📋 FIELDINSIGHT ·AI Product Company / Enterprise Software |
| An AI-focused technology company disclosed energy consumption for its offices and co-location servers but did not include the significant cloud compute costs associated with model training runs conducted on third-party cloud infrastructure. The assurance team raised this as a scope completeness query.Cloud-based compute that the company directs and pays for may fall within Scope 2 (market-based) or Scope 3 emissions depending on the methodology applied. |
| The cloud infrastructure was managed by the engineering team, not the facilities team, and billed through a central cloud spend budget with no energy kWh breakdown. Cloud providers were approached for carbon and energy reporting data with varying degrees of success. |
| → Lesson: If your company runs AI workloads on cloud infrastructure, start requesting energy and emissions reporting from your cloud providers now. AWS, Google Cloud, and Azure all have carbon footprint reporting tools — but the data must be actively requested and reconciled. |
Challenge 5 — Supply chain disclosures when your supply chain is digital
BRSR’s supply chain sustainability requirements were designed with physical supply chains in mind. For IT and services companies whose primary suppliers are SaaS vendors, cloud providers, freelance platforms, and staffing agencies, defining what constitutes a ‘significant supplier’ for ESG disclosure purposes is a genuine grey area ;- one that assurance providers will probe.
| 📋 FIELDINSIGHT ·Enterprise Technology Platform |
| A large enterprise technology platform company initially reported having ‘no significant supply chain ESG risks’ because their product was software. During the assurance gap review, it emerged that their top five suppliers by spend included a hardware device manufacturer (for field devices distributed to clients), two staffing agencies supplying contract engineers, and a facilities management company operating across seven office locations. |
| The staffing agencies had no documented ESG policies, and no supplier ESG assessment had ever been conducted. The company had to initiate a supplier ESG screening process mid-assurance cycle. |
| → Lesson: ‘We are a software company’ does not exempt you from supply chain ESG obligations. Start by ranking suppliers by annual spend, then apply ESG screening to the top 20. The answer to ‘do we have supply chain ESG risks?’ is almost never genuinely ‘no.’ |
The Business Case — Why This Is Worth Doing Well
The most common pushback in the IT and services sector is that BRSR is a compliance cost with no business return. That has not held up in practice.
| “Our global client asked us for a copy of our ESG assurance report before renewing a multi-year contract. We had one. Our competitor did not.”
— Head of Sustainability, large IT services company (field observation, FY24) |
Export and global client qualification
Global enterprise clients particularly in Europe and North Americaare now routinely including ESG supplier assessments in contract renewals and RFPs. For IT services companies chasing large outsourcing contracts, an assured BRSR report is increasingly a differentiator and, in some tender processes, a threshold requirement.
Green financing and ESG-linked credit
Several large Indian banks and international lenders now offer sustainability-linked loans (SLLs) tied to ESG performance metrics. Assured BRSR disclosures provide the baseline data that makes an SLL negotiation possible. IT companies with significant capex needs particularly for data centre build-outs are beginning to access this instrument.
Investor positioning
ESG-screened funds including domestic ESG mutual funds and international institutional investors are using BRSR data to filter and weight holdings. For companies in the top 250 listed entities, this is not abstract. BRSR quality is showing up in analyst conversations and investor due diligence calls.
Operational insight as a by-product
Multiple companies have discovered significant inefficiencies during their first serious BRSR data collection exercise. One large IT campus found that its weekend HVAC shutdown policy was not actually being implemented resulting in approximately 11% excess energy consumption that had never been flagged because no one was measuring it at that level of granularity.
What to Prioritise First — A Quick Reference
If you are beginning your BRSR journey or preparing for your first assurance engagement, this is what field experience consistently shows you should prioritise:
| Month 1–2: Boundary & data audit
Map every entity, facility, and billing contract in scope. Identify who currently holds each BRSR Core data point. This surfaces gaps before the data collection scramble begins. |
Month 2–4: Data system setup
Build a standardised monthly ESG data template. Assign one owner per indicator. Start monthly capture — do not wait until year-end to collect a full year’s data retrospectively. |
| Month 4–8: Governance & policy
Formalise your ESG governance — committee structure, board oversight, and policy documentation. These are evidence points assurance providers will look for. |
Month 8–12: Assurance preparation
Engage your assurance provider 2–3 months before the report deadline. Prepare a full evidence pack. Run an internal pre-assurance review to resolve gaps before the formal engagement. |
| BRSR is not going away, and the IT and services sector is no longer peripheral to its scope. The mandatory assurance requirements expanding to the top 500 and then 1,000 companies will draw in a large proportion of India’s listed technology and services businesses over the next two years.
The companies that do this well are not the ones with the largest sustainability teams. They are the ones that started early, built clean data systems, assigned clear ownership, and treated ESG reporting as a business function but notas a last-minute compliance exercise. Field experience consistently shows that the first BRSR cycle is the hardest. The second is manageable. By the third, companies that built the foundations properly are spending a fraction of the time and producing meaningfully better disclosures, with the investor, client, and financing benefits that follow. |
This article is part of a practitioner series on BRSR reporting and ESG assurance in India. All field observations are drawn from real engagements; identifying details have been changed to preserve confidentiality. This does not constitute formal legal or regulatory advice.