Vendor Risk Management & ESG Related Risk

Vendor Risk Management and ESG Risk

The Emerging Importance of ESG-Related Risk

Environmental, social, and governance (ESG) and its role in vendor risk management have gained prominence this past year as awareness of environmental and social issues grows. ESG examines how an organization contributes to and performs on environmental, social, and ethical challenges, as well as the overall governance of the organization. ESG touches on issues ranging from human rights and labor laws, health and safety, and privacy of personal information to corruption and bribery and the organization’s carbon footprint and environmental practices.

Regulators have recently started to put a strong emphasis on environmental, social, and governance (ESG), and it is evolving into a key focus for organizations, from board room discussions down into the operations and culture of the organization. In Europe, ESG has steadily been gaining momentum, and the entrance of a new presidential administration in the United States has opened the country up to advancements in ESG reporting.

A recent Global Network of Director Institutes (GNDI) 2020-2021 Survey Report indicated that the COVID-19 pandemic will increase board focus on ESG and sustainability. There is significant pressure on organizations to do ESG reporting. This comes from government legislatures, regulators and governing enforcement bodies, associations, and investors. But the challenge today is there is no one authoritative standard to do ESG reporting.  

There are a variety of competing standards for ESG reporting, such as the Global Reporting Initiative (GRI), the Sustainability Accounting Standards Board (SASB), the Carbon Disclosure Project (CDP), and the International Integrated Reporting Council (IIRC). This is further complicated by additional standards being proposed by the World Economic Forum (WEF), the International Financial Reporting Standards (IFRS) Foundation, and the European Union.

Perhaps it is necessary to integrate these standards into a single framework, but this will take a few years to address, if it is done at all. The pressure on organizations is real, however, and they have to act. The best approach is to create a harmonized framework that fits the organization, then grow and adapt it as a recognized harmonized standard is developed over the next few years.

ESG is a serious issue that organizations need to address. It impacts their culture, investor and stakeholder relations, as well as their overall reputation with their clients and the broader world. 

The World Economic Forum (WEF) listed ESG risks at the top of its Global Risks Report, and the significance of ESG is only expected to grow as the United States joins Europe in implementing environmental regulations, responds to the current health and safety crisis of the pandemic, and prepares to mitigate future pandemics.

The challenge for ESG reporting is the extended enterprise. Business is no longer defined by commercial property and employees. Modern business is an extended array of third-party relationships. Organizations are becoming aware that their ESG risks extend across a web of third-party relationships, which often nest themselves in layers of sub-contracting relationships and deep supply chains.

The Evolution of ESG 

The list of regulations involving ESG has significantly increased over the years, and ESG is evolving into a growing regulatory burden for organizations, which can impact the organization’s reputation, relationships with investors, and the overall continuity of organizations. Some of the regulations that impact ESG include but are not limited to:  

  • Australia Modern Slavery Bill 
  • UK Modern Slavery Act  
  • The 2010 California Transparency in Supply Chains Act  
  • Dutch Child Labor Due Diligence Act 
  • US Conflict Minerals 

Government regulators are also picking up on this. The European Union has its Directive on Corporate Due Diligence and Accountability, and Germany already has legislation to make this German law. The law covers more than internal practices and includes the extended enterprise in scope. It will require that organizations conduct ongoing due diligence of third-party relationships for environmental and human rights practices in ESG.

Organizations need to start an ESG strategy as part of the third-party risk management (TPRM) process. Implementing ESG reporting and due diligence into the organization’s TPRM program allows the organization to leverage the process, technology, and information that already exist. Organizations need a robust and agile framework that delivers a holistic view into the extended enterprise and can deliver automated ESG assessments and continuous monitoring of information across the organization and its relationships.

Implementing ESG reporting and assessments into your TPRM program doesn’t just avoid potential compliance penalties or regulatory action, it’s also a smart move that aligns the organization to the future and allows it to operate with more efficiency, effectiveness and agility.   

Optimizing the Organization’s TPRM Program for the Future 

The ultimate goal of any TPRM program is to build greater understanding, vision, and insight into the extended enterprise and align the organization’s strategic and operational goals with GRC and ESG initiatives. To accomplish this, the organization must build a framework and strategy that aligns and connects the entire organization and the extended enterprise to better identify and mitigate risks as they emerge, and these risks now include ESG reporting and control in third-party relationships. 

With initial and ongoing due diligence of third-party relationships, organizations should assess the third parties on the following:

  • Ethics: A close review and alignment of the third party’s code of conduct and culture with the organization’s is needed to ensure that the third party is committed to the same principles of conduct that the organization is. Ethics are not just a matter of compliance, but also stretch into social activism and justice. Issues such as diversity and inclusion continue to grow in prominence, and a lack of due diligence into diversity and inclusion throughout the extended enterprise can result in severe reputational damage in this day and age and ultimately affect the bottom line. In financial services, for example, we now see regulators transforming the ethical issue of diversity into a legitimate compliance obligation for organizations.
  • Environmental practices: This includes the third party’s approach and commitment to environmental stewardship, climate change, and the reduction of its carbon footprint. Leveraging third-party certifications can help your organization incorporate data from intelligence providers, such as EcoVadis, and integrate it with the organization’s TPRM functions into an information architecture that delivers a holistic approach, providing complete visibility and awareness into risk across relationships and supply chains and breaking down the silos created by manual solutions and inadequate processes.
  • Bribery and corruption: Initial and ongoing due diligence is needed to ensure that the third party is not on watch lists, sanction lists, or politically exposed persons lists. The goal is to ensure that the third party’s ethics and practices are in place and that it is not entangled in bribery, corruption, money laundering, or fraud.
  • Labor and human rights: There is a significant focus on human rights to address modern slavery as well as to remediate discrimination and harassment. Assessments and monitoring need to be done to ensure the third party shares the organization’s commitment to the values of human rights and fair labor practices.
  • Data protection and privacy: An aspect of ESG is the protection and control of personal information. Assessments need to be regularly conducted to ensure the organization has the right controls and practices in place to address the privacy and data protection of individuals. 
  • Nested relationships: The challenge is that the extended enterprise nests itself in relationships. This includes sub-contracting relationships as well as deep supply chains. Assurance is needed that the third party is doing the same level of assessments and due diligence on its third parties that it relies on to deliver services and goods to the organization.  

Responsibility and potential consequences within TPRM for ESG cannot be outsourced, and the demand for sustainability and diversity continues to grow. According to EcoVadis, 91% of companies are taking sustainability into account when making purchasing decisions, and 85% of consumers are now more likely to purchase from a company with a reputation for sustainability or diversity.  

Developing an integrated approach to TPRM and ESG will further drive increased effectiveness and efficiency, as well as agility, specifically in regard to identifying key third parties in the organization’s extended enterprise and the risks associated with the services they provide. Collaboration is also paramount across organizations as technology solutions become a more mainstream way to manage third-party relationships to monitor and mitigate third-party risk exposure. 

A strong and integrated TPRM process that integrates ESG, supported by an information and technology architecture, is becoming a necessity for organizations. An effective approach requires complete visibility and understanding of the interconnectedness of business relationships and their ESG risk exposure. Third-party risk management is likely to become more integrated across risk management, business operations, and resiliency as the business comes together to address ESG as part of its shared values, commitments, and culture.