Third Party Risk Management - Consultancy, Assessment & Advisory

Vendor Risk Management & ESG Related Risk


The Emerging Importance of ESG-Related Risk

Environmental, social, and governance (ESG) and its role in vendor risk management have gained prominence over the past year as awareness of environmental and social issues grows. ESG examines how an organisation contributes to and performs on environmental, social, and ethical challenges, and how the organisation as a whole is governed. It touches on issues ranging from human rights and labour law, health and safety, privacy of personal information, and corruption and bribery, to the organisation's carbon footprint and environmental practices.

Regulators have recently started to put a strong emphasis on ESG, and it is becoming a key focus for organisations, from board room discussions down into operations and culture. In Europe, ESG has steadily been gaining momentum, and the arrival of a new presidential administration in the United States has opened the country up to advances in ESG reporting.

A recent Global Network of Director Institutes (GNDI) 2020-2021 Survey Report indicated that the COVID-19 pandemic will increase board focus on ESG and sustainability. There is significant pressure on organisations to report on ESG, coming from government legislatures, regulators and enforcement bodies, industry associations, and investors. The challenge today is that there is no single authoritative standard for ESG reporting.

There are a variety of competing standards for ESG reporting, such as the Global Reporting Initiative (GRI), the Sustainability Accounting Standards Board (SASB), the Carbon Disclosure Project (CDP), and the International Integrated Reporting Council (IIRC). This is further complicated by additional standards being proposed by the World Economic Forum (WEF), the International Financial Reporting Standards (IFRS) Foundation, and the European Union.

Integrating these standards into a single framework may eventually be necessary, but that will take a few years to address, if it happens at all. The pressure on organisations is real, however, and they have to act now. The best approach is to create a harmonised framework that fits the organisation, and to grow and adapt it as a recognised common standard develops over the next few years.

ESG is a serious issue that organisations need to address. It impacts their culture, investor and stakeholder relations, as well as their overall reputation with their clients and the broader world. 

The World Economic Forum (WEF) placed ESG risks at the top of its Global Risks Report, and the significance of ESG is only expected to grow as the United States joins Europe in implementing environmental regulations, responds to the health and safety crisis of the current pandemic, and prepares to mitigate future pandemics.

The challenge for ESG reporting is the extended enterprise. A business is no longer defined by its commercial property and employees; the modern business is an extended array of third-party relationships. Organisations are becoming aware that their ESG risks extend across a web of third-party relationships, often nested in layers of sub-contracting and deep supply chains.

The Evolution of ESG 

The number of regulations involving ESG has increased significantly over the years, and ESG is evolving into a growing regulatory burden for organisations, one that can affect the organisation's reputation, its relationships with investors, and its overall continuity. Some of the regulations that impact ESG include, but are not limited to:

Government regulators are also picking up on this. The European Union has its Directive on Corporate Due Diligence and Accountability, and Germany already has legislation to make this German law. The law covers more than internal practices: the extended enterprise is in scope, and organisations will be required to conduct ongoing due diligence of their third-party relationships for environmental and human rights practices.

Organisations need to build an ESG strategy into their third-party risk management (TPRM) process. Bringing ESG reporting and due diligence into the existing TPRM program allows the organisation to leverage the process, technology, and information it already has. Organisations need a robust and agile framework that delivers a holistic view of the extended enterprise and can deliver automated ESG assessments and continuous monitoring of information across the organisation and its relationships.

Implementing ESG reporting and assessments in your TPRM program does not just avoid potential compliance penalties or regulatory action; it also aligns the organisation with the future and allows it to operate with more efficiency, effectiveness and agility.

Optimising the Organisation’s TPRM Program for the Future 

The ultimate goal of any TPRM program is to build greater understanding, vision, and insight into the extended enterprise and to align the organisation's strategic and operational goals with its governance, risk and compliance (GRC) and ESG initiatives. To accomplish this, the organisation must build a framework and strategy that connects the entire organisation and the extended enterprise so that risks can be identified and mitigated as they emerge, and those risks now include ESG reporting and control in third-party relationships.

As part of initial and ongoing due diligence of third-party relationships, organisations should assess third parties on:

Responsibility for ESG within TPRM, and the consequences of getting it wrong, cannot be outsourced, and the demand for sustainability and diversity continues to grow. According to a recent study, 91% of companies take sustainability into account when making purchasing decisions, and 85% of consumers are now more likely to purchase from a company with a reputation for sustainability or diversity.

Developing an integrated approach to TPRM and ESG further increases effectiveness, efficiency, and agility, particularly in identifying the key third parties in the organisation's extended enterprise and the risks associated with the services they provide. Collaboration across organisations is also paramount as technology solutions become a mainstream way to manage third-party relationships and to monitor and mitigate third-party risk exposure.

A strong TPRM process that integrates ESG, supported by an information and technology architecture, is becoming a necessity for organisations. An effective approach requires complete visibility and understanding of the interconnectedness of business relationships and their ESG risk exposure. Third-party risk management is likely to become more integrated across risk management, business operations, and resiliency as the business comes together to address ESG as part of its shared values, commitments, and culture.

You’re Only As Strong As Your Weakest Link

There’s never been a more vital time to ensure the security of your organisation and the cyber supply chain you rely on. DVV Solutions are here to help with a range of managed services and solutions proven to improve your ability to assess, analyse and manage more third-party risk domains at scale.

For more information on enhancing oversight of your supply chain risks:

Call us: +44 (0) 161 476 8700

Contact us: complete our Contact Form, or

Learn more about What We Do

This article was originally published by ProcessUnity and is shared with their kind permission