The Emerging Importance of ESG-Related Risk
Environmental, social, and governance (ESG) and its role in vendor risk management have gained prominence this past year as awareness of environmental and social issues grows. ESG examines how an organisation contributes to and performs on environmental, social, and ethical challenges, and how the organisation is governed overall. ESG touches on issues ranging from human rights and labour laws, health and safety, privacy of personal information, and corruption and bribery to the organisation’s carbon footprint and environmental practices.
Regulators have recently started to put a strong emphasis on environmental, social, and governance (ESG), and it is evolving into a key focus for organisations, from board room discussions down into the operations and culture of the organisation. In Europe, ESG has steadily been gaining momentum, and the entrance of a new presidential administration in the United States has opened the country up to advancements in ESG reporting.
A recent Global Network of Director Institutes (GNDI) 2020-2021 Survey Report indicated that the COVID-19 pandemic will increase board focus on ESG and sustainability. There is significant pressure on organisations to do ESG reporting. This comes from government legislatures, regulators and governing enforcement bodies, associations, and investors. But the challenge today is that there is no single authoritative standard for ESG reporting.
There are a variety of competing standards for ESG reporting, such as the Global Reporting Initiative (GRI), the Sustainability Accounting Standards Board (SASB), the Carbon Disclosure Project (CDP), and the International Integrated Reporting Council (IIRC). This is complicated further by additional standards being proposed by the World Economic Forum (WEF), the International Financial Reporting Standards (IFRS) Foundation, and the European Union.
Perhaps it is necessary to integrate these standards into a single framework, but this will take a few years to address, if it is done at all. The pressure on organisations is real, however, and they have to act. The best approach is to create a harmonised framework that fits the organisation, then grow and adapt it as a recognised harmonised standard is developed over the next few years.
ESG is a serious issue that organisations need to address. It impacts their culture, investor and stakeholder relations, as well as their overall reputation with their clients and the broader world.
The World Economic Forum (WEF) listed ESG risks at the top of its Global Risk Report. The significance of ESG is only expected to grow as the United States joins Europe in implementing environmental regulations, responds to the current health and safety crisis of the pandemic, and prepares to mitigate future pandemics.
The challenge for ESG reporting is the extended enterprise. Business is no longer defined by commercial property and employees. Modern business is an extended array of third-party relationships. Organisations are becoming aware that their ESG risks extend across a web of third-party relationships, often nested in layers of sub-contracting relationships and deep supply chains.
The Evolution of ESG
The list of regulations involving ESG has significantly increased over the years, and ESG is evolving into a growing regulatory burden for organisations, one that can impact an organisation’s reputation, its relationships with investors, and its overall continuity. Some of the regulations that impact ESG include, but are not limited to:
- Australia Modern Slavery Bill
- UK Modern Slavery Act
- The 2010 California Transparency in Supply Chains Act
- Dutch Child Labor Due Diligence Act
- US Conflict Minerals
Government regulators are also picking up on this. The European Union has its Directive on Corporate Due Diligence and Accountability, and Germany already has legislation to make this German law. The law covers more than internal practices and includes the extended enterprise in scope. It will require organisations to conduct ongoing due diligence of third-party relationships for environmental and human rights practices in ESG.
Organisations need to start an ESG strategy as part of the third-party risk management (TPRM) process. Implementing ESG reporting and due diligence into the organisation’s TPRM program allows the organisation to leverage the process, technology, and information that already exists. Organisations need a robust and agile framework that delivers a holistic view into the extended enterprise and can deliver automated ESG assessments and continuous monitoring of information across the organisation and its relationships.
Implementing ESG reporting and assessments into your TPRM program doesn’t just avoid potential compliance penalties or regulatory action, it’s also a smart move that aligns the organisation to the future and allows it to operate with more efficiency, effectiveness and agility.
Optimising the Organisation’s TPRM Program for the Future
The ultimate goal of any TPRM program is to build greater understanding, vision, and insight into the extended enterprise and align the organisation’s strategic and operational goals with GRC and ESG initiatives. To accomplish this, the organisation must build a framework and strategy that aligns and connects the entire organisation and the extended enterprise to better identify and mitigate risks as they emerge, and these risks now include ESG reporting and control in third-party relationships.
With initial and ongoing due diligence of third-party relationships, organisations should assess third parties in the following areas:
- Ethics: A close review and alignment of the third party’s code of conduct and culture with the organisation’s is needed to ensure that the third party is committed to the same principles of conduct as the organisation. Ethics are not just a matter of compliance, but also stretch into social activism and justice. Issues such as diversity and inclusion continue to grow in prominence, and a lack of due diligence into diversity and inclusion throughout the extended enterprise can result in severe reputational damage in this day and age and ultimately affect the bottom line. In financial services, for example, we now see regulators transforming the ethical issue of diversity into a legitimate compliance obligation for organisations.
- Environmental practices: This includes the third party’s approach and commitment to environmental stewardship, climate change, and the reduction of its carbon footprint. Leveraging third-party certifications can help your organisation incorporate data from intelligence providers and integrate it with the organisation’s TPRM functions into an information architecture that delivers a holistic approach – providing complete visibility and awareness of risk across relationships and supply chains, and breaking down the silos created by manual solutions and inadequate processes.
- Bribery and corruption: Initial and ongoing due diligence is needed to ensure that the third party does not appear on watch lists, sanctions lists, or politically exposed persons lists. The goal is to ensure that the third party’s ethics and practices are in place and that it is not entangled in bribery, corruption, money laundering, or fraud.
- Labour and human rights: There is a significant focus on human rights to address modern slavery as well as to remediate discrimination and harassment. Assessments and monitoring need to be done to ensure the third party shares the organisation’s commitment to the values of human rights and fair labour practices.
- Data protection and privacy: An aspect of ESG is the protection and control of personal information. Assessments need to be regularly conducted to ensure the organisation has the right controls and practices in place to address the privacy and data protection of individuals.
- Nested relationships: The challenge is that the extended enterprise nests itself in relationships. This includes sub-contracting relationships as well as deep supply chains. Assurance is needed that the third party is doing the same level of assessments and due diligence on its third parties that it relies on to deliver services and goods to the organisation.
Responsibility and potential consequences within TPRM for ESG cannot be outsourced, and the demand for sustainability and diversity continues to grow. According to a recent study, 91% of companies are taking sustainability into account when making purchasing decisions, and 85% of consumers are now more likely to purchase from a company with a reputation for sustainability or diversity.
Developing an integrated approach to TPRM and ESG will further drive increased effectiveness and efficiency, as well as agility, specifically in regard to identifying key third parties in the organisation’s extended enterprise and the risks associated with the services they provide. Collaboration is also paramount across organisations as technology solutions become a more mainstream way to manage third-party relationships to monitor and mitigate third-party risk exposure.
A strong and integrated TPRM process that integrates ESG, supported by an information and technology architecture, is becoming a necessity for organisations. An effective approach requires complete visibility and understanding of the interconnectedness of business relationships and their ESG risk exposure. Third-party risk management is likely to become more integrated across risk management, business operations, and resiliency as the business comes together to address ESG as part of its shared values, commitments, and culture.
You’re Only As Strong As Your Weakest Link
There’s never been a more vital time to ensure the security of your organisation and the cyber supply chain you rely on. DVV Solutions are here to help with a range of managed services and solutions proven to improve your ability to assess, analyse and manage more third-party risk domains at scale.
This article was originally published by ProcessUnity and is shared with their kind permission