Today, organizations are increasingly challenged to address environmental, social and governance (ESG) practices and reporting. Stakeholders, customers and regulators want to ensure that the companies they interact with and invest in share the same values and commitments that they do. The heart of ESG is about the integrity of the organization. What the organization commits to – the organization’s obligations whether voluntary, regulatory or contractual – is a reality throughout the organization.
ESG covers a wide spectrum of a company’s conduct:
The greatest ESG challenge in organizations is the extended enterprise. Today’s modern organization is not about brick-and-mortar walls and traditional employees. The modern organization is an extended web of third-party relationships of suppliers, vendors, contractors, outsourcers, service providers, temporary workers, brokers, agents, dealers, intermediaries and partners. In fact, while walking down the halls of an organization and sitting in meetings you might find that half the people you interact with are not employees, but third parties. This is further complicated when these relationships nest themselves in subcontracting relationships and nested supply chains.
Regulators are particularly focused on ESG compliance, and there have been aspects of ESG in regulations for quite some time. A few anti-bribery and corruption (ABAC) examples include the United States’ Foreign Corruption Practices Act (FCPA), the United Kingdom’s Bribery Act (UKBA), and France’s Sapin II. There are human rights laws and regulations as well, including the U.S. Uyghur Forced Labor Prevention Act, the UK Modern Slavery Act, the U.S. Conflict Minerals Law under the Dodd Frank Act, and the California Transparency in Supply Chains Act. And of course, ESG includes privacy related laws such as the European Union’s Global Data Protection Regulation (GDPR), California’s Consumer Data Protection Regulation (CDPR), and many more. Every one of these regulations touches on facets of ESG and each impacts the extended enterprise of third-party relationships.
Now we are seeing even broader ESG regulations. The European Union is moving forward with the Directive on Corporate Due Diligence and Accountability, which will most likely become final legislation this summer. This requires ongoing due diligence within the organization and throughout its extended third-party relationships for environmental and human rights initiatives and reporting. Germany has already moved forward with its law to support this in the German Due Diligence Act, which also will be finalized this summer. The German law is often referred to as the Supply Chains Act as the dominant focus is on ESG practices across an organization’s third-party relationships.
Managing ESG Risks Across the Extended Enterprise
This analyst report from GRC 20/20 uncovers best practices for including ESG in your third-party risk management program.
The writing is on the wall: organizations need to start structuring their ESG strategies, processes and reporting. This is particularly critical in the context of complexity of the extended enterprise. Some key components that need to be addressed in third-party governance and risk management are:
The reality is that the modern organization with its web of third-party relationships cannot realistically manage ESG processes and deliver timely insight with manual processes that manage this in documents, spreadsheets and emails. Relying on manual processes will bog the organization down in inefficiency, lack of insight into risks, and things slipping through cracks and getting missed. Organizations need a robust information and technology architecture for third-party governance, risk management and compliance to deliver on ESG due diligence and reporting across the extended enterprise.