ESG and Risk Management in the Extended Enterprise: A Quick Guide

Today, organizations are increasingly challenged to address environmental, social and governance (ESG) practices and reporting. Stakeholders, customers and regulators want to ensure that the companies they interact with and invest in share the same values and commitments that they do. The heart of ESG is about the integrity of the organization. What the organization commits to – the organization’s obligations whether voluntary, regulatory or contractual – is a reality throughout the organization.

What is ESG?

ESG covers a wide spectrum of a company’s conduct:

• E = Environmental: Measures and reports on the organization’s values and commitments regarding stewardship of the natural world and environment. It includes reporting and monitoring of the organization’s environmental initiatives for climate change, waste management, pollution, resource use and depletion, greenhouse gasses, and such.
• S = Social: Measures and reports on the organization’s values and commitments regarding how it treats people. This includes employee and customer/partner relations, human rights (e.g., anti-slavery), diversity and inclusion, anti-harassment and discrimination, the privacy of individuals (both employees and others), working conditions and labor standards (e.g., child labor, forced labor, health and safety), and how the company participates and gives back to society and the communities it operates within.
• G = Governance: Measures and reports on the culture and behaviors of the organization in context and alignment to its values and commitment. This includes finance and tax strategies, whistleblower and reporting of issues, resiliency, anti-bribery and corruption, security, board/executive diversity and structure, and overall transparency and accountability.

The greatest ESG challenge in organizations is the extended enterprise. Today’s modern organization is not about brick-and-mortar walls and traditional employees. The modern organization is an extended web of third-party relationships of suppliers, vendors, contractors, outsourcers, service providers, temporary workers, brokers, agents, dealers, intermediaries and partners. In fact, while walking down the halls of an organization and sitting in meetings you might find that half the people you interact with are not employees, but third parties. This is further complicated when these relationships nest themselves in subcontracting relationships and nested supply chains.

ESG Compliance

Regulators are particularly focused on ESG compliance, and there have been aspects of ESG in regulations for quite some time. A few anti-bribery and corruption (ABAC) examples include the United States’ Foreign Corruption Practices Act (FCPA), the United Kingdom’s Bribery Act (UKBA), and France’s Sapin II. There are human rights laws and regulations as well, including the U.S. Uyghur Forced Labor Prevention Act, the UK Modern Slavery Act, the U.S. Conflict Minerals Law under the Dodd Frank Act, and the California Transparency in Supply Chains Act. And of course, ESG includes privacy related laws such as the European Union’s General Data Protection Regulation (GDPR), California’s Consumer Data Protection Regulation (CDPR), and many more. Every one of these regulations touches on facets of ESG and each impacts the extended enterprise of third-party relationships.

Now we are seeing even broader ESG regulations. The European Union is moving forward with the Directive on Corporate Due Diligence and Accountability, which will most likely become final legislation this summer. This requires ongoing due diligence within the organization and throughout its extended third-party relationships for environmental and human rights initiatives and reporting. Germany has already moved forward with its law to support this in the German Due Diligence Act, which also will be finalized this summer. The German law is often referred to as the Supply Chains Act as the dominant focus is on ESG practices across an organization’s third-party relationships.