ESG and Risk Management in the Extended Enterprise: A Quick Guide

Environmental, social and governance practices are under increasing regulatory scrutiny. How well is your third-party risk management program structured to assess these risks?
Michael Rasmussen
GRC Analyst & Pundit, GRC 20/20 Research
April 26, 2021
Blog esg risk management 0421

Today, organizations are increasingly challenged to address environmental, social and governance (ESG) practices and reporting. Stakeholders, customers and regulators want to ensure that the companies they interact with and invest in share the same values and commitments that they do. The heart of ESG is about the integrity of the organization. What the organization commits to – the organization’s obligations whether voluntary, regulatory or contractual – is a reality throughout the organization.

What is ESG?

ESG covers a wide spectrum of a company’s conduct:

  • E = Environmental: Measures and reports on the organization’s values and commitments regarding stewardship of the natural world and environment. It includes reporting and monitoring of the organization’s environmental initiatives for climate change, waste management, pollution, resource use and depletion, greenhouse gasses, and such.
  • S = Social: Measures and reports on the organization’s values and commitments regarding how it treats people. This includes employee and customer/partner relations, human rights (e.g., anti-slavery), diversity and inclusion, anti-harassment and discrimination, the privacy of individuals (both employees and others), working conditions and labor standards (e.g., child labor, forced labor, health and safety), and how the company participates and gives back to society and the communities it operates within.
  • G = Governance: Measures and reports on the culture and behaviors of the organization in context and alignment to its values and commitment. This includes finance and tax strategies, whistleblower and reporting of issues, resiliency, anti-bribery and corruption, security, board/executive diversity and structure, and overall transparency and accountability.

The greatest ESG challenge in organizations is the extended enterprise. Today’s modern organization is not about brick-and-mortar walls and traditional employees. The modern organization is an extended web of third-party relationships of suppliers, vendors, contractors, outsourcers, service providers, temporary workers, brokers, agents, dealers, intermediaries and partners. In fact, while walking down the halls of an organization and sitting in meetings you might find that half the people you interact with are not employees, but third parties. This is further complicated when these relationships nest themselves in subcontracting relationships and nested supply chains.

ESG Compliance

Regulators are particularly focused on ESG compliance, and there have been aspects of ESG in regulations for quite some time. A few anti-bribery and corruption (ABAC) examples include the United States’ Foreign Corruption Practices Act (FCPA), the United Kingdom’s Bribery Act (UKBA), and France’s Sapin II. There are human rights laws and regulations as well, including the U.S. Uyghur Forced Labor Prevention Act, the UK Modern Slavery Act, the U.S. Conflict Minerals Law under the Dodd Frank Act, and the California Transparency in Supply Chains Act. And of course, ESG includes privacy related laws such as the European Union’s General Data Protection Regulation (GDPR), California’s Consumer Data Protection Regulation (CDPR), and many more. Every one of these regulations touches on facets of ESG and each impacts the extended enterprise of third-party relationships.

Now we are seeing even broader ESG regulations. The European Union is moving forward with the Directive on Corporate Due Diligence and Accountability, which will most likely become final legislation this summer. This requires ongoing due diligence within the organization and throughout its extended third-party relationships for environmental and human rights initiatives and reporting. Germany has already moved forward with its law to support this in the German Due Diligence Act, which also will be finalized this summer. The German law is often referred to as the Supply Chains Act as the dominant focus is on ESG practices across an organization’s third-party relationships.

Managing ESG Risks Across the Extended Enterprise

This analyst report from GRC 20/20 uncovers best practices for including ESG in your third-party risk management program.

Read Now
Blog managing esg 1021

How ESG Impacts Third-Party Relationships

The writing is on the wall: organizations need to start structuring their ESG strategies, processes and reporting. This is particularly critical in the context of complexity of the extended enterprise. Some key components that need to be addressed in third-party governance and risk management are:

  • Scope of ESG. There is no one-size-fits-all ESG program that is good for organizations across industries and of different sizes. While there are common elements, the ESG risks in financial services are different from those in a petroleum company. Each organization is going to have look at the nature of the organization and define their ESG scope and program based on its risk and regulatory profile.
  • Categorization of third parties by ESG risk. To address ESG in the extended enterprise requires a clear understanding of what types of relationships the organization has, where in the world these relationships operate, and the risks each relationship brings in context of ESG to the organization.
  • Initial due diligence. Organizations will need a documented and established process to onboard new relationships. This requires validating the relationship against external ESG database checks such as watch/sanction lists, politically exposed persons lists, security ratings, financial ratings, and reputation/brand lists. It will also require a thorough assessment of third parties through an onboarding assessment questionnaire and may require onsite inspections/audits in some areas. As part of this process, it is necessary that the third-party acknowledge and attest/agree to related policies such as a supply chain/vendor code of conduct.
  • Ongoing due diligence. The challenge is that due diligence/assessment is not a one-time activity, but a continuous, ongoing process. This involves regular consistent third-party database checks as well as periodic assessments through questionnaires and inspections. Database checks of third parties against lists can be done on a daily continuous basis, while periodic assessments surveys are typically done on an annual basis. However, when key risk indicators are triggered, such as an issue found in one supplier, it may kick off an assessment outside the periodic assessments.
  • ESG reporting. This whole process comes back to having a defensible ESG reporting capability. The organization needs to be able to provide a clear picture into ESG across their extended third-party relationships and have this role up into the broader organizational ESG reporting and disclosure processes.

The reality is that the modern organization with its web of third-party relationships cannot realistically manage ESG processes and deliver timely insight with manual processes that manage this in documents, spreadsheets and emails. Relying on manual processes will bog the organization down in inefficiency, lack of insight into risks, and things slipping through cracks and getting missed. Organizations need a robust information and technology architecture for third-party governance, risk management and compliance to deliver on ESG due diligence and reporting across the extended enterprise.

Michael rasmussen
Michael Rasmussen
GRC Analyst & Pundit, GRC 20/20 Research

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 28+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo