
ESG Compliance: Understanding the Patchwork of ESG Regulations

Proper oversight of ESG requires expertise in third-party risk management and compliance with associated regulations. Here's an overview of ESG compliance standards enacted by various governments, as well as major legislation currently under consideration.
By: Scott Lang, VP, Product Marketing
May 09, 2022

ESG (Environmental, Social and Governance) has become an increasingly pivotal area of consideration for organizations in recent years. Almost all large companies are expected to meet reporting and audit requirements by investors, boards of directors, and increasingly by governments. The goal of managing ESG initiatives is for public companies to ensure their long-term sustainability. Accordingly, ESG topics can include:

  • Climate change and sustainability (E)

  • Social justice, pay equity, and worker protections (S)

  • Good governance, anti-bribery and corruption, and diversity – both in the workforce and at the Board of Directors level (G)

Management of ESG goes hand-in-hand with risk and compliance. Proper oversight of ESG requires expertise in third-party risk management and compliance with associated regulations. Companies’ ESG responsibilities and management of third-party risk heavily intersect due to the complexity of modern-day supply chains. This post covers compliance standards enacted by various governments, as well as major legislation currently under consideration.

ESG Compliance and Third-Party Risk Management

Why does ESG compliance matter for third-party risk management (TPRM)? ESG compliance requirements aim to address operational risk that impacts third parties and their extended supply chains. Public companies often have a legal responsibility to consider their third-party and extended supply chain ESG practices. They also need information to evaluate risks stemming from non-compliance with core ESG regulations.

ESG Compliance Requirements

Most ESG compliance requirements mandate reporting rather than direct action to address ESG concerns. However, two new regulations coming out of Germany and the European Union (EU) are quickly reshaping the landscape (see below for more). In addition, many ESG compliance requirements currently focus on investment and financial institutions, which are often the initial industries to face new categories of regulations.

ESG compliance requirements can largely be broken down into four categories:

  1. Requirements for organizations to disclose ESG performance and practices

  2. Requirements for investors to consider ESG as part of their investment planning

  3. Specific laws that touch on parts of ESG but are not focused on ESG themselves

  4. Requirements for organizations to audit and manage their business practices and supply chains

International regulators, particularly in the EU, are becoming increasingly concerned with ESG. Established laws such as the U.S. Foreign Corrupt Practices Act (FCPA) and UK Bribery Act deal with elements of ESG, but governments are now directly legislating requirements that encompass large swaths of ESG, from creating mandatory reporting requirements to actively ensuring corporations incorporate ESG into core decision making.

ESG Transparency & Reporting Compliance Requirements

Modern Slavery Act 2015

The Modern Slavery Act of 2015 is a UK law focused on preventing human trafficking, modern slavery, and forced labor in UK supply chains. Organizations are required to annually communicate their practices to ensure that forced labor and other forms of involuntary servitude are not taking place in their businesses or supply chains. The "Transparency in Supply Chains" section of the Act (Part 6, Section 54) defines what information organizations are required to disclose:

  • the organization’s structure, its business and its supply chains;

  • its policies in relation to slavery and human trafficking;

  • its due diligence processes in relation to slavery and human trafficking in its business and supply chains;

  • the parts of its business and supply chains where there is a risk of slavery and human trafficking taking place, and the steps it has taken to assess and manage that risk;

  • its effectiveness in ensuring that slavery and human trafficking is not taking place in its business or supply chains, measured against such performance indicators as it considers appropriate;

  • the training about slavery and human trafficking available to its staff.

Non-Financial Reporting Directive (NFRD) and the Corporate Sustainability Reporting Directive (CSRD)

NFRD was passed in 2018 and creates a set of reporting requirements for large EU organizations. Under NFRD, entities are required to provide regular updates regarding their ESG practices across multiple domains. Companies are allowed to choose the framework or standards which they report against based on industry fit. Large organizations with operations in the EU are required to disclose their records on:

  • environmental matters

  • social matters and treatment of employees

  • respect for human rights

  • anti-corruption and bribery

  • diversity on company boards (in terms of age, gender, educational and professional background)

In April of 2021, the EU released a draft directive known as the Corporate Sustainability Reporting Directive (CSRD). CSRD represents a substantial amendment to NFRD and is designed to increase both the scope and requirements of large EU companies. If adopted, CSRD would:

  • Expand the number of organizations to all large companies in the EU and all companies listed on EU markets (with the exception of certain narrowly defined micro-companies)

  • Mandate that organizations produce their ESG reports based on specific standards enacted by the EU

  • Mandate an audit of reported information

  • Require that companies produce the information in a format that is machine-readable and can feed into the EU’s capital markets union action plan


California Transparency in Supply Chains Act (CTSCA)

The California Transparency in Supply Chains Act was one of the first laws created to enable consumers to hold companies responsible for modern slavery and human trafficking in their supply chains. Enacted on January 1, 2012, the Act requires that companies meeting the following criteria post annual, public disclosures on the steps they take to combat forced labor in their supply chains:

  • Companies which identify themselves as a retailer or manufacturer on their tax returns AND

  • Meet the legal definition of doing business in California AND

  • Have annual worldwide gross receipts exceeding $100,000,000

Under the Act, companies are required to provide regular disclosures about their efforts to prevent modern slavery in five key areas:

1. Verification: Whether the organization verifies its supply chains to confirm that human trafficking and modern slavery are not present.

2. Audits: Whether the organization conducts audits of supply chains and third, fourth, and Nth parties to ensure compliance with organizational standards for supply chain transparency and governance.

3. Certification: Whether the organization requires third parties to affirmatively certify that materials as well as vendors abide by the laws and regulations of their own countries regarding forced labor and modern slavery.

4. Internal Accountability: Whether the organization maintains and enforces internal controls to ensure that employees and contractors meet company standards for avoiding modern slavery in the supply chain.

5. Training: Whether the organization provides supply chain and management personnel with training on avoiding human trafficking, forced labor, and modern slavery in the organizational supply chain.

Sustainable Finance Disclosure Regulation (SFDR)

The Sustainable Finance Disclosure Regulation went into effect in March of 2021 and is aimed at creating more transparency around ESG for financial organizations. SFDR applies to insurance, investment, banking, and other financial firms operating within the EU.

Financial entities are required to provide detailed guidance, presented in a format in accordance with standards set out in the regulation, on how they reduce any harm that may result from their investments in the environment or society more broadly. SFDR aims to:

  • Standardize ESG reporting across EU financial institutions

  • Improve transparency and accountability for sustainability claims made by financial institutions

  • Enable investors and clients to make informed comparisons between various financial institutions based on sustainability comparisons

CSRD applies to financial organizations that meet 2 of the following 3 criteria:

  • >250 Employees

  • >€40M in Annual Turnover

  • >€20M in Total Assets

Or

  • Listed companies on EU marketplaces (except for micro-companies with less than 10 employees or below 20 million euros in turnover)

Key Supply Chain Transparency Considerations for Third-Party Risk Management Programs

Organizations can suffer enormous reputational damage, in addition to fines and liability, when forced labor is found in the supply chain. It is critical that third-party risk management professionals ensure visibility throughout the supply chain. TPRM programs should not only consider third parties, but also carefully examine fourth and Nth party vendors in the extended supply chain.

Anti-Bribery and Anti-Corruption (ABAC) Compliance Requirements

U.S. Foreign Corrupt Practices Act

The Foreign Corrupt Practices Act relates directly to corporate governance and poses significant penalties for organizations that attempt to bribe foreign officials. FCPA prohibits organizations from bribing or otherwise unduly influencing foreign officials or candidates for office in order to gain or retain business. FCPA applies to corporate shareholders, company officers, and employees and can extend to actions almost anywhere in the world.

Violating FCPA can result in individual criminal liability with up to 5 years in prison for individuals found guilty, and up to $2,000,000 in fines per violation for corporations.

Bribery Act of 2010 (UK)

Companies that do business in the UK need to ensure their policies, systems, and training and development programs are in compliance with the Bribery Act of 2010. The Bribery Act applies to all companies that do business in the UK, regardless of the country where the bribery activity takes place.

The act contains four types of offenses:

1) Offering or giving a bribe to another person.

2) Being bribed by another person.

3) Bribing a foreign public official.

4) A corporation failing to prevent bribery by associated persons.

The penalties for violating this act can be serious. For individuals, 10 years imprisonment and/or a fine is the maximum penalty. For corporate offenses, the maximum penalty is an unlimited fine. Corporate offenses can also entail other serious consequences including debarment from contracts, disqualification of company directors, and asset confiscation.

Key ABAC Considerations for Third-Party Risk Management Programs

ABAC shouldn’t be anything new to third-party risk management departments. However, many organizations only consider ABAC compliance when onboarding new vendors without monitoring risk throughout the lifecycle of the contract. Consider using a third-party risk management platform that enables you to practice continuous ABAC monitoring across the vendor lifecycle.


Beyond Reporting: Laws that Mandate Affirmative ESG Action

U.S. Conflict Minerals Law (Section 1502 of the Dodd-Frank Act)

The Dodd-Frank Act was enacted to increase oversight of the banking industry after the 2008 U.S. financial crash. Section 1502 of the Dodd-Frank Act mandates that publicly traded companies disclose their use of conflict minerals including titanium, tin, gold, and tungsten.

Under the law, if conflict minerals are “necessary to the functionality or production of a product”, companies must be transparent about their use. These elements are often mined in conflict zones, and the trade of conflict minerals is linked to armed conflicts in Congo and other nearby countries.

Companies that profit from these minerals have a responsibility to investigate their supply chains, identify risks regarding conflict minerals, and report their findings and efforts to the SEC (U.S. Securities and Exchange Commission). There are two criteria a company must meet for the law to apply to it: 1) it files reports with the SEC under the Securities Exchange Act, and 2) the minerals are “necessary to the functionality or production of a product,” whether the products are directly manufactured by the company or manufactured under third-party contracts.

If a company meets both pieces of criteria, they must conduct a Reasonable Country of Origin Inquiry for their vendors and suppliers of fine minerals, establish a process for due diligence, obtain an audit (specifically, an IPSA - independent private sector audit), and file a report with the SEC. Although assessing the source of minerals is outside the scope of companies’ main operations, failing to do so entails reputational, operational, and financial risks.

German Supply Chain Due Diligence Act

Set to be enacted on January 1, 2023, the German Supply Chain Due Diligence Act aims to better protect international human rights and the environment. The act is one of many other recent laws aiming to eliminate forced labor on a global scale and improve working conditions within supply chains. It focuses specifically on protection from modern slavery, forced labor, and child labor. It also aims to protect workers from dangerous work conditions including harm caused by pollutants, exposure to toxic chemicals, and unsafe disposal of hazardous waste.

Along with the European Corporate Due Diligence Draft Directive, the German Supply Chain Due Diligence Act represents a significant shift in the approach of governments to ensuring ESG compliance. Reporting requirements are rapidly being superseded by laws that place a significant burden on organizations to both monitor and eliminate worker and environmental abuse from their supply chains.

ESG risk management is a major component of the requirements under the Supply Chain Due Diligence Act. Under the act, companies are obligated to conduct rigorous assessments to ensure due diligence regarding human rights and environmental standards. The first step under the act is analyzing and assessing risks within supply chains. This analysis must be conducted a minimum of once per year, and also every time the company takes on a new product or service. Risk areas specified in the act include the following:

  • Environmental Damage

  • Minimum Wage

  • Child labor and forced labor

  • Unlawful seizure of land and waters

  • Torture

  • Discrimination

  • Freedom of association

  • Problematic employment and working conditions

  • Occupational health and safety

Starting in January 2023, companies with activities in Germany that have more than 3,000 employees will be impacted by the German Supply Chain Due Diligence Act. Covered companies must update their processes for supply chain due diligence and align activities with the stipulations of the act. Ensuring compliance is crucial for ESG due diligence.

European Corporate Due Diligence Draft Directive

On February 23, 2022, the EU released draft legislation aimed at promoting transparency and ESG in EU supply chains. If adopted as currently written, the European Corporate Due Diligence Directive would constitute one of the most sweeping regulations and would affect ESG throughout the supply chain. Organizations would be required to:

  • Integrate due diligence into policies

  • Identify actual or potential adverse human rights and environmental impacts

  • Prevent or mitigate potential impacts

  • Bring to an end or minimize actual impacts

  • Establish and maintain a complaints procedure

  • Monitor the effectiveness of the due diligence policy and measures

  • Publicly communicate on due diligence.

EU member states will be instructed to create civil and financial penalties for companies that fail to comply, and victims would be granted a private right of action against organizations for failures that could have been avoided with appropriate due diligence measures.

Additionally, the draft directive requires that companies with more than 500 employees and in excess of 150 million euros of revenue per year “need to have a plan to ensure that their business strategy is compatible with limiting global warming to 1.5 °C in line with the Paris Agreement.”

Key Considerations for Third-Party Risk Management Programs

If enacted as written, the European Corporate Due Diligence Draft Directive and German Supply Chain Due Diligence laws will create sweeping change for entities operating within the EU. Affected organizations will need to perform a thorough review of their current supply chain, and create documented processes for eliminating forced labor and environmental degradation throughout the extended supply chain. We expect that the European Corporate Due Diligence Directive will likely solidify ESG as a major component of an effective TPRM compliance program.

ESG Compliance Enforcement

Today, much ESG compliance is a voluntary activity, but this “soft law” is likely to quickly become “hard law” in the future as various government regulators both in the U.S. and European Union move forward to implement new ESG regulations.

What started out as a way to discourage investing in companies that did not have an ESG focus has now evolved to positive momentum and greater investments flowing into companies that have high ESG measurements. These metrics have also made their way into executive briefings at annual company reporting events.

Next Steps for ESG Compliance

For large organizations, having a focused, dedicated approach to ESG is becoming a requirement. A good place to start is to look at ESG risks at every stage of your supplier relationships, and consider:

  • Using ESG criteria when making new vendor sourcing decisions

  • Identifying which ESG compliance requirements apply to your organization

  • Onboarding and tiering vendors based on their ESG scores to help dictate further diligence

  • Building a vendor profile that includes current ESG ratings and scores visible throughout the enterprise

  • Continually assessing and monitoring third parties against specific ESG requirements such as supplier reputation, sanctions, geo-political issues, financial governance, and transparency

  • Building regulatory-specific reporting against standards and requirements

Companies need to be proactive to effectively manage ESG risk. Ensuring that third-party risk management programs incorporate ESG risk management enables companies to position themselves well for the day when (not if) ESG regulations are implemented.

Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.