ESG (Environmental, Social and Governance) has become an increasingly pivotal area of consideration for organizations in recent years. Almost all large companies are expected to meet reporting and audit requirements by investors, boards of directors, and increasingly by governments. The goal of managing ESG initiatives is for public companies to ensure their long-term sustainability. Accordingly, ESG topics can include:
Climate change and sustainability (E)
Social justice, pay equity, and worker protections (S)
Good governance, anti-bribery and corruption, and diversity – both in the workforce and at the Board of Directors level (G)
Management of ESG goes hand-in-hand with risk and compliance. Proper oversight of ESG requires expertise in third-party risk management and compliance with associated regulations. Companies’ ESG responsibilities and management of third-party risk heavily intersect due to the complexity of modern-day supply chains. This post examines ESG compliance regarding third-party risk, covers current compliance standards, as well as major legislation currently under consideration.
ESG compliance requires organizations to adhere to specific environmental, social, and governance (ESG) standards set by regulations and legislation. It involves the adoption of sustainable, ethical, and responsible practices, including the reporting of ESG activities, effective third-party risk management, and aligning business operations with ESG values. This ensures companies address their environmental impact, uphold social justice, practice good governance, and secure their long-term sustainability.
Why does ESG compliance matter for third-party risk management (TPRM)? ESG compliance requirements aim to address operational risk that impacts third parties and their extended supply chains. Public companies often have a legal responsibility to consider their third-party and extended supply chain ESG practices. They also need information to evaluate risks stemming from non-compliance with core ESG regulations.
Most ESG compliance requirements mandate reporting rather than direct action to address ESG concerns. However, two new regulations coming out of Germany and the European Union (EU) are quickly reshaping the landscape (see below for more). In addition, many ESG compliance requirements currently focus on investment and financial institutions, which are often the initial industries to face new categories of regulations.
ESG compliance requirements can largely be broken down into four categories:
Requirements for organizations to disclose ESG performance and practices
Requirements for investors to consider ESG as part of their investment planning
Specific laws that touch on parts of ESG but are not focused on ESG themselves
Requirements for organizations to audit and manage their business practices and supply chains
International regulators, particularly in the EU, are becoming increasingly concerned with ESG. Established laws such as the U.S. Foreign Corrupt Practices Act (FCPA) and UK Bribery Act deal with elements of ESG, but governments are now directly legislating requirements that encompass large swaths of ESG, from creating mandatory reporting requirements to actively ensuring corporations incorporate ESG into core decision making.
The Fighting Against Forced Labour and Child Labour in Supply Chains Act, also known as S-211, is a law that requires Canadian government institutions and select private sector entities to, “report on the measures taken to prevent and reduce the risk that forced labour or child labour is used by them or in their supply chains.” The Act also provides for an inspection regime to enforce its provisions. As with the UK Modern Slavery Act, Australia Slavery Act, and similar laws, the Act aims to contribute to the global fight against forced labour, child labour and other forms of modern slavery.
The Modern Slavery Act of 2015 is a UK law focused on preventing human trafficking, modern slavery, and forced labor in UK supply chains. Organizations are required to annually communicate their practices to ensure that forced labor and other forms of involuntary servitude are not taking place in their businesses or supply chains. The "Transparency in Supply Chains" section of the Act (Part 6, Section 54) defines what information organizations are required to disclose:
the organization’s structure, its business and its supply chains;
its policies in relation to slavery and human trafficking;
its due diligence processes in relation to slavery and human trafficking in its business and supply chains;
the parts of its business and supply chains where there is a risk of slavery and human trafficking taking place, and the steps it has taken to assess and manage that risk;
its effectiveness in ensuring that slavery and human trafficking is not taking place in its business or supply chains, measured against such performance indicators as it considers appropriate;
the training about slavery and human trafficking available to its staff.
NFRD was passed in 2018 and creates a set of reporting requirements for large EU organizations. Under NFRD, entities are required to provide regular updates regarding their ESG practices across multiple domains. Companies are allowed to choose the framework or standards which they report against based on industry fit. Large organizations with operations in the EU are required to disclose their records on:
environmental matters
social matters and treatment of employees
respect for human rights
anti-corruption and bribery
diversity on company boards (in terms of age, gender, educational and professional background)
In April of 2021, the EU released a draft directive known as the Corporate Sustainability Reporting Directive (CSRD). CSRD represents a substantial amendment to NFRD and is designed to increase both the scope and requirements of large EU companies. If adopted, CSRD would:
Expand the number of organizations to all large companies in the EU and all companies listed on EU markets (with the exception of certain narrowly defined micro-companies)
Mandate that organizations produce their ESG reports based on specific standards enacted by the EU
Mandate an audit of reported information
Require that companies produce the information in a format that is machine-readable and can feed into the EU’s capital markets union action plan
Third-Party Risk and ESG: What You Need to Know Now That It’s Happening
In this webinar, Bob Wilkinson, CEO of Cyber Marathon Solutions and former CISO at Citigroup, takes a deep look at what ESG really means for third-party risk.
The California Transparency in Supply Chains Act was one of the first laws created to enable consumers to hold companies responsible for modern slavery and human trafficking in their supply chains. Enacted on January 1, 2012 the Act requires that companies meeting the following criteria post annual, public disclosures on the steps they take to combat forced labor in their supply chains:
Companies which identify themselves as a retailer or manufacturer on their tax returns AND
Meet the legal definition of doing business in California AND
Have annual worldwide gross receipts exceeding $100,000,000
Under the Act, companies are required to provide regular disclosures about their efforts to prevent modern slavery in five key areas:
1. Verification: The organization engages in the verification of supply chains to verify that human trafficking and modern slavery aren’t present.
2. Audits: That the organization conducts audits of supply chains and third, fourth, and Nth parties to ensure compliance with organizational standards for supply chain transparency and governance.
3. Certification: That the organization requires third-parties to affirmatively certify that materials as well as vendors abide by laws and regulations in their own countries regarding forced labor and modern slavery.
4. Internal Accountability: That the organization maintains and enforces internal controls to ensure that employees and contractors meet company standards for avoiding modern slavery in the supply chain.
5. Training: That the organization provides supply chain & management personnel with training on avoiding human trafficking, forced labor, and modern slavery in the organizational supply chain.
The Sustainable Finance Disclosure Regulation went into effect in March of 2021 and is aimed at creating more transparency around ESG for financial organizations. SFDR applies to insurance, investment, banking, and other financial firms operating within the EU.
Financial entities are required to provide detailed guidance, presented in a format in accordance with standards set out in the regulation, on how they reduce any harm that may result from their investments in the environment or society more broadly. SFDR aims to:
Standardize ESG reporting across EU financial institutions
Improve transparency and accountability for sustainability claims made by financial institutions
Enable investors and clients to make informed comparisons between various financial institutions based on sustainability comparisons
CSRD applies to financial organizations that meet 2 of the following 3 criteria:
>250 Employees
>€40M in Annual Turnover
>€20M in Total Assets
Or
Listed companies on EU marketplaces (except for micro-companies with less than 10 employees or below 20 million euros in turnover)
Organizations can suffer enormous reputational damage, in addition to fines and liability for forced labor found in the supply chain. It is critical that third-party risk management professionals ensure visibility throughout the supply chain. TPRM Programs should ensure not only to consider third parties, but also perform a careful examination of fourth, and Nth party vendors in the extended supply chain.
The Foreign Corrupt Practices Act relates directly to corporate governance and poses significant penalties for organizations that attempt to bribe foreign officials. FCPA prohibits organizations from bribing or otherwise unduly influencing foreign officials or candidates for office in order to gain or retain business. FCPA applies to corporate shareholders, company offices, and employees and can extend to actions almost anywhere in the world.
Violating FCPA can result in individual criminal liability with up to 5 years in prison for individuals found guilty, and up to $2,000,000 in fines per violation for corporations.
Companies that do business in the UK need to ensure their policies, systems, and training and development programs are in compliance with the Bribery Act of 2010. The Bribery Act applies to all companies that do business in the UK, regardless of the country where the bribery activity takes place.
The act contains four types of offenses:
1) Offering or giving a bribe to another person.
2) Being bribed by another person.
3) Bribing a foreign public official.
4) A corporation failing to prevent bribery by associated persons.
The penalties for violating this act can be serious. For individuals, 10 years imprisonment and/or a fine is the maximum penalty. For corporate offenses, the maximum penalty is an unlimited fine. Corporate offenses can also entail other serious consequences including debarment from contracts, disqualification of company directors, and asset confiscation.
ABAC shouldn’t be anything new to third-party risk management departments. However, many organizations only consider ABAC compliance when onboarding new vendors without monitoring risk throughout the lifecycle of the contract. Consider using a third-party risk management platform that enables you to practice continuous ABAC monitoring across the vendor lifecycle.
Align Your TPRM Program with Expanding ESG Regulations
Download this guide to review current and future ESG standards and legislation, and learn how to prepare your TPRM program for compliance.
The Dodd-Frank Act was enacted to increase oversight of the banking industry after the 2008 U.S. financial crash. Section 1502 of the Dodd-Frank Act mandates that publicly traded companies disclose their use of conflict minerals including titanium, tin, gold, and tungsten.
Under the law, if conflict minerals are “necessary to the functionality or production of a product”, companies must be transparent about their use. These elements are often mined in conflict zones, and the trade of conflict minerals is linked to armed conflicts in Congo and other nearby countries.
Companies that profit from these minerals have a responsibility to investigate their supply chains, identify risks regarding conflict minerals, and report their findings and efforts to the SEC (U.S. Securities and Exchange Commission). There are two criteria a company must meet for their law to apply to them: 1) They file reports with the SEC under the Securities Exchange Act, and 2) The minerals are “necessary to the functionality or production of a product,” whether the products are directly manufactured by the company or if they are manufactured under third-party contracts.
If a company meets both pieces of criteria, they must conduct a Reasonable Country of Origin Inquiry for their vendors and suppliers of fine minerals, establish a process for due diligence, obtain an audit (specifically, an IPSA - independent private sector audit), and file a report with the SEC. Although assessing the source of minerals is outside the scope of companies’ main operations, failing to do so entails reputational, operational, and financial risks.
Set to be enacted on January 1, 2023, the German Supply Chain Due Diligence Act aims to better protect international human rights and the environment. The act is one of many other recent laws aiming to eliminate forced labor on a global scale and improve working conditions within supply chains. It focuses specifically on protection from modern slavery, forced labor, and child labor. It also aims to protect workers from dangerous work conditions including harm caused by pollutants, exposure to toxic chemicals, and unsafe disposal of hazardous waste.
Along with the European Corporate Due Diligence Draft Directive, the German Supply Chain Due DIligence Act represents a significant shift in the approach of governments to ensuring ESG Compliance. Reporting requirements are rapidly being superseded by laws that place a significant burden on organizations to both monitor and eliminate worker and environmental abuse from their supply chains.
ESG risk management is a major component of the requirements under The Supply Due Diligence Chain Act. Under the act, companies are obligated to conduct rigorous assessments to ensure due diligence regarding human rights and environmental standards. The first step under the act is analyzing and assessing risks within supply chains. This analysis must be conducted a minimum of once per year, and also every time the company takes on a new product or service. Risk areas specified in the act include the following:
Environmental Damage
Minimum Wage
Child labor and forced labor
Unlawful seizure of land and waters
Torture
Discrimination
Freedom of association
Problematic employment and working conditions
Occupational health and safety
Starting in January 2023, companies with activities in Germany that have more than 3,000 employees will be impacted by the German Supply Chain Due Diligence Act. Covered companies must update their processes for supply chain due diligence and align activities with the stipulations of the act. Ensuring compliance is crucial for ESG due diligence.
On February 23, 2022, the EU released draft legislation aimed at promoting transparency and ESG into EU supply chains. If adopted as currently written, the European Corporate Due Diligence Directive would constitute one of the most sweeping regulations and will affect ESG throughout the supply chain. Organizations would be required to:
Integrate due diligence into policies
Identify actual or potential adverse human rights and environmental impacts
Prevent or mitigate potential impacts
Bring to an end or minimize actual impacts
Establish and maintain a complaints procedure
Monitor the effectiveness of the due diligence policy and measures
Publicly communicate on due diligence.
EU member states will be instructed to create civil and financial penalties for companies that fail to comply, and victims would be granted a private right of action against organizations for failures that could have been avoided with appropriate due diligence measures.
Additionally, the draft directive requires that companies with more than 500 employees and in excess of 150 million euros of revenue per year “need to have a plan to ensure that their business strategy is compatible with limiting global warming to 1.5 °C in line with the Paris Agreement.”
If enacted as written, the European Corporate Due Diligence Draft Directive and German Supply Chain Due Diligence laws will create sweeping change for entities operating within the EU. Affected organizations will need to perform a thorough review of their current supply chain, and create documented processes for eliminating forced labor and environmental degradation throughout the extended supply chain. We expect that the European Corporate Due Diligence Directive will likely solidify ESG as a major component of an effective TPRM compliance program.
Today, much ESG compliance is a voluntary activity, but this “‘soft law”’ is likely to quickly become “‘hard law”’ in the future as various government regulators both in the U.S. and European Union move forward to implement new ESG regulations.
What started out as a way to discourage investing in companies that did not have an ESG focus has now evolved to positive momentum and greater investments flowing into companies that have high ESG measurements. These metrics have also made their way into executive briefings at annual company reporting events.
How Does ESG Fit Into Your TPRM Program?
Our 14-page guide shares a best practices framework for incorporating ESG into your third-party risk management program.
For large organizations, having a focused, dedicated approach to ESG is becoming a requirement. A good place to start is to look at ESG risks at every stage of your supplier relationships, and consider:
Using ESG criteria when making new vendor sourcing decisions
Identifying which ESG compliance requirements apply to your organization
Onboarding and tiering vendors based on their ESG scores to help dictate further diligence
Building a vendor profile that includes current ESG ratings and scores visible throughout the enterprise
Continually assessing and monitoring third parties against specific ESG requirements such as supplier reputation, sanctions, geo-political issues, financial governance, and transparency
Building regulatory-specific reporting against standards and requirements
Companies need to be proactive to effectively manage ESG risk. Ensuring that third-party risk management programs incorporate ESG risk management enables companies to position themselves well for the day when (not if) ESG regulations are implemented.
To learn how Prevalent can help you achieve your ESG compliance goals, request a demo today.
Enhanced cybersecurity supply chain risk management guidance has arrived with the final NIST CSF 2.0. Check...
09/25/2024
Learn how integrating the NIST Privacy Framework with third-party risk management (TPRM) helps organizations enhance data...
09/12/2024
Consider these best practices to ensure third-party service providers adequately protect your customer NPI data.
09/04/2024