How to Reduce ESG Risks from Vendors and Suppliers

A new analyst report from GRC 20/20 shares best practices for mitigating ESG risks in your third-party ecosystem.
Scott Lang
VP, Product Marketing
October 13, 2021

Third-party environmental, social and governance (ESG) risk assessments are an important way to ensure that your company works with partners that share its values. At the same time, they can help to head off reputational damage, operational disruptions, and regulatory penalties stemming from ESG issues in your supply chain.

However, the Prevalent 2021 Third-Party Risk Management Study revealed that only 45% of companies actively track ESG risks in their extended ecosystems. What’s keeping organizations from assessing third-party ESG risks?

In this article, we outline the third-party ESG regulatory environment; uncover common hurdles to ESG risk assessments; and share some best practices for addressing ESG in your third-party risk management program.

Third-Party ESG Regulatory Oversight is Expanding

Although ESG risks aren’t new, lawmakers are getting more aggressive in enacting legislation to address environmental threats, hiring and labor inequities, and corporate governance issues (e.g., bribery and corruption). Examples include:

  • California Transparency in Supply Chains Act requires companies to disclose their efforts to ensure that the goods they sell are not produced by workers who are forced into servitude.
  • European Corporate Due Diligence Act aims to unify European Union (E.U.) member states’ approaches to enforcing human rights and environmental laws at the weakest points in organizations’ value chains: their third-party relationships.
  • U.K. Bribery Act encourages companies to validate supplier anti-bribery practices with external verification and monitoring.
  • U.K. Modern Slavery Act requires organizations to publish an annual statement detailing the steps taken to ensure that modern slavery is not taking place in the business or their supply chain.
  • U.S. Foreign Corrupt Practices Act improves corporate governance practices by requiring companies listed in the U.S. to keep records and maintain internal accounting controls to detect transactions that could be considered as bribery.

Each of these laws outlines tangible penalties for offending companies, and some also impose liabilities on organizations that contract the services of offenders.

Manual Assessment Processes Complicate Third-Party ESG Assessments and Reporting

The Prevalent study showing that less than half of companies actively track ESG risks also revealed that 42% of organizations still use spreadsheets to assess their third parties. Collecting environmental impact statements, hiring guidelines, and governance practices from large vendor communities can be a crushing manual process with no way to consistently reveal, score or weight risks. Relying on manual processes saddles risk management teams with inefficiencies, limits actionable insights, and can result in important risks being overlooked.

Best Practices for Third-Party ESG Risk Assessments

Public scrutiny of ESG practices is on the rise, and penalties for ESG shortfalls are getting more severe. This increased focus has exposed the cracks in manual approaches to evaluating ESG risks from vendors and suppliers. So, how can you ensure that your organization is insulated from these risks?

GRC 20/20 has published a new report, Managing ESG Risks Across the Extended Enterprise, that reviews the most important best practices to consider when determining how to expand third-party risk management to include ESG risks. Here’s a preview of some of the best practices you’ll find in the report.

  • Profile vendors to scope assessments: Categorizing third parties based on industry, location, services performed, and regulatory profile can help to prioritize and plan your ESG risk assessments.
  • Perform initial due diligence: During the onboarding phase, check the new vendor against ESG databases such as watch/sanction lists, politically exposed persons lists, security ratings, financial ratings, and reputation/brand lists.
  • Execute ongoing due diligence: Go beyond initial database checks by conducting automated third-party assessments that leverage regulatory-specific questionnaires and require evidence for validation.
  • Report on key ESG requirements: Conduct regulatory-specific reporting and align ESG risks against cybersecurity, data privacy, and financial risks for a more holistic view of each third party.

The report goes on to identify key capabilities in the Prevalent Third-Party Risk Management Platform that deliver on these best practices.

Next Steps for Third-Party ESG Risk Management

For a complete analysis of third-party ESG risks and how Prevalent can help, download Managing ESG Risks Across the Extended Enterprise, learn more about our ESG solutions, or request a demo today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.