EU Corporate Sustainability Reporting Directive (CSRD): Third-Party Risk Management Considerations

The EU has adopted new sustainability reporting standards. Follow these best practices to simplify and get ahead of third-party supplier and vendor ESG assessment requirements.
Scott Lang
VP, Product Marketing
February 09, 2023

In November 2022, the European Union (EU) Parliament adopted the Corporate Sustainability Reporting Directive (CSRD), a new law that will require companies to report on environmental, social and governance (ESG) matters, including those that arise from their supply chains, as part of their regular company disclosures. This new reporting was developed to address long-standing concerns that non-financial reporting among EU firms was inconsistent and failed to produce reliable progress toward sustainability goals.

Firms required to report on the new standards include large EU companies with more than 250 employees and €40 million in turnover and/or more than €20 million in total assets, as well as all listed companies that have to report against existing Non-Financial Reporting Directive (NFRD) requirements. Reporting begins in January 2025 using 2024 data, so now is the time to consider how the mandate will impact your third-party risk management program.

This post examines the CSRD’s new sustainability standards and provides best practices recommendations for getting ahead of the inevitable third-party vendor and supplier ESG reporting requirements.

CSRD Reporting Standards

The European Financial Reporting Advisory Group (EFRAG), a supporting organization to the EU Council, has been tasked with helping to develop requirements that will inform reporting obligations. The requirements are called European Sustainability Reporting Standards (ESRS) and generally align with traditional environmental, social and governance (ESG) categories, including:

  • Environment: climate change; pollution; water and marine resources; biodiversity and ecosystems; and resource use and the circular economy
  • Social: own workforce; workers in the value chain; affected communities; and consumers and end users
  • Governance: governance, risk management and internal control; and business conduct

In addition, the law includes “cross-cutting standards” including strategy and business model; governance and organization; impacts, risks and opportunities; implementation measures covering policies, targets, actions and action plans; allocation of resources; and performance measurement.

In general, reporting requirements must examine sustainability risk affecting the company, and the company’s impact on society and the environment. Disclosures should also:

  • Be certified by an external auditor
  • Align with EU Taxonomy
  • Be delivered in a single management report that is machine readable

Companies will be required to publish separate sustainability statements as part of their regular management reports. Therefore, to address the reporting requirements against published targets, organizations will need to conduct a thorough due diligence process that includes not only their own internal initiatives, but also those of their third-party vendors, suppliers and partners.

Prepare for CSRD Compliance: Best Practices for ESG and Third-Party Risk Management

To better position your organization to report against your third parties’ ESG impacts, consider these four best practices:

1. Include ESG requirements in supplier contracts to enforce adherence

Since sustainability reporting will now be mandatory, include enforceable ESG provisions in your third-party vendor and supplier contracts. Centralizing ESG provisions in a platform will enable you to automatically create and track key performance indicators (KPIs) against acceptable ESG thresholds and alert suppliers proactively if they are falling short of agreed-upon measures, thereby reducing possible future reporting burdens.

2. Build a comprehensive supplier profile to centralize key ESG metrics

Centralizing key vendor metrics into a single source of truth, and making it available to all internal teams responsible for managing supplier relationships, improves accountability and simplifies reporting. ESG-specific data to centralize can include:

  • Environmental: High-level ESG scores and any information on ecological violations
  • Social: Modern Slavery statements and business insights
  • Governance: Corruption Perception Index (CPI) scores, regulatory findings, and sanctions that could signal poor corporate governance


3. Perform assessments against third-party ESG policies and practices

Next, go beyond initial database checks by conducting third-party risk assessments that leverage regulatory-specific questionnaires and require evidence for validation. Leveraging an automated platform for assessing, analyzing and scoring vendors against acceptable ESG risk thresholds saves time and enables mapping to multiple reporting regimes such as the International Sustainability Standards Board’s (ISSB) Sustainability Disclosure Standards or the U.S. Securities and Exchange Commission’s (SEC) proposed new climate-related disclosure requirements.

Third-party risk management platforms will enable you to extend role-based access to external auditors, and include built-in remediation guidance to recommend to vendors and suppliers to get them into compliance with your company’s policies.

4. Continuously monitor vendors and suppliers for potential ESG problems

Once assessments are complete, enable continuous vendor monitoring in specific ESG domains to validate the effectiveness of their policies. Commonly used monitoring sources include:

Monitoring these sources individually can be a real headache, so look for continuous monitoring solutions that centralize this data and automatically correlate it against assessment findings and internal governance policies.

Next Steps to Meet CSRD Third-Party Risk Management Requirements

The Prevalent Third-Party Risk Management Platform includes capabilities to assess third parties against a number of ESG topics with built-in questionnaire templates, and validate the findings with continuous external monitoring into vendor practices. Prevalent enables you to:

  • Rapidly pre-screen vendors against important ESG measures using continuously updated risk profiles
  • Centralize the onboarding, distribution, discussion, retention, and review of vendor contracts, ensuring consistent enforcement and measurement of ESG requirements
  • Build supplier profiles by tapping into 550,000+ sources of vendor intelligence, plus a feed reporting on the ESG status of 12,000 companies
  • Track and quantify inherent risks for all onboarded suppliers
  • Assess suppliers against ESG criteria using industry-standard questionnaires, the Prevalent Compliance Framework (PCF), or customizable questionnaires
  • Continuously monitor suppliers for reputation and sanctions, financial governance and transparency, and politically exposed persons (PEPs), correlating assessment results and continuous monitoring intelligence
  • Take actionable steps to reduce ESG risk with built-in remediation recommendations and guidance
  • Store and distribute energy, pollution, diversity, accounting and conflict of interest policy documents and more for dialog and attestation
  • Report on ESG requirements using built-in regulatory reporting templates

For more on how Prevalent can help you prepare for the EU Corporate Sustainability Reporting Directive, request a demo today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
