In November 2022, the European Union (EU) Parliament adopted the Corporate Sustainability Reporting Directive (CSRD), a new law that requires companies to report on environmental, social and governance (ESG) matters, including those that arise from their supply chains, as part of their regular company disclosures. This new reporting was developed to address long-standing concerns that non-financial reporting among EU firms was inconsistent and failed to produce reliable progress toward sustainability goals.
Firms required to report on the new standards include large EU companies with more than 250 employees and €40 million in turnover and/or more than €20 million in total assets, as well as all listed companies that have to report against existing Non-Financial Reporting Directive (NFRD) requirements. Reporting begins in January 2025 using 2024 data, so now is the time to consider how the mandate will impact your third-party risk management program.
This post examines the CSRD’s new sustainability standards and provides best-practice recommendations for getting ahead of the inevitable third-party vendor and supplier ESG reporting requirements.
The European Financial Reporting Advisory Group (EFRAG), a supporting organization to the EU Council, has been tasked with helping to develop requirements that will inform reporting obligations. The requirements are called European Sustainability Reporting Standards (ESRS) and generally align with traditional environmental, social and governance (ESG) categories, including:
In addition, the law includes “cross-cutting standards” including strategy and business model; governance and organization; impacts, risks and opportunities; implementation measures covering policies, targets, actions and action plans; allocation of resources; and performance measurement.
In general, reporting requirements must examine sustainability risk affecting the company, and the company’s impact on society and the environment. Disclosures should also:
Companies will be required to publish separate sustainability statements as part of their regular management reports. Therefore, to address the reporting requirements against published targets, organizations will need to conduct a thorough due diligence process that includes not only their own internal initiatives, but also those of their third-party vendors, suppliers and partners.
To better position your organization to report against your third parties’ ESG impacts, consider these four best practices:
Since sustainability reporting will now be mandatory, include enforceable ESG provisions in your third-party vendor and supplier contracts. Centralizing ESG provisions in a platform will enable you to automatically create and track key performance indicators (KPIs) against acceptable ESG thresholds and alert suppliers proactively if they are falling short of agreed-upon measures, thereby reducing possible future reporting burdens.
Centralizing key vendor metrics into a single source of truth and making it available to all internal teams responsible for managing supplier relationships improves accountability and simplifies reporting. ESG-specific data to centralize can include:
Next, go beyond initial database checks by conducting third-party risk assessments that leverage regulatory-specific questionnaires and require evidence for validation. Leveraging an automated platform for assessing, analyzing and scoring vendors against acceptable ESG risk thresholds saves time and enables mapping to multiple reporting regimes such as the International Sustainability Standards Board’s (ISSB) Sustainability Disclosure Standards or the U.S. Securities and Exchange Commission’s (SEC) proposed new climate-related disclosure requirements.
Third-party risk management platforms will enable you to extend role-based access to external auditors, and include built-in remediation guidance to recommend to vendors and suppliers to get them into compliance with your company’s policies.
Once assessments are complete, enable continuous vendor monitoring in specific ESG domains to validate the effectiveness of their policies. Commonly used monitoring sources include:
Monitoring these sources individually can be a real headache, so look for continuous monitoring solutions that centralize this data and automatically correlate it against assessment findings for internal governance policies.
The Prevalent Third-Party Risk Management Platform includes capabilities to assess third parties against a number of ESG topics with built-in questionnaire templates, and validate the findings with continuous external monitoring into vendor practices. Prevalent enables you to:
For more on how Prevalent can help you prepare for the EU Corporate Sustainability Reporting Directive, request a demo today.