Third-party relationships can present a great deal of risk to businesses in terms of ESG, but seven in 10 compliance leaders believe that third parties pose ‘no risk’ to ‘a little risk’.

Strong governance, achieved through risk-proportionate processes and controls, is the key to building ethical and responsible business practices. From both a legal and reputational perspective, this goes beyond the business and its immediate employees, and extends to its suppliers, consultants, agents, partners and even customers.

When it comes to reputational, regulatory and civil liability risk, this creates a huge challenge: businesses are potentially liable for the actions of their third-party partners, and without systems and controls, can be exposed to the consequences of their actions. For example, if a contractor that your organization works with does not abide by the standards and regulations required within its own business or supply chain, your organization can suffer reputational damage, and even potential litigation. Growing regulation that compels businesses to take responsibility for their wider value chain is designed to encourage companies to exert a positive influence and spread ethical behavior through their vast corporate networks.

Third-party risk is a significant component of any ESG framework and should always be considered. Key stakeholders and customers will hold you accountable for how you are driving ESG principles within your third-party partnerships, so it is more important than ever that the risk they present is acknowledged and assessed.

Lisa LeCointe-Cephas
SVP, Chief Ethics and Compliance Officer and Office of General Counsel, Merck

Hogan Lovells insight
Crispin Rapinet, Partner, London

Corruption creates clear environmental and social risks. Licenses or permits procured by way of a bribe compromise public safety; contracts awarded following the exchange of brown envelopes distort the economy; lax regulation, oversight or supervision following a facilitation payment place the workforce at risk. Where responsibility for any of these activities is delegated to a third party, the legal and reputational risks are as real as if they were undertaken by an organization directly.

Indeed, in many jurisdictions, including the UK, such actions on the part of a third party would legally bind the organization on whose behalf they act. Notwithstanding the legal risk, the reputational impact is also far reaching. Many consumers, stakeholders and investors will not differentiate between the sub-contractor that provides a child workforce to its multi-national conglomerate, and the multi-national organization itself.

Acknowledgment is overdue

Third parties can often be the most significant contributors to a corporate’s ESG impact, whether through negligent pollution at a JV's company factory, or human rights abuses deep in the supply chain.

However, compliance leaders are not always reacting to this risk. In our research, the majority of compliance leaders – seven in 10 – believe that third-party relationships pose ‘a little risk’ to ‘no risk’ to their business with regards to ESG, and not even a third (29%) see there being ‘a fair amount’ of risk. Strikingly, just 1% perceive third-party relationships as posing a ‘great deal’ of risk to their business in terms of ESG. Surprisingly, only 21% of those in the lifestyle and consumer industry – arguably one of the most exposed industries due to vast, complex global supply chains and particular scrutiny of the industry’s ethics – believe third-party relationships pose a great deal or a fair amount of risk.

How much risk do third-party relationships pose to your organization?

A core issue is the complexity of ESG management. Expectations and requirements are still being realized, and there is a diverse patchwork of ESG regulation on a regional, national, international and industry level. These various frameworks have different legal effects, with some legally binding and some not. This unsettled landscape – with many moving parts that are not always moving in the same direction – can be difficult to navigate. Some countries already require ESG due diligence to be conducted on certain third parties, and that mandatory obligation is at the core of the draft EU Corporate Sustainability Due Diligence Directive - which will have a massive impact on multinationals when it comes into force. Without standardized protocols and a clear way forward, ESG risk management – a task already made difficult by stretched compliance teams – becomes even more onerous.

The complexities around third-party risk may also be preventing organizations from appreciating the level of impact. For example, there is a difference in the typical profile of third parties that pose an ESG risk versus those that pose an AB&C risk, therefore compliance teams will need to look at third parties and relationships with a different lens. For businesses with complex or specialized supply chains, it may also be hard for them to walk away from suppliers if they do find an issue, adding pressure to compliance teams. Practical complexities around bringing together third-party questionnaires and all the different components often create additional complications.

The EU Corporate Sustainability Due Diligence Directive will be an important catalyst for an increased corporate focus on third-party risk. It has the potential to have an impact as significant as GDPR.

Moira Thompson Oliver
Human Rights Lead, Vodafone Group 

The tide is turning

Our findings indicate that compliance leaders are aware that third-party ESG risk will need greater attention in the future, with 22% forecasting their organization’s level of risk will increase in the next 12 months, rising to 34% anticipating increased risk in the next 18 months. Just one in five compliance leaders do not see their level of risk increasing at all.

Organizations see third-party risk increasing in the more distant future – over the next year, and two years.

Organizations with more established ESG management protocols appear to recognize the possible impact and ramifications of third parties on ESG regimes and their success more than those with less established policies. Those with high-maturity schemes are more likely to perceive a higher amount of risk from third-party relationships: 32% say it poses a ‘great deal’ or a ‘fair amount’ of risk, compared to 23% with low-maturity schemes and 28% with medium-maturity schemes. This suggests that perhaps third-party risks become more apparent to organizations as they develop a greater understanding of their own ESG compliance context.

These are not new risks, and they are relevant today as well as in the future. But the fact that many compliance leaders plan to increase their focus on ESG risk is a reflection of both increasing pressure from legislation and regulation – with regulators and other stakeholders solidifying their positions – and an increasing awareness of the importance of ESG factors within organizations. The fact that many leaders plan to take more action ‘tomorrow’ may also point towards the challenges of navigating an uncertain and fast-moving landscape.

There is currently no legislation to help you quantify the full spectrum of ESG risks around third parties and it is then hard to define the risk appetite, as there is no law to guide you. It is a topic that is still discussed at board level in terms of how they quantify risk. But ultimately, despite legal insight, it is a business decision, and the difficulties with quantifying the risks can make it difficult to bring focus.

Neill Cooke
Head of Ethics and Compliance - Civil Aerospace, Rolls-Royce

In any case, compliance leaders cannot hope that ESG risk will wait to strike until their attention is ready and their organization’s position is stronger. With impending regulation – and existing reputational risk – this shift in focus cannot come quickly enough.

Hogan Lovells solution

Having integrated teams that assess third parties holistically can make due diligence processes more effective and efficient. Integrated teams will have sight of the different relationships and their risks, mapping them across the various due diligence obligations.

Hogan Lovells insight
Calvin Ding, Partner, Shanghai

As part of strong governance, proportionate, documented and up-to-date third-party due diligence is essential. This allows for the selection of ethical and responsible third parties who share the values of the corporate engaging them. The levels of enquiry will differ based on sector, service, geography and other factors, and the necessary controls to mitigate third-party risks will also vary depending on risk exposure. However, third-party risks should not be overlooked.