Third-party relationships can present a great deal of risk to businesses in terms of ESG, but seven in 10 compliance leaders believe that third parties pose ‘no risk’ to ‘a little risk’.

Strong governance, achieved through risk-proportionate processes and controls, is the key to building ethical and responsible business practices. From both a legal and reputational perspective, this goes beyond the business and its immediate employees, and extends to its suppliers, consultants, agents, partners and even customers.

When it comes to reputational, regulatory and civil liability risk, this creates a huge challenge: businesses are potentially liable for the actions of their third-party partners, and without systems and controls, can be exposed to the consequences of their actions. For example, if a contractor that your organization works with does not abide by the standards and regulations required within its own business or supply chain, your organization can suffer reputational damage, and even potential litigation. Growing regulation that compels businesses to take responsibility for their wider value chain is designed to encourage companies to exert a positive influence and spread ethical behavior through their vast corporate networks.

Third-party risk is a significant component of any ESG framework and should always be considered. Key stakeholders and customers will hold you accountable for how you are driving ESG principles within your third-party partnerships, so it is more important than ever that the risk they present is acknowledged and assessed.

Lisa LeCointe-Cephas
SVP, Chief Ethics and Compliance Officer and Office of General Counsel, Merck

Hogan Lovells insight
Crispin Rapinet, Partner, London

Corruption creates clear environmental and social risks. Licenses or permits procured by way of a bribe compromise public safety; contracts awarded following the exchange of brown envelopes distort the economy; lax regulation, oversight or supervision following a facilitation payment place the workforce at risk. Where responsibility for any of these activities is delegated to a third party, the legal and reputational risks are as real as if they were undertaken by an organization directly.

Indeed, in many jurisdictions, including the UK, such actions on the part of a third party would legally bind the organization on whose behalf they act. Notwithstanding the legal risk, the reputational impact is also far reaching. Many consumers, stakeholders and investors will not differentiate between the sub-contractor that provides a child workforce to its multi-national conglomerate, and the multi-national organization itself.

Acknowledgment is overdue

Third parties can often be the most significant contributors to a corporate’s ESG impact, whether through negligent pollution at a joint venture company’s factory, or human rights abuses deep in the supply chain.

However, compliance leaders are not always reacting to this risk. In our research, the majority of compliance leaders – seven in 10 – believe that third-party relationships pose ‘a little risk’ to ‘no risk’ to their business with regards to ESG, and fewer than a third (29%) see ‘a fair amount’ of risk. Strikingly, just 1% perceive third-party relationships as posing a ‘great deal’ of risk to their business in terms of ESG. Surprisingly, only 21% of those in the lifestyle and consumer industry – arguably one of the most exposed industries due to vast, complex global supply chains and particular scrutiny of the industry’s ethics – believe third-party relationships pose a great deal or a fair amount of risk.

Chart: How much risk do third-party relationships pose to your organization?

A core issue is the complexity of ESG management. Expectations and requirements are still being realized, and there is a diverse patchwork of ESG regulation on a regional, national, international and industry level. These various frameworks have different legal effects, with some legally binding and some not. This unsettled landscape – with many moving parts that are not always moving in the same direction – can be difficult to navigate. Some countries already require ESG due diligence to be conducted on certain third parties, and that mandatory obligation is at the core of the draft EU Corporate Sustainability Due Diligence Directive – which will have a massive impact on multinationals when it comes into force. Without standardized protocols and a clear way forward, ESG risk management – a task already made difficult by stretched compliance teams – becomes even more onerous.

The complexities around third-party risk may also be preventing organizations from appreciating the level of impact. For example, the typical profile of third parties that pose an ESG risk differs from that of third parties that pose an anti-bribery and corruption (AB&C) risk, so compliance teams will need to look at third parties and relationships through a different lens. For businesses with complex or specialized supply chains, it may also be hard to walk away from suppliers if they do find an issue, adding pressure to compliance teams. The practical work of bringing together third-party questionnaires and the other components of due diligence often creates additional complications.

The EU Corporate Sustainability Due Diligence Directive will be an important catalyst for an increased corporate focus on third-party risk. It has the potential to have an impact as significant as GDPR.

Moira Thompson Oliver
Human Rights Lead, Vodafone Group

The tide is turning

Our findings indicate that compliance leaders are aware that third-party ESG risk will need greater attention in the future, with 22% forecasting their organization’s level of risk will increase in the next 12 months, rising to 34% anticipating increased risk in the next 18 months. Just one in five compliance leaders do not see their level of risk increasing at all.

Chart: Organizations see third-party risk increasing in the more distant future – over the next year and over the next two years.

Organizations with more established ESG management protocols appear to recognize the possible impact and ramifications of third parties on ESG regimes and their success more than those with less established policies. Those with high-maturity schemes are more likely to perceive a greater degree of risk from third-party relationships: 32% say it poses a ‘great deal’ or a ‘fair amount’ of risk, compared to 23% with low-maturity schemes and 28% with medium-maturity schemes. This suggests that third-party risks become more apparent to organizations as they develop a greater understanding of their own ESG compliance context.

These are not new risks, and they are relevant today as well as in the future. But the fact that many compliance leaders plan to increase their focus on ESG risk is a reflection of both increasing pressure from legislation and regulation – with regulators and other stakeholders solidifying their positions – and an increasing awareness of the importance of ESG factors within organizations. The fact that many leaders plan to take more action ‘tomorrow’ may also point towards the challenges of navigating an uncertain and fast-moving landscape.

There is currently no legislation to help you quantify the full spectrum of ESG risks around third parties and it is then hard to define the risk appetite, as there is no law to guide you. It is a topic that is still discussed at board level in terms of how they quantify risk. But ultimately, despite legal insight, it is a business decision, and the difficulties with quantifying the risks can make it difficult to bring focus.

Neill Cooke
Head of Ethics and Compliance – Civil Aerospace, Rolls-Royce

In any case, compliance leaders cannot hope that ESG risk will wait to strike until their attention is ready and their organization’s position is stronger. With impending regulation – and existing reputational risk – this shift in focus cannot come quickly enough.

Hogan Lovells solution

Having integrated teams that assess third parties holistically can make due diligence processes more effective and efficient. Integrated teams will have sight of the different relationships and their risks, mapping them across the various due diligence obligations.

Hogan Lovells insight
Calvin Ding, Partner, Shanghai

As part of strong governance, proportionate, documented and up-to-date third-party due diligence is essential. This allows for the selection of ethical and responsible third parties who share the values of the corporate engaging them. The levels of enquiry will differ based on sector, service, geography and other factors, and the necessary controls to mitigate third-party risks will also vary depending on risk exposure. However, third-party risks should not be overlooked.