Identifying and Assessing Vendor ESG Risk

You may be familiar with the term ESG, which represents the environmental, social, and governance practices and risks that aren’t usually disclosed in an organization’s financial statements. Many regulatory bodies are introducing guidelines that require organizations to disclose their ESG metrics for greater transparency. The UK and EU have already implemented several ESG regulations, while the U.S. is currently developing its own.

Beyond the regulatory environment, more and more organizations are recognizing and evaluating these risks. They’re voluntarily offering ESG transparency and reporting to investors and the general public. This emerging trend is based on the belief that an organization's treatment of nature and use of natural resources, relationships with people and communities, and adherence to ethical and legal standards all significantly impact the organization's long-term value and the investors who support it.

This transparency doesn't end with the organization but moves to their entire supply chain. It's crucial for organizations to understand vendor ESG risks and how to identify them. Let's dive into how you can achieve this.

Understanding the Different Types of Vendor ESG Risks

ESG is not just limited to the organization, but also extends to the ESG practices and risks of vendors, suppliers, service providers, and other business relationships instrumental to the organization. Organizations should avoid assuming that the ESG standards of a vendor automatically match their own.

If vendor ESG risks aren’t managed properly, they can potentially harm the organization's public image and business operations if they violate labor or environmental laws.

Here are the three ESG risks that your organization should be aware of:

• Environmental risks consider an organization’s environmental impact, including resource use, conservation, product lifecycle, disposal, and recycling. Factors include carbon footprint, energy efficiency, water usage, and toxic substance management.
• Social risks include relationships with people and revolve around issues such as preventing modern slavery, promoting equity and gender equality, maintaining good labor practices, respecting human rights, and ensuring customer and consumer rights.
• Governance risks involve analyzing an organization's management, ethics, accountability structures, code of conduct, policies, and risk management. It also encompasses tax strategy, lobbying efforts, financial influence, and preventing bribery and corruption.

If your organization is practicing ESG transparency and reporting, it’s crucial to factor in the ESG risks in your third-party network. While this may be a new practice for some organizations, now is an excellent opportunity to begin identifying vendor ESG risks. Continue reading to discover how to do this effectively.

4 Steps to Take Before Identifying and Evaluating Vendor ESG Risks

1. Identify any relevant ESG regulatory requirements. Identifying if your organization is subject to any ESG-related regulations is essential. If your organization is subject to ESG regulations, it must act based on the regulations set in place. Keep in mind you may be subject to laws and regulations in countries where you do business, like the EU or UK. 
2. Understand your organization’s ESG goals and objectives. Before starting ESG transparency and reporting, organizations must prioritize identifying and addressing ESG risks and concerns important to stakeholders. Understand the reasons for ESG reporting and ensure your vendor goals align with what is being measured and reported. Avoid asking vendors to follow practices your organization doesn't follow. Ensure vendor risk management ESG requirements align with your organization’s requirements for consistent reporting.
3. Determine which vendor relationships are in scope. When it comes to ESG reporting, it's not feasible to involve every type of third-party relationship. Your organization needs to determine which vendors should be obligated to provide ESG reporting. This could be based on factors such as risk rating, expenditure, or the type of product and service. Whatever criteria are chosen, it's vital to apply them consistently. By reducing the number of third-party relationships in scope, you can ensure that vendor risk management teams concentrate on relationships with the highest ESG risk and impact.
   
   Pro Tip:  When determining vendor scope for ESG transparency and reporting, it’s essential to consider the higher ESG risks associated with certain industries, products, services, and geographic locations. You should review the products and services your organization purchases, the risk that may be hidden in the supply chain, and the geographies where your vendors are located or conduct business.
   
   
   For example, businesses operating or sourcing labor from the following top 10 countries or sectors have an increased risk of modern slavery in their supply chains:
   
4. Engage your ESG subject matter experts. Get guidance from an ESG subject matter expert (SME) to develop your vendor risk questionnaire and identify necessary ESG documents for due diligence. During formal vendor risk reviews, SMEs can also provide professional opinions on vendor ESG practices and controls. Consider seeking external ESG resources if expertise isn’t readily available within your organization.

Identifying Vendor ESG Risks

After identifying vendors in scope for your ESG initiatives, it’s important to have a reliable method for identifying and assessing the severity of ESG risks. The best way to do this is through a standardized ESG vendor risk questionnaire. 

Examples of questions to include in your questionnaire are:

• Has the organization conducted a baseline assessment of its carbon/GHG footprint and implemented any measures to make any reductions?
• Does the organization take responsibility for the environmental impacts of their products throughout their lifecycle? For example, are available disposal options considered for the product at the end of life?
• Does the organization have any policies or processes in place to identify, assess, and address risks across the organization and its supply chain concerning human rights, labor standards, and modern slavery or human trafficking?
• Does the organization comply with International Labor Organization (ILO) standards?

Your vendor risk management team should consult with a qualified ESG SME during the development of these tools to ensure the creation of comprehensive questionnaires that align with your organization's goals and objectives. SMEs can also identify the specific types of ESG due diligence documentation your third parties should provide along with their completed questionnaires.

The ESG questionnaire can be completed by a vendor as part of preliminary vetting or as part of the formal due diligence process. Like any other vendor risk review that is part of formal due diligence, the SME should review the risks and the quality of the vendor’s controls. They should also review the questionnaire and due diligence documentation.

Vendor Red Flags to Look for With ESG Risk 

As you complete your vendor due diligence, there are common red flags to look for. Depending on your organization's risk appetite, you may decide to put more controls in place or forego working with the vendor.

Here are four common red flags:

1. No ESG policy – The lack of transparent ESG policies make it difficult to assess potential social and environmental risks your organization may face.
2. Greenwashing – The vendor markets itself with terms such as "eco-friendly," "sustainable," "organic," and "fair trade" without providing any evidence, certification, or reporting to support these claims.
3. Questionable labor practices – All workers, including those with language barriers or illiteracy, should know their rights. Information accessibility should go beyond noticeboards. Migrant workers particularly face serious issues, including debt bondage, lack of documentation and effective grievance mechanisms, and poor living and working conditions. These concerns must be addressed for fair and safe working conditions.    
4. Lack of traceability for raw materials, goods, or products – Third parties should be able to trace the origin of products, including all suppliers and production facilities.

Because ESG covers such a wide range of considerations, when issues arise with a vendor's ESG, there’s not a “one-size-fits-all” solution for remediation. The best action plan to prevent surprises and issues is to avoid doing business with questionable entities. This means getting educated on the issues, having access to qualified subject matter experts, and thoroughly researching the ESG policies, practices, and reporting for those third parties posing the most risk to your organization.