Over the past several years, pressure from consumers and regulators has pushed organizations to make environmental, social, and governance (ESG) and corporate social responsibility (CSR) goals a top priority. CSR goals, as well as ESG transparency and reporting, naturally extend to an organization's vendors. However, effectively implementing CSR and ESG requirements for your vendors requires a lot of careful assessment, planning, and communication.
Lay the Foundation for CSR and ESG Objectives and Standards
Organizations seeking to incorporate CSR and ESG into a vendor portfolio first must have their own internally identified objectives and reporting standards. Once established, organizations must determine how internal requirements will transform into external vendor requirements.
From there, it’s important to determine which vendors will be expected to participate. Identifying the appropriate vendors or vendor types is no easy task, and third-party risk management teams play a crucial role in this vital process. It may be that your organization chooses to include only specific types of vendors, such as manufacturers, logistics companies, or vendors with extended supply chains. Maybe the decision will be to select vendors that account for a specific amount of operational expense. Perhaps the decision will be for elevated-risk vendors to participate. Whatever the method, integrating ESG goals into your vendor risk management structure should not be rushed, and the organization will need to take time to consider several factors.
Where to Begin With CSR and ESG: 11 Questions to Consider
Figuring out where to begin can be difficult. Here are a few considerations that can point you in the right direction and help determine which actions you will need to take:
- What are the specific CSR/ESG requirements? Are there specific goals and objectives, or are transparency and reporting the goal?
- Which vendors or vendor types will be required to participate?
- How do you plan to tell your vendors about the policy changes? When will you tell them?
- What documentation or reports will your vendors be required to produce to show compliance?
- Who will review the documentation provided by the vendors? Are they a CSR or ESG SME?
- Will your organization provide training for your vendors regarding the updated requirements?
- Will vendors be expected to comply with all new requirements at once or through a stepwise approach?
- How much time will the vendors have to comply with the new standards?
- Will vendors be penalized if they do not comply or cannot meet the new requirements?
- How will adding an ESG and CSR initiative affect your existing third-party risk management policies and standards?
- How will new ESG or CSR requirements change your standard contract requirements?
Establish Vendor Standards
As a first step, you should determine which standards you’ll hold your vendors to, and what metrics you’ll use to measure their compliance and performance. You’ll need to define which specific vendors or vendor types will be included and why.
It’s essential to consider and document how this new requirement will fit into your risk assessment, due diligence, and periodic review processes. Consider if you can use your existing questionnaires or if you will need to develop new ones. Determine how your organization is going to collect and review the documentation. Identify who is on point to review the information and determine what constitutes "acceptable." It’s also essential to understand how the vendor data will be incorporated into your organization's ESG data. How will you deliver aggregated vendor data? You will also need to consider if changes to your governance documents are necessary, especially your policy and program documents.
Modifying your vendor contract's terms will help protect your organization from third-party risks related to ESG and CSR regulations. Work with your legal team to include legally sound, enforceable clauses and conditions covering modern slavery and adherence to your organization's ESG standards and practices.
Communicate With Your Vendor
After you’ve determined your standards and laid the foundation for the integration process, you’ll need to communicate with your vendor to inform them about the upcoming changes. Effective communication is key to making a successful transition.
Providing detailed CSR/ESG requirements and information, coupled with vendor education or training, will increase the likelihood that vendors will comply with the new requirements. In addition, providing multiple vendor training methods such as live webinars, self-service online training, and self-study materials will also improve vendor participation. Keep in mind that CSR and ESG are new for many vendors, so expect a lot of questions and be prepared to answer them.
It's wise to consider giving your vendors an extended timeframe to adjust and comply with the changes. During this time, you might consider allowing for a test period in which you can assess the reporting process and remedy any errors that might be present. This timeframe is crucial, allowing your vendors to make the necessary arrangements and gather the proper resources to report on the requested data.
As your organization's ESG and CSR goals extend to your vendors, it's essential to ensure they remain informed of the changes in requirements and processes. Navigating the transition process may be challenging. However, by informing and preparing your vendors through effective communication channels and setting clear expectations, you set your vendor CSR/ESG initiatives up for success.