SEC Climate-Related Disclosure Requirement Highlights and Third-Party Considerations


Climate-related disclosures have steadily gained prominence in recent years, with regulations currently established in the EU and California. Many organizations have anticipated regulations at the U.S. federal level for almost two years since the SEC first proposed its rule on climate-related disclosures in 2022. The wait is now over. On March 6, 2024, the SEC issued The Enhancement and Standardization of Climate-Related Disclosures for Investors.

One of the most notable differences between the proposed rule and final rule is the exclusion of Scope 3 emissions, which would have significantly influenced an organization’s third-party risk management (TPRM) practices. Despite this exclusion, environmental, social, and governance (ESG) risk continues to be an important area to explore in third-party risk management.

This blog will cover some of the highlights of the final rule, which will give you a better understanding of the type of data your organization might be expected to disclose. Although the final rule doesn’t include Scope 3 emissions, we’ll offer some compelling reasons why ESG awareness is still important to consider in your third-party risk management program and some next steps for third-party compliance.

Note: Text from the final rule is noted in italics.

Highlights of the SEC Climate-Related Disclosure Final Rule  

The final rule clocks in at over 800 pages, much of which contains the proposed rule and commentary that was collected from over 24,000 letters. As with any regulation, organizations are advised to read and understand the text to ensure they’re meeting the expectations and requirements. 

Here are 5 highlights to note:  

  1. Types of emissions – The final rule states that organizations must disclose Scope 1 and Scope 2 emissions. Scope 1 emissions are also known as “burn” and refer to emissions from sources that are controlled or owned by the organization. Gas emissions from an organization’s vehicles would be an example of Scope 1. Scope 2 emissions, or “buys,” refer to emissions from the energy an organization purchases, like electricity for a facility.

    Note: Organizations are not required to disclose Scope 3 emissions, according to the final rule. Scope 3 emissions are essentially those that are produced by your third-party vendors, or anything beyond what your organization burns or buys.  
  2. Material climate-related risks – A registrant is required to provide a description of any climate-related risks that have materially impacted or are reasonably likely to have a material impact on the registrant, which includes the organization’s strategy, operations, and financial condition. Materiality can be a difficult term to deconstruct, but the final rule gives some guidance, stating that a material matter would be considered important by a reasonable investor. In other words, a material matter would have a significant impact on an investor that’s making decisions on buying or selling securities. 

    Pro Tip: Since material matters can also impact business strategies and operations, it may help to think of this concept in terms of criticality. This requirement might be worth researching further to determine whether any overlap exists between your organization’s critical vendors and material climate-related risks.  
  3. Risk management processes – Understanding what’s considered material or critical to your organization is just one piece of the puzzle. An organization is also expected to disclose any existing processes for the identification, assessment, and management of material climate-related risks. The final rule emphasizes that it doesn’t offer a prescriptive approach to managing climate-related risks because there isn’t a “one-size-fits-all” model that works for every organization and industry. A comprehensive TPRM program that details your processes and procedures would be an effective strategy to help identify material third-party climate risks.
  4. Oversight responsibilities – The board of directors and senior management are expected to be involved in overseeing and managing the organization’s climate-related risks. Organizations are required to disclose a description of a board of directors’ oversight of climate-related risks and management’s role in assessing and managing climate-related risks. This requirement closely aligns with other regulatory expectations such as the Interagency Guidance on Third-Party Relationships about the board and senior management’s involvement in critical third-party activities.
  5. Targets and goals – In response to climate-related risks, many organizations may choose to set targets and goals, which will then need to be disclosed. For instance, an organization might set a goal related to energy or water usage. In this case, the final rule requires disclosure, as applicable, of how the registrant intends to meet its climate-related targets or goals. The disclosure should include details such as the scope of the activities, a timeline for when the goal or target will be met, and how the organization will track its progress.


3 Reasons for Continued ESG Awareness in Third-Party Risk Management 

Scope 3 emissions might not be a requirement in the SEC’s final rule, but this doesn’t necessarily mean they can be ignored altogether. Here are three reasons why Scope 3 emissions and other third-party ESG risks should continue to be integrated into your third-party risk management program: 

  1. Expanding regulations and standards – California requires the disclosure of Scope 3 greenhouse gas (GHG) emissions in the Climate Corporate Data Accountability Act, while the EU requires its own Scope 3 disclosures in the Corporate Sustainability Reporting Directive (CSRD). Some organizations may also want to meet the sustainability reporting standards developed by the International Sustainability Standards Board (ISSB). Keeping Scope 3 emissions and ESG risk within your third-party risk management program will help keep your organization prepared for future regulations that may be established in the years to come.
  2. Shareholder expectations – Many organizations continue to make commitments to voluntarily report ESG metrics to their shareholders. This commitment might come from a desire to improve transparency with investors, create a competitive advantage, or even to encourage other organizations to follow in their footsteps with their own reporting. Managing ESG risk will ensure you have the necessary data to meet shareholder expectations.  
  3. Reputation management – ESG risk encompasses a variety of issues, from clean energy and water conservation to human rights and labor practices to anti-corruption and anti-bribery initiatives. Consider a situation where one of your vendors violated human rights by using child labor in their supply chain. Even though this violation wasn’t directly attributed to your organization, it can still harm your reputation and brand. The public, including potential customers and investors, may view your organization unfavorably because of its association with this vendor.

Next Steps for Third-Party ESG Compliance 

Some of your third parties may not be held to the same regulatory expectations for climate-related disclosures. It’s still important to consider how they can potentially create compliance issues for your organization.

Here are next steps to get started with third-party compliance:  

  • Identify your critical third parties – This will help you understand which third parties should be in scope for your disclosure requirements. A critical third party is one whose failure or extended outage would have a significant impact on your organization or customers. 
  • Begin the conversation – Reach out to your critical third parties and begin the conversation on why your organization has implemented certain ESG goals, requirements, and practices. This would also be a good opportunity to gather information on your third parties’ preparedness for ESG disclosures. Consider distributing a survey to better understand whether your third parties have any ESG practices in place. 
  • Develop a plan of action – If you discover some of your third parties are unprepared for ESG practices and disclosures, consider creating a plan of action for compliance. In general, you won’t need to create separate ESG standards for your third parties to follow. Many organizations will just want to ensure their vendors are meeting the same standards. Make sure to include relevant details in your plan that your third party can follow, such as roles and responsibilities, reporting requirements, and timelines for compliance.

The SEC’s climate-related disclosure requirements provide further evidence that regulators are focusing more on ESG risks. Even with the current absence of Scope 3 emissions from the SEC’s final rule, there’s still good reason to integrate third-party vendors in your ESG efforts.   
