Vendor Risk Management and ESG: Should ESG Be Part of Due Diligence?

Everyone is talking about ESG these days, but what exactly is ESG, and what role can it play in vendor risk management? To begin, the acronym ESG refers to Environmental, Social, and Governance, which are three key factors that contribute to measuring the sustainability and ethical impacts of an organization’s business practices. 

ESG frameworks are intended to help organizations assess and disclose their sustainability and ethical practices and represent a more stakeholder-centric approach to doing business. In addition to customers, organizational stakeholders include employees, suppliers, and communities worldwide affected by the practices and decisions of an organization. Investors also play a significant role and are the driving force for many organizations’ ESG efforts.

Many investors are interested in ESG data as part of a broader calculation to estimate an organization’s long-term value. And other investors simply desire to invest in companies with better sustainability practices. Moreover, ESG has become increasingly important to the workforce as candidates are increasingly evaluating potential employers' ESG practices, ethics, and values before applying for and accepting employment. 

What Does ESG Consider? 

The following further explains environmental, social, and governance issues: 

• Environmental issues include how an organization utilizes, replenishes, and conserves natural resources, and considers things like carbon footprint, energy efficiency, water use, and treatment of toxic substances. It also takes into consideration the lifecycle of a product, including its ultimate end-of-life disposal or recycling.
• Social issues include an organization’s relationship with people, including customers, employees, investors, and communities. Considerations include things like the prevention of modern slavery or forced labor, equity and gender equality, general labor practices, and respect for human rights. Social also includes customer and consumer rights such as the right to safe products, privacy, and fair treatment.
• Governance issues speak to how the organization is managed, its ethics, and moral standards. It considers the structures to hold people accountable. Governance includes things like the code of conduct, policies, and governance. And issues include tax strategy, lobbying, how much money is spent to influence politics and policy, and prevention of bribery and corruption. Risk Management is also a key component of governance.

How Does ESG Relate to Vendor Risk Management?  

As with any third-party risk, organizations today must now also consider the environmental, social, and governance risks associated with their third-party relationships and supply chains. Third-party vendors and suppliers have the potential to severely impact an organization’s operations, finances, regulatory compliance, and reputation.  Therefore, ESG is becoming an increasingly important component of a vendor’s risk profile.

Should ESG be Considered in Vendor Due Diligence? 

ESG presents yet another set of risks that should be considered and evaluated during the vendor due diligence process. However, ESG maturity is still relatively low for many organizations, which can further obscure and slow the efforts of vendor management teams seeking to gather and analyze a third party’s ESG data. It may also be complicated by a lack of ESG subject matter expertise within the organization. Most often, there are obstacles when attempting to implement vendor ESG due diligence because there is an absence of clear ESG objectives, direction, and collaboration within the company. If an organization’s own ESG’s objectives and requirements are vague or poorly structured, it becomes that much harder to hold its vendors to a consistent standard.

Implementing ESG Into Vendor Risk Management

Considering some of these challenges, how should vendor management teams begin to integrate ESG into their due diligence practices? The good news is that there are some simple and practical solutions for getting started.

Begin With the Basics 

1. Understand what your organization is doing regarding ESG. Are the current objectives focused on ESG transparency and reporting? What dimensions of ESG are being measured and reported? Vendor management's due diligence efforts will be more effective if they’re consistent with the organization's broader ESG objectives and evaluate the same vendor ESG risks. For example, if your organization measures and reports its carbon footprint, it would be appropriate to also gather this information from your vendors. The important thing to remember here is that you shouldn’t ask your vendors to have ESG practices that your organization itself does not have.
2. Identify your ESG Subject Matter Expert. You’ll need the assistance of a qualified ESG Subject Matter Expert to help develop your ESG vendor risk questionnaire and identify the types of ESG documents required for due diligence. Of course, you also need access to the ESG SME to perform vendor risk assessments and provide their qualified opinion on a vendor’s ESG practices and controls. Keep in mind that many organizations do not have this specific expertise on staff, so it may be necessary to engage external ESG experts and resources. Vendor management teams must stand firm and demand these resources before integrating vendor ESG into the due diligence process. To ensure the right outcomes and protect your organization, access to specific ESG expertise is essential.
3. Determine which vendors will be in scope for ESG Due Diligence. It’s not practical or useful to include all vendors in your ESG scope. Your organization must decide which vendors should be required to provide ESG due diligence information. Perhaps your organization will review vendors by risk rating, dollars spent, or product and service type. Whatever criteria are used, it’s important to be consistent. Limiting the scope of vendors can also ensure that vendor teams are focusing on those vendor relationships with the greatest ESG risk and impacts.
4. Get a baseline. Once you’ve identified the vendors who are in scope for ESG due diligence, it’s important to understand if the vendor has its own ESG practices and if so, what those efforts look like. Gathering this information is paramount, as it can help vendor management teams better estimate the time and effort necessary to move between the initial vendor ESG due diligence implementation and a business-as-usual environment. This can be accomplished in one of two ways: 
   
   Option 1 – Survey your vendors and ask two simple questions:
   
   
   • Does your organization currently have established ESG practices or reporting? If so, describe these efforts and any ESG reporting.
   • Does your organization currently have a published modern slavery or forced labor statement detailing the risks existing in your vendor relationships and supply chain, the ways in which your organization prevents these practices, and the effectiveness of your efforts? If so, please provide a copy of the statement.
   While not overly comprehensive, this approach can still help your vendor management team identify which vendors have ESG practices and which ones will need to develop them. Vendor management teams can then develop communications and vendor education to inform vendors of developing requirements and the estimated timeline for compliance.
   
   Option 2 – Develop a vendor ESG due diligence questionnaire and send it to all in-scope vendors.
   
   This approach can be initially time-consuming as it requires vendor management teams to work with SMEs to develop the questionnaire upfront. But can provide many more details about a vendor’s specific ESG practices and can help vendor management teams further refine their focus related to vendor ESG due diligence.
   
    For example, a vendor that is in scope, but currently has no ESG practices and has no contractual obligations regarding ESG, may need a different approach than a vendor with a good level of ESG maturity who is willing to provide reporting. And along with the more comprehensive questionnaire, vendor management teams must decide if they will, at the same time, request ESG due diligence documentation to prepare for a formal SME review. And then there is the matter of queuing and completing those reviews.

Longer Term ESG Considerations 

As the organization’s ESG practices mature and vendors are brought into scope, it’s essential to consider how the incorporation of ESG will affect the vendor management framework beyond due diligence. Other considerations include:

• Integrating ESG into early vendor vetting
• Contractual requirements for vendor ESG
• Vendor ESG monitoring
•  Vendor ESG non-compliance
• Roles and responsibilities of the vendor owner pertaining to ESG
• The inclusion of vendor ESG in board and senior management reporting  
• Regulatory changes that can alter current requirements

ESG has evolved into a key consideration for many organizations across a wide range of sectors. Moreover, ESG risk applies not only to an organization but to its vendors as well. As such, vendor management teams everywhere are feeling the pressure to incorporate vendor ESG into their regular due diligence processes and vendor management practices. 

Vendor management teams can begin by understanding the organization’s ESG goals and objectives and working with a qualified ESG SME to develop the right tools to identify vendor ESG risks and the controls necessary to mitigate them. The process of developing and implementing these processes does not happen overnight. Still taking steps to get started on ESG basics is a great strategy for any vendor management team.