How ESG Legislation Will Shape Risk Programs

Dean Alms

February 1, 2023

new regulation targets ESG across the supply chain

Ethical consumption is a type of consumer-based activism that involves purchasing from companies that support sustainability and ethical practices, and it is clearly on the rise. According to 2022 data from Forrester, 37% of adults surveyed in the United States said that concerns about climate change affect their purchasing decisions. Investors, regulators and employees also increasingly demand that companies act as environmental stewards; prioritize employee safety, product and process compliance; and exhibit good corporate governance.

The importance of sustainable practices is not new, and most organizations have had some type of corporate social responsibility (CSR) program in place since such programs began gaining popularity in the 1970s. Within CSR programs, responsibility was usually focused internally and on local communities, and the programs were managed by human resources or marketing departments.

As companies and regulators increasingly focus on a broader approach to ethics, however, there has been a shift to environmental, social and governance (ESG) programs. These programs are generally managed by risk and compliance departments, acknowledging that an organization’s responsibility for risks extends beyond internal factors. Under ESG programs, more attention is paid to supply chains and actions taken by third parties, agencies and other entities that companies do business with.

ESG regulations are already in effect around the world today. The California Transparency in Supply Chains Act, for example, requires large retailers and manufacturers doing business in the state to disclose to consumers what they are doing to eliminate slavery and human trafficking from their supply chains. In addition, the U.N. Guiding Principles on Business & Human Rights set out states' duty to protect human rights and businesses' responsibility to respect them, including by complying with applicable laws and addressing the human rights impacts of their operations.

There is also a growing list of ESG mandates that businesses are now preparing for. These include the recently passed Uyghur Forced Labor Prevention Act, which establishes a presumption that goods produced wholly or in part in the Xinjiang Uyghur Autonomous Region of China were made with forced labor and are barred from import into the United States; companies importing materials or products with a link to the region must be able to demonstrate, through sufficient due diligence, that their goods were not produced using forced labor.

In Germany, the Supply Chain Due Diligence Act requires companies to take responsibility for human rights and environmental risks in their own operations and at their direct suppliers, and at indirect suppliers where there is substantiated knowledge of a possible violation. It went into effect on January 1, 2023 and covers more ESG ground than forced labor alone. There are a host of compliance requirements, including mandatory changes in business practices, disclosures and reporting measures. Noncompliance can result in fines of up to €800,000 or, for companies with average annual turnover above €400 million, up to 2% of that turnover, as well as exclusion from public contracts. The act requires companies to meet many key obligations, including:

  • Establishment of a risk management system that analyzes the human rights and environmental risks in the company's own business area and those of its direct suppliers
</gre_replace>
<gr_replace lines="27-30" cat="clarify" orig="• Enforcement of remedial">
  • Remedial action as soon as the company determines that a violation of a protected legal position (a human rights or environmental obligation under the act) has occurred or is imminent
  • Establishment of a complaint procedure for notification of human rights and environmental violations, enabling people to report violations in the company's own business area or that of a direct supplier
  • Due diligence measures for indirect suppliers when the company obtains substantiated knowledge of a possible violation there
  • Ongoing documentation of how the due diligence obligations are being met, and an annual report that must be made publicly available
  • Appointment of an in-house representative for human rights who is responsible for monitoring risk management in supply chains
  • Performance of regular risk analysis at least once a year, and on an ad-hoc basis as needed
  • Adoption of human rights policies outlining how the company will fulfill the act’s requirements, its priorities for human rights and environmental risks, and expectations for employees and suppliers
  • Establishment of preventative measures for the organization and direct suppliers by implementing procurement and purchasing practices, delivering training, and establishing control measures to verify compliance
  • Enforcement of remedial actions if a protected legal position is violated
  • Establishment of a complaint procedure for notification of human rights violations, enabling people to report violations in their own business area or that of a direct supplier
  • Due diligence measures for indirect supplier risks, if misconduct occurs
  • Documentation and reporting of due diligence obligations annually, which must be made publicly available

This kind of increasing focus on governance is being adopted elsewhere, including in the European Commission's recent proposal for a directive on corporate sustainability due diligence, which aims to foster responsible corporate behavior with regard to human rights and environmental considerations throughout global value chains. But, as the details of the German act show, many new regulations are not just reporting requirements. They require organizations to conduct risk-based due diligence and either address the issues it surfaces or face penalties.

Organizations need to take other considerations into account as well. Many of these new ESG acts and guidance documents have global implications, affecting not only companies headquartered in the region but also those with operations or third parties there.

These regulations also have teeth. The European Union's proposed directive, for example, would give victims of human rights violations the right to take EU companies to court, and provides that a company's own remediation proposals cannot prevent stakeholders from bringing civil proceedings.

In addition, extensive due diligence and both initial and continuous monitoring are key components of many ESG-related regulations on the horizon. An effective third-party risk management (TPRM) program will be critical for assessing, monitoring and mitigating ESG risks across direct third parties and the entities further down the supply chain. Companies must develop a strategic alignment framework that distills these complex factors into a streamlined plan of record and assesses the organization's readiness for an ESG program. The framework should include:

  • Establishing an ESG charter: The risk priorities and needs of each company are different, and some industries have special considerations in terms of manufacturing, distribution and supply chains. Your ESG program should start with a well-defined charter that sets the purpose, business objectives and scope around current risk profiles, how third parties are utilized and managed, and which ESG regulations must be adhered to.
  • Creating an ESG roadmap: A map of your company's ESG program provides a clear starting point and outlines the implementation phases for your risk priorities, with continuous checkpoints. This plan lets the company visualize and track its progress across the ESG program.
  • Securing organizational alignment: A successful ESG program is not created and implemented in a silo. A meaningful and effective program requires cross-functional collaboration within your company and strong relationships with your third parties to ensure governance and compliance requirements are met. Defining the roles and responsibilities needed across procurement, IT compliance, legal and HR to deliver the program is a critical part of building an ESG culture that ensures corporate commitment. Sincerity of intent will pay dividends.
  • Drafting solution blueprints: Many factors need to be considered when initiating and meeting compliance requirements for a given risk area. Mapping out the stakeholders (internal and external), functionality, technologies and integrations involved for a selected risk domain defines the business processes required to deliver it.

Dean Alms is chief product officer at Aravo.