Assessing Third-Party ESG Risks

Marion Jones

April 3, 2023

Environmental, social and governance (ESG) concerns have never been more important to companies that want to protect themselves against reputational and regulatory risk. However, many companies do not consider how the third-party vendors they contract with can affect their own ESG profiles. By incorporating basic ESG due diligence into third-party risk assessments, companies can avoid inheriting unknown risks from vendors and other partners.

A Growing Focus on ESG Issues

The increased public attention on ESG issues is unlikely to be a short-term fad. Global ESG assets are expected to grow from an estimated $35 trillion in 2022 to $50 trillion by 2025, according to a Bloomberg Intelligence report. In addition, a 2022 University of Oxford and Protiviti poll of global business executives found that 64% expected corporate spending on managing environmental risks to increase in the coming years.

Oxford and Protiviti also found that 78% of business executives believe ESG reporting will become mandatory in the next decade. This would further cement ESG as a long-term concern for businesses and could lead to hefty penalties for ESG failures such as environmental pollution, workplace harassment and data privacy violations. In fact, regulatory activity has already started to ramp up. In 2021, for example, the U.S. Securities and Exchange Commission (SEC) announced that it was creating an enforcement task force focused on ESG issues, with particular attention to climate-related risks. In March 2022 it also proposed a rule that would require publicly listed companies to include more extensive disclosures on climate-related risks in their regulatory filings.

Evaluating and Minimizing Third-Party ESG Risks

According to a 2020 Mastercard study, the average third-party risk manager was responsible for assessing more than 50 new vendors each year in addition to managing already contracted vendors, and some companies have more than 5,000 third-party vendors. With volumes like these, third-party risk evaluations are often limited to immediate security concerns, such as confirming that a vendor has baseline security controls in place, and do not extend to ESG-related issues.

Organizations cannot assume that third parties hold themselves to the same ESG standards they do. They must also remember that they inherit the ESG risk of any third party they do business with. For example, if one of an organization's vendors is found to have violated labor or environmental laws, the contracting organization's public image suffers along with the vendor's. Further, losing a key vendor can seriously degrade the organization's business operations. Under some circumstances, such as cases of human trafficking or violations of the Uyghur Forced Labor Prevention Act, the organization could also be held at least partially liable, criminally or civilly, for the vendor's misconduct.

Organizations can begin to evaluate third-party ESG risks by taking the following steps:

1. Identify the ESG risks that are relevant to your organization and important to your stakeholders. Companies should first determine which ESG risks they may be exposed to and which issues matter to their employees, board members, customers and other stakeholders. They should also understand which ESG-related regulations, if any, apply to them. The identification step is especially important for an organization with limited resources, which needs to know which areas carry the greatest exposure and must be prioritized.

ESG issues are constantly changing, so it is essential to regularly reevaluate ESG priorities and obligations. For example, following Russia’s invasion of Ukraine in February 2022, doing business with firms affiliated with the Russian government became unpalatable to many companies and their investors. New legislation and regulations may also force businesses to reevaluate ESG risks.

2. Gather ESG risk information on vendors from internal and external sources. Once companies have identified the ESG issues that matter most, the next step is to gather data on vendors to evaluate the risks associated with those issues. Data should be collected from both internal and external sources. For example, companies often have vendors complete questionnaires to identify and evaluate security concerns and controls. Adding ESG-related topics to these questionnaires can show an organization how a third party evaluates its own ESG risks and what mitigation steps it takes.

Vendors are increasingly releasing their own ESG reports, which are another good starting point for evaluating a vendor's ESG profile. According to the Governance and Accountability Institute, more than 90% of S&P 500 companies and a growing number of companies in the Russell 1000 index now publish sustainability reports.

Organizations can also engage outside auditors to help evaluate a third party's ESG risks and mitigation efforts. Many rating and assurance firms have emerged in recent years that regularly evaluate and score companies on their ESG exposure and mitigation efforts. Outside evaluation and auditing give an organization's stakeholders an additional level of assurance that it is taking ESG risks seriously.

3. Assess ESG risks systematically. Once companies have a process in place to collect data on a third party's ESG risks, they should use a standardized scoring method to assess the data and determine an acceptable level of risk. A systematic scoring method lets a company evaluate a third party's inherent risk, the risk the third party poses absent any controls, and its residual risk, the risk that remains after the third party's controls and other mitigation efforts are taken into account. Multiple tools are available that integrate and evaluate third-party data to improve risk assessment and decision-making.

Using a standard scoring mechanism to assess third parties helps a company determine whether a vendor poses enough ESG risk to require further evaluation, gauge how effective the vendor's mitigation efforts are, and ensure that the risk posed by the third party does not exceed the organization's risk appetite.
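The following is an added example of the kind of standardized scoring method steps 1 through 3 describe; it is not code from the article or from any particular risk tool. It assumes four hypothetical ESG domains with organization-chosen weights, a 1 to 5 likelihood and impact scale per domain, a control-effectiveness figure taken from questionnaire answers or an outside audit, and hypothetical risk-appetite and enhanced-due-diligence thresholds. It computes inherent and residual scores and turns them into a disposition, and it scores a domain the vendor left unanswered as worst case so that a blank questionnaire section can never lower a score. The vendors are constructed sample data, not real companies.

```python
"""Standardized ESG scoring for third parties: inherent risk, residual risk and a
disposition against a stated risk appetite. Added example: every weight, scale and
threshold below is hypothetical and would be set by the organization in step 1."""
from dataclasses import dataclass

# Hypothetical ESG domains and their weights (sum to 1.0). The weights encode which
# issues matter most to this organization's stakeholders and regulators.
DOMAIN_WEIGHTS = {
    "environmental": 0.30,
    "labor_practices": 0.30,
    "data_privacy": 0.25,
    "governance": 0.15,
}
MAX_RAW = 25  # likelihood (1..5) x impact (1..5)

RISK_APPETITE = 30.0          # hypothetical: highest residual score (0..100) accepted
ENHANCED_DD_THRESHOLD = 50.0  # hypothetical: inherent score at or above which the
                              # vendor's self-reported controls must be verified


@dataclass(frozen=True)
class DomainAssessment:
    """One domain from a vendor questionnaire, ESG report or rating provider."""
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe) for the contracting organization
    control_effectiveness: float  # 0.0 (no evidenced mitigation) .. 1.0 (fully mitigated)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be integers 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be 0.0..1.0")


# A domain the vendor did not answer is scored as worst case with no controls, so a
# blank questionnaire section raises the score instead of silently lowering it.
UNANSWERED = DomainAssessment(likelihood=5, impact=5, control_effectiveness=0.0)


def _domain(vendor: dict[str, DomainAssessment], name: str) -> DomainAssessment:
    return vendor.get(name, UNANSWERED)


def inherent_score(vendor: dict[str, DomainAssessment]) -> float:
    """Weighted likelihood x impact, scaled to 0..100, giving no credit for controls."""
    raw = 0.0
    for d, w in DOMAIN_WEIGHTS.items():
        a = _domain(vendor, d)
        raw += w * a.likelihood * a.impact
    return round(raw / MAX_RAW * 100, 1)


def residual_score(vendor: dict[str, DomainAssessment]) -> float:
    """Inherent risk per domain reduced by the evidenced control effectiveness, 0..100."""
    raw = 0.0
    for d, w in DOMAIN_WEIGHTS.items():
        a = _domain(vendor, d)
        raw += w * a.likelihood * a.impact * (1.0 - a.control_effectiveness)
    return round(raw / MAX_RAW * 100, 1)


def disposition(vendor: dict[str, DomainAssessment]) -> str:
    """What the assessment requires next.

    escalate: residual risk exceeds appetite even after claimed controls.
    enhanced_due_diligence: residual is acceptable only because controls offset a high
        inherent risk, so the claims need independent verification (e.g. an outside audit).
    accept: within appetite with unremarkable inherent risk.
    """
    if residual_score(vendor) > RISK_APPETITE:
        return "escalate"
    if inherent_score(vendor) >= ENHANCED_DD_THRESHOLD:
        return "enhanced_due_diligence"
    return "accept"


def unanswered_domains(vendor: dict[str, DomainAssessment]) -> list[str]:
    """Domains the vendor left blank; these were scored as worst case."""
    return [d for d in DOMAIN_WEIGHTS if d not in vendor]


# Constructed sample vendors (not real companies).
SAMPLE_VENDORS = {
    "cloud-host": {
        "environmental":   DomainAssessment(3, 3, 0.6),
        "labor_practices": DomainAssessment(2, 3, 0.5),
        "data_privacy":    DomainAssessment(3, 5, 0.8),
        "governance":      DomainAssessment(2, 3, 0.7),
    },
    "offshore-subcontractor": {  # left the labor section of the questionnaire blank
        "environmental":   DomainAssessment(4, 4, 0.3),
        "data_privacy":    DomainAssessment(1, 2, 0.5),
        "governance":      DomainAssessment(3, 3, 0.2),
    },
    "chemicals-supplier": {  # high inherent risk, strong self-reported controls
        "environmental":   DomainAssessment(4, 5, 0.9),
        "labor_practices": DomainAssessment(4, 4, 0.85),
        "data_privacy":    DomainAssessment(3, 4, 0.8),
        "governance":      DomainAssessment(3, 3, 0.7),
    },
}

if __name__ == "__main__":
    for name, v in SAMPLE_VENDORS.items():
        print(f"{name:24} inherent={inherent_score(v):5.1f} residual={residual_score(v):5.1f} "
              f"-> {disposition(v)} unanswered={unanswered_domains(v)}")
```

The three dispositions map onto the decisions in the paragraph above: the cloud host is accepted, the subcontractor's blank labor section pushes its residual score past the appetite and it is escalated, and the chemicals supplier is within appetite only on the strength of controls it reported itself, so it is routed to enhanced due diligence before the claims are relied on.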

Evaluating ESG risks can seem a daunting task to already overworked risk management teams. However, by incorporating systematic ESG assessments into established due diligence procedures, organizations add a layer of protection against unknown ESG risks from third parties.

Marion Jones, CISSP, CRISC, is a technology consultant focused on third-party risk management and cybersecurity, and previously worked for the U.S. federal government in the intelligence and law enforcement fields.