ESG is about to ROCK the Third-Party Risk World
The extended enterprise defines business today. An organization is not defined by brick and mortar walls and traditional employees. The organization is a web of third-party relationships of suppliers, vendors, outsourcers, service providers, distributors, contractors, consultants, brokers, dealers, agents, and more. The actions and behavior of these third parties impact and shape the reputation and brand of the organization. Their risk issues are the organization’s risk issues.
Third-party risk programs are about to change significantly. In the past, there was a dominant focus on information security and privacy risk in these relationships. Programs were also fragmented: different departments monitored and managed their own silos of risk without seeing the big picture of risk across a third-party relationship. This is changing. A growing array of regulations will restructure how organizations define and manage risk in the extended enterprise.
In particular, there are pending directives and legislation with an expansive scope that are expected to be passed this summer: the EU Directive on Mandatory Human Rights, Environmental, and Good Governance Due Diligence, alongside Germany’s corresponding Corporate Due Diligence Act. These are SIGNIFICANT pieces of legislation that are expected to become law in the next few months.
The scale and impact of these laws will be global. Think EU GDPR (General Data Protection Regulation) in scope. Organizations around the world have had to respond to GDPR because they hold EU citizen data. These two pieces of legislation have a potentially global impact with significant teeth.
Consider that the governing EU directive, which is to become national law in each EU member country, is projected to impact any organization with operations in Europe (whether or not it is headquartered there) that has more than 250 employees and/or more than €50 million in annual revenue. So if an organization has any presence in Europe, regardless of where it is headquartered, it will have to address the requirements coming from this directive. Germany’s legislation is the first EU member-state law to support this directive and is expected to become law in the same timeframe in which the EU directive is finalized.
These laws are more than reporting requirements; they will have teeth. They are NOT like the United Kingdom Modern Slavery Act and California’s Transparency in Supply Chains Act. These new laws are expected to have significant enforcement penalties and sanctions and large administrative fines (similar to antitrust and GDPR fines). They require thorough and continuous due diligence of third-party relationships in the context of environmental practices, social and human rights, and governance to address corruption.
Here are a few excerpts from the published notes on the draft directive:
- For the purposes of this Directive, due diligence should be understood as the obligation of an undertaking to take all proportionate and commensurate measures and make efforts within their means to prevent adverse impacts on human rights, the environment, or good governance from occurring in their value chains, and to address such impacts when they occur.
- In practice, due diligence consists in a process put in place by an undertaking in order to identify, assess, prevent, mitigate, cease, monitor, communicate, account for, address, and remedy the potential and/or actual adverse impacts on human rights, including social, trade union and labour rights, on the environment, including contribution to climate change, and on good governance, in its own operations and its business relationships in the value chain.
- Due diligence should not be a ‘box-ticking’ exercise but should consist of an ongoing process and assessment of risks and impacts, which are dynamic and may change on account of new business relationships or contextual developments.
This is going to fundamentally change and restructure third-party risk management programs. I have advocated that organizations need to move beyond scattered silos of third-party risk oversight to create an integrated third-party GRC (governance, risk management, and compliance) program. This unifies a single approach to govern risk in third-party relationships and delivers a 360° contextual awareness of risk in relationships. It also is more than risk management; it is also about the governance of these relationships to ensure they reliably achieve objectives, address uncertainty, and act with integrity in each relationship in the extended enterprise.
The writing is on the wall: just as the EU GDPR changed the world’s understanding of and approach to privacy, this new EU directive and Germany’s law will change how organizations manage and monitor risk in the extended enterprise. Organizations should start defining an integrated strategy for third-party GRC to address these forthcoming requirements in a unified and consistent way.
Chair & Founder, Neo Group; DoD Board, Reserve Forces Policy Board; Founder & Board Member, Supply Wisdom
3 years ago
We are already starting to see evidence in customer requests. Do you think the demand will be for continuous monitoring of ESG risks rather than an annual disclosure only?
GRC, Cyber and Infosec Programme Architect | Archer IRM | Risk Quantification, Operational Resilience, ESG | CISM, ISO27001, DORA, PS21/3, GDPR, NIST | Archer IRM
3 years ago
Interestingly, Thomas and I spoke at the IBM Regtech Summit on this with Supply Wisdom's John Bree & Victor Meyer on the latest risk report from the World Economic Forum, which showed a shift towards 3rd Party and ESG Risk and the need for continuous monitoring. Especially in terms of adverse media alongside the traditional cyber and financial risks. We have seen responsible Financial Institutions adopt the Equator Principles in their investment strategies. It's good that that lens is now looking at the supply chain too, and Governments are beginning to legislate on ESG as they are now doing with Privacy. Thanks for posting.