In today’s business landscape, you should be concerned not only with your own reputation and brand, but the reputations of your third party suppliers. Stakeholders are demanding transparency on ESG risks throughout their entire value chain, including you and your suppliers.
“ESG programs and third-party risk management require speed to insight relative to the supply chain ecosystem. This need for speedy insight poses a challenge if ESG and TPRM are not aligned in their approaches, data and assessments across the supply chain. This is especially important as ESG reporting is becoming a regulatory mandate. So, any enterprise that cannot monitor and report on both ESG and third-party risks places itself in the cross hairs of regulators and activist shareholders, and at higher operational risk.” Joseph Martinez, CPO BNYMELLON (Retired), CSP and C3PRMP
How can ESG-related risks that originate with third-party suppliers directly affect you as the buyer? Buying from a supplier that violates ESG regulations or contract undertakings can impact your profitability and reputation. As a buyer, you are at risk if you do not understand your vendor’s practices as they relate to ESG in the areas of human rights, climate change, responsible resource utilization, and more. You need to use ESG filters to screen suppliers, and their suppliers, during the onboarding process, and continuously monitor ESG performance throughout the supply life cycle.
Make or Buy?
There are many reasons that a company makes the decision to buy a product or service from a supplier rather than sourcing it internally. The product may be one that is essential, but not in the company’s core competencies. An example is IT solutions. If you produce household appliances, among your core competencies are customer intelligence, product design and engineering, manufacturing excellence, and distribution and logistics to get the product to market. IT solutions are required in every phase of your business, but you are not the one best suited to conceive, develop, and perfect them. Thus, you turn to multiple providers, who are experts in the field of IT solutions.
Relying on third parties to provide IT solutions permits you to fund and manage R&D efforts that enable you to compete in what matters most to you, which is producing appliances that delight customers and keep them coming back for repeat sales. It allows you to avoid having to invest in IT R&D.
However, relying on third party IT solutions also presents risks to your organization. You need the data that is captured, analyzed, transmitted, and stored using these solutions to be available continuously. You need to be sure that it is accurate and cannot be manipulated. You also need reasonable assurances that it cannot be hacked or exfiltrated outside your organization. In choosing your third party IT providers, these are some of the risks you need to anticipate, discuss, and manage.
This simplified concrete example is helpful for purposes of illustration. In reality, though, third party risk analysis and management is a complex endeavor. There are many potential risk categories. As an ESG practitioner, it is helpful to me to categorize these risks into environmental, social and governance buckets.
Sticking with the appliance manufacturing scenario, you may track the carbon footprint of your own operations, but what do you know about your suppliers’ greenhouse gas emissions? If you have a goal to lower the GHG emissions associated with your product, you need to know the answer to that question, otherwise achieving your own goal is at risk. Third party due diligence can supply the answer.
Also consider the metals that you buy from global third party sources to use in manufacturing. You have the metals tested to ensure that they are of a quality that satisfies your manufacturing requirements. Do you also know the environmental practices of the mining and processing operations that the metal went through before it reached your factory floor? If your brand is associated with clean environmental practices, you would not want poor environmental stewardship at the mine or smelter to tarnish your reputation.
Other third party environmental risks that you might need to manage include water and waste management, energy source and type, and transportation and logistics.
A troubling social risk is the use of forced or child labor by your supply chain partners. You risk damage to your reputation if this form of labor is exposed.
Beyond reputational risk, forced and child child labor is illegal in many of the places where it is practiced. In fact, the Forced Labor Protocol, which requires signatory countries to implement legislation aimed at eliminating forced labor practices, has been ratified by 58 countries. U.S. law prohibits the importation of goods produced with forced labor. In addition, the U.S. has a law that specifically targets Uyghur forced labor. Further, California has its own Transparency in Supply Chains Act that requires covered companies to report on their efforts to eradicate human trafficking and slavery in their supply chains. Other countries that have adopted anti-slavery or supply chain transparency legislation include the UK, Germany, and The Netherlands.
If you do business with a supplier that uses child or forced labor, you face the risk of being held accountable for your supplier’s illegal practices, and of your supplier being shut down by authorities if their practices are uncovered.
On the selling side of the supply chain equation, you risk not being able to fulfill contractual commitments to your customers if your customer agreements include provisions aimed at reducing child labor.
Other forms of social risk include illegal employment discrimination, harassment and bullying, worker safety, and personal data protection.
Laws, policies and norms play a significant role in third party risk management. It begins with knowing the law, the terms of your own contracts, and the voluntary standards that apply to your business practices. You also need to have a system in place to guide behavior within your organization so that you can satisfy contractual requirements. Not meeting contractual obligations in your customer contracts, such as no child labor in your supply chain, can lead to loss of revenue. Doing business with a third party that is on the sanctions list of a government whose laws you are subject to can lead to fines, penalties, and even loss of trade privileges.
A third party governance risk that has loomed large in the U.S in recent years is compliance with import and export laws. Other governance risks include compliance with procurement rules, particularly for government contractors, and, more generally, alignment with your company’s ethical expectations and core values.
Using an ESG Framework to Uncover Risk
Using an ESG framework for identifying risk helps tease out types of risk that may lie hidden in your supply chain. Knowing what the risks are is the first step toward successfully eliminating the ones that can and should be eliminated, such as illegal practices, and managing the others to preserve your company’s reputation, brand, and revenues.
© 2022 Clear Strategy Co.