Why and How are Compliance Officers Bringing ESG into Their Third-Party Due Diligence Programmes?


Post By: Emily Morgan, Associate Director, Control Risks

Whether it is referred to as sustainability, ethical responsibility, or CSR, it seems as though everyone is currently talking about environmental, social and governance (ESG) concerns, and for good reason. In this article, we will take a look not only at the reasons behind this growing trend but also explore some very specific adjustments you can make to bring ESG into your broader compliance programme.

The growing interest in the compliance space links to increasing public awareness and the resulting reputational risk, as well as greater checks and balances being put in place by regulatory bodies. The signing of the UN Paris Agreement by world leaders in 2016 was the start of a new wave, with the latest to jump on board being the EU, which is expected in the next year to release regulations calling on European companies to conduct ESG due diligence as part of their onboarding process.

While regulations are still nascent and enforcement is low, more and more organisations are starting to take ESG more seriously rather than treat it as ‘soft’ or optional. After all, this is exactly how the anti-bribery and corruption (ABC) regulatory environment we know today emerged. The US adopted the FCPA in 1977, and while not widely enforced initially, it gathered momentum and other countries soon started to follow suit. Over several decades we’ve seen enforcement increasing in both frequency and size, most recently with Goldman Sachs receiving a $3.3bn penalty, and with the former president of Terra Telecommunications Corp receiving one of the longest FCPA-related prison sentences of 15 years in 2011. Not many companies today would run the risk of taking ABC risk management lightly.

For many organisations, ESG concerns are managed separately from ABC risk, with specialist sustainability or labour rights teams focusing on the monitoring and training of third parties after the onboarding is complete. As ESG becomes more of a central concern, we expect to see a shift in how companies handle it internally. The question many organisations are now asking themselves is whether they could be doing more upfront as part of their wider due diligence and onboarding process.

In the same way that sanctions, financial crime, and ABC risks, while distinct, are often assessed under one cohesive compliance due diligence process, it makes sense to also join forces on the supply-chain and broader third-party due diligence and look at ESG at the same time. In fact, more and more organisations are considering how they can best capitalise on those synergies and build efficiencies by bringing the teams together under one roof, with a few looking to merge them completely.

There are a few key points to bear in mind if you are considering integrating ESG into your broader due diligence process:

  1. Questionnaires. ESG-related information will need to be gathered both internally on the relationship type and externally from the third party itself. Rather than duplicating efforts and reaching out to your third parties more than once, this can be achieved through simply adjusting your current, tried and tested questionnaires, to capture additional ESG concerns. We recommend including questions around how diversity is handled, what environmental goals a third party has, and what safeguards are in place against modern slavery, to name just a few.
  2. Workflows. Key risk indicators for ABC will be different than those for ESG: suppliers may be considered very low risk from an ABC perspective, for example, but when it comes to ESG, supply chain is a major risk area. It makes sense to have one cohesive workflow if possible, but that leaves the challenge of ensuring these different risk factors are captured and assessed appropriately. This is the value of a technology solution which can take the same information and automatically calculate a different score for the different types of risk, be it environmental, social or governance/ABC.
  3. Due diligence. Much in the ESG space is conducted through assessing self-reported information provided by the third parties but there is also value in supporting this with independent checks to better understand and verify a company’s ESG footprint and approach. However, external due diligence must be conducted in recognition that these risk areas are not always closely regulated, monitored, and reported in the public domain. Using a methodology that provides more nuanced profiling of your company’s approach to ESG coupled with an assessment of the broader context in which they operate can provide a more complete picture.
  4. Organisational approach. Not all companies will choose to fully merge their ESG teams with their broader compliance teams. It is important that each organisation finds the right set-up for it based on the factors driving its ESG interest, the specific risk profile and tolerance of the organisation and the type of work they do and where. If the teams do remain separate, there may still be some efficiencies and synergies to be gained across the two.

In summary, recent and expected shifts in the regulatory landscape make it pertinent to start thinking about how your organisation will choose to handle ESG concerns. It makes sense to incorporate them into your existing due diligence process, but there are some key considerations to be made about if and how you will choose to integrate that into your compliance programme, not least how the different elements of ESG risk can translate differently across your third-party population. The key challenge, however, will be rationalising your approach within your organisation, so no matter how you choose to proceed, clearly documenting your decision-making process will be vital.