How are compliance officers bringing ESG into third-party due diligence programmes?
Why and how are compliance officers bringing ESG into their third-party due diligence programmes?
Whether it is referred to as sustainability, ethical responsibility, or CSR, it seems as though everyone is currently talking about environmental, social and governance (ESG) concerns, and for good reason. In this article, we will take a look not only at the reasons behind this growing trend but also explore some very specific adjustments you can make to bring ESG into your broader compliance programme.
The growing interest in the compliance space links to increasing public awareness and resulting reputational risk as well as greater checks and balances being put in place by regulatory bodies. The signing of the UN Paris Agreement by world leaders in 2016 was the start of a new wave, with the latest to jump on board being the EU who are expected in the next year to release regulations calling on European companies to conduct ESG due diligence as part of their onboarding process.
While regulations are still nascent and enforcement is low, more and more of our clients are starting to take ESG more seriously rather than treat it as ‘soft’ or optional. After all, this is exactly how the anti-bribery and corruption (ABC) regulatory environment we know today emerged. The US adopted the FCPA in 1977, and while not widely enforced initially, it gathered momentum and other countries soon started to follow suit. Over several decades we’ve seen enforcement increasing in both frequency and size, most recently with Goldman Sachs receiving a $3.3bn penalty, and with the former president of Terra Telecommunications Corp receiving one of the longest FCPA-related prison sentences of 15 years in 2011. Not many companies today would run the risk of taking ABC risk management lightly.
For most companies we work with, ESG concerns are managed separately from ABC risk, with specialist sustainability or labour rights teams focusing on the monitoring and training of third parties after the onboarding is complete. As ESG becomes more of a central concern, we expect to see a shift in how companies handle it internally. The question many of our clients are now asking themselves is whether they could be doing more upfront as part of their wider due diligence and onboarding process.
In the same way that sanctions, financial crime, and ABC risks, while distinct, are often assessed under one cohesive compliance due diligence process, it makes sense to also join forces on the supply-chain and broader third-party due diligence and look at ESG at the same time. In fact, more and more of our clients are considering how they can best capitalise on those synergies and build efficiencies by bringing the teams together under one roof, with a few looking to merge them completely.
There are a few key considerations if you’re wanting to bring ESG into your broader due diligence process:
- Questionnaires. ESG-related information will need to be gathered both internally on the relationship type and externally from the third party itself. Rather than duplicating efforts and reaching out to your third parties more than once, this can be achieved through simply adjusting your current, tried and tested questionnaires, to capture additional ESG concerns. In this vein, we at Control Risks built on our ABC internal and external questionnaire templates to include questions around how diversity is handled, what environmental goals a third party has, and what safeguards are in place against modern slavery, to name just a few.
- Workflows. Key risk indicators for ABC will be different than those for ESG: suppliers may be considered very low risk from an ABC perspective, for example, but when it comes to ESG, supply chain is a major risk area. It makes sense to have one cohesive workflow if possible, but that leaves the challenge of ensuring these different risk factors are captured and assessed appropriately. This is the value of a technology solution which can take the same information and automatically calculate a different score for the different types of risk, be it environmental, social or governance/ABC.
- Due diligence: Much in the ESG space is conducted through assessing self-reported information provided by the third parties, but there is also value in supporting this with independent checks to better understand and verify a company’s ESG footprint and approach. However, external due diligence must be conducted in recognition that these risk areas are not always closely regulated, monitored and reported in the public domain. As a result, we have developed a specific methodology to provide more nuanced profiling of the company’s approach to ESG and couple this with an assessment of the broader context in which they operate. We conduct a specialist review of the media and key NGO and regulatory sources as well as reviewing the company’s own public reporting, analysing what it reveals about its management of and attitude towards the full range of ESG-related risks. We then use industry ratings rooted in international standards, and our own proprietary country ratings, to assess each of the environmental, social and governance risks associated with the third party’s operations. We can also conduct on-the-ground reference checks to gain further insight from the relevant business community on the third party’s ESG approach. This means that even if only limited information is found or published by the third party in the public domain, our clients can gain a reliable indication of the overall level of ESG risk the third party faces and subsequently poses.
- Organisational approach: Not all companies will choose to fully merge their ESG teams with their broader compliance teams. It is important that each organisation finds the right set-up for it based on the factors driving its ESG interest, the specific risk profile and tolerance of the organisation and the type of work they do and where. If the teams do remain separate, there may still be some efficiencies and synergies to be gained across the two. This is why we have developed our ESG assessment as a distinct section of our overall compliance-driven reports, ordered as an add-on, to allow for report-sharing and budget splitting between different teams.
In summary then, recent and expected shifts in the regulatory landscape make it pertinent to start thinking about how your organisation will choose to handle ESG concerns. It makes sense to incorporate them into your existing due diligence process but there are some key considerations to be made about if and how you will choose to integrate that into your compliance programme, not least how the different elements of ESG risk can translate differently across your third-party population. The key challenge, however, will be rationalising your approach within your organisation so no matter how you choose to proceed, clearly documenting your decision-making process will be vital.