Another onerous task or a boon? How is sustainability risk getting formalised and what can it bring to the table for third-party risk management?
Thanks to the emerging economic trends of the past three decades, third-party risk management (TPRM) has become a top operational risk priority.
First of all, globalisation created sprawling and hence often opaque supply chains. Outsourcing, one of globalisation's main features, shifted responsibility further away from manufacturers and service providers while bringing unprecedented profit growth.
The more recent “platform economy” enabled by digital technology requires the collaboration of a wide array of partners and vendors, as well as the sharing of technology and data between them. And cloud computing, the biggest game changer of digital transformation, can involve storing even mission-critical data outside the perimeter of the company, thus bringing cybersecurity into sharp focus.
In the pre-digital-transformation days, when consumers cared only about getting good value for their money, third parties attracted little scrutiny. Until footage of sweatshops and articles about labourers toiling away for a pittance on plantations on distant continents became available, third-party risk was an issue that corporations could avoid reckoning with.
Compare this to how environmental and ethical expectations of third parties, and indeed any corporate players, have recently become extremely nuanced. Today, providing decent wages and working conditions is regarded as the baseline.
When it comes to human rights and the environment, for example, no aspect or implication, whether direct or remote, is overlooked. A clothing manufacturer's professed support for gay rights can be tarnished if its Pride-themed line turns out to have been made in a country that punishes homosexuality.
Another example is how some companies are nowadays getting squeamish about their insurers and dropping them if they underwrite the risks of businesses engaged in fossil fuels. Even special third parties, such as sponsors, are being brought under close scrutiny and rejected if they are associated with sectors stigmatised for their contribution to climate change.
The urgency of integrating sustainability risk into TPRM
TPRM, despite having been around for some time, still has its persistent problem areas. One of the classic obstacles is that identifying and assessing the risks vendors pose, whether reputational, compliance-related or cybersecurity-related, is difficult because vendors tend to drag their feet and provide only sporadic information when asked to self-assess.
To make TPRM less time-consuming, pre-completed assessments are available through risk exchanges, and so are vendor-chasing services and automated risk assessment platforms.
Yet the assessment of risk is only as accurate as the information fed into the system. And when it comes to environmental, social and governance-related risks, it seems even harder to establish what controls your third parties have in place and to manage accurately the risks that trading with them involves.
There are several reasons for this. First, many companies see sustainability risk as isolated from traditional risk management. Experts often report being asked whether they provide sustainability risk management services, as if it were an entirely different area of expertise.
Also, there are consistent discrepancies in how sustainability risk is disclosed and communicated. Because the time horizon for sustainability risk is two to four times as long as for general risk, it is often felt that such risks lack materiality, or relevance, to the operation of the business.
Therefore, as an earlier report from the Cambridge Institute for Sustainability Leadership pointed out, risks discussed in sustainability reports often don’t make it into corporate risk disclosures or risk registers.
However, feedback from consumers in the form of boycotts, from investors in the form of divestiture and from authorities in the form of penalties has the potential to lend materiality to sustainability risks that have until now been passed on to society. Or, if companies remain in denial about them, those risks may morph into financial risk and hit the bottom line hard.
The gathering momentum for sustainability reporting
The regulation of environmental and social risk may sound like a double-edged sword for TPRM. It makes the sustainability aspect of third-party risk assessment easier for businesses, especially in the long run, while making reporting harder for third parties. But the current global and digital economic system is so complex and interconnected that, more often than not, a business that has third parties is itself a third party to other enterprises or organisations.
In the light of broader stakeholders’ and societal interests, a regulated space with a manageable number of standards and clear-cut rules is undeniably of huge benefit, and recent developments show that this is going to be the direction of travel.
Consider the EU's planned update to its Non-Financial Reporting Directive, which significantly ramps up mandatory sustainability reporting, as well as the recommendations of the Financial Stability Board's Task Force on Climate-related Financial Disclosures (TCFD), which the EU Directive also integrates.
These are the same recommendations referenced by Chancellor of the Exchequer Rishi Sunak on 10 November, when he announced that from 2023 all UK companies with a premium listing will be required to "comply or explain", a rule that all three of the documents mentioned share. It means that if a business believes a certain environmental risk has no materiality, it needs to justify that position.
The fact that the idea of mandatory climate reporting is gaining wide public support from financial institutions, end-user businesses and government departments alike strongly suggests that it will bring a significant improvement in the quality of reporting this time round. (The UK's move has the support of BlackRock, the world's biggest asset management company, while 1,500 organisations back the TCFD guidance.)
Social reporting is likely to follow suit. Paris-based global consultancy Mazars pointed out early in the Covid crisis that businesses are being watched closely and evaluated on their efforts to mitigate the social damage of the pandemic: whether they deserve kudos for absorbing some of the social shock or have adopted a "bunker mentality that included cancelling orders and forcing premature redundancies on vulnerable suppliers".
Those managing third-party risks may at first feel overwhelmed by this shift toward mandatory sustainability risk management. A new reporting framework with established standards, however, may free up a lot of their time in the long run, making the assessment of third-party risks faster and their management more efficient.
To learn more about the TCFD recommendations, visit www.cdsb.net/tcfd-implementation-guide.
by Zita Goldman