Understanding Third-Party Risk in ESG Context: A Comprehensive Guide 

by AnhNguyen, May 27, 2024

Third-party risk management (TPRM) involves identifying, assessing, and controlling risks linked to outsourcing to vendors, suppliers, contractors, or partners. These risks can affect operational performance, financial stability, regulatory compliance, and reputation. Effective TPRM programs ensure third parties meet the organization’s standards and requirements, minimizing potential disruptions and adverse outcomes. 

The significance of TPRM has increased substantially in recent years, driven by the growing complexity and interconnectivity of modern supply chains. According to KPMG International’s 2022 research, which surveyed 1,263 senior TPRM professionals across six sectors and 16 countries, territories, and jurisdictions worldwide, TPRM is a strategic priority for 85% of businesses, up from 77% before the outbreak of the pandemic [1]. Additionally, in a Gartner survey of 100 executive risk committee members in September 2022, 84% of respondents said that third-party risk “misses” resulted in operational disruptions, underscoring the critical need for robust TPRM frameworks [2].

In the context of ESG (Environmental, Social, and Governance) criteria, third-party risk management is equally crucial. Ensuring that third parties comply with ESG standards is vital for maintaining the sustainability and ethical integrity of an organization’s operations. With increasing regulatory scrutiny and growing consumer demand for responsible business practices, integrating TPRM into ESG initiatives allows businesses to more effectively manage risks and promote a positive environmental and social impact. This alignment not only safeguards an organization’s reputation but also contributes to long-term resilience and success. 

Understanding Third-Party Risk in ESG  

Let’s start by exploring third-party risk, which refers to potential threats and vulnerabilities that arise when an organization outsources services or functions to external entities, such as vendors, suppliers, contractors, or business partners. These risks can manifest in various forms, including operational disruptions, financial losses, legal liabilities, regulatory breaches, and reputational damage. Essentially, third-party risk arises from relying on external parties whose actions, controls, and practices may not fully align with the hiring organization’s standards or expectations. As businesses increasingly depend on global supply chains and interconnected networks, the importance of robust third-party risk management systems becomes paramount. These systems ensure resilience, compliance, and sustained operational integrity, thereby protecting the organization from the myriad risks associated with third-party dependencies. 

Environmental, Social, and Governance (ESG) factors are crucial in third-party risk assessment and management. With over 70% of companies relying on outsourcing to streamline operations, third-party vendors and suppliers significantly impact an organization’s ESG profile and reporting. However, many third-party risk professionals struggle to integrate third-party data into their ESG transparency and reporting efforts. This challenge is understandable, given the scarcity of practical guidance on the topic. TPRM teams must prepare for the inevitable integration of ESG considerations, but the question remains: how can they effectively achieve this? 

Environmental Risks 

Environmental risks refer to the potential impact of an organization’s operations on the natural environment. These can include pollution, depletion of resources, carbon emissions, and waste management issues. When it comes to third-party risk management, identifying and assessing these risks is crucial as they can impact an organization’s environmental sustainability goals. 

  • Pollution: Third parties can contribute to environmental pollution through activities such as manufacturing, waste disposal, and transportation. This can result in air, water, and soil contamination, which can harm ecosystems and public health. 
  • Carbon Emissions: Third-party operations can significantly contribute to greenhouse gas emissions. Partnering with companies that have high carbon footprints can undermine an organization’s efforts to reduce its overall environmental impact. 
  • Waste Management Issues: Inadequate waste management practices by third parties can lead to the improper disposal of hazardous and non-hazardous waste. This can create environmental hazards, regulatory compliance issues, and damage the reputation of the partnering organization. 
  • Non-compliance with Environmental Regulations: Third parties that fail to adhere to local and international environmental regulations can expose an organization to legal liabilities, fines, and sanctions. This non-compliance can also tarnish the organization’s image and stakeholder trust. 
  • Supply Chain Risks: Third parties in the supply chain can introduce environmental risks through practices like unsustainable farming, illegal logging, and mining. These practices can have far-reaching impacts on global environmental sustainability. 
  • Reputation Damage: Associating with third parties that have poor environmental track records can harm an organization’s reputation. Stakeholders, including customers and investors, may view the organization as complicit in environmentally harmful practices. 

One notable example of pollution from third-party actions is the BP oil spill in the Gulf of Mexico in 2010. BP outsourced operations to subcontractors like Transocean and Halliburton, whose failures contributed to one of the worst environmental disasters. The spill led to extensive water contamination, devastating marine life, and long-lasting damage to the Gulf’s ecosystems. Another example is the emissions scandal involving Volkswagen’s third-party suppliers. Volkswagen used software from third parties to cheat emissions tests, allowing their vehicles to emit pollutants up to 40 times above the limit. This “Dieselgate” scandal caused severe environmental damage and brought significant legal and financial repercussions for Volkswagen. These incidents highlight the need for strict scrutiny and compliance checks on third-party operations to ensure alignment with environmental goals and regulations. 

Social Risks 

Social risks, also referred to as societal or community risks, encompass the impact of an organization’s actions on society and local communities. These can include labor practices, human rights violations, and impacts on marginalized groups. Third-party risk management teams must assess social risks to protect their organizations from legal, reputational, and operational disruptions. 

  • Labor Practices: Third parties may engage in exploitative labor practices, such as forced or child labor, to reduce costs. This can reflect poorly on the partnering organization’s ethical standards and jeopardize its relationships with customers and stakeholders. 
  • Human Rights Violations: Third-party operations may cause or contribute to human rights abuses, such as discrimination, unsafe working conditions, and denial of worker rights. These violations can lead to legal consequences and harm the organization’s reputation. 
  • Non-compliance with Labor Laws: Partnering with third parties that do not comply with labor laws can expose organizations to legal liabilities and penalties. It can also damage the organization’s reputation as a responsible employer. 
  • Supply Chain Risks: Third-party suppliers may engage in human rights abuses, such as sourcing materials from conflict zones or using exploitative working conditions. This can create significant reputational risks for the partnering organization. 
  • Reputation Damage: Aligning with third parties that engage in social risks can damage an organization’s reputation and undermine its efforts towards responsible practices. This can result in loss of trust from stakeholders, including customers, investors, and employees. 

One notable example of a human rights violation involving third-party operations is the use of child labor in cocoa production for Nestle products. In 2015, Nestle faced a lawsuit for allegedly using child labor in its supply chain. The company’s failure to address these allegations promptly resulted in significant reputational damage and legal consequences. Another example is the Rana Plaza tragedy, where over 1,100 workers were killed when a garment factory collapsed in Bangladesh. The factory was producing clothes for companies such as Walmart and Primark, exposing the unethical labor practices of their third-party suppliers. This incident brought to light the importance of responsible sourcing and supply chain management for organizations. 

Governance Risks 

Governance risks, also known as corporate governance risks, involve the internal policies and procedures that an organization follows to manage third-party relationships effectively. These risks can arise from poor management practices, inadequate oversight, and lack of accountability, leading to financial losses, reputational damage, and regulatory penalties. Third-party risk management teams must ensure that governance practices are robust to mitigate potential risks and safeguard the organization’s interests. 

  • Lack of Due Diligence: Failing to conduct thorough due diligence on third parties can result in partnerships with entities that do not meet the organization’s standards or comply with regulations. This can lead to financial losses and reputational damage. 
  • Weak Oversight and Monitoring: Insufficient oversight of third-party activities can result in non-compliance with contractual terms, regulatory requirements, and ethical standards. Continuous monitoring is crucial to ensure third-party adherence to the organization’s governance policies. 
  • Conflict of Interest: Partnerships with third parties may pose conflicts of interest that can compromise decision-making processes and erode stakeholder trust. Transparent governance practices are necessary to identify and mitigate such conflicts. 
  • Cybersecurity and Data Privacy Concerns: Third-party relationships can introduce risks related to data breaches and cyberattacks. Implementing stringent cybersecurity measures and data privacy protocols is vital to protect sensitive information. 
  • Reputation Damage: Poor governance practices in managing third-party relationships can lead to reputational damage, affecting the organization’s credibility and stakeholder trust. Ensuring strong governance frameworks is key to maintaining a positive reputation. 

One example of governance risks is the Wells Fargo account fraud scandal, where inadequate governance practices allowed employees to create millions of unauthorized accounts to meet sales targets. This scandal resulted in significant financial penalties, legal repercussions, and damage to Wells Fargo’s reputation. Another example is the collapse of Enron, which occurred due to poor corporate governance, lack of transparency, and unethical practices by its third-party auditors. This led to one of the largest corporate bankruptcies in history and highlighted the critical importance of strong governance structures in preventing such failures. 

Final Thoughts 

In today’s interconnected business landscape, managing third-party risks is crucial to safeguarding an organization’s legal standing, reputation, and operational efficiency. Social and governance risks are two of the primary concerns that risk management teams must address. From unethical labor practices and human rights violations to weak governance frameworks and inadequate oversight, these risks can have significant negative impacts if not properly managed.  

High-profile cases, such as the use of child labor in Nestle’s supply chain or the governance failures in Wells Fargo and Enron, underscore the necessity for due diligence, robust monitoring, and strong ethical practices. Organizations must be proactive in their approach, ensuring that their third-party relationships are managed with the utmost integrity and compliance. 

Looking ahead, implementing Environmental, Social, and Governance (ESG) criteria into third-party risk management programs is becoming increasingly important. In our next blog, we will explore the steps needed to integrate ESG principles into your organization’s risk management strategy effectively. Stay tuned for actionable insights and best practices to enhance your third-party risk management framework. 


Sources: 

[1] https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2022/01/third-party-risk-management-outlook-2022.pdf 

[2] https://www.gartner.com/en/newsroom/press-releases/2023-02-21-gartner-survey-shows-third-party-risk-management-misses-are-hurting-ororganizations 
