6 stages to successfully manage ESG third-party risk
ESGCompliance 15 August, 2023


ESG factors are often used to evaluate a company’s commitment to sustainable operations: the environmental factors offer insight into an organization’s environmental impact, the social component reflects an organization’s treatment of its stakeholders, and the governance factors assess whether a company’s internal processes ensure that the organization, and its employees, act with professionalism and integrity. Internal audit plays a role in this and must consider and, ultimately, understand its organization’s appetite for ESG risk, especially as it relates to vendor third-party risk management.

What is third-party risk?

A third party is defined as any business entity that (often, but not always) has a written agreement with an organization to provide products or services to its customers or on behalf of the company. And while these third parties — software providers, general suppliers, delivery and cleaning services, call centers, consultants, and contractors — help businesses fill gaps in current capabilities, increase efficiency, and more, internal audit teams must ensure that their organization accounts for all potential risks, including ESG risks, introduced by relying on third parties.

What is ESG risk?

When it comes to ESG risk, it is not as straightforward as internal auditors might like. It will be impossible to understand how individual risks are affected by third parties if you don’t first understand your own organization’s ESG risk program. Be sure to review the vendor's third-party risk management policy and understand your organization’s contracting process to ensure that third-party risk requirements (including ESG risks) are covered. And while internal auditors can’t apply the same risk controls as if these activities were happening in-house, they should expect to see adequate controls and the necessary assurances aimed at reducing these risks.

The key stages to successfully manage third-party relationships

These stages include the following:

  1. Due diligence and evaluation: This is where an organization builds a business case or requests additional information to identify possible partners and areas of potential risk. The due diligence process and evaluation stage should be a defined and well-documented process within an organization.
  2. Onboarding and operationalizing: Once due diligence is complete, a vendor is selected, and contracts are signed, the next stage is to get the relationship up and running. As soon as the third party is declared operational, the business owner is expected to manage the relationship.
  3. Monitoring: Monitoring is a critical step in the vendor third-party risk management process. Throughout the relationship, the business owner periodically evaluates whether the vendor’s performance meets expectations. There may be performance metrics to measure success in terms of productivity, efficiency, or return on investment that have been established during the due diligence and onboarding process. Any changes or updates to that vendor agreement should be made note of to keep the organization informed of any potential risks. Additional considerations during the monitoring stage include:
    1. Governance: This is straightforward, but it’s worth mentioning that it also includes IT risk and, particularly, data governance, especially as more organizations move into cloud services. It’s critical to ensure that data privacy rules and regulations are complied with, that data is secure and protected, and that data from third parties is complete, accurate, and reliable.
    2. Legal contract compliance: Ensure the contract is in writing and, more importantly, that mechanisms are in place to comply with the contract’s essential terms. Legal, Procurement, or the Business Unit may be responsible for the ongoing monitoring of all legal and contractual obligations, both the organization’s own and those of the third party. Auditors can also verify that “right to audit” clauses are included in contracts where appropriate and can ensure that those clauses are exercised on a risk-based approach.
    3. Business operations satisfaction: Continue to measure the relationship against the risk requirements that have been established. This stage may require a large amount of record-keeping and documentation. The business should periodically assess the third-party relationship and determine the level of satisfaction. Measurement back to the original drivers should be completed and documented to ensure the organization is receiving the level of service and/or quality of the product that was originally agreed upon.

Internal audit teams can play an important oversight role in ESG third-party risk management. While they might not be making specific vendor management decisions, they should be involved in making sure proper due diligence is followed when selecting vendors. And once vendor relationships are in place, internal audit teams can monitor these arrangements to ensure organizations aren’t opening themselves up to new risks, and provide assurance that controls are operating effectively.
