ESG factors are often used to evaluate a company’s commitment to sustainable operations, whether through the environmental factors that offer insight into an organization’s environmental impact, the social component that reflects an organization’s treatment of its stakeholders, or the governance factors that assess whether a company’s internal processes ensure the organization, and its employees, act with professionalism and integrity. Internal audit plays a role in this and must consider and, ultimately, understand its organization’s appetite for ESG risk, especially as it relates to vendor third-party risk management.
What is third-party risk?
A third party is defined as any business entity that (often, but not always) has a written agreement with an organization to provide products or services to their customers or on behalf of the company. And while these third parties — software providers, general suppliers, delivery and cleaning services, call centers, consultants, and contractors — help businesses fill gaps in current capabilities, increase efficiency, and more, internal audit teams must ensure that their organization accounts for all potential risks, including ESG risks, introduced by leveraging third parties.
What is ESG risk?
When it comes to ESG risk, it is not as straightforward as internal auditors might like. As an initial requirement, you must understand your own organization’s ESG risk program; without that, it will be impossible to understand how individual risks are affected by third parties. Be sure to review the vendor's third-party risk management policy and understand your organization’s contracting process to ensure that third-party risk requirements (including ESG risks) are covered. And while internal auditors can’t apply the same risk controls as if these activities were happening in-house, they should expect to see adequate controls and the necessary assurances aimed at reducing these risks.