6 stages to successfully manage ESG third-party risk

The key stages to successfully manage third-party relationships

These stages include the following:

1. Due diligence and evaluation: This is where an organization builds a business case or requests additional information to identify possible partners and areas of potential risk. The due diligence process and evaluation stage should be a defined and well-documented process within an organization.
2. Onboarding and operationalizing: Once due diligence is complete, a vendor is selected, and contracts are signed, the next stage is to get the relationship up and running. As soon as the third party is declared operational, the business owner is expected to manage the relationship.
3. Monitoring: Monitoring is a critical step in the vendor third-party risk management process. Throughout the relationship, the business owner periodically evaluates whether the vendor’s performance meets expectations. There may be performance metrics to measure success in terms of productivity, efficiency, or return on investment that have been established during the due diligence and onboarding process. Any changes or updates to that vendor agreement should be made note of to keep the organization informed of any potential risks. Additional considerations during the monitoring stage include:
   1. Governance: This is straightforward, but it’s worth mentioning that it also includes IT risk and, particularly data governance, especially as more organizations dive into cloud services. It’s critical to ensure that data privacy rules and regulations are complied with, data is secure and protected, and that data from third parties is complete, accurate, and reliable.
   2. Legal contract compliance: Ensure the contract is in writing and, more importantly, that mechanisms are in place to comply with the contract’s essential terms. Legal, Procurement, or the Business Unit may be responsible for the ongoing monitoring of all legal and contractual obligations for both the organization and the obligations of the third party. Auditors can also verify that “right to audit” clauses are included in contracts where appropriate and can ensure that those clauses are being leveraged on a risk-based approach.
   3. Business operations satisfaction: Continue to measure the relationship against the risk requirements that have been established. This stage may require a large amount of record-keeping and documentation. The business should periodically assess the third-party relationship and determine the level of satisfaction. Measurement back to the original drivers should be completed and documented to ensure the organization is receiving the level of service and/or quality of the product that was originally agreed upon.

Internal audit teams can play an important oversight role in ESG third-party risk management. While they might not be making specific vendor management decisions, they should be involved in making sure proper due diligence is followed when selecting vendors. And once vendor relationships are in place, internal audit teams can monitor these arrangements to ensure organizations aren’t opening themselves up to new risks and providing assurance that controls are operating effectively.