
Why Aligning ESG, ERM, and Third-party Risk Management is Key to Creating Value


INTRODUCTION

The whole is greater than the sum of its parts.

From pandemics to climate change, many of the risks we face today are compound risks, connected to each other, and affecting multiple parts of the business simultaneously. These risks often unfold in quick succession and require escalating effort to manage. Keeping these risks in check calls for a robust risk management approach – one that provides the frameworks, standards, processes, controls, and reporting that can adapt to and apply across diversifying and emerging risk categories.

One of the most talked-about business challenges in recent times is environmental, social, and governance (ESG) practice. ESG is a rapidly evolving practice that encompasses a wide range of issues, including defining and reporting your organization’s carbon emissions, sustainability, and diversity and inclusion initiatives, to name a few. As more companies are held accountable for their ESG performance by investors, consumers, communities, and regulators, the demand for greater transparency and accountability is increasing. Known risk management practices, disciplines, and analytics can be beneficial to ESG practitioners working toward improved standards, reporting, and market acceptance.

Third-party risk management (TPRM) is an important element within the reporting scope of an ESG initiative because we now know that for many organizations, most of their carbon emissions come from their supply chain. Yet passing the buck onto suppliers isn’t an acceptable option. Today’s investors, regulators, and consumers hold first parties as accountable for third-party failures as the third parties themselves, if not more so, making it imperative to extend GRC disciplines across the third-party ecosystem.

Ultimately, the connections between enterprise risk management (ERM), ESG, and TPRM are inescapable. Where a company may be perceived as having ESG risks, a standardized ERM approach can help it manage and mitigate the potential reputational fall-out. Similarly, where a company's relationships with a third party may impact its ESG performance, an integrated TPRM program – either run under the umbrella of an ERM program or applying the best practices gleaned from one – can help ensure that those relationships are managed in a responsible and sustainable manner.

ESG and TPRM are both standalone risk categories, yet are increasingly interwoven into larger governance, risk, and compliance (GRC) and enterprise risk management programs. We expect deeper interconnectivity and interdependencies to emerge across these components into the whole. What’s already evident is that with effective and integrated ERM processes, companies can build more sustainable businesses, optimize third-party relationships, and create long-term value for all stakeholders.

The Changing Nature of Risks

In 2020, climate change didn’t even figure in the top 10 risk concerns of CEOs around the globe. Just two years later, it was cited as a top 5 risk with 33% of CEOs stating that they were very concerned or extremely concerned about climate change’s impact. Today, 65% of directors say that ESG is part of the board’s ERM discussions. This is a good sign because ESG risks today:

[Figure: The Changing Nature of Risks]

ESG risks don’t always have to manifest as a headline-making anti-diversity scandal or an oil rig explosion. Almost every business practice today has some element of ESG embedded in it. Whether it’s the use of non-renewable energy sources, or unfair recruitment practices, or unsustainable waste disposal methods – all of it can add up to damage customer and investor perceptions of a brand.

ESG risks in the extended enterprise

To know just how significant third-party ESG risks have become, look no further than the regulatory landscape. In the last few years, we’ve seen a surge of new and potential mandates focusing on human rights and environmental due diligence in supply chains. From the EU’s proposed directive on sustainable corporate governance, to Canada’s draft supply chain transparency law, to Germany’s Supply Chain Due Diligence Act – more regulations are pushing companies to take responsibility for social and environmental violations across their third-party ecosystem. 

By linking existing TPRM practices with your ESG program, you can better understand how third parties impact your ESG ratings, which suppliers contribute the most ESG risks, what commonalities are shared by ESG and TPRM regulations, and more. The idea is to build a coordinated cross-functional approach that can minimize operational redundancies, while also making risk management more cost-efficient and agile. 

The next step is to integrate ESG and third-party risks into your ERM framework. The resulting holistic risk view can help you make better-informed strategic decisions that not only catalyze business growth, but also strengthen trust with all stakeholders.

Despite greater awareness of ESG issues, 41% of organizations still have only a low-level, ad hoc capability to assess and prioritize risks in their extended enterprise.

Connecting the Dots Across ESG, ERM, and TPRM

In the past, ESG and third-party risks were typically managed in silos. But today, companies are fast realizing just how interconnected these risks are, and how they affect multiple parts of the enterprise, while also amplifying the impact of other risks. For example, an unsustainable food supply chain – which combines both environmental and supplier risks – could result in raw material shortages or worse, contaminated food supplies. This, in turn, could impact food production, consumer satisfaction, and brand perception. 

The converse is also true – other enterprise risks affect ESG and third-party risks. For example, a cyberattack on a chemical facility could result in hazardous waste being leaked into surrounding ecosystems. A pipeline breach could cause fuel shortages. The compounding elements of risks today make it essential for businesses to better understand where, how, and at what intensity risk lives across their entire value chain. 

Understanding these interdependencies is key to organizational resilience. It’s about stepping back and looking at the big picture. If you don’t know your risk universe fully, you may never be able to connect the dots and understand what matters most to your business objectives. Some executives, for instance, might see ESG as a drain on their organization’s time and resources. But leaders who understand how ESG touches and impacts multiple aspects of their business – as well as their stock price – are likely to have a different perspective.

When established ERM practices are applied to ESG and TPRM, it becomes easier to see how various factors such as employee welfare, raw material sourcing, production practices, and waste management can impact your overall risk profile and either hinder or help your business strategies and objectives. It helps that ESG and TPRM align well with ERM practices like risk identification, materiality assessments, metrics monitoring, and reporting. Both can be easily embedded into your ERM framework and processes to create a blueprint that can be operationalized across the enterprise.

[Figure: Connecting the Dots Across ESG, ERM, and TPRM]

The Opportunities of a Connected Approach

For years, ERM was about preserving value, or protecting the business against adverse events. But today, it’s also about creating value, and driving business success. So, even as you use ERM to mitigate the downside impact of ESG and third-party risks, remember that both sets of risks also present multiple opportunities to evaluate and improve your business practices in a way that brings long-lasting business advantage.

Consider the following: 

  • A more inclusive approach to hiring could reduce employee turnover, and improve innovation 
  • Waste recycling can help you minimize raw material costs, and save on taxes 
  • Stronger community involvement can help you enhance brand awareness as well as employee morale 
  • Better visibility into third-party ESG risks can help you forge the right partnerships, and minimize inefficiencies in your supply chain 
  • A commitment to carbon neutrality can help you strengthen customer loyalty, and improve access to capital

Integrating ERM with ESG and TPRM brings additional business benefits, including:

[Figure: The Opportunities of a Connected Approach]

How to Get Started

Now that the value of an integrated approach is clear, here are some ways to build those connections between ERM, ESG, and TPRM:

  • Create a single source of risk truth: ESG and third-party risks ultimately represent business risks – so, treat them as such. If you don’t already have a centralized risk register as part of your ERM program, build one. Map your risks together and understand how they impact and influence each other. Then, link them to the associated controls, testing processes, business units, assets, and objectives for a more nuanced understanding of your risk universe.
  • Improve cross-functional collaboration: Consider implementing a GRC platform that can help all your teams – be it risk management, procurement, sustainability, compliance, or HR – to seamlessly communicate and coordinate ESG risk management activities. The better your teams work together, the more prepared your organization will be for all the risks that come its way. 
  • Establish strong risk frameworks and methodologies: Best-in-class ERM frameworks are built around multiple risk pillars, including strategic, operational, financial, compliance and environmental. They also use a range of qualitative and quantitative methods – including a megatrend analysis, SWOT study, ESG materiality assessments, stress testing, and a what-if scenario analysis. These procedures enable a more complete assessment of risk exposure. 
  • Keep your taxonomies consistent: Having a common risk taxonomy enables risk management and sustainability professionals across locations to have more meaningful conversations around risks and opportunities. 
  • Examine various risk dimensions: Look at ESG and third-party risks from different angles. How do your internal operations and supply chain impact the environment and community? How do environmental and social changes in the external world impact your business? Conduct vulnerability assessments to determine the propensity of your business to be adversely affected by an ESG risk. 
  • Get the first line involved: Your front-line employees going about their day-to-day operations are often the first to spot a potential ESG risk – be it non-inclusive hiring practices, or a falsification of emissions test data. Establish simple mechanisms for them to capture and report these issues. Ensure that the data flows to the right people quickly, so that the risk is proactively mitigated. 
  • Automate wherever possible: With risks and threats striking faster than ever, you can’t afford to wait months or even weeks for the results of a risk assessment. Find ways to automate ESG and third-party risk measurement, monitoring, and reporting within your ERM program – so, you can act on the right risks, faster.

How MetricStream Can Help

MetricStream helps you capitalize on the synergies between ERM, ESG, and TPRM by integrating all of them on a connected GRC platform. You can easily connect the dots to understand how ESG risks impact other business risks across the enterprise and third-party ecosystem. At the same time, you can manage ERM, ESG, and TPRM as standalone programs with robust risk assessments, monitoring, and reporting tools.

MetricStream ERM software can help you:

  • Accurately understand your risk exposure at various levels of the enterprise 
  • Quantify risk impact through multi-dimensional risk and control assessments 
  • Achieve forward-looking risk visibility with predictive risk metrics and indicators 
  • Make smarter and more risk-aware decisions with powerful analytics, heat maps, reports, and dashboards

With MetricStream ESGRC software, you can:

  • Centrally manage and map ESG standards, frameworks, and disclosure requirements 
  • Use a centralized risk library and framework to manage ESG risks, while also simplifying risk assessments and analysis 
  • Automatically capture and aggregate ESG metrics for consistent reporting and trend analysis 
  • Use AI to identify ESG issues, uncover similarities, and prevent their recurrence

Finally, MetricStream TPRM software enables you to:

  • Gain an integrated, real-time view of your extended enterprise, including third- and fourth-party risks
  • Automate third-party information gathering, onboarding, real-time monitoring, risk assessments, compliance evaluations, and risk mitigation 
  • Deepen visibility into third-party risk through globally sourced and trusted content

Conclusion

If you manage ESG separately from TPRM or ERM, you may still be able to meet your objectives. But you’ll also end up adding new programs, procedures, controls, and systems which are not only costly and often redundant – they also weigh down the business. Plus, managing any kind of risk data in silos hampers overall risk visibility.

The best part about linking ESG to TPRM and ERM is that you don’t have to reinvent the wheel. You already have frameworks and processes in place that can be aligned to your ESG objectives. Also, by layering ESG into a proven ERM program, you can make sustainability and social responsibility a natural part of daily operations, and not simply a compliance or marketing activity.

At the end of the day, ESG is about balancing purpose and profitability. The more you know about your ESG risks – how they affect different parts of your business in different ways, and how they interact with other risks – the more value you can create for your business, your stakeholders, and the planet at large.

