A crucial part of any organisation’s ESG (Environment, Social, and Governance) framework is third-party risk management (TPRM). Although you may have your own house in order regarding an environmental strategy, and you pay strict attention to regulatory compliance, if one of your suppliers or partners is not so conscientious, they can undo all your hard work. A quick Google search shows hundreds of examples such as:

• Despite its commitment to reform its supply chains, Tesco has been found selling Brazilian meat even though it had prtomised to ban it over deforestation fears, leading to accusations it has been “greenwashing”.
• Ikea’s main supplier (again in Brazil) was accused of environmental damage.
• Fast fashion giant Shein was rejected by the New York Stock Exchange due to its alleged connections with forced labour of the Uyghur population in the Xinjiang region of China.

TPRM falls under the ‘Governance’ pillar of your company’s ESG. To assist you with creating a risk management strategy for third parties connected to your organisation, we have answered some of the most common FAQs on this topic below.

What is ESG?

ESG is an umbrella term for a broad range of environmental, social, and governance factors against which investors and consumers can assess the behaviour of companies. It was primarily used in the financial sector, but it has now been adopted by almost every industry, including fossil fuel, transport and logistics, technology, chemicals, manufacturing, retail and electronics.

An ESG framework consists of:

• Environment – the business’s impact on the environment and climate change, considering factors including a company’s carbon footprint, its effect on biodiversity, and its production of wastes and pollution.
• Social – the management of relationships with stakeholders, including providing good working conditions and fair wages for employees, positively impacting the community, and being accountable for the acts and omissions of global supply chain partners. Inclusivity, data protection and privacy, and services to the community should also be considered.
• Governance – how the organisation is managed, including meeting its regulatory and reporting compliance/requirements and its risk management policies and procedures.

What is a third party?

A third party is any person or entity that your organisation works with. This includes suppliers, manufacturers, service providers, business partners, affiliates, distributors, resellers, agents, and vendors.

Are third-party risks increasing?

In our experience, yes. The reasons for this are two-fold. Firstly, the pandemic, inflation, rising interest rates, the Ukraine/Russian war and instability in the Middle East have resulted in organisations outsourcing more and more functions to reduce internal costs. Secondly, Regulators heavily scrutinise how companies manage outsourcing and general third-party risk. Fines for compliance breaches can reach hundreds of millions of pounds. However, the most destructive penalties, in the form of reputational damage, are largely intangible, leading to loss of consumer, investor, and supplier confidence.

Does my business have a legal duty to ensure third parties are compliant with UK legislation?

Certain Acts and Regulations such as the UK GDPR and the Bribery Act 2010, obligate organisations to ensure their agents and other third parties comply with regulatory provisions. For example, under the UK GDPR, Controllers of personal data must ensure third-party Processors have policies and procedures in place to meet the Regulation’s requirements, and this assurance must be in writing.

What are the most common mistakes made when assessing third-party risk?

Although Boards are paying increasing attention to TPRM, few C-Suite members have complete oversight of every organisation and person the company is doing business with and the risks they impose. However, although more questions about third-party risks are being asked, what we find tends to happen is that the responsibility for TPRM falls to the Chief Procurement Officer, leading to the strategy and framework being dominated by the risk posed by suppliers. A robust and effective TPRM strategy needs to analyse risks posed by all third parties and apply the four Ts of risk management: tolerate, terminate, treat, or transfer to each identified area of vulnerability.

How do I improve my company’s third-party risk management strategy?

The first step towards a holistic, effective TPRM strategy and framework is identifying:

1. Who are the third parties attached to your organisation, and
2. What risks do they pose?

For example, if you are instructing a new business to perform your data processing, not only do you need to evaluate the risks in terms of compliance with the UK GDPR, but also any risks associated with cybersecurity, greenwashing, treatment of employees, human rights, and financial and operational stability. A framework should then be put in place that clearly outlines the risks and who owns them, and an emergency response should a particular risk materialise.

Technology is also a key consideration. Although smaller companies can manage TPRM using spreadsheets, large, multi-site organisations need to invest in risk management technology to put an effective strategy and framework in place and ensure it is regularly updated and any changes communicated to relevant stakeholders.

Concluding comments

Establishing a successful third-party risk management strategy and framework is a resource-hungry commitment. Having an independent advisor to manage the process allows your company’s resources to be directed to other profit-making areas. Furthermore, your organisation will benefit from having an objective, holistic view of your business’s risks.

At 43Legal, we have the knowledge and resources to undertake a comprehensive risk management process. We can also advise and represent you if a third-party dispute develops. We will resolve the dispute quickly and cost-effectively while protecting your best interests.

To learn more about any matters discussed in this article, please email us at [email protected] or phone 0121 249 2400.

The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article, please contact 43Legal.