Do you know how green your third-party service providers are?
That’s the question risk and vendor procurement managers at fund management firms, banks and broker-dealers must soon answer correctly or face reputational and regulatory consequences, say legal and data experts in environmental, social and governance policies. The vendors can be anyone from a fund administrator, custodian bank, offshore operations center, or data storage facility to an audit or legal firm. There could be hundreds of third-party service providers to worry about, so risk and procurement managers need to figure out the most cost-effective approach to evaluate the ESG performance of their vendors. “The amplifying effect of the supply chain impacts both the opportunity to improve and the risk of non-compliance,” says Simon Chard, managing director of IHS Markit’s Know Your Third Party (KY3P) service providing third-party risk analysis. “Each of the suppliers has its own set of employees, facilities and an extended footprint that can grow exponentially depending on their suppliers.” Therefore, it is difficult to avoid an ESG failure at any point.
ESG data tends to capture non-financial information such as company management of energy and water use, waste generation, employee rights and working conditions. It includes almost everything that may reflect how companies are operating within society and the environment. The need to incorporate ESG into third-party risk analysis is driven by two concurrent factors: consumer demand and regulatory requirements. “As customers and investors become more ESG-conscious, they want their financial institutions to follow suit,” says Chris Wright, managing director of the business improvement performance solution at global consultancy Protiviti in New York. “That expectation extends to third-party service providers which can expose their clients to hidden ESG risks, such as natural resource depletion, human rights violations, and corruption.”
Financial firms must live up to their promises. “Although there is currently no federal statute requiring financial firms to keep track of the ESG maturity of their third-party service providers, if a company makes public pronouncements about its ESG philosophy and metrics, it must verify that its vendors are not engaging in practices that undermine the firm’s pronouncements,” says Pamela Palmer, an attorney in the law firm of Troutman Pepper in Los Angeles specializing in corporate governance. Guilt by association could cost financial firms lucrative clients and lead to regulatory penalties for fraud. ESG-conscious firms will have a competitive advantage by attracting like-minded investors and consumers.
The US Securities and Exchange Commission has put corporate disclosure of ESG policies on its list of priorities and is expected to draft specific regulations soon. SEC Chairman Gary Gensler has cited disclosure of climate risk as a goal and other SEC officials have highlighted the importance of ESG disclosures to investors. In March 2021 John Coates, acting director of the SEC’s Division of Corporation Finance, said the SEC should lead the creation of an ESG disclosure system which balances principles with metrics. Over the past few months the regulatory agency’s examiners have also been asking asset managers about their ESG policies and disclosures.
Europe appears to be ahead of the curve when it comes to ESG disclosure and incorporating ESG into supply chain analysis, and US firms could end up having to comply with the EU’s guidelines if they do business on the continent. Europe’s new Sustainable Finance Disclosure Directive calls for asset managers to explain the role of ESG in their investment decisions and prove they are as green as they claim. The UK’s Modern Slavery Act, adopted in 2015, requires firms which do business in the UK with a minimum annual revenue of £36 million to ensure their businesses are free from modern slavery such as forced labor, servitude, and human trafficking. Effective January 2023, Germany’s Supply Chain Act mandates that companies in Germany with more than 3,000 employees prove that they and their suppliers observe human rights and environmental due diligence obligations. The human rights obligations include the avoidance of child labor and slavery while the environmental obligations include the prevention of soil, water, and air pollution. The legislation imposes fines of up to two percent of annual revenues for firms which violate any of its provisions if they have over €400 million in annual revenues; companies with lower annual revenues can be fined up to €800,000.
The European Parliament is eager to use Germany’s example as a pan-European model and has drafted legislation which would require all companies based in the EU to continually assess whether their operations “cause, contribute, or are directly linked to any potential or adverse impacts on human rights, the environment, or good governance.” Each EU member state will enforce the Corporate Due Diligence and Corporate Accountability Directive, with sanctions based on a firm’s annual turnover. Penalties for non-compliance can include seizure of assets. As is the case with many other EU directives, there would be a two-year transition period before the legislation came into full force.
Although the US is unlikely to match Europe’s stringent policies when it comes to monitoring the ESG maturity of third-party vendors, financial firms are becoming more proactive in incorporating ESG data into their risk metrics. “ESG data can be looked at similarly to cybersecurity risk and data privacy in making an evaluation of a vendor’s merits in onboarding and ongoing monitoring,” says Gwendolyn Williamson, a partner in the law firm of Perkins Coie in Washington, D.C. who focuses on ESG disclosure for investment funds. The data is reviewed by two players: the front-line vendor procurement department, which is responsible for contract negotiations, and the risk management department, which analyzes whether the vendor is suitable for the firm. Suitability has historically reflected whether the vendor can flawlessly do the work for which it is paid and the likelihood it will make a mistake that will ultimately cost the financial institution. However, when it comes to ESG criteria, suitability has taken on a whole new meaning. “In the case of ESG, suitability relates to how closely the vendor’s philosophy and actions match the financial firm’s value system and how it is trending,” says Daniel Maloney, director of the North America third party risk practice at global consultancy Accenture in New York. “The vendor may not initially fulfill the financial firm’s criteria, but improvement will go a long way to convincing the financial firm it is committed to ESG.”
Not only must a financial firm decide which vendors to tackle first, but also what ESG-related questions to ask and how to evaluate the responses. “Mapping which vendors are in the supply chain is critical to determining who will receive which questions,” says Chris Paulison, a managing director in Protiviti’s internal audit and financial advisory practice. Vendors can be divided into multiple categories depending on how critical they are to day-to-day operations, how important they are to achieving the ESG goals, or where they fit in the supply chain. Tier One vendors are direct suppliers to the firm, while Tier Two vendors are suppliers of the suppliers and Tier Three vendors are suppliers of the suppliers of the suppliers. “Firms can send off a general set of ESG-related questions to Tier One vendors and depending on the responses ask more targeted questions when red flags emerge or pose specific questions based on the interest of the financial institution,” says Amy Antoniolli, an attorney who leads the ESG practice at Schiff Hardin in Chicago.
A financial firm’s analysis of the vendor is only as good as the information it receives. “Financial firms must rely on vendors to transmit certain data as they incorporate upcoming mandatory ESG disclosures, such as on climate risk, making the vendor’s performance even more critical,” says Shelli Willis, a partner at the law firm of Troutman Pepper in Atlanta specializing in corporate governance. “Ask the right questions and you’ll get the right answers” is the motto. The ESG-related questions will likely be written by the risk management department; only the largest financial institutions have dedicated ESG research groups. The questions can range from the basic “do you have an ESG policy” to the specific “how do you measure your carbon emissions” or “how do you evaluate your diversity and inclusion.” “So far, it appears that although most of the regulatory interest has been on climate risk, most of the ESG-related questions posed by financial firms to their vendors relate to diversity, equality, and inclusion,” says Nicole Crum, who chairs the corporate governance and board advisory practice of Sullivan & Worcester in Washington, D.C. “Diversity doesn’t always equate to inclusion, and it is up to the vendor to demonstrate that there are diverse voices and perspectives in deciding how a business is run. If there aren’t, the vendor should demonstrate a plan.”
What happens after the answers come back? A lot of blood, sweat, and tears. Financial institutions will need to set up their own metrics, or scoring system, to determine whether the answers meet their criteria. If they don’t, they will have to ask the vendor for clarification or do some more research. ESG rating agencies typically score vendors separately on the E, the S, and the G characteristics of their ESG policies. Other firms, such as ProcessUnity and IHS Markit’s KY3P, help forward, receive and analyze the responses to questions devised by each of the two service providers. ProcessUnity has incorporated the scores from ESG ratings agency EcoVadis into its vendor risk management platform. For firms that want a deeper dive into the processes of their vendors, IHS Markit incorporates its own proprietary ESG data sets to enable further analysis. ProcessUnity and KY3P provide clients with an audit trail of the ESG information collected and scores calculated in case a regulator wants to know.
ESG rating agencies and third-party solutions may sound like a quick fix, but they aren’t. “The same vendor may receive different scores from different ratings agencies because of diverse methodologies,” says Mark Davies, the London-based partner of data consultancy Element-22. Firms typically use multiple ESG rating agencies for ESG analysis and rely on only one to make a final decision for each dimension. How do they know which one is right? The choice is often based on market perceptions of each agency’s strengths, according to Davies. As a rule of thumb the largest discrepancy between ESG ratings agencies is in the S or social category, because there are fewer benchmarks. “Some vendors might score low in the E, or environmental, category because climate risk is a new concept,” says Maloney. “Vendors may not be up to speed on mitigating their climate impact.”
A financial firm must decide whether to accept the third-party scores as gospel or rely on them to validate its own scores. The firm must then decide how to interpret the scores within its own risk framework to determine whether they are sufficient to pass the risk management department’s muster or whether to ask a vendor for any improvements. “Transparency is critical to the decision-making process,” says Sean Cronin, chief executive of Boston-based ProcessUnity. “The vendor’s methodology in measuring its ESG maturity needs to be understood and a game plan for improving ESG scores must be made, if necessary.”
Regardless of whether the financial firm uses its own scores, third-party scores, or a combination of the two it must eventually decide whether to keep the vendor or end the relationship. “There should be contractual provisions which set the ESG expectations of the service provider,” recommends Antoniolli. “Divorce can be expensive, so it is more likely that the financial firm will require that the vendor make improvements by a certain timeframe as a condition of maintaining the relationship.” Divorce can also have broader ramifications, such as passing along the ESG risk to competitors. “The supplier will move to another buyer, perhaps offering its goods at a lower price,” cautions Olivier Jan, a partner in Deloitte’s advisory services for sustainable finance in France. Taking a “responsible business” approach, he argues, will protect the reputation of the buyer’s industry and send a message to peers and other clients that change is possible.
Whether the vendor will be given further leeway if it still can’t change its color to the shade of green the financial firm wants fast enough is likely to become an inter-office sore spot. “The business line, risk management, and vendor procurement departments must come to an agreement,” says Cronin. The business line might be more lenient, because of the difficulty of finding a new service provider, while the risk management department could be hard-nosed. The vendor procurement department will often be caught in the crossfire between the two warring parties. Who wins will depend on whether the risk management department can be persuaded that the business needs of the firm outweigh the shortcomings of the vendor. Vendor procurement managers at several US financial firms tell FinOps Report that the business line will likely win if no comparable vendor can be found.
Ultimately, when it comes to understanding the ESG performance of a third-party vendor, relationship management appears to be just as important as evaluation. It’s a lot easier not to start a relationship than to end one. Once the relationship begins, trying to change the mindframe of the vendor is the best option. Until now the ESG maturity of vendors has not weighed heavily in managing vendor risk. However, as consumers, investors, and more importantly regulators have their say, financial firms may have to make a lot more effort to ensure that their vendors fit into their ESG strategy. How a financial firm measures a vendor’s ESG performance will become tricky in the absence of standards. Until that happens, a best effort might be the only option.