Analyst Insight: ESG processes need to cover a company’s entire operation, including the choices it makes about all of its third parties and their associated supply chains. 

ESG can be defined as a risk-management and investment-governance framework that seeks to evaluate the associated financial threats to a company’s value. It provides an “outside-in” perspective that’s best described as an investor-and company-centric framework — one that seeks to de-risk portfolios and increase a company’s economic resilience.

There has quite rightly been an increased drive for improvement with regard to companies’ environmental and social activities, and their multi-tier supply chains: Poor results are clear as day. For example, Westpac was fined $1 billion for the failure to notify regulators of more than 20 million international transactions that potentially breached anti-money laundering and counter-terrorism finance laws, and worst of all included the financing of child trafficking. This failure occurred during a time when the bank claimed to be focused on exposing human rights abuses. The bank was attacked by the public as insincere, by backing worthy causes while failing to police its own ethics. 

This example and many others highlight the need to address environmental and social issues in the context of an appropriate governance process, which reflects the multi-functional and multi-tier nature of the challenge. Governance is called out as part of ESG, but it feels forgotten in a world where the “E” and the “S” have taken over headlines about important topics like carbon emissions and modern slavery.

Without a clear and comprehensive governance framework, environmental and social activities are at best likely to be sub-optimal, and at worst totally counterproductive. To build a comprehensive governance framework, at a minimum, the following three components need to be considered:

Engaged top management. Companies need to ensure that there are adequate resources and corporate alignment across various functional silos, such as procurement, risk and operations. Most ESG strategies are top-down, but execution, reporting, evaluation and process improvement need to be built from the bottom up. Appropriate engagement ensures that strategies are supported with adequate budgets, resources and timelines.

We saw the consequences of poor senior-management engagement and governance processes with the recent failure of Silicon Valley Bank. A number of parties that were not convinced by ESG investing sought to partly pin the bank’s problems on its ESG efforts. The bank had made a $5 billion commitment to sustainable finance and carbon-neutral operations, but governance failings played a more important role. For example, apparently the bank had no chief risk officer from April 2022 until early January 2023, and there were quick, unplanned stock sales made by the chief executive officer in early 2023.

An appropriate governance matrix. Governance framework needs a RACI (responsible, accountable, consulted, informed) matrix, clearly setting out roles of all involved, together with the associated stakeholder map. This is important for large corporations, especially when it hasn’t been made clear who, for example, should take action when vendor or supply chain risk is discovered, and who’s responsible for informing stakeholders that such action took place.

It's worth pointing out that even where an organization has clarity over its own RACI framework, critical third parties such as strategic suppliers or partners should also be informed. Without this, ESG activities are likely to be ineffective and inefficient, leading to regulatory fines or other financial implications.

Another recent example of governance failure occurred when Deutsche Bank’s supervisory board became unhappy over delays in improving internal controls by their CEO, who took a €1 million hit to his annual bonus. The bank had apparently only met 64% of its wider ESG targets.

Process transparency and reporting. Companies need to establish underlying key performance indicators governing critical third parties and suppliers. To ensure a sustainable approach, they must understand how technology and data capability are embedded in support of the overall governance approach. What’s needed:

• Data to assess third parties or suppliers, segmented around the relevant risks that they represent. 
• Technology that provides audit controls and a workflow engine. 
• Technology-supporting processes assessing third parties from a negative risk indicator, derived from environmental controversies, adverse media, jurisdictional risk, regulatory violations and social media activity.
• Technology considering positive risk indicators associated with critical third parties or suppliers — for example, an environmental certificate by a respected agency or body.

The governance solution should be designed to automate a risk-based approach that can be extended to include plans for corrective action. Ideally, it should ideally include the tracking and management of relevant tasks, workflow, enhanced due diligence, document provision, policy provision, business interaction status and other mechanisms such as onsite audit support.

Governments are getting tougher around governance failures. Witness, for example, recent actions by the German government in relation to Russian sanctions, involving a series of dawn raids on suspected premises in February 2023. These raids were on both companies and individuals for potential breaches of the sanctions.

A better understanding of the effectiveness of the governance structure within an organization can provide useful insights into the effectiveness of its third-party or supply chain risk management. This structure is fundamental to prioritizing efforts to address environmental and sustainability agendas. Following are some examples:

• Governance failings within an organization are more likely to become public than, say, a sustainability issue, because of regulatory framework transparency. They can also be an indicator of more serious issues to follow.
• Similarly, a critical supplier’s poor governance history increases the likelihood that the supplier is hiding other issues that could impact the organization. Such suspicions warrant an audit visit, or at least a higher level of due diligence.
• Where a significant number of governance issues are identified in a supplier’s area and are coming to light through the media, it might be appropriate to remove that supplier from the supply chain.

As you broaden your risk analysis into ESG, it’s important to keep in mind that corporate governance driven by top management, and supported by business processes and technology, is fundamental to the establishment of any successful ESG program. There’s a substantial cost involved in getting internal controls and governance reporting wrong. We should be talking GES and not ESG — getting governance right first —as the building block for everything else.