9 minute read 15 Apr 2021

How to manage ESG risk across your third-party ecosystem

By Justin Boehm

Senior Manager, Consulting, Ernst & Young LLP

Inclusive risk and markets leader – empowering colleagues, family and friends through teaming and relationship building.


What organizations can do now to mitigate environmental, social and governance (ESG) risk amid accelerated change.

In brief:

  • Amid heightened investor scrutiny around ESG matters, now is the time to reimagine third-party risk management (TPRM) strategies.
  • Entities must embed ESG thinking into their TPRM and procurement life cycles to drive compliance and mitigate risk.
  • These efforts will also drive long-term value creation while increasing transparency and accountability. 

The value of sustainable and resilient business practices has never been so evident. Current and emerging disruptions underscore the importance of being able to respond to systemic shocks, while the COVID-19 pandemic has exposed weaknesses across the third-party ecosystem (e.g., suppliers, vendors, consumers, partnerships, alliances, fourth parties).

Social and climate issues are at the forefront globally, and we expect this trend to continue to accelerate. In the US, there has been a quick and decisive shift with the Biden administration’s re-alignment with the Paris climate agreement. The global, and now US, focus on these issues is a strong indicator of more to come on a policy and regulatory front that will further increase the focus on sustainability across the financial and nonfinancial sectors.

These factors lead many to consider the transition risks (e.g., financial and commercial impacts of the shift to a greener economy) and the resilience of organizations and their third-party ecosystem to respond to similar disruptions in the future while recognizing the upside opportunity of the directional shift across stakeholders.

Business leaders increasingly indicate that third-party risk and resilience are the key issues keeping them up at night. This, combined with the current environment of multiple pressure points driving the change agenda, is why a growing number of business leaders are asking these four questions:

  • How will the ongoing pandemic and future disruptions impact the resilience of the organization’s third parties?
  • How will today’s challenges affect the financial health of the organization’s global third-party ecosystem?
  • How will environmental, social and governance (ESG) issues impact the organization’s third-party risk management (TPRM) going forward?
  • How will the organization focus ongoing monitoring to keep pace with the shifting landscape?

[Graphic: How will your third-party risk program adapt through accelerating complex change?]

One topic noted above — ESG considerations — is top of mind for many leading organizations, but it has received limited attention in relation to TPRM. Although interest in ESG matters continues to grow, leaders must also consider a holistic approach to bring their ESG commitments to life through their TPRM programs beyond the focus of supply chain sustainability and transparency — enabling the business to recognize the upside opportunity to lead the way toward a sustainable future.

ESG focus areas defined

ESG topics are used to measure the sustainability and ethical impact of an investment in an organization. Key ESG considerations include climate change, carbon footprint, socioeconomic factors (trafficking, modern slavery), corporate responsibility, diversity and inclusion, community investment, executive compensation, ethics, and board accountability.

Heightened stakeholder focus on ESG matters

Many predict that heightened stakeholder focus on ESG matters will continue and cascade to a company’s broader third-party ecosystem. According to the EY Climate Change and Sustainability Services (CCaSS) fifth global institutional investor survey, 72% of investors conduct a structured and formal review of nonfinancial disclosures, while approximately 40% said companies do not adequately disclose ESG-related risks. Investors surveyed say that there is a missing connection between ESG reporting and mainstream financial information provided. This connection is crucial, as it provides investors with insight into how companies plan to create, measure and communicate long-term value.

The survey also found that usage of nonfinancial information to determine value has been trending upward. 

Beyond disclosures, financial institutions and consumers are increasing their focus on ESG matters. According to the EY Future Consumer Index, about 33% of consumers surveyed said their choices would be guided by environmental or social concerns, while over half of banks cited environmental issues and climate change as key emerging risks — up over 40% year over year.¹ While stakeholder focus is increasing, the degree of disclosures and related quality is lagging. Per the 2019 EY Global Climate Risk Disclosure Barometer, 54% of the 970 companies surveyed disclose climate change-related risks, with only 27% of those disclosures across governance, strategy, risk management and metrics considered high quality. This demonstrates a significant gap in the integration of climate risk and associated impacts into the overall enterprise risk management process, including the third-party ecosystem.

This increased focus on ESG considerations, along with investor concerns that companies do not adequately disclose ESG-related risks, should put an organization’s third-party ecosystem front and center.

The ESG ecosystem continues to evolve, with recent market-driven and regulatory developments impacting stakeholder expectations for transparency on ESG performance. Companies seeking to meet these expectations need to define their sustainable procurement strategies and execute them with confidence. Companies that do so can expect improved resilience and risk management while also accelerating the global market for sustainable and ethical goods, encouraging more responsible business practices and helping to build a better working world.
Velislava Ivanova
EY US Climate Change and Sustainability Services Leader


of investors surveyed say that nonfinancial performance has played a pivotal role in their investment decision-making over the past 12 months, either frequently or occasionally.

And the proportion of investors who say this happens frequently jumped to 43% from 34% in 2018.
EY CCaSS fifth global institutional investor survey

The need to integrate ESG matters into TPRM and procurement life cycles

Every ESG commitment the organization makes should be embedded across the three lines of the business and supported by respective third parties, and leadership should be able to validate that these third parties are aligned with its ESG posture in the market — supporting the organization’s strategic priorities. For example, if the organization commits to reducing its carbon footprint, abiding by global modern slavery acts, or improving diversity and veteran inclusiveness, it is imperative for its third-party ecosystem to be aligned with these principles to manage the respective transition (e.g., brand, regulatory) risks. This will facilitate compliance with applicable laws and regulations, while mitigating the risk to the brand around accusations of “greenwashing,” “social washing” or similar forms of misrepresentation.

At least 125 countries, including half of the G20 international forum, have committed to net-zero carbon emissions by 2050, underscoring that sustainability efforts and ESG thinking are here to stay. This is why organizations must confirm that their third parties’ approach to ESG matters is aligned with that of the organization. Leading by example to help build a better working world, the global EY organization will be carbon negative in 2021 and net zero in 2025, requiring 75% of its third-party suppliers (by spend) to set science-based carbon reduction targets no later than fiscal year 2025.

Increased transparency and awareness of ESG-related third-party risks also improve end-to-end visibility and resilience of the third-party ecosystem. For example, a company with social or climate risk trend visibility across its third-party ecosystem may be better prepared to respond and recover from an incident by shifting activities to another location and/or third party in advance of or in response to that incident. In early 2020, companies struggled to adapt when third parties were unable to provide services due to production shutdowns, and countries around the world faced shortages of essential supplies.

There are three key steps to embed an ESG mindset in an organization’s TPRM program to facilitate alignment and integration with its strategy and objectives:

[Graphic: TPRM program to facilitate alignment and integration]

Leading ESG practices for the road ahead

Organizations that incorporate an ESG posture into their TPRM programs stay one step ahead of the game and minimize negative impacts as investors, regulators and consumers place increasing focus on ESG concerns while also recognizing the upside opportunity of ESG programs. For instance, this approach may improve lending terms and enable the global growth of sustainable finance (e.g., financial services that incentivize the integration of long-term ESG criteria into business decisions). ESG-incentivized loans have grown in popularity around the world, including within Europe, Australia and Singapore. Conversely, a reduced focus on ESG considerations may adversely impact access to capital as this lack of insight may drive investors to raise an organization’s risk profile, ultimately hindering growth.

Regulatory developments are indicating future trends

Regulators who championed increased banking regulations and legislation in the past are looking at enhancing ESG oversight, signaling what is to come across both the financial services and nonfinancial services sectors that may further impact TPRM-related regulation. For example, in the European Banking Authority (EBA) 2018 Annual Report, the EBA identified sustainable finance as a key focus area in the coming years, including “how ESG considerations can be incorporated into the regulatory and supervisory framework of EU (European Union) credit institutions.”

In the United States, the New York Department of Financial Services (NYDFS) issued guidance on how financial institutions should address climate change. In a letter issued on October 29, 2020, the NYDFS highlighted several climate-related risks for consideration, including transition risk, physical risk, risks to depository and non-depository institutions, and the possibility that traditional risk management tools may not sufficiently address the distinctive characteristics of climate change.

Social risks are also of concern to regulators. When questioned about the importance of representation of people of color and women in the insurance industry, NYDFS Superintendent Linda Lacewell stated, “To the extent that we as a regulator oversee the safety and soundness of financial institutions under our purview, it’s well within our prerogative to say — and we do — how are you doing on diversity? Because that makes you a stronger institution, and it’s of interest to us as we look at how you are dealing with all the evolving risks and challenges.”²

At the same time, in August 2020, the US Securities and Exchange Commission (SEC) adopted final amendments to modernize Regulation S-K disclosures. One amendment to Item 101(c) requires registrants to provide a description of their human capital resources to the extent that such disclosure would be material to an understanding of their business.³ This includes the number of persons employed by the registrant, as well as any human capital measures or objectives that the registrant focuses on in managing the business. While the amendments also addressed other disclosures relating to business, legal proceedings and risk factors, then-SEC Chairman Jay Clayton noted that he was “… particularly supportive of the increased focus on human capital disclosures, which for various industries and companies can be an important driver of long-term value.”⁴ Other ESG factors and requirements have been around since 2010, with the last Regulation S-K updates covering climate change. The new presidential administration in the US has shifted the focus to further enhance these requirements to cover human capital, and there will likely be enhanced scrutiny of these topics in the future.

Beyond meeting investor and regulatory expectations, organizations should be prepared to face evolving consumer attitudes toward ESG considerations. According to the EY Megatrends 2020 report, Gen Z identified climate change, pollution and the loss of natural resources as important global issues. The report predicts that Gen Z activists are likely to continue to emerge and demand action from businesses and governments around the globe. Consequently, adoption of ESG business practices will not only boost an organization’s brand image but will also enhance its ability to attract and retain talent as future generations join the workforce.

References

    ¹“10th Annual IIF/EY Global Risk Management Survey,” Institution of International Finance website, iif.com/Publications/ID/3638/10th-Annual-IIFEY-Global-Risk-Management-Survey, accessed 4 March 2021.

    ²“NYDFS regulator plans to engage more directly on diversity with insurers, banks,” S&P Global Market Intelligence website, spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/nydfs-regulator-plans-to-engage-more-directly-on-diversity-with-insurers-banks-60697893, accessed 7 March 2021.

    ³“SEC Adopts Rule Amendments to Modernize Disclosures of Business, Legal Proceedings, and Risk Factors Under Regulation S-K,” SEC website, sec.gov/news/press-release/2020-192, accessed 4 March 2021; “Modernization of Regulation S-K Items 101, 103, and 105,” SEC website, sec.gov/rules/final/2020/33-10825.pdf, accessed 4 March 2021.



As ESG considerations continue to grow in prevalence, so will the urgency for management to incorporate ESG thinking into the TPRM framework to enable the organization’s strategy and manage transition risk. Anticipating the next ESG-related focus area is key to long-term business growth, third-party diversity across the ecosystem and overall risk management. Organizations must focus not only on determining their ESG commitments but also on aligning their TPRM programs and procurement processes with those commitments to facilitate accountability across the third-party ecosystem.
