EU Corporate Sustainability Reporting Directive (CSRD): Third-Party Risk Management Considerations
In November 2022, the European Union (EU) Parliament adopted the Corporate Sustainability Reporting Directive (CSRD), a new law that requires companies to report on environmental, social and governance (ESG) matters, including those that arise from their supply chains, as part of their regular company disclosures. This new reporting was developed to address long-standing concerns that non-financial reporting among EU firms was inconsistent and failed to produce reliable progress toward sustainability goals.
Firms required to report on the new standards include large EU companies with more than 250 employees and €40 million in turnover and/or more than €20 million in total assets, as well as all listed companies that have to report against existing Non-Financial Reporting Directive (NFRD) requirements. Reporting begins in January 2025 using 2024 data, so now is the time to consider how the mandate will impact your third-party risk management program.
This post examines the CSRD’s new sustainability standards and provides best practices recommendations for getting ahead of the inevitable third-party vendor and supplier ESG reporting requirements.
CSRD Reporting Standards
The European Financial Reporting Advisory Group (EFRAG), a supporting organization to the EU Council, has been tasked with helping to develop requirements that will inform reporting obligations. The requirements are called European Sustainability Reporting Standards (ESRS) and generally align with traditional environmental, social and governance (ESG) categories, including:
- Environment: climate change; pollution; water and marine resources; biodiversity and ecosystems; and resource use and the circular economy
- Social: own workforce; workers in the value chain; affected communities; and consumers and end users
- Governance: governance, risk management and internal control; and business conduct
In addition, the law includes “cross-cutting standards” including strategy and business model; governance and organization; impacts, risks and opportunities; implementation measures covering policies, targets, actions and action plans; allocation of resources; and performance measurement.
In general, reporting requirements must examine sustainability risk affecting the company, and the company’s impact on society and the environment. Disclosures should also:
- Be certified by an external auditor
- Align with EU Taxonomy
- Be delivered in a single management report that is machine readable
Companies will be required to publish separate sustainability statements as part of their regular management reports. Therefore, to address the reporting requirements against published targets, organizations will need to conduct a thorough due diligence process that includes not only their own internal initiatives, but also those of their third-party vendors, suppliers and partners.
Prepare for CSRD Compliance: Best Practices for ESG and Third-Party Risk Management
To better position your organization to report against your third parties’ ESG impacts, consider these four best practices:
1. Include ESG requirements in supplier contracts to enforce adherence
Since sustainability reporting will now be mandatory, include enforceable ESG provisions in your third-party vendor and supplier contracts. Centralizing ESG provisions in a platform will enable you to automatically create and track key performance indicators (KPIs) against acceptable ESG thresholds and alert suppliers proactively if they are falling short of agreed-upon measures, thereby reducing possible future reporting burdens.
2. Build a comprehensive supplier profile to centralize key ESG metrics
Centralizing key vendor metrics into a single source of the truth and making it available to all internal teams responsible for managing supplier relationships, improves accountability and simplifies reporting. ESG-specific data to centralize can include:
- Environmental: High-level ESG scores and any information on ecological violations
- Social: Modern Slavery statements and business insights
- Governance: Corruption Perception Index (CPI) scores, regulatory findings, and sanctions that could signal poor corporate governance
Managing ESG Risks Across the Extended Enterprise
This analyst report from GRC 20/20 uncovers best practices for including ESG in your third-party risk management program.
3. Perform assessments against third-party ESG policies and practices
Next, go beyond initial database checks by conducting third-party risk assessments that leverage regulatory-specific questionnaires and require evidence for validation. Leveraging an automated platform for assessing, analyzing and scoring vendors against acceptable ESG risk thresholds saves time and enables mapping to multiple reporting regimes such as the International Sustainability Standards Board’s (ISSB) Sustainability Disclosure Standards or the U.S. Securities and Exchange Commission’s (SEC) proposed new climate-related disclosure requirements.
Third-party risk management platforms will enable you to extend role-based access to external auditors, and include built-in remediation guidance to recommend to vendors and suppliers to get them into compliance with your company’s policies.
4. Continuously monitor vendors and suppliers for potential ESG problems
Once assessments are complete, enable continuous vendor monitoring in specific ESG domains to validate the effectiveness of their policies. Commonly used monitoring sources include:
- Sanctioned companies lists such as the U.S. Office of Foreign Assets Control (OFAC), the UK Sanctions List, the EU Consolidated List of Sanctions
- Individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries, as published in the US Specially Designated Nationals (SDN) and Blocked Persons
- Financial reporting such as shareholder funds, beneficial ownership, profit and loss, and pledges to sustainability funds – all of which single greater levels of financial transparency and accountability
Monitoring these sources individually can be real headache, so look for continuous monitoring solutions that centralize this data and automatically correlate it against assessment findings for internal governance policies.
Next Steps to Meet CSRD Third-Party Risk Management Requirements
The Prevalent Third-Party Risk Management Platform includes capabilities to assess third parties against a number of ESG topics with built-in questionnaire templates, and validate the findings with continuous external monitoring into vendor practices. Prevalent enables you to:
- Rapidly pre-screen vendors against important ESG measures using continuously updated risk profiles
- Centralize the onboarding, distribution, discussion, retention, and review of vendor contracts, ensuring consistent enforcement and measurement of ESG requirements
- Build supplier profiles by tapping into 550,000+ sources of vendor intelligence, plus a feed reporting on the ESG status of 12,000 companies
- Track and quantify inherent risks for all onboarded suppliers
- Assess suppliers against ESG criteria using industry-standard questionnaires, the Prevalent Compliance Framework (PCF), or customizable questionnaires
- Continuously monitor suppliers for reputation and sanctions, financial governance and transparency, and politically exposed persons (PEPs), correlating assessment results and continuous monitoring intelligence
- Take actionable steps to reduce ESG risk with built-in remediation recommendations and guidance
- Store and distribute energy, pollution, diversity, accounting and conflict of interest policy documents and more for dialog and attestation
- Report on ESG requirements using built-in regulatory reporting templates
For more on how Prevalent can help you prepare for the EU Corporate Sustainability Reporting Directive, request a demo today.
It All Starts Here
Ready to see how Prevalent can take the pain out of your TPRM program? Request a free, no-obligation demo today.
Request Demo-
SEC Cybersecurity Disclosure Rules: 9 Key Questions to Ask Third Parties
Ask your vendors and suppliers about their cybersecurity risk management, governance, and incident disclosure processes to...
10/24/2024
-
NIST CSF 2.0: Implications for Your Third-Party Risk Management Program
Enhanced cybersecurity supply chain risk management guidance has arrived with the final NIST CSF 2.0. Check...
09/25/2024
-
NIST Privacy Framework for Third-Party Risk Management
Learn how integrating the NIST Privacy Framework with third-party risk management (TPRM) helps organizations enhance data...
09/12/2024
-
Ready for a demo?
- Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
- Request a Demo