With Environment, Social, and Governance (ESG) increasingly becoming a critical area of focus, key stakeholders, including customers and investors, are demanding greater accountability from organizations, extending to the larger supply chain and outsourced ecosystem. Lawmakers and regulators are also working to ensure that ethics, safety, governance, and sustainability standards are maintained not just within the organization but across the supply chain. Germany’s recent Supply Chain Due Diligence Act (Lieferkettengesetz) is a groundbreaking law that holds German companies accountable for the entire spectrum of their supply chain, placing a strong emphasis on ethics, human rights, and environmental sustainability.
In this blog, we explore the key aspects and implications of the Act to help equip your business with the knowledge and strategies to proactively embrace responsible supply chain practices.
The LkSG, or German Supply Chain Due Diligence Act, aims to ensure better human rights across an organization’s supply chain. It also covers environmental risks that pose a threat to human health and safety. German companies sell products manufactured in other parts of the world where human rights and environmental laws may be violated. This new regulation makes them responsible for ensuring that human rights are respected, and environmental standards and laws adhered to at every stage of their supply chains. Here is a detailed look into the LkSG and its requirements:
Managing third-party and even fourth-party risk is a top-of-mind concern for most organizations across the world today. And there is a growing focus on third-party ESG risk management. Most modern organizations work with partners and suppliers across the world. Unfortunately, violations of human rights by way of child labor, discrimination, exploitation, and unsafe working conditions are still rampant in many parts of the world. Any company that profits from selling products manufactured in other parts of the world is ethically and morally obligated to ensure there are no human rights violations or environmental damage across its supply chain. Germany has taken the step towards making this a legal requirement for the first time in its history. The legislation establishes some concrete steps for organizations to protect not just the employees within their offices but all workers across its extended ecosystem.
Failure to comply will result in fines of up to € 8 million or 2 percent of annual global turnover (only for companies with more than € 400 million in annual revenue). Non-compliance with the LkSG may also result in significant damage to the brand image and even profitability. Modern customers no longer hesitate to stop engaging with organizations that do not meet ethical and environmental standards or profit from products manufactured unethically or by flouting environmental norms.
MetricStream can help organizations gain better visibility into their global supply chains along with ensuring comprehensive risk management processes to identify, prevent, and minimize risks pertaining to human rights and environmental protection. Organizations are empowered to establish a proactive approach to managing ESG and third-party risk management across the supply chain by ensuring:
With MetricStream’s Third-Party Risk Management, organizations can:
Organizations can also establish a proactive approach to managing ESG and third-party risk management across the supply chain. This will help reduce the risk of non-compliance and its severe financial consequences, as well as build trust with the board, and regulators.
The world is now more connected than ever before. This means that risks at any point in a global supply chain can pose a serious threat to the parent organization. As awareness of environmental damage, social injustice, and inequities continues to grow, so does the demand for accountability and responsibility. It is not enough to focus on just the four walls of the organization; enterprise ESG risk now includes third parties across the entire supply chain. More legislations like the LkSG are expected to emerge over the next few years, and organizations must ensure seamless compliance with all emerging standards and regulations. A Connected GRC platform providing robust third-party risk and compliance management is the only way for organizations to effectively manage connected ESG risks and third-party compliance.
Interested to learn more about how MetricStream can help with your LkSEG requirements? Request a personalized demo now!
Check out our latest eBooks to learn more.
Why Aligning ESG, ERM, and Third-Party Risk Management is Key to Creating Value
Top 5 Compliance Priorities for CCOs in 2023
Ensuring Compliance with GERMANY'S REVISED IDW PS 340 n.F. WITH METRICSTREAM
In 2019, 6-year-old Florence Widdicombe opened a box of charity Christmas cards her mother had purchased from the UK supermarket giant, Tesco. As she started to write her Christmas wishes, she opened a card that featured a kitten wearing a Santa hat, but to her surprise the card had already been written in. In block capitals was written:
"We are foreign prisoners in Shanghai Qingpu prison China. Forced to work against our will. Please help us and notify human rights organization."
When reports surfaced in the British media, there were the denials from the card supplier, with them stating that they had “never done such a thing”. The Chinese Foreign Ministry was also dismissive, with Shanghai’s Qingpu prison claiming that it has “no such foreign prisoners undergoing forced labor". For Tesco, it quickly turned into a case of damage limitation. Production was immediately halted, an investigation launched, and assertions were made to reassure the public that the supermarket chain operated a robust and comprehensive auditing process of their suppliers.
Sadly, these “SOS notes” are not exclusive to Tesco Christmas cards. Similar notes have been found in purses from Walmart, a shopping bag from Saks 5th Avenue, and items of Zara clothing. Supply chains now span the globe delivering complexity through various country-specific standards and regulations, or in many cases a lack thereof. Nevertheless, leading brands are intrinsically linked to their third-party suppliers and face continuous scrutiny of their business practices. Employing a robust risk framework is essential to protecting brands from high-risk third-party engagements.
In recent history, COVID-19 has accelerated the use of third-party vendors and suppliers to drive down costs and outsource key skills and experience with immediate impact. However—taking liberty with Newton’s third law—for every action, there is an equal and opposite reaction. The more organizations look to third parties to assist in the delivery of their products and services, the greater the potential risk that they will be exposed to—in all manner of delivery, conduct, and reputation—risks.
One key takeaway from the MetricStream-sponsored study, Third-Party Risk: A Turbulent Outlook Survey Report 2022 is that although most assurance groups have a tight grasp on their own enterprise and operational risks, a key area of concern is that of third parties. 60% of survey respondents reported having experienced an IT security incident in the past two years due to a third-party partner with access privileges, and a higher number—76%—stated that managing all third-party risk was a high or critical priority.
Pressure continues to build as the volume of suppliers increases, with an increasing number of them being classified as delivering high-risk services. This has highlighted the requirement for more frequent assessments, with the onboarding stage no longer sufficient for the organization to ensure risk awareness or operational resilience. The number and type of extensive questionnaires are also set to grow with the introduction of ESG disclosures designed to impede third party “Greenwashing” (more of that to come next month!).
There is no denying the advantages that an extended enterprise delivers, and it would appear as though for many, the “build versus buy paradox” has been solved. However, every new business endeavor creates both opportunity and risk. In a global supply chain with multiple risks and potential for operational and reputational damage, it is ever more important to know who you're doing business with and whether you can trust them. Can you afford to take risks without knowing?
Gain a real-time unified view of your IT vendors, suppliers, and third-party service providers with MetricStream Third-Party Risk Management (TPRM) software. Protect your organizations from existing third-party or even potential fourth-party risk exposures with:
Want to see how MetricStream can help protect against vendor and third-party risk? Request a personalized demo now.
Do check out our other resources on third-party risk management.
Product Overview: Third-Party Management Product Overview
eBook: Boosting Third-Party Risk Management in a Time of Uncertainty
Survey Report: Third-Party Risk: A Turbulent Outlook Survey Report 2022
In today's world, many organizations are dependent on their third parties for a wide range of business services. Outsourcing business processes to vendors has helped organizations optimize the cost of their operations. Businesses also gain additional advantages from these relationships, including the ability to provide better services to their customers, improving efficiencies, and overall performance, and in many cases, gaining a competitive edge. However, dependencies on and the complexity of third-party relationships also brings a certain level of risk, which if not handled properly, may result in operational, reputational or financial loss, or even damage to the organization's brand value.
With the onset of the COVID-19 pandemic, several new risks have emerged. Because of their production or services specialization, many third parties have faced distinct challenges during the pandemic. Lockdowns, increased safety requirements, and a rapidly changing workforce have created an environment where some third parties are unable to deliver required products or services to the organization as reliably as they had in the past. In some cases, third parties have faced financial struggles, that have further resulted in a disrupted supply chain and value chain.
From the organization's perspective, it has become increasingly important to assess the financial stability of its third parties and extended enterprise. Firstly, during the onboarding of a new third party or relationship – to ensure that it onboards only those third parties that are financially strong, and secondly, to continuously monitor for any changes in the financial health posture of the third parties. The initial onboarding review and continuous monitoring can provide the organization with confidence in the third party’s financial position. Or, alternatively, enable it to define substitute options should the third-party struggle or fail.
With MetricStream’s Danube Software Release, it’s now possible to determine third party financial risks during onboarding due diligence and to continuously monitor the financial health of vendors and third-party suppliers, creating an additional level of review and insight, and more informed decision making.
Learn more about the Danube software release. Read What’s New in Danube Software Release.
Using Dun & Bradstreet data cloud, an organization can leverage trusted source financial records to better vet and validate third parties throughout the engagement.
MetricStream's Third-Party Risk Management product seamlessly integrates with the D&B data cloud to help risk managers make informed decisions while onboarding a third party. And, because the data may be updated at any time, it also allows for continuous monitoring of any changes in the financial health of an existing third party.
The D&B integration also automates the updating of third-party profile content using data maintained in the D&B data cloud, thus eliminating the need for any manual data entry in the D&B DUNS system.
With MetricStream’s Dun & Bradstreet Integration, your organization gains the ability to:
As organizations continue to embrace the extended ecosystem, driven by the many benefits it brings, risks within supply chains, third party engagements, and cyber vendors will continue to accelerate. To manage and mitigate emerging and evolving third-party risk, your organization requires a connected, integrated, and proactive approach.
MetricStream’s ConnectedGRC, built to meet the emerging needs modern businesses, enables your organization to power what’s next with an integrated approach to risk management. Streamline the identification, assessment, management, and mitigation risk across the enterprise, including IT and cyber risks, third-party risks, compliance risks, and ESG risks.
Effectively manage third-party risk and IT vendor risk with:
Want to learn more about how our third-party risk management software can help you? Request a demo now.
You may also want to read:
Third-Party Risk: A Turbulent Outlook Survey Report 2022
The Ripple of Effects of Log4J: How You Can Stay Prepared and Resilient
Building An Enterprise ESG Program? Here's How Technology Can Help You Succeed
It’s 2022 and third-party risk is no longer viewed as merely a ‘procurement department issue’. Today, events such as a security breach or a risk incident that affect your supply chain and the actions (including the lack of proactive steps) taken by your vendors can have direct and lasting consequences—financially, legally, reputationally, strategically, and more. Additionally, with vendor-related incidents increasing year on year, regulators are now making it mandatory for organizations to manage third-party risk.
So, what can we expect when it comes to third-party risk management in 2022. Here are 4 trends to help you prepare for what’s next.
Since the onset of the pandemic in 2020 and the success of remote work, many organizations are looking to continue with their business operations remotely. But with the operations remaining online the cybersecurity risk has also increased. The number of data breaches in 2021 has already surpassed the total number of breaches in the previous year. As per reports from the Identity Theft Research Center, data breaches in 2021 have increased by 17% from 2020.
According to a study by Forrester, 60% of security incidents will result directly from issues with third parties. With cyberattacks targeting vendors and suppliers, third-party cyber incidents will increase and Log4j, SolarWinds-style headlines will impact firms that don’t invest in the proper risk management tools.
As cyber risk has emerged as one of the top risks that concern Chief Risk Officers, the cyber risk insurance premium has gone up significantly. An estimate by Moody's Investor Services points to an increase in the total premium paid for protection against cyber frauds and ransomware attacks —from $1.2 billion in 2019 to $1.6 billion in 2020. The loss ratio has also seen a significant escalation due to the increasing ransomware attacks from 44% in 2019 to 65% in 2020.
To understand the overall cyber risk exposure of a third party, various platforms such as BitSight, Security Scorecard, etc., provide cybersecurity ratings. Along with these external platforms, an organization can also use SOC 2 or SOC 3 reports to understand the controls that are in place within a third-party organization.
Across the globe, we are now seeing more and more focus along with a decisive shift to handle Environmental, Social, and Governance (ESG) risks, not only within the organization but also ESG risk associated with third parties or the extended enterprise.
The European Union (EU) announced mandatory legislation on due diligence in its EU Directive on Mandatory Human Rights, Environmental and Good Governance Due Diligence in March 2021 to encourage companies to take action to ensure human rights and reduce environmental impacts in their supply chains.
Assessing the ESG risks of a third-party is no longer a simple tick box activity required by the Ethics and Compliance leadership. Incorporating ESG into your third-party risk management assessments doesn’t just avoid regulatory actions. It also helps protect your organization from various regulatory fines or damaging brand reputation.
Several factors have to be considered when incorporating ESG into your organization’s current workflows and processes. Risk assessments, due diligence, policy updates, questionnaires, contracts, etc., need to be included. Additionally, enterprises will need to examine the following:
The benefits that third-party suppliers and vendors bring have resulted in organizations becoming increasingly dependent on their extended network. According to a Gartner study, 60% of organizations work with over 1,000 third parties and this number is growing as business systems become more complex.
However, the extended enterprise of today does not depend on the network of consultants, vendors, and partners alone, but also on their suppliers as well—fourth and Nth parties. Every one of your partner’s or supplier’s vendors, subcontractors, or service providers poses a risk to your business. But the view gets hazier as the network expands, making it difficult to manage the inherent risks that your supplier ecosystem or supply chain poses.
This makes it important to:
Read More: Colorado Release: What’s Next in Third-Party Risk? Expanding the View to Fourth Parties
The regulatory environment is rapidly changing and evolving, creating compliance risks and pressures leading to challenges in controlling operational efficiencies. MetricStream’s 2021 State of Compliance Report found that almost half -- 48% -- of organizations find it a huge challenge to track and manage third-party compliance.
Third-Party relationships are under constant scrutiny by regulators like OCC, FINRA, CFPB, etc., and regulators are taking interest in third-party risks. The regulators are holding organizations responsible not only for their actions but also for their third parties. A good TPRM program should include assessments to assess the compliance of the regulations for the activities performed by the third party.
Risks from supply chains, third parties, and cyber vendor risks will accelerate as enterprises continue to be driven by the many advantages of an extended ecosystem. Managing and mitigating emerging and evolving third-party risk requires a connected, integrated, and proactive approach.
MetricStream’s ConnectedGRC, designed to meet the evolving needs of the modern enterprise, enables you to power what’s next with an integrated approach to risk management. The collaborative approach enables organizations to better identify, assess, manage, and mitigate risk across the enterprise, including IT and cyber risks, third-party risks, compliance risks, and ESG risks. Empower your teams to effectively manage third-party risk and IT vendor risk with:
Excited to learn more about how our software can help you? Request a demo now.
You may also want to read:
Third-Party Risk: A Turbulent Outlook Survey Report 2022
The Ripple of Effects of Log4J: How You Can Stay Prepared and Resilient
Building An Enterprise ESG Program? Here's How Technology Can Help You Succeed
Subscribe for Latest Updates
Subscribe Now