Risk & Resilience Magazine sat down with Julie Gaiaschi, CISA, CISM, who is the CEO and co-founder of the Third-Party Risk Association. TPRA is a not-for-profit, professional association for third-party risk practitioners and service providers, where they work to further the profession through knowledge sharing and networking. TPRA is the only vendor-agnostic professional association for third-party risk and provides in-depth conversations around topics, and generates guidance, research, and templates as a community.
With regards to third-party risk, Environmental, Social, Governance (ESG) is a new concept. Traditionally, ESG assessments and ratings are used by investors in their decision-making processes when investing in new companies. Now, we’re seeing them used more frequently in the third-party risk realm. ESG assessments and ratings are primarily being incorporated into organizations’ risk models, a portion of which focuses on third-party risk. This means that organizations are deciding how ESG risk exposure (at both a micro and macro level) impacts their organization and what they need to do to strengthen their TPRM programs.
Since ESG is new to third-party risk, it may be hard to get executive buy-in. Leadership will want to understand where the value for assessing ESG risks comes from. To do this, you need to do homework on how ESG risk impacts your own organization. We’re noticing that the risks that third parties pose do impact organizations from both reputational and financial standpoints. We’re also seeing some of these ESG concepts hit the supply chain, especially following COVID-19. It’s important to do your research and determine what impacts ESG has on your organization before starting the conversations with executives.
In addition to the top-down approach mentioned, the third-party risk team needs a seat at the table. This is especially important if you’re a public company that already discloses certain items. You should question what disclosure requirements are currently required by your organization, as well as your vendors. If your third party must disclose an ESG material risk, you may also have to disclose the same risk since they are one of your vendors. So, understanding what the existing process for your organization is, and trying to get a seat at the table is vital.
Regulators are starting to ask public companies to disclose when their third parties have ESG related impacts/disclosures through TPRM programs. This is why there is an increased importance in asking ESG-related questions, because it ensures that you have a good supplier code of conduct and proper language in contracts to allow you to evaluate and assess ESG. I think ESG activities are only going to grow and, as we gain a better footing on how third-party risk programs will incorporate this, there will be more to come.
This is a new topic for many of us. We are seeing third-party risk professionals work with their compliance teams to determine how to look at and evaluate ESG from a third-party risk perspective. An example of this trickledown effect is that now when an organization evaluates one of their international vendors, not only do they ask questions about data protection, but they also inquire about the working conditions and the local communities they operate in.
I would suggest researching what standards are already out there and talk about what companies need to publicly disclose based on the material risk presented. You can also research ratings providers, which take publicly available information and create an ESG score for companies. This is targeted towards the investor side, but they also receive a lot of questions from non-investors, including the third-party risk side.
You may also review your suppliers to see where you could potentially look at certain ESG topics and uncover ways they could be incorporated into your own assessments, such as questionnaires. If you have a database on a vendor, providing additional information within that database related to ESG could be worthwhile. Finally, it could be helpful to do more site reviews and have increased focus on news alerts that look at aspects other than cybersecurity, to then establish an expectation with your vendors on what they need to adhere to.
Wow, I love this question as this is such an exciting field. Third-party risk is not new, but a lot of people feel like it is. This is especially true in the finance and healthcare industries. We are now starting to see TPRM practices develop within other industries, such as manufacturing, retail, hospitality, and entertainment. I’ve seen it start in the audit field, where they review vendors from an internal audit perspective.
Organizations have then seen (based on breaches, cyber incidents, and other things that have happened in their supply chains) that there needs to be more focus on third-party risk. So, they’re now starting to create specific TPRM teams. As a result, in the TPRA we’ve had several new industries join and ask general “Third Party Risk Management 101” questions, such as how to start a program or what tools to leverage. I’m glad that we have the finance and healthcare industries to be the models, because there has been a lot from a third-party risk perspective that has been worked out through them and continues to be worked through them. It’s such a growing and exploding field.
You can read Julie’s interview and more ESG content in our Fall 2021 issue of Risk & Resilience Magazine!
Julie Gaiaschi, CISA, CISM is the Chief Executive Officer and Co-Founder of Third-Party Risk Association (TPRA). TPRA is a community where like-minded third-party risk professionals can share best practices, exchange ideas, and influence the industry. Julie has a demonstrated history of working in the information security and third-party risk management industries and is skilled in Enterprise Risk Management, Internal Audit, CISA, Leadership, and Security.
Follow Julie Gaiaschi on LinkedIn: @juliegaiaschi
Learn more about TPRA: @ThirdPartyRiskAssociation
Share with Your Friends:
