ESG & TPRM: Embracing the Relationship and Solving the Puzzle
December 13th, 2021 • Hannah Tichansky • Reading Time: 5 minutes
A Conversation with Julie Gaiaschi, CEO and Co-Founder of TPRA
Risk & Resilience Magazine sat down with Julie Gaiaschi, CISA, CISM, who is the CEO and co-founder of the Third-Party Risk Association. TPRA is a not-for-profit, professional association for third-party risk practitioners and service providers, where they work to further the profession through knowledge sharing and networking. TPRA is the only vendor-agnostic professional association for third-party risk and provides in-depth conversations around topics, and generates guidance, research, and templates as a community.
Thanks for sitting down with us, Julie. To start, can you share how you have seen ESG evolve?
With regards to third-party risk, Environmental, Social, Governance (ESG) is a new concept. Traditionally, ESG assessments and ratings are used by investors in their decision-making processes when investing in new companies. Now, we’re seeing them used more frequently in the third-party risk realm. ESG assessments and ratings are primarily being incorporated into organizations’ risk models, a portion of which focuses on third-party risk. This means that organizations are deciding how ESG risk exposure (at both a micro and macro level) impacts their organization and what they need to do to strengthen their TPRM programs.
Have you seen challenges to getting board buy-in on these initiatives and adoption?
Since ESG is new to third-party risk, it may be hard to get executive buy-in. Leadership will want to understand where the value for assessing ESG risks comes from. To do this, you need to do homework on how ESG risk impacts your own organization. We’re noticing that the risks that third parties pose do impact organizations from both reputational and financial standpoints. We’re also seeing some of these ESG concepts hit the supply chain, especially following COVID-19. It’s important to do your research and determine what impacts ESG has on your organization before starting the conversations with executives.
I’m sure this challenge goes beyond executives, as well. How can internal stakeholders collaborate on ESG for a productive future?
In addition to the top-down approach mentioned, the third-party risk team needs a seat at the table. This is especially important if you’re a public company that already discloses certain items. You should question what disclosure requirements are currently required by your organization, as well as your vendors. If your third party must disclose an ESG material risk, you may also have to disclose the same risk since they are one of your vendors. So, understanding what the existing process for your organization is, and trying to get a seat at the table is vital.
You’ve talked about third parties. How is ESG affected by third parties or vice versa?
Regulators are starting to ask public companies to disclose when their third parties have ESG-related impacts/disclosures through TPRM programs. This is why there is an increased importance in asking ESG-related questions, because it ensures that you have a good supplier code of conduct and proper language in contracts to allow you to evaluate and assess ESG. I think ESG activities are only going to grow and, as we gain a better footing on how third-party risk programs will incorporate this, there will be more to come.
How do you think the public perception is shifting with regards to ESG and sustainability initiatives?
This is a new topic for many of us. We are seeing third-party risk professionals work with their compliance teams to determine how to look at and evaluate ESG from a third-party risk perspective. An example of this trickle-down effect is that now when an organization evaluates one of their international vendors, not only do they ask questions about data protection, but they also inquire about the working conditions and the local communities they operate in.
Are there any best practices you can offer for companies that are looking to adopt ESG?
I would suggest researching what standards are already out there and talking about what companies need to publicly disclose based on the material risk presented. You can also research ratings providers, which take publicly available information and create an ESG score for companies. This is targeted towards the investor side, but they also receive a lot of questions from non-investors, including the third-party risk side.
You may also review your suppliers to see where you could potentially look at certain ESG topics and uncover ways they could be incorporated into your own assessments, such as questionnaires. If you have a database on a vendor, providing additional information within that database related to ESG could be worthwhile. Finally, it could be helpful to do more site reviews and have increased focus on news alerts that look at aspects other than cybersecurity, to then establish an expectation with your vendors on what they need to adhere to.
ESG is a new consideration for TPRM. With your experience at TPRA, as a risk manager and as an auditor, how have you seen TPRM develop as a field of practice?
Wow, I love this question as this is such an exciting field. Third-party risk is not new, but a lot of people feel like it is. This is especially true in the finance and healthcare industries. We are now starting to see TPRM practices develop within other industries, such as manufacturing, retail, hospitality, and entertainment. I’ve seen it start in the audit field, where they review vendors from an internal audit perspective.
Organizations have then seen (based on breaches, cyber incidents, and other things that have happened in their supply chains) that there needs to be more focus on third-party risk. So, they’re now starting to create specific TPRM teams. As a result, in the TPRA we’ve had several new industries join and ask general “Third Party Risk Management 101” questions, such as how to start a program or what tools to leverage. I’m glad that we have the finance and healthcare industries to be the models, because there has been a lot from a third-party risk perspective that has been worked out through them and continues to be worked through them. It’s such a growing and exploding field.
Julie Gaiaschi, CISA, CISM is the Chief Executive Officer and Co-Founder of Third-Party Risk Association (TPRA). TPRA is a community where like-minded third-party risk professionals can share best practices, exchange ideas, and influence the industry. Julie has a demonstrated history of working in the information security and third-party risk management industries and is skilled in Enterprise Risk Management, Internal Audit, CISA, Leadership, and Security.