Third party environmental risks are here to stay. With a busy hurricane season threatening to compound pandemic-related business challenges, environmental risk management is all the more important. This blog post is about what Shared Assessments is doing to address changing environmental and geopolitical concerns.
The increase in environmental and geopolitical challenges is causing outsourcers to focus on a series of risks that have not received adequate attention in the past. Pandemics sweeping across the globe, devastating wildfires blanketing swathes of land across multiple continents (Australia, North and South America) and severe storms exacerbated by global warming highlight increasing infrastructure and business resilience challenges.
Across the business community, acceptance of the need to address environmental risks has expanded: most of the top risk factors in the latest World Economic Forum (WEF) Global Risks Report are environmental in nature. (Comparatively, in 2009, no environmental concerns made the top five list, either in terms of the likelihood of occurrence or expected impact.)
Due diligence, additional contract measures, and regular business continuity testing are the way to manage these risks.
Figure xx: The Global Risk Landscape over Time
Third party regulatory guidance relating to the environment has been lacking, and in financial services early discussion has focused on increasing banking sector exposure to business risks caused by environmental change (“Banking in a changing climate – preparing for what lies ahead,” European Central Bank, 2019).
Very little attention to date has been focused on climate-related operational risk, and even less on the environmental risks associated with third party risk management.
The Shared Assessments Program has sharpened its focus on environmental risk, and the Shared Assessments Framework has begun to explore environmental issues in both its Due Diligence module and in the forthcoming volume on Contract Development, Exceptions, Approval and Management.
A few due diligence steps to consider are these:
- Environmental risk is best addressed through real-time monitoring. If your organization operates across a wide geographic footprint, consider continuous monitoring steps that can provide an accurate picture in rapidly changing environmental circumstances.
- Before engaging a third party, outsourcers should examine a candidate’s risk control framework to evaluate whether environmental concerns have been properly incorporated.
- Outsourcers should carefully consider the geographic context around critical facilities when selecting third parties. Facility site inspection can sometimes reveal risks and solutions that have recently come into focus. For example, New York area commercial buildings constructed since Hurricane Sandy now often place basic building infrastructure components (such as HVAC equipment, back-up generators, etc.) well above ground level to ensure continued functionality through high stress environmental events.
- Vendor due diligence efforts should evaluate whether third parties operate in or near areas of high-risk antiquated infrastructure (e.g., areas where risk exists due to antiquated dams, electrical transmission lines, physical plants, etc.).
- Especially when evaluating third parties outside of the United States, outsourcers should examine the realistic likelihood that vendors can quickly adapt to catastrophic events, whether those be natural disasters, pandemics, or man-made in nature. In today’s COVID-19 environment, implementing a work-at-home structure to support ongoing operations has proved to be problematic in areas with inadequate critical infrastructure.
Even in contracts, outsourcers can take worthwhile steps to lower environmental operating risk. Contractual stipulations are helpful, but not adequate by themselves, to reduce risks. Verification that contractual requirements are being met is always a must.
- Third party contracts can specify geographies where subcontractors cannot operate, for example, in certain USGS (or other) designated flood plains.
- Contracts can specify that generators, servers, and other critical infrastructure supports not be placed at or below ground level where conditions warrant.
- Contracts can specify that mutually agreed recovery scenarios for significant environmental events be developed and regularly tested.