Third-party risk managers should be paying attention to important ESG regulatory developments in the European Union, where two pieces of regulation became effective within the last month and one more may be on the cusp. Third-party risk managers should use the relatively long due diligence compliance lead times to understand how best to structure existing programs to meet new standards.
The headline news is that the EU is very close to implementing a coherent, integrated corporate human rights and climate due diligence and reporting framework that stems from goals developed over decades.[1] Although the work is not quite finished (supply chain due diligence requirements are in their final stage of negotiation between the EU Council and Parliament), any jurisdiction achieving what the Union has accomplished so far should take a bow.
The German and EU Supply Chain due diligence Acts are important because they impose fundamentally new requirements on companies to affirmatively address environmental and human resources issues in their extended supply chains. The EU Council submitted its proposal to Parliament at a time of heightened political division in the United States where ESG pushback in the political arena may be having some impact on the thinking of corporate executives.[2] Negotiations between Parliament and the Council will take place with significant crossover advice from firms based in the United States.
The EU directive will extend to U.S. (and other non-EU) organizations doing business within the Union five years after the Act goes into force if they meet one of these conditions: (a) firms that have generated a net turnover of more than EUR 150 million in the Union in the financial year preceding the last financial year; or (b) firms that have generated a net turnover of more than EUR 40 million but not more than EUR 150 million in the Union in the financial year preceding the last financial year, provided that at least EUR 20 million was generated in one or more specific sectors.[3]
The German act, already in place, has supply chain due diligence obligations that are less onerous than the current EU Council proposal:
Summarized from: 20210831-Lieferkettengesetz-englisch.pdf (suedwesttextil.de), page 6 https://data.consilium.europa.eu/doc/document/ST-15024-2022-REV-1/en/pdf, page 78.
Significantly, the German Supply Chain Due Diligence Act requires less due diligence over Nth parties, termed “Indirect Suppliers” in the regulation. An “indirect supplier” is defined as “an enterprise that is not a direct supplier and whose supplies are necessary for the production of the enterprise’s product or for the provision and use of the relevant service.” Although the definition is expansive, outsourcer due diligence obligations are not the same for direct and indirect suppliers. Outsourcers are required to proactively interact with indirect suppliers only if they become aware of potential or actual violations of human rights or environmental regulations. That’s an important distinction.
Requirements have already been modified during the EU proposal’s journey to full Council approval. Initial drafts called for true scope 3 end-to-end (up and downstream) outsourcer oversight responsibility. The final proposal (with significant exceptions) limits oversight to upstream relationships, no matter where they occur in the supply chain.[4] As negotiations between the EU’s Parliament and Council continue, due diligence scope issues may be the most contentious.
The Union’s Supply Chain Reporting Directive has been signed into law and reporting will be required in increments effective January 1, 2024. For the last 15 months both the EFRAG and ISSB have been working to harmonize their work product, ensuring that their language foots to the Taskforce on Climate Related Disclosures (TCFD) framework. The final reporting requirements (effective June 30) will reflect that ongoing work.[5]
In today’s political climate it may be useful to understand why so many corporations seem to be stepping up to sustainability requirements, albeit at varying rates in different parts of the world. When the SEC released its climate reporting proposal in March 2022[6], reaction was mixed, but observers noted that many firms were already reporting Greenhouse Gas (GHG) emissions and additional related data regularly. In fact, many SEC proposal responses were supportive of a standards-based reporting requirement at some level, and, of those, many supported TCFD alignment. Recent reports suggest that the SEC will release final climate (and cyber security) standards by May 1st of this year.[7]
To better understand the basis of climate reporting support, in February 2022 the TCFD surveyed more than 200 asset managers and owners across the globe, and the results were instructive (see Table 1 below). By far the most important motivation for climate reporting was the simple recognition that climate related risks are, in fact, material. That bodes well for supply chain due diligence and reporting practices in the long run, despite elevated political rhetoric in the U.S.
The Task Force distributed the survey to around 3,000 financial institutions in February 2022, resulting in 229 responses. Source: 2022-TCFD-Status-Report.pdf (bbhub.io)
Many jurisdictions are advancing climate and human rights due diligence initiatives on a piecemeal basis. The EU is doing the opposite, and it will be a learning experience for the rest of the world. Third-party risk practitioners should watch for final language in the EU supply chain due diligence directive and should use it as a baseline to judge their directional maturity. Tools that focus on 3rd and Nth party due diligence, such as the Shared Assessments SIG, are useful now and will become more so as they’re iterated between today and the directive’s eventual compliance dates. For United States-based companies, a five-year due diligence window may seem like a long time, but the practices required to effectively understand and address human rights and climate issues in complex supply chains are generally not in place and will require pooled approaches to implement. A good head start toward a well-defined set of goals may be just what industry needs.
This blog reflects ongoing work in the Shared Assessments ESG and Regulatory Committees. In both groups, members from the U.S., the U.K. and other international jurisdictions come together to stay abreast of and discuss complex outsourcing chain ramifications whether they be standards-based, regulatory proposals, or market initiatives. The Regulatory Committee selectively responds to government/agency requests for comments when they are of interest to members. Non-members are invited to participate in ESG Committee meetings for up to a year; non-members are also invited to request audit access to a regulatory committee meeting of their choice. Please join your peers in this important work. Contact Jessica Calzada at jcalzada@sharedassessements.org
[1] EU sustainability goals have been developed for more than two decades. See, for example: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52001DC0264&from=EN
[2] https://www.nytimes.com/2023/01/19/business/dealbook/esg-business-davos.html
[3] https://data.consilium.europa.eu/doc/document/ST-15024-2022-REV-1/en/pdf, pgs. 64, 115
[4] https://data.consilium.europa.eu/doc/document/ST-15024-2022-REV-1/en/pdf
[6] https://www.sec.gov/rules/proposed/2022/33-11042.pdf
[7] SEC aims to set climate risk, cybersecurity rules before May | CFO Dive