Reporting

  • 1.  ESG / DEI reporting and scoring

    Posted 02-03-2023 12:08 PM

    We're looking to get started on vendor reporting around ESG, tying also into our DE&I goals and mission. Wondering if there are any suggestions on the best path to accomplish quick wins while we start evolving in this area. Questions that come to mind, that maybe someone can help with, are:
    - Does anyone have any questions that we should include to create an initial ESG profile of the vendors we work with?
    - Is there an ESG/DEI scoring associated with the answers gathered?
    - If alternative data sources for vendor ESG/DEI data are leveraged, could anyone provide options that actually worked and helped expedite the progress?

    Thanks!

    Susana



  • 2.  RE: ESG / DEI reporting and scoring

    Posted 02-06-2023 12:08 PM

    Hi Susana,

    Integrating vendor ESG reporting into your TPRM practice can be challenging and requires a lot of thought and planning. Let's say this isn't a "just do it" project. It will take a lot of collaboration and planning to get off the ground.

    First, you must begin with your organization's objectives for ESG. What does the organization plan to disclose and report? And how does that align with the specific DE&I objectives? We need to start there because you can't ask your vendors to do more than the organization or report on ESG criteria that are not being reported by the company. Once the top-level ESG disclosure and reporting parameters are established, they can be more easily cascaded down to the vendors.

    Second, you need to clearly identify if you will ask your vendors to just disclose and report ESG or if you require them to hit a specific goal. If it is only disclosure and reporting, you still need to establish the specific reporting requirements and communicate them to the vendors. Keep in mind that it is unlikely, at this point, that any of your contracts require this disclosure and reporting, so it may be difficult to get your vendors to participate. Likewise, getting a vendor to commit to ESG goals could be tricky if you are already under contract. When integrating ESG into TPRM practices, there are many other factors to consider, including what kind of information is required for ESG due diligence and if you have the right subject matter expertise to assess a vendor's ESG environment.

    As for quick wins, I think it is reasonable to ask your vendors to complete a brief ESG questionnaire. This process can help you identify which vendors have ESG practices and give you a starting point for moving forward.

    You can find a sample vendor ESG questionnaire in the Venminder toolkit Integrating ESG Into Your Third-Party Risk Management Framework. Several valuable resources in the toolkit can help you get started. In the meantime, I would love to hear from other members.




  • 3.  RE: ESG / DEI reporting and scoring

    Posted 07-12-2023 09:58 AM

    Infoblox is also looking to add Compliance questions to our TPRM process in order to better support Supply Chain Risk Management documentation. (NIST 800-53 rev 5 has a whole new control family on SCRM.) I'd be interested in hearing what you find out.

    The SIG 2023 questionnaire includes a batch of ESG questions, primarily focused on environmental issues (carbon emissions, recycling, etc.). If you have a SIG subscription, you can pull those questions. We have not firmed up our question list, but expect to do so by the end of August. There are several third-party scoring tools/frameworks for ESG, so you could incorporate some of their self-assessment questions as well. (Sorry, away from my desk, so can't pull those names off the top of my head.)

    Good luck in this worthy endeavor!



    ------------------------------
    Kate Wakefield, CISSP / CIPT / CRISC
    Infoblox Director of GRC
    ------------------------------