Supply Chain ESG Risk Assessment and Due Diligence: You're Probably Doing it Wrong


The post-COP26 accelerated frenzy for all things ESG has led to increased demand for, and discourse around, methodologies for assessing and managing ESG risk in supply chains. Having spent over a decade in the risk advisory sector, and a couple of years in corporate risk management, I can say with certainty that many of the current approaches are flawed. In this post, I will outline some key flaws in current approaches to the topic of supply chain ESG risk assessment and due diligence.


Reliance on flawed ESG ratings and data

I have previously covered the question of flaws in ESG ratings. But the issue demands further exploration because, the truth is, many (perhaps most) major enterprises are using ESG ratings both to project an ESG-positive image for themselves and as a key tool in building their supply chain ESG risk management methodologies. Trillions of dollars are invested based on ESG ratings, and the trend has only accelerated after the COVID-19 outbreak.


In fact, to say ESG ratings are flawed is a serious understatement. Study after study has found minimal correlation and wide divergence between ESG ratings from alternative agencies including FTSE4Good, MSCI, Moody's ESG, KLD, Refintiv, S&P Global, Sustainalytics, etc.


As one study put it, the substantial disagreement among ESG ratings providers has several important consequences.


First, it makes it difficult to evaluate the ESG performance of companies, funds, and portfolios, which is the primary purpose of ESG ratings. Second, ESG rating divergence decreases companies’ incentives to improve their ESG performance. Companies receive mixed signals from rating agencies about which actions are expected and will be valued by the market. This might lead to underinvestment in ESG improvement activities...

One might add that it funnels obscene amounts of money into ratings agencies that provide little value while facilitating greenwashing.


Perhaps worse, another recent study has found indications of potential conflicts of interest in ESG ratings.

We find that firms sharing the same major shareholders with the rater (“sister firms”) receive higher ESG ratings...Sister firms receive higher ratings when the common owners have larger stakes in the ESG rater. Notwithstanding their initial higher ratings, sister firms have poorer future ESG outcomes. These findings cast doubt on the quality of ESG ratings and caution practitioners and regulators.

Companies relying on ratings for any part of their ESG risk management program need to ask themselves: Do ESG ratings really provide any value if one ratings agency puts Facebook in the top 10% while another ranks it below average? In the end, if you do not have a reliable, consistent way to decide which ratings to trust, you just have a bunch of "noise."


Overconfidence in "risk-based" approaches

Most ESG risk assessment methodologies are putting the proverbial cart before the horse. Perhaps borrowing from audit terminology (a dangerous prospect since audits and due diligence are very different) most organizations purport to follow a "risk-based" approach when designing processes to narrow the field of, say, suppliers to assess for ESG risk. The problem is that flawed data lead to a "shot in the dark" approach instead.


Companies cannot truly take a "risk-based" approach to ESG risk in their supply chains if they do not really understand their supply chains fully. The vast majority of companies operating internationally likely have trouble with traceability in their supply chain. Simply put, modern supply chains tend to be very complex and they are, often by design, not built for transparency. Mapping a supply chain fully can be a very expensive exercise. In the absence of supply chain transparency, companies will necessarily miss high risk areas. In fact, they will likely be forced to rely on flawed ESG ratings to segment suppliers by risk criteria such as industry, country, etc.


A basis in flawed "ESG Narrative" assumptions

The flaws in ESG ratings are fed from an overarching flawed narrative that is often based on flawed assumptions and imperfect data. Not unlike the way the World Bank and IMF use methodologies that may exaggerate financial risk in African countries, ESG operates on certain assumptions, which, incidentally, also appear to divert investment flows the Global South.


For instance, the predominant western-centric ESG narrative arguably tends to focus on environmental factors while downplaying the social component. Perhaps this is precisely because abusive social and labor practices have been an integral part of supplying cheap consumer goods to western countries for decades.

In any case, the reality is that this ESG narrative means the renewable energy industry is rated as having lower ESG risk despite a surplus of potentially problematic ESG issues in its supply chain around mining inputs. Electric vehicles, for instance, are consistently praised as "ESG positive" despite the use of child labor in cobalt mining. Even when social issues receive attention, the opacity of supply chains can still be a significant obstacle to a well-done ESG risk assessment. In the end, companies that truly care will need to undertake due diligence. But here, too, some caution is warranted.



Flawed due diligence methodologies (and guides)

The ESG risk frenzy has led to an increased demand for ESG Due Diligence as a result of, inter alia, regulations like Germany's Supply Chain Act, which mandate due diligence to mitigate ESG risks in the supply chain. Nevertheless, there are many potential pitfalls not least of which is a tendency to resort to a one-off diligence with a "tick-the-box" approach.


Even guides meant for companies and cited by legislators as resources have significant flaws. Consider, for instance, the OECD Due Diligence Guidance for Responsible Business Conduct. To be sure, there are positives in this guidance, but there are also some key gaps and it's fair to say these are also often present in most companies' approach to ESG due diligence.


No Stakeholder Risk Mapping: While mentioning both stakeholders and rightsholders, there seems to be no mention of the importance of Stakeholder Risk Mapping exercises. Wading into an ESG risk management exercise without understanding the network of stakeholders and how the players interact (especially in a complex market) is a recipe for potential disaster.


Lack of nuance on OSINT and HUMINT practices: The document makes no real mention of issues with OSINT in due diligence, which affect "desk-based" diligence, particularly in complex jurisdictions where this sort of "responsible business conduct" diligence is presumably important. On the HUMINT side, the document also ignores points on critically important context for understanding the comments made by, in this case, stakeholders and rightsholders.


Lack of emphasis on the operating environment: Absent from this guide is information on the importance of understanding the operating environment in conducting this sort of due diligence. The document seems to glibly recommend engaging trade unions and NGOs, for instance, but seasoned investigators who've operated in the Global South understand engagement with such organizations must be informed by an understanding of the operating environment, which considers the context of, for example, corruption and political pressure in such organizations.


No discussion of the benefits of a third party investigator: There seems to be little awareness of the benefits of a third-party investigator both from the vantage point of subject-matter expertise as well as from operational effectiveness. The operating assumption seems to be that companies will carry out their own diligence. However, third-party investigators are often more effective (if and when): they have the proper expertise; they provide an objective, outside perspective; they are also not seen as associated directly with your company and, consequently, often have a better chance of obtaining critical information for your ESG Due Diligence.


From ratings providers, to narratives with flawed assumptions to lacking methodologies, the path of ESG risk assessment and due diligence in modern supply chains is fraught with pitfalls and flawed approaches. Companies that ignore them do so at their peril.