Sustainability Risk Is Supply-Chain Risk
Last week we reported on a study that captured the challenges of third-party risk management these days. Today we can take a deep dive into one specific slice of that challenge courtesy of Microsoft, and its quest to reduce carbon emissions in its supply chain.
The news is as follows. Last week Microsoft released its 2024 sustainability report, and tucked into its flowery 88-page document was this goal: that by 2030 a select number of high-volume suppliers must use 100 percent carbon-free electricity for goods and services delivered to Microsoft.
OK, sounds great, but a question arises: what kind of risk management problem is this?
That is, will enforcement of this goal fall to Microsoft’s sustainability function, headed by chief sustainability officer Melanie Nakagawa? (Hers is the name on the sustainability report, along with Microsoft president Brad Smith.) Will it fall to Microsoft’s procurement function? How will Microsoft audit the suppliers’ compliance with this carbon-free requirement? What happens if an important supplier fails to meet that goal? Who decides whether to grant an exception to the requirement or to cut the carbon-belcher loose?
That’s actually a bunch of questions, but you get my drift. Corporate sustainability objectives are turning into supply-chain management challenges. Those challenges, in turn, are crashing into corporate procurement functions. So how will companies sort out roles and responsibilities for all this, especially with ESG disclosure regulations looming in both Europe and the United States?
Go back to our post from last week about third-party risk management (TPRM). It spotlighted a study of how corporations approach TPRM, and identified seven separate corporate functions that might want to have some say in third-party risk. First, sustainability functions weren’t even among the seven listed. Moreover, each of the seven had substantially different priorities about TPRM. For example, procurement functions were most worried about the speed of onboarding new vendors, while compliance functions were most worried about the vendors’ regulatory compliance.
Both functions are right to list their own interests first, but how can one company reconcile such different priorities under one TPRM umbrella — especially now, with sustainability thrown into the mix as well?
From Sustainability to Supply Chain
Let’s go back to Microsoft and its sustainability report, and how it so neatly captures the issues here.
In that report, we see that Microsoft has managed to cut its carbon emissions for both Scope 1 (direct emissions created by a company’s own activity) and Scope 2 (indirect emissions created by a company’s consumption of electricity and heat) by 6.3 percent since 2020.
At the same time, however, Microsoft’s Scope 3 emissions (from the supply chain) increased by 30.9 percent. Since Scope 3 emissions account for more than 95 percent of all Microsoft’s emissions, that means the company’s total carbon emissions increased by 29.1 percent, too. (See Figure 1, below.)
Source: Microsoft
Quite simply, Microsoft will never be able to achieve its sustainability goals without restructuring its supply chain.
Or, to put things another way, achieving its sustainability goals will always be a supply-chain management issue.
Not every business will fall into that dynamic, but most will. So as sustainability regulations that include Scope 3 emissions hurtle toward us (the California Climate Corporate Data Accountability Act, starting in 2027; the Corporate Sustainability Reporting Directive, starting in 2026), companies will need to integrate sustainability assessments into their supply-chain management capabilities.
So in that case, all you compliance officers out there worried that ESG disclosure issues might be forced upon you — have we been wrong all this time? Maybe ESG issues will be forced upon the procurement team, since they’re (supposedly) the ones in charge of supply-chain management. Maybe compliance officers will play only an ancillary role, reviewing contracts for proper disclosure clauses or investigating complaints about suppliers that somehow come through your whistleblower hotline.
Structuring a Strong Supply-Chain Team
Regardless of exactly who manages sustainability needs in the supply chain, we have other questions to consider here too. For example, what resources would that person need to do the job well?
Clearly he or she would need some way to assess the sustainability performance of suppliers. That’s mostly a data collection issue. You might need to restructure your contracts and procurement processes to compel vendors to supply such information. You might also need to seek sustainability data from outside providers, so you can cross-check whatever the vendor provides to you directly. (Little surprise, then, that I’ve lately been peppered with emails from startups promising that they can provide exactly such information to corporate clients.)
As always, however, I’m more interested in whether this sustainable supply chain officer has the necessary authority to do the job well. For example, when a crucial supplier fails to meet your sustainability requirements, who at the organization then decides what happens to that supplier? Who has the authority to kick such a supplier to the curb? (Nakagawa at Microsoft admitted the company is “not there yet” on dropping suppliers that can’t meet its climate goals.)
In all likelihood, most companies will evaluate suppliers across a range of criteria: cost of the goods supplied, importance of the goods supplied, corruption or sanctions risk, cybersecurity, and yes, sustainability criteria as well. But how does the company weight each of those criteria? Who gets to decide that price is, say, five times more important than carbon emissions, or twice as important as corruption risk?
Does the CFO alone make that determination? Because that suggests that your talk about sustainability is just hot air. Does the procurement officer alone decide? Because then I’d worry whether the procurement team knows how to make those decisions. Does a team of senior executives make those determinations? Because then I’d wonder whether the team does so through a rigorous, data-driven process; or through a bull session in the conference room on some idle Tuesday.
These are the issues we need to clarify as sustainability, supply-chain management, and third-party risk all fuse into one sticky mess. And messes tend to get stickier the hotter it gets.