
A Working Checklist for ESG Across Your Supply Base

By XNM Technologies · October 31, 2021 · 3 min read

Two years of disruption taught procurement teams an uncomfortable lesson: you do not really know your supply base until something breaks. The same gap shows up with environmental, social and governance (ESG) commitments. A board signs off on a sustainability statement, the policy gets posted, and then nobody can answer a simple question — which of our suppliers actually meet it, and how would we prove it? As pandemic recovery pulls more spend back online and hybrid teams stretch oversight thin, ESG cannot stay a slide in the annual report. It has to become something you check, supplier by supplier.

This is a checklist you can start using this week. It will not certify your supply chain, and it is not a substitute for a formal program. What it does is surface the obvious gaps fast, so you spend your limited time on the suppliers that carry real risk rather than the ones already doing the work.

Map before you measure

ESG risk rarely sits in the supplier whose logo is on the contract. It sits two and three tiers down, in the mine, the mill, the contract labour agency you have never spoken to. Before you score anyone, build a rough map of where your money and your reputation actually travel.

  • List your top 20 suppliers by spend, and separately your top 20 by how hard they would be to replace — they are not the same list.

  • For each, note the country and region where the work is physically done, not just the head-office address on the invoice.

  • Flag any category historically tied to labour or environmental concerns — extraction, textiles, electronics components, low-cost contract labour.

  • Mark which suppliers you have a direct relationship with versus those reached only through a distributor or broker.

The week-one checklist

Work through these questions for your flagged suppliers. The goal is a yes, a no, or an honest "we don't know" — that last answer is the most useful one, because it tells you exactly where to dig.

  1. Policy. Does the supplier have a written code of conduct covering labour, health and safety, and the environment — and is it more recent than three years old?

  2. Evidence. Can they produce something beyond the policy: an audit, a certification, an incident log? A claim with no artifact behind it is a claim, not a control.

  3. Sub-tiers. Do they know and disclose their own critical suppliers? A supplier who cannot see one tier down cannot manage risk you are inheriting from two.

  4. Incidents. Has there been a strike, spill, recall, fine, or news report in the past 24 months? A quick search costs ten minutes and tells you more than most questionnaires.

  5. Contacts. Is there a named person responsible for ESG on their side, or does the question bounce around until it lands on whoever picks up the phone?

  6. Contract. Do your purchase terms actually require any of the above, with a right to audit — or is the expectation only ever spoken, never written?

Turn answers into action

A checklist that produces a spreadsheet nobody opens again has failed. Close the loop while the findings are fresh. Sort suppliers into three buckets: meeting expectations, fixable gaps, and genuine red flags. For the middle group, agree a corrective plan with a date. For the red flags, decide deliberately — remediate, dual-source, or exit — and write down the decision and who made it, so the reasoning survives the next staff change.

Keep the trail. The value of this work is not the score on any given day; it is being able to show, a year from now, what you knew, what you asked, and what you did about it. That record is what turns an ESG statement from a promise into a defensible practice.

If you want a second set of eyes on your supplier risk or help standing up a practical program, XNM's procurement, sourcing & contract management can help you build it without the overhead.