
Navigating the ESG landscape with Sarah-Jane Boulos from EY

We recently hosted a virtual fireside chat with Sarah-Jane Boulos, Partner and ESG Lead for Forensics and Integrity Services at EY, to discuss how ESG regulations are becoming more defined and why corporate compliance programmes that fail to integrate ESG with AML and ABAC procedures risk falling behind. While the topic gets a lot of attention, practical and actionable insights are harder to find. Sarah-Jane draws on her real-world experience at The LEGO Group and EY to provide much-needed clarity and guidance.
Q: Let’s start with the US, where Trump froze Foreign Corrupt Practices Act (FCPA) enforcement. What does this mean for ABAC programmes?
Sarah-Jane: While the executive order has raised some eyebrows, we’ve not seen US or international companies scale back their ABAC compliance programmes in response. A key pillar of these programmes is third-party due diligence. Companies are under significant pressure and scrutiny to keep their operations transparent and accountable. From a business perspective, both reputationally and operationally, the risk of scaling back on third-party risk management and ABAC controls is too risky itself.
We must remember that the Act is still in place and the executive order only applies to the DOJ, not the U.S. Securities and Exchange Commission (SEC), which still has enforcement power under the books and records provisions. The FCPA has also set a really high standard for preventing bribery and corruption. We now have a clear understanding of what good ABAC frameworks look like.
Q: Moving to Europe, the EU has released the Omnibus package. What does it mean?
There have been leaks regarding the EU Omnibus package. For those unfamiliar with it, it’s a simplification exercise aimed at refining and aligning frameworks such as the Corporate Sustainability Reporting Directive (CSRD), Corporate Sustainability Due Diligence Directive (CSDD), and the EU taxonomy. While nothing official has been published yet, leaks suggest significant scaling back of the CSDD which is particularly relevant here. At the moment, the proposed changes include:
- Due diligence being limited to Tier 1 suppliers only, rather than the full value chain.
- Potentially only requiring due diligence every five years.
- No legal obligation to terminate relationships over non-compliance.
- A restriction preventing EU Member States from introducing stricter rules than those outlined in the directive—meaning that existing regulations in Germany (the Supply Chain Due Diligence Act) and France (the Duty of Vigilance Law) are already more robust than the current CS3D proposal.
Q: How can corporations bridge the gap between ESG and the compliance function?
Sarah-Jane: The connection between sustainability, compliance, and legal functions is often overlooked. These areas remain siloed, which surprises me. I expected times to change by now. It’s a missed opportunity for corporate compliance teams since bribery and corruption are closely tied to human rights and environmental harm. They create conditions for abuse and deepen inequalities. I like to use the example of bribes used to manipulate factory audits, leading to unsafe working conditions or environmental non-compliance. But ESG considerations must move beyond a tick-box exercise and be fully integrated into an organisation’s corporate compliance programme to be effective.
The existence of silos shouldn’t be underestimated. ESG issues typically span multiple functions, including compliance, legal, sustainability, and procurement, among others. Each of these areas has its own subject matter experts. The question of who actually owns the risk is a different matter entirely. Another challenge is ensuring a seamless transition of responsibility between these functions. ESG risks are deeply interrelated, so they can’t be addressed in isolation. There’s always a ripple effect, which is why having clear roles and accountability is crucial, and it’s one of the biggest hurdles organisations face.
We must remember that ESG is a complex issue. There’s no one-size-fits-all solution. I don’t think organisations need to reinvent the wheel, either. Companies have the option to leverage existing ABAC processes, which have been developed over decades and are more mature. Many foundational elements of an ABAC programme—such as third-party vetting, company disclosures, risk assessments, and monitoring—can be adapted to address ESG risks. But before diving into the how, I would start with a conversation about the what.
In my experience, one of the biggest obstacles to progress is language. What one person means by “due diligence” can be very different from what someone with a human rights background means by it. So the key questions become: What does due diligence mean to each team? If they’ve already conducted an impact assessment and identified where the risks lie, what information do they need? Where does that information come from—public records, disclosures, certifications, audits, interviews?
Then, the focus shifts to how risks will be managed, mitigated, and escalated. Too often, organisations jump straight into an operational plan without first establishing this foundation. Understanding where teams align, where they complement each other, and where their needs may conflict is critical. That’s why I always recommend starting with a cross-functional discussion and setting up a working group to get started.
Q: That’s really valuable advice. How do you bring together functions that aren’t necessarily used to working together?
Sarah-Jane: Language is key. It’s about having an open and honest conversation without making assumptions. Asking questions like: What do you need? What do we need? What do you currently do? What do we do? Where are the gaps? Where do we complement each other? Taking an exploratory approach helps ensure that everyone feels more invested in the process. After all, these teams are often resource-constrained, and it’s not always clear who owns the budget. That’s why securing senior leadership and board-level buy-in is so important.
Q: And how can teams go about securing buy-in from senior leadership and the board?
Sarah-Jane: It starts with a gap analysis, mapping the interplay between ABAC and ESG risks and making a clear case for their connection. Take high-risk geographies, for example. From an ABAC perspective, these regions often have weak governance, lack of enforcement, and opaque regulatory environments. Setting aside outliers for a moment, these same conditions also tend to coincide with weak labour protections and are more likely to see concerns like forced labour.
Consider opaque ownership structures. From an ABAC standpoint, they can mask relationships with sanctioned entities. But from a human rights perspective, the same lack of transparency can hide operations tied to human rights abuses or forced labour.
If your ABC framework already includes Ultimate Beneficial Ownership (UBO) checks, it can also help identify entities with poor labour practices or those operating in high-risk labour environments. This is just one example of how integrating ABAC and ESG risk frameworks can create a stronger, more effective approach. It’s simply about demonstrating, in a tangible way, how these two domains complement one another.
Q: So, you’ve got your working group, a common risk language across functions and buy-in from stakeholders. What’s the blueprint from here?
Sarah-Jane: Start by looking at your current processes. How are you approaching your risk assessment? How are you segmenting your third-party population? Are you clear on your inherent risk?
What data are you already collecting? What are the key touch points between your teams? What’s missing? For example, things like verifying labour standards or certifications. Once you’ve identified those gaps, you can begin refining or designing new workflows.
A good starting point is to expand your risk focus. Consider adding specific human rights questions to your existing supplier or partner questionnaires. For instance, you could ask about the recruitment of migrant workers. You could also ask for additional disclosures, like impact assessments, certifications, and environmental compliance reports. Look at what you can add to your current framework.
Then, leverage your existing technology. Use your tools to access public databases, adverse media, and litigation reports. If you’re not already using them, incorporate things like customs or shipping data to get more visibility into your supply chain, especially beyond just Tier 1 suppliers.
Think about the sources you’re currently tapping into. Can you add reports from civil society or local sources that may focus on labour practices? Let’s be honest, by the time labour issues hit the public record, they’re often pretty extreme. This information typically doesn’t just appear in your regular reports. You need to be on the ground or have very good intelligence.
Embedding ESG risk assessments into your existing risk scoring system ensures it doesn’t operate in isolation from ABAC efforts. This means understanding your ESG risk appetite, which is often assumed rather than explicitly defined. You can start discussing this early on and then integrate it into your current framework. For example, you might assign higher risk scores to suppliers located in countries with weak human rights protections or in high-deforestation zones. Then, you would incorporate these factors into your due diligence platforms, ensuring ESG risks are considered alongside traditional risks.
I would also recommend aligning your escalation and remediation processes. Just as ABAC risks are escalated based on their severity, you should set up automated triggers to escalate ESG risks and define who owns those risks. For example, if you identify issues like labour risks, remediation plans such as supplier engagement programmes should be put in place.
Lastly, update policies, contracts, and training to reflect your organisation’s commitment to ESG. Revise your existing compliance and related policies to integrate ESG standards into your code of conduct, supplier codes, and procurement policies. This ensures clear expectations for third parties. You could also introduce specific ESG clauses in your contracts, or build on what you already have for ABAC risks, adding provisions like warranties, audit rights, and termination clauses.