What are a company’s responsibilities to society as a whole? What is our broader purpose? How do our personal values factor into setting priorities?

The answers to the questions above will differ from one company to another. But using corporate purpose as a guiding principle will assist in orienting an organization to what is important for multiple stakeholder groups – its employees, customers, regulators, the communities in which it operates, and ultimately its shareholders.

The pandemic has accelerated interest in the ESG agenda and raised recognition that ESG adoption is both socially and financially profitable and, in certain cases, critical for a company to establish and sustain the kind of business platform its consumers and investors demand. However, with opportunity comes risk, and a proper understanding of how ESG risks can impact an organization provides the platform for value creation.

In the first of a series of posts analyzing the opportunities and potential pitfalls when developing an ESG strategy, we focus on Risk Management.
Critical to developing a powerful ESG strategy is understanding an organization’s risk profile with respect to environmental, social and governance goals. ESG risks should be integrated in the organization’s overall risk registers and a wider Enterprise Risk Management (ERM) framework.

The first step is understanding which risks are inherent in an organization’s business profile and operations. Such transparency is critical for a robust assessment of whether appropriate controls are in place to monitor and quickly respond to issues and enhance growth in relation to meeting strategic milestones.

Adequately addressing ESG risk will also require adding new skills to the risk management profile: many facets of the environmental and social spheres demand a different understanding of technical and physical factors than the more traditional financial and operational risk drivers.

At a foundational level, risks should be organized into environmental, social and governance categories, as they impact a company’s reputation, operations, legal liability, and financial health. In some cases, existing controls may sufficiently mitigate ESG risks. For example, many companies have developed Know Your Client (KYC) and Know Your Supplier (KYS) risk review programs as part of overall client and supplier onboarding, which directly supports anti-corruption governance and can be leveraged to also address human-rights aspects like working conditions.

As with other types of risk, an individual or a team should be clearly designated as the risk owner responsible for developing ESG action plans with specific steps and deadlines for mitigating residual and emerging risks. Such individuals or teams are typically part of the wider risk organization and work in concert with the traditional risk reviewers, such as credit, market, regulatory and operational. Accordingly, consolidated risk reporting should be provided to all relevant business stakeholders – including executive sponsors and board members – to establish consistent reporting lines and effective risk governance.

Key considerations for Risk Management in ESG:

1. Robust ESG risk identification: Align efforts to clarify and systematically identify ESG risks across the organization, including strategic, financial, operational, legal and regulatory, and people risks. Integrate them into the existing enterprise risk assessment and register structures, taking into consideration cross-cutting likelihood and impacts.

Once ESG risks form part of the enterprise risk register, holistic risk assessments should be conducted and refreshed on an annual basis.

2. Rubric for developing inherent and residual risk calculations and controls: Develop a consistent approach to assessing and scoring ESG risk that is aligned with, and comparable to, the assessment of other risk types. Build a holistic picture across all risk types to re-balance prioritization and design an effective monitoring program. Clearly differentiate between inherent risks and the residual risks that remain after mitigation measures are taken into account. Where necessary, develop new controls to manage ESG risks, prioritizing them by inherent risk so that the potential for issues is adequately mitigated.

3. Proactive measures designed to catch issues efficiently: Given the dynamic nature of the field, remain vigilant for emerging ESG risks. For example, continuously scan competitor behavior and social media discussions, and integrate an ESG risk assessment into new product development and marketing processes. Rigorously review regulatory developments as the minimum threshold for standards frameworks, but also consider “softer” stakeholder requests and be extremely cautious about any approach that could be perceived as greenwashing.

Click here to read the full report: Who Cares? Why the right ESG strategy can spell business success