Skip to content

How to integrate ESG risks into the enterprise’s overall risk management

Natalie Runyon  Director / ESG content & Advisory Services / Thomson Reuters Institute

· 5 minute read

Natalie Runyon  Director / ESG content & Advisory Services / Thomson Reuters Institute

· 5 minute read

Integrating sustainability into company core operations and strategy remains a challenge, and one way to overcome this is to infuse these issues into enterprise risk management workflows

Convergence of sustainability frameworks and standards is driving global consistency in environmental, social & governance (ESG) disclosures. In fact, the International Sustainability Standards Board has integrated the efforts of other industry-driven reporting endeavors, such as the Task Force for Climate-related Financial Disclosures (TCFD) and the Value Reporting Foundation, among others. A key component of this convergence was the TCFD’s principle that had companies identifying sustainability-related risks and opportunities and corresponding governance, strategy, risk management, and metrics or targets.

ESG legal adviser Honieh Udeka of Brown Rudnick warned companies 15 months ago to make sure that an ESG strategy is “built-in and not bolted on,” adding that a “bolted-on” strategy ultimately fails “because ESG values were only loosely coupled with business objectives and operations [and often] added on as an afterthought.” Indeed, one way to ensure a company’s sustainability strategy is built into the business is through integrating the strategy into the company’s enterprise risk management (ERM) governance.

Since ESG-related risks are essentially business risks, they should be incorporated into the company’s strategy and ERM processes as well, according to a joint collaborative guidance issued by the World Business Council on Sustainable Development (WBCSD), a business-driven community committed to limiting the climate crisis, restore nature, and tackle inequality; and the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence.

COSO and WBCSD developed a framework to enable organizations to assess their readiness for ESG-related risks. Setting up governance structures for efficient risk management is a foundation-level step that supports the effectiveness of integrating ESG-risks into ERM processes. Indeed, governance dictates the process for decision-making and the execution of those decisions.

Integrating ESG-related risks into ERM involves enhancing the board’s and executive management’s understanding of these risks and fostering a collaborative culture among risk management personnel. To put this into action, the company’s board and executive leaders must understand explicitly how ESG-related risks could influence the company’s performance. In addition, there must be an awareness among management regarding their duties concerning current or forthcoming ESG disclosure obligations and a thorough grasp of the company’s tolerance level for ESG-related risks.

Finally, assigning ownership to one individual responsible for managing each ESG-related risk or issue, with a clear understanding of how their business area impacts and relies on the natural environment and societal factors is another essential requirement.

Identifying, assessing & communicating ESG-related risks

Changes in a company’s business strategy, core objectives, focus or market, or risk appetite can lead to both risks and opportunities. Incorporating ERM with ESG-related risks includes conducting ESG materiality assessments and analyzing megatrends of the external environment. Given that companies possess finite resources to address all identified risks across the organization, prioritizing risks through assessment and evaluating the severity of top risks are essential.

For example, methods for assessing ESG-related risks include forecasting and scenario analysis. And one critical requirement is involving cross-functional representatives that include sustainability managers, risk owners, and other ESG specialists in the process of ongoing identification of risks that most affect the organization. In fact, including ESG risks in the enterprise inventory of risks and evaluating the impact and probability of those risks are critical components of the ERM process.

Another recommendation described in COSO and WBCSD’s framework is choosing a suitable response for each risk, which can include accepting, mitigating, or transferring the risk and wherever possible, avoiding it or spreading it around to other parties. As part of this, it’s important to set up metrics for ongoing evaluation.

To determine the best response, organizations can utilize a range of available ESG resources, such as industry consortia and specific ESG protocols, to better craft creative and impactful strategies for addressing ESG-related risks. As in any ERM process, stakeholders involved in ERM need to monitor ESG developments and indicators for any shifts in the business environment or strategy and then set up metrics to track the effectiveness of risk response measures.

Finally, COSO and WBCSD recommend collaborating with risk owners to determine the best approaches for assessing and sharing performance insights, both those within the organization and external stakeholders. This includes making sure that the company understands and meets the ESG disclosure expectations of internal and external stakeholders.

Using climate change as an example

To demonstrate how the COSO-WBCSD recommendations work, take for example, climate change, which can impact an organization’s operations and supply chain. Through an ERM framework, a company may respond to this risk by reducing carbon emissions and using more renewable energy, in order to mitigate the company’s environmental impact. Additionally, the company might transfer some of the financial risks associated with climate change by the use of insurance products specifically designed for environmental liabilities. The company also should regularly assess and update its strategy to better adapt to changing regulations and market expectations regarding sustainability, thus ensuring compliance and leveraging competitive advantage.

Bruno Sarda, a partner in Climate Change & Sustainability Services for EY, says that best-in-class companies are integrating enterprise scale decision-making into enterprise risk management and have just started to include climate mitigation into the processes. In fact, an effective governance structure for climate change includes a dedicated cross-functional body with clear roles and responsibilities for climate-related tasks, regular risk and opportunity assessments, and transparent reporting mechanisms. This structure includes a mechanism to report to the board and upper management and ensures strategic alignment, accountability, and proactive management of climate-related impacts.

As the risk environment continues to increase in complexity and uncertainty, especially over the long term, full consideration of ESG risks is an essential ingredient to manage corporate and compliance risks in an escalated risk environment. Integrating a company’s sustainability strategy into ERM governance is one method to embed and build in sustainability into the organization’s overall business operations.

More insights