Understanding and Managing Sustainability-Related Business Challenges
“ESG risk” refers to the potential financial loss or reputational harm caused by a company’s impact on the environment, the fabric of society, and the stewardship of corporate assets. Specific risks include issues like pollution, poor labor practices, and weak board oversight, all of which can undermine a company’s long-term sustainability and stakeholder confidence. These risks can arise from the company’s own operations, but they can also occur in its supply chain or as a result of external factors beyond its control, such as extreme weather. Consequently, measuring ESG risk is extremely challenging. ESG risk is of particular concern for procurement and supply chain leaders precisely because so much of it arises in the extended supply chain and in disruptions to it. Let’s consider some examples under the three headings:
Environmental
Environmental risk refers to potential financial loss or reputational harm as a result of a company’s impact on the environment. Examples include:
- Companies can be held responsible for their negative impact in areas such as resource depletion, waste generation (including wastewater management) and pollution.
- They face increased regulatory burdens or costly remediation actions to address environmental damage.
- They also face external risks such as extreme weather events disrupting operations and therefore putting their economic performance in jeopardy. These are becoming increasingly common with climate change.
Social
Social risk refers to potential financial loss or reputational damage from a company’s relationships with its stakeholders, including employees, customers, and communities. Examples include:
- Poor labor practices, including unfair wages, unsafe working conditions, and human rights violations.
- Failure to protect employee and customer data.
- Boycotts by socially conscious customers, for example because of the company’s sales to, or operations in, countries with governments deemed to be in breach of international law.
Governance
Governance risk refers to potential financial or reputational loss resulting from inadequate internal governance structures and practices. Examples include:
- Lack of transparency or ethical standards within the company.
- Inadequate anti-fraud, anti-corruption and cybersecurity policies.
- Weak board diversity and poor management oversight.
Why ESG Risk Matters
ESG issues can lead to fines, legal penalties, and operational disruptions that negatively impact a company’s profitability in a direct and tangible way. Companies face growing regulatory pressure to report on and improve their ESG performance, with non-compliance leading to significant penalties. But reputational damage may be even more serious, even though it is hard to quantify. Poor ESG performance can erode trust with investors, customers, and employees. Investor confidence is of increasing concern. Many investors now incorporate ESG factors into their decision-making, making strong ESG management crucial for attracting and retaining capital.
How Companies Should Measure ESG Risk
Companies now measure a whole range of non-financial risks, including ESG risk, by first collecting data on historical losses and monitoring events across their industry and supplier ecosystem. They then analyze this data by assessing, first, the probability of each risk occurring and, second, its likely impact if it does occur, often using tools like scenario analysis and simulations to estimate loss potential. Companies should develop risk databases and apply relevant performance metrics and standards (such as SASB, GRI, and TCFD). With the risk landscape constantly changing, it is essential to implement advanced technology such as predictive analytics and artificial intelligence. Third-party data feeds from organizations that monitor ESG loss events and “near misses,” such as EcoVadis, enable organizations to gain an accurate overview of their current risk exposure and to detect risks before they fully materialize.
Companies can then conduct scenario analysis to gauge the potential impact of multiple risks that could occur simultaneously. Comprehensive risk analysis requires companies to cluster interrelated risks to understand complex scenarios that can move together.
Most organizations today measure ESG risk according to one or more internationally recognized risk frameworks such as GRI, SASB or TCFD.
The Global Reporting Initiative (GRI) measures ESG impacts on the economy, environment, and society to address the interests and concerns of a broad range of stakeholders: communities, employees, governments, and consumers. It uses a “double materiality” lens, considering both how sustainability issues affect the company and how the company impacts the world.
The Sustainability Accounting Standards Board (SASB), now part of the IFRS Foundation, is more narrowly focused on investors. Its goal is to standardize the disclosure of financially material sustainability information within specific industries. Thus, it provides sector-specific, metrics-based standards for reporting on ESG factors with potential financial consequences.
The Task Force on Climate-related Financial Disclosures (TCFD) was officially disbanded in November 2023, with its work also folded into the International Financial Reporting Standards (IFRS) Foundation, but the IFRS encourages companies to follow TCFD recommendations on how to report on governance, strategy, risk management, and metrics and targets related to climate change. It encourages alignment with investors’ need to understand climate-related impacts on a company’s performance and strategy.
While there is some overlap, for the most part these frameworks complement each other. Companies can use GRI for a comprehensive overview of their sustainability performance, SASB for detailed, industry-specific financial data, and TCFD for strategic insights into their climate-related risks and opportunities. This combination helps companies meet the diverse needs of their stakeholders, including investors, regulators, and the public.
ESG Risk in Investment Decisions
ESG risk has become a major factor in investment decisions. Investors view ESG exposure as a proxy for broader operational and regulatory risk. A company with weak ESG practices may face higher costs of capital, insurance premiums, or supply chain instability. It is an especially important consideration for institutional investors and private equity companies. Large pension funds and sovereign wealth funds now require ESG disclosures and often filter out high-risk sectors. For private equity firms, which make investment decisions over a three- to seven-year timeframe with an exit strategy, ESG risk will probably not be a deal-breaker. However, it significantly affects pricing, deal structuring, and post-acquisition strategy. For example, firms may apply a discount to valuations of companies with high ESG risk or require immediate corrective action plans. Studies show that companies with strong ESG practices often enjoy lower volatility and better long-term returns, aligning with the PE focus on EBITDA growth and reduced downside risk.
In short, ESG risk is increasingly equated with financial risk. For private equity, it weighs not only at the screening and due diligence stage but also at exit planning. Firms with unmanaged ESG risk are penalized with lower valuations, while those with strong ESG practices are more attractive, resilient, and potentially more profitable.
The Regulatory Landscape and ESG Reporting
Investors must also take growing regulatory pressure into account. Regional ESG frameworks (such as EU CSRD/ESRS, California’s SB 253, and SEC climate disclosure rules) are making ESG reporting mandatory. Investors must anticipate these shifts to avoid stranded assets or compliance costs.
Moreover, regulatory frameworks such as CSRD expect companies to quantify ESG risks and impacts with precision, using standardized metrics audited by independent third parties. The emphasis on double materiality ensures firms measure both how ESG affects them and how they affect ESG. These disclosures must be integrated into annual financial reporting, forming a more robust, finance-grade counterpart to traditional ESG narratives. In practice, this means putting concrete figures on metrics such as total scope 1, 2, and 3 greenhouse gas (GHG) emissions and water consumption and assessing how ESG issues impact both a company’s business and its broader environment. This includes financial risk (such as the estimated impact on revenues or costs from carbon pricing, regulatory shifts, physical damage due to climate events); operational impact (firms must quantify supply chain disruption risks tied to biodiversity loss, water stress etc.); and social impact (such as the scope of labor rights violations in the supply chain or community protests, with potential cost estimates).
Challenges in ESG Risk Management
Managing ESG risk poses many challenges: notably, data gathering and analysis, integration into larger risk frameworks, and accountability.
Data gathering
Effective ESG risk management is hindered by the difficulty in gathering reliable and relevant information. ESG data often sits outside the organization, with suppliers, subcontractors, and logistics providers. Gaps are most acute for Scope 3 emissions and Tier-N suppliers, where data quality is inconsistent or unavailable. Moreover, while there are many frameworks and standards, there is still a lack of standardized measurement approaches. KPIs are inconsistent across regions, and this is challenging for organizations that operate globally. Self-reported supplier data may be incomplete, unreliable, or unverifiable.
Plus, there are technical challenges. ESG data is often spread across finance, procurement, HR, EHS (environment, health & safety), and legal functions. Legacy systems (such as ERP) serving these different functions rarely integrate smoothly with ESG reporting platforms, creating manual reconciliation work.
It’s also difficult to hit a moving target, and regulatory frameworks (CSRD, SEC, ISSB) continue to evolve rapidly.
Integration into ERM
Organizations struggle to integrate ESG risks into their broader enterprise risk management (ERM). This is largely because many ESG risks (biodiversity loss, social impact) are long-term or qualitative, making it hard to express them in terms of cash flow, EBITDA, or cost of capital. CFOs and risk officers therefore find it difficult to quantify probabilities and financial impacts with the same rigor as traditional risks (e.g., foreign exchange, credit, and insurance).
Ownership and accountability
ESG risks cut across several corporate functions: procurement, finance, sustainability, and operations. Without clear accountability, risks may fall through organizational cracks. It is hard to apply “risk appetite” frameworks to ESG, since reputational or regulatory consequences can be binary: therefore, boards and risk committees may treat ESG risk as a compliance add-on rather than embedding it into capital allocation, M&A due diligence, or supplier strategy.
The Future: Closing the Gaps with Technology
As noted above, data is often spread across various legacy systems, and ERP systems tend not to have ESG capabilities. However, help is at hand. With JAGGAER One, user organizations get 360° visibility into supplier risk, including ESG risks, thanks to the integration of all data from source to pay and data feeds from the JAGGAER risk ecosystem. With predictive analytics and artificial intelligence reducing the manual effort required to create detailed “what-if” risk scenarios, ESG risk reporting and compliance is becoming increasingly simplified.
Gain ESG visibility across the entire Source-to-Pay process with JAGGAER ESG Intelligence.