How to integrate ESG into the risk management process

Introduction
ESG risk management addresses both the internal and external risks affecting a business. Effectively integrating environmental, social and governance (ESG) factors into the enterprise risk management (ERM) process strengthens an organisation's resilience and secures its own long-term sustainability. As stakeholders increasingly prioritise long-term business sustainability over short-term profits, this integration safeguards the organisation against the ESG risks that could undermine that sustainability. By embedding ESG into ERM processes and governance structures, organisations can elevate ESG risks to the appropriate strategic level.
Some businesses may be wondering where to start: this article is a practical guide to effectively integrating ESG into the enterprise risk management process.

Awareness and culture
All businesses rely on the environment and society to support their operations and they, in turn, have an impact on both. As a first step, organisations should embed ESG principles into their mission, vision and core values, and the board must recognise the ESG-related risks that could affect the organisation's strategy and objectives. Most large companies already have dedicated ERM functions or formal mechanisms for identifying enterprise risks and the related controls and reporting processes. Organisations should therefore conduct ESG awareness sessions for the people who run these mechanisms, so that ESG risks are integrated into the existing ERM process rather than handled in isolation.

Governance is the key driver
Governance-related risks are usually well managed within established ERM processes, but the governance of environmental and social aspects often lags behind. Organisations will need to develop strong governance to integrate ESG-related risks into ERM effectively. The board and senior management should set up governance structures that encourage collaboration among the departments responsible for managing these risks, including risks that span multiple verticals. The board should also consider ESG risks regularly in its meetings.
For organisations without an ERM function, it is beneficial to assign ESG risk management duties to key process owners and management. Some organisations appoint an ESG focal person within each department who periodically updates the risk champions or risk owners on emerging ESG risks.

Define the ESG risk appetite
Organisations must incorporate ESG considerations into their risk appetite statements, specifying their tolerance for environmental and social risks, compliance risks and other ESG factors. Precise definitions of the ESG risks that are acceptable in the short term enable an efficient allocation of financial resources while maintaining alignment with strategic goals. A defined risk appetite also helps management identify the risks that exceed the appetite threshold and therefore require immediate attention and remediation.

Identify key ESG risks
Organisations can use an ESG materiality assessment to gather insights on the relative importance of specific ESG issues as part of their risk identification process. This involves identifying the most significant ESG issues that could affect the organisation's goals and operational plans across its various verticals; management and process owners should therefore focus on the material ESG topics and risks rather than on every conceivable issue. Risk managers should also integrate the identification and assessment of ESG-related risks into the organisation's existing ERM process. Ultimately, each identified risk should be documented together with its impact, its drivers or sources, its owner and its mitigation strategy.

Organisations often broadly categorise risks as strategic, operational, financial and compliance, so that, for example, environment-related risks fall under the existing operational or financial categories. Another option is to add a specific category for ESG risks. The Committee of Sponsoring Organisations of the Treadway Commission (COSO) and World Business Council for Sustainable Development (WBCSD) guidance on applying enterprise risk management to ESG-related risks is a valuable resource during this phase.

Assess and prioritise risks
Management should assess the severity of ESG risks in order to prioritise them effectively, focusing on those that could materially affect the business and its stakeholders. This assessment should apply the organisation's standard risk assessment criteria so that ESG risks can be compared with other enterprise risks. For certain ESG risks, organisations can use toolkits such as the Natural Capital Protocol and the Social & Human Capital Protocol to quantify the risk and evaluate the organisation's impacts and dependencies on natural and social capital.

For these assessments, severity should be driven primarily by potential impact rather than by likelihood of occurrence alone. For example, the chance of a flood at a given site might be low, but its potential impact could be severe, so the overall risk rating should still be high. Human rights impact assessments take a different approach again: through the human rights due diligence (HRDD) process, severity is measured from the perspective of the affected stakeholders rather than from the perspective of the business.

Implement mitigation strategies
Risk owners should take the organisation's risk appetite into account when identifying mitigations to reduce or eliminate the identified ESG risks. Some risks could materialise in the short, medium or long term, and the response should reflect that horizon. Management should select and implement an appropriate risk response: accept, avoid, pursue, reduce or share the risk. According to the COSO ERM Framework, management should consider attributes such as severity, prioritisation, business context and the associated objectives when deciding on a response, since some mitigations involve interdependencies across several departments. Risk owners are advised to collaborate, agree on the most effective strategies and secure buy-in from senior management, especially where significant financial resources are required.

Continuous review
ESG-related risks tend to evolve faster than traditional risks because they are influenced by a wide range of factors, including changing demographics, emerging scientific data, new technologies, growing stakeholder awareness and shifts in the regulatory landscape. Some ESG risks, climate-related risks in particular, are highly unpredictable. Organisations should therefore continuously monitor their internal and external environments for changes that could alter their ESG risk profile.

Management should regularly review its risk responses to evaluate how effectively they address ESG-related risks and to confirm that they bring each risk within the accepted risk appetite. Organisations should select specific indicators, such as carbon emission levels or the number of safety violations, and set thresholds for each that act as alerts when a risk exceeds its tolerance level. Periodic and continuous review of these indicators against their thresholds helps organisations maintain effective oversight of ESG-related risks.

Communication and reporting
ESG risk information shapes the strategic, operational, investment and purchasing decisions made by internal and external stakeholders, so communication is key. Organisations should use their existing communication channels to deliver timely and relevant ESG-related information to their key stakeholders. Relevant information is essential for internal stakeholders, including the board of directors, operational management and employees. ESG risk information should also be shared with external stakeholders, including shareholders, regulators, customers, civil society and non-governmental organisations, as part of annual ESG reporting.

Conclusion
Incorporating ESG risks into the risk management process is important for an organisation's long-term success and sustainability. By promoting a culture of awareness, establishing strong governance and engaging stakeholders, businesses can effectively manage the risks associated with their environmental and social impacts. As ESG challenges evolve, the organisations that prioritise these issues will strengthen their resilience and, in turn, position themselves as industry leaders. Integrating ESG into the risk management process is critical to building sustainable and resilient organisations.

BDO offers a range of ESG-related services to support organisations in integrating ESG factors into the enterprise risk management (ERM) process. Read more on the BDO global website about our range of sustainability and reporting services, and feel free to reach out to the sustainability experts in your local BDO firm.

Author: Charles Tungwarara
Head of Business Process, ESG & Sustainability, BDO UAE