Environmental, social and governance (ESG) concerns are rapidly emerging as critical factors that can impact and disrupt business, livelihoods, and life itself. Organizations are now aware of the significance of ESG compliance, and in many jurisdictions, mandatory ESG reporting is already in effect. The EU's Corporate Sustainability Reporting Directive (CSRD) required Wave 1 companies to report from the financial year 2024, and the ISSB's IFRS S1 and S2 standards now serve as the global baseline for investor-focused sustainability disclosure. And despite there being several overlaps in terms of best practices, requirements, and reporting, many companies have still not integrated ESG reporting and compliance with their enterprise risk management (ERM) practices. As the risks continue to escalate, ESG will only increase in organizational importance, and become a permanent part of GRC. More specifically, it will become a risk category positioned under the overall risk umbrella of enterprise risk management.
The question, of course, is why many organizations are still hesitant to adopt ESG as a business-critical requirement. Unfortunately, too many businesses still perceive environmental or social activism as irrational, with little or no connection to business productivity and success. But today, extreme weather events, droughts and shrinking snowpacks, and global temperature increases are a reality, and instances of discrimination, incivility, and harassment are widely reported across the world, resulting in widespread public condemnation, reputational damage, and demands for accountability.
We are at an inflection point, with consumers recognizing their influence and demanding that businesses and industries do better – for the environment and for social governance. Their influence extends beyond condemning poor actors to buying behavior, where their demands for accountability have the power to force businesses, sectors, and even governments to ensure public reporting of ESG compliance and its impact on the environment, people, and communities. The public in key markets is already making ESG value statements with their pocketbooks. It should not surprise any business today that, when given the choice, consumers are often more likely to do business with a company that demonstrates its commitment to sustainability. It has been shown that they are willing to pay a premium for products where the brand showcases its approach to ethical, social, and environmental causes. In short, it is time businesses realized that climate-consciousness and pursuing ESG best practices and standards can help increase profits and ensure long-term business success.
At the same time, organizations are beginning to understand the direct impact of climate change on business continuity, resilience, and profitability. It is important to remember that an increasing number of businesses and governments are declaring that climate change and environmental sustainability are real and legitimate risks to operations. This means that committing to an ESG program is no longer a nice-to-have measure that can elevate the reputation and profitability of a business. It is a must-have critical element within a larger risk management and operational resiliency strategy.
Enterprise Risk Management is an umbrella approach for managing multiple risk categories across the business. These include external risks such as economic or geopolitical risks, cybersecurity, or environmental risks, and internal risks like reputational risks, financial risks, product risks, partner risks, data privacy risks, leadership, employee churn risks, and compliance risks. Most ERM strategies include specific categories such as operational risk management, regulatory & ESG has now moved well beyond a standalone practice for many organizations. Substantial integration into ERM frameworks is already underway, driven in part by mandatory disclosure requirements under CSRD and IFRS S2, which require ESG risks to be assessed and disclosed using the same materiality frameworks applied to financial risks.
Management of existing risk categories today applies common structures, workflows, and assessment practices within ERM frameworks. This includes standard practices for the identification, assessment, and prioritization of individual risks, and the evaluation of risk velocity, severity, and the connections between different risks. ERM frameworks also tend to include a centralized risk register for easy reference. A centralized system provides the controls, procedures, and policies that can be applied when responding to any category of risk, based on the organization’s predefined risk profile and appetites. Modern ERM frameworks leverage data analytics for real-time insights that facilitate better decision-making across the risk universe.
Most ERM practices have been around for decades, and the best practices have been designed, tested, and reviewed over time. While ERM is a living process that is flexible enough to adapt to risk scale, diversity, and changes in the organizational risk profile, program validation, scope, scale, and performance adaptation are constant. In a well-run risk management program, many processes are automated, which allows risk leaders to focus on strategy rather than day-to-day operations. Reapplying or extending existing standard procedures, automation, assessments, scoring methodologies, data collection, and reporting – with some evolution and adaptation – to newer risk management categories like ESG makes good business sense. Pursuing ESG as a risk category and integrating it into existing ERM frameworks should help expedite program accountability and ensure reporting consistency.
The ESG reporting standards landscape has consolidated significantly. The Task Force on Climate-related Financial Disclosures (TCFD) disbanded in 2023, with its recommendations absorbed into IFRS S2, the international climate disclosure standard published by the ISSB. The EU's CSRD, which applies the European Sustainability Reporting Standards (ESRS), took effect for Wave 1 companies from the financial year 2024. These standards define how ESG-related data is to be collected, reporting formats and requirements, as well as other criteria pertaining to what, when, where, and who collects ESG data. These reporting outcomes can be easily incorporated into existing ERM frameworks and may enhance data and reporting across additional risk categories. In fact, ESG and Third-Party Risk Management (TPRM) are central to and can be further integrated into resiliency strategies within ERM. Their inclusion will be invaluable for accelerating recovery from environmental and social risk events. Integrating ESG into ERM frameworks can also add to commonly accepted structures and expand the scale, scope and depth of understanding risks. It would be a mutually beneficial move where each discipline would benefit from the data and values of the other to deliver holistic legitimacy.
The prospect of ESG being housed within ERM programs is no longer a future prediction. For many organizations, meaningful integration has already begun. Regulatory frameworks, including CSRD and IFRS S2, have accelerated this shift by requiring ESG risks to be assessed and disclosed through the same governance structures applied to financial and operational risks. The "crossing the chasm" moment this blog anticipated is now actively underway. While there will clearly be distinct risks, reporting structures, frameworks, and stakeholders for ESG information, it will increasingly be viewed as one of several important risk categories under the ERM umbrella. In a sense, it must ‘cross the chasm’ to a degree of standardization, consistency, and commonality to capture the market buy-in it doesn’t yet have. Once this is achieved, organizations will more easily integrate ESG risk assessments, reporting, and definitions into enterprise risks.
Want to learn how to integrate ESG risks into Enterprise Risk Management (ERM) processes?
Register for the upcoming webinar: The Interconnectedness of ESG, ERM, and Third-Party Risk Management
Read the eBook: ESG and ERM: Bridging the Gap
ESG and enterprise risk management share common frameworks, governance structures, and data requirements. Regulatory developments, including CSRD and IFRS S2, now require ESG risks to be assessed using the same materiality frameworks applied to financial risks, making integration a compliance necessity rather than a strategic option for many organizations.
ESG factors carry direct financial, regulatory, and reputational consequences that are material to business performance. Treating ESG as a formal risk category within ERM ensures consistent identification, assessment, and monitoring alongside other enterprise risks, and supports disclosure obligations under frameworks including CSRD and IFRS S2 that now mandate integrated ESG risk reporting.
The ESG reporting landscape has consolidated around two dominant frameworks. The EU's Corporate Sustainability Reporting Directive, effective for large companies from the financial year 2024, mandates reporting under the European Sustainability Reporting Standards. Globally, IFRS S1 and S2, published by the ISSB, have absorbed TCFD and now set the international baseline for sustainability disclosure.
Integrating ESG into ERM embeds climate risks into the same identification, assessment, and monitoring processes applied to financial and operational risks. Organizations with this integration are better positioned to meet regulatory disclosure requirements under IFRS S2 and CSRD, quantify financial exposure to physical and transition climate risks, and build genuine operational resilience.
Consumer purchasing decisions are increasingly shaped by the ESG practices of organizations behind the products they buy. Organizations with credible ESG programs and transparent disclosure build stronger trust with sustainability-conscious consumers, while those that fail on ESG commitments face reputational damage that directly affects revenue, brand loyalty, and market position.
Third-party risk management intersects directly with ESG because most environmental and social risk exposure sits within the supply chain rather than in direct operations. Regulators and investors hold organizations accountable for supplier ESG performance, making it essential to extend due diligence, assessment, and continuous monitoring obligations across the full third-party ecosystem.
ESG reporting and ERM share risk taxonomies, governance accountability structures, board-level reporting requirements, and centralized technology platforms. Organizations with mature ERM programs can leverage existing infrastructure, workflows, and control libraries to accelerate ESG program development, reducing duplication and ensuring ESG risks are expressed in consistent language across all enterprise risk reporting.
Existing ERM automation provides a ready foundation for ESG program maturity. Organizations can apply established risk assessment workflows to ESG risk identification, reuse control libraries to map ESG-related controls, and extend existing reporting infrastructure to capture sustainability metrics, reducing time and cost while ensuring ESG risks are integrated into existing governance and reporting structures.
Treating ESG as a standalone practice creates data silos, duplicates governance effort, and prevents risk leaders from seeing how ESG exposures interact with financial and operational risks. It also limits an organization's ability to meet CSRD and IFRS S2 obligations, which require ESG risks to be assessed and disclosed using integrated materiality frameworks.
MetricStream ESGRC integrates fully with the broader ConnectedGRC platform across risk, compliance, audit, and third-party functions. It centralizes management of ESG frameworks, including CSRD and IFRS S2, automates data collection and aggregation, tracks issues through to remediation, and provides real-time dashboards with AI-powered risk classification and recommended actions across ESG performance and compliance status.