5 minute read 6 Mar 2024

How ESG Cultivates a New Paradigm in Risk Management

By David Sütterlin

Partner, Head of Risk Consulting | EY Switzerland

Passionate Risk Professional and SAP Consultant. Guides EY clients in building, redesigning and implementing risk functions to support greater trust and better decisions.


Discover how to secure your future today by integrating ESG into risk management, paving the way for sustainable growth and resilience. 

In brief

  • From compliance and reputation to resilience, understanding ESG risks and opportunities is crucial for any business.
  • We highlight seven key areas to focus on when integrating ESG aspects into an organization's overall risk management.

In a global business landscape marked by constant change, understanding and navigating risks is an integral part of building organizational resilience and solidifying reputation. In this context, the increasing focus on environmental, social and governance (ESG) factors is a trend that challenges companies from multiple perspectives, including their risk management practices.

Sustainability focus


of companies surveyed include ESG in risk inventory reporting

Regulators keep specifying increasingly detailed requirements, companies enter into public and internal commitments, and other stakeholders - from board members to customers and investors - raise their expectations and hold companies accountable. This means managing ESG risks has become a compulsory exercise and a matter of trust. According to the 2023 EY Global C-suite Insights Survey, more than 81% of organizations already have a CSO or equivalent position within their leadership hierarchy, and 9 out of 10 executives report board oversight of their organizations' sustainability and ESG agendas.

Crafting a robust ESG strategy is not merely an optional supplement, but a fundamental component of long-term business resilience. Vigilant and integrated ESG risk management serves as the backbone of a solid business strategy, linking ESG factors with traditional risk aspects and providing not only a comprehensive, risk-based approach to mitigation, but also the ability to identify unexpected opportunities. We highlight seven areas to focus on as you move toward holistic, integrated risk management that includes sustainability aspects.

  • Integrated ESG risk management

    A lack of defined roles, responsibilities and adequate capabilities can lead to inconsistent and uncoordinated risk management processes across the organization, especially when it comes to the integration of ESG aspects.

    Therefore, companies need to review their governance structure for alignment with stakeholder expectations and establish an integrated Risk Appetite Framework that incorporates expertise from the relevant functions (such as sustainability teams). On that basis, the risk management taxonomy and methodology can be streamlined. This needs to be backed up by relevant documentation, such as policies, procedures and RACI matrices, that governs ESG-related roles and responsibilities.

  • Double materiality

    A double materiality assessment evaluates both how sustainability risks impact a company's finances and the effect the company's activities have on society and the environment. By facilitating future planning and risk management, strengthening accountability to stakeholders, society and the environment, and providing information for strategic decision-making, it becomes a critical element of the company's sustainability plan.

    Assessing double materiality comprehensively can be resource-intensive and requires specific expertise and benchmarks. Companies might lack the necessary resources or prefer to allocate them to core business activities. At the same time, organizations can struggle to integrate the outcome of a double materiality assessment into an existing business strategy and (risk management) processes.

    To progress in this area, organizations need a detailed picture of their business practices and operations along their value chain. External expertise in validated frameworks and methodologies can be helpful in conducting a comprehensive double materiality assessment.

  • Third-party risk management

    Third-party risk management has become more important in light of ESG, because a business's ESG risks extend to its partners, suppliers and other affiliated third parties, potentially impacting the business's overall sustainability and reputation. By adopting robust third-party risk management, businesses can better control these risks, align operations with their ESG objectives and ensure that their business practices meet regulatory, ethical and social standards. There is often no single owner and no transparent inventory of third-party relationships, which is a breeding ground for gaps and overlaps in risk management activities.

    Considering this, we recommend creating risk assessments, surveys and screenings for vendors that can be used in combination with control frameworks and regulations. For that, it is important to create transparency and centralize the data sets on third-party providers in order to get a consistent perspective on the risk profile and assessment data. Technology-enabled solutions support automated due diligence, continuous monitoring and the analysis of opportunities and threats.

  • Internal controls

    Many companies apply an ad hoc and siloed approach to internal controls in the ESG context, without applying common frameworks and metrics. This approach brings the risk of gaps or errors at a time when stakeholder expectations are rising and confidence in ESG disclosures is critical.

    A readiness assessment will help organizations evaluate their internal control framework and create a roadmap from an ESG perspective. Effective policies and controls are key to integrating ESG matters into the control system, including the design of related business and IT controls. Companies may also consider obtaining attestation services for assurance on key ESG metrics and reporting.

  • Internal audit

    Leading internal audit functions act as a strategic partner to an organization's ESG programs, providing proactive insights and assurance that increase confidence in managing ESG risks, measuring and reporting progress, and achieving defined ambitions and targets.

    A comprehensive analysis will help businesses understand ESG gaps in their internal audit function. This should cover internal audit's ESG awareness, capabilities and capacity. The goal is an integrated approach across all related functions and the three lines of defense. Investing in external expertise with a focus on ESG risk management can be a quick and efficient way to get a business's internal audit function where it should be.

  • ESG program risk management

    Faced with the need to run a transformative ESG program, organizations may struggle for various reasons, including lack of stakeholder buy-in, higher ESG program costs and challenges around realizing the intended benefits.

    Risk, quality, benefit and performance management are the foundational focus areas that help management make well-informed decisions, increase stakeholder buy-in and ensure a successful implementation.

    As a first step, companies should review their ESG transformation program and perform a feasibility analysis based on best practices and benchmarks. Working from this basis, a roadmap for the program can be created, including immediate mitigation measures for identified risks and a plan to realize benefits.

  • Technology enablement

    Technology-based enablers can be a valuable addition to an organization's ESG governance, risk and control landscape - but only if they enhance existing capabilities. Otherwise, they become an additional burden and a worthless investment for the organization and its governance.

    To derive value from technological enablement, it is important to first define technical and business requirements. If in-house expertise to do this is not available, seek external support to guide you through the vendor selection process and to manage tool implementation and roll-out. As with any new technology, user training is essential to get personnel up to speed quickly and support them on the change journey.


Navigating ESG risks and opportunities holistically ensures preparedness and adaptability in an evolving business landscape, reinforcing your organization's resilience and supporting your efforts to build trust and achieve external and internal sustainability ambitions. Working with an experienced and knowledgeable external provider can smooth a company's journey toward effective, integrated risk management.
