Organic Pea Pod

How to build an ESG control framework for risk management and reporting

Authors

6 minute read 14 Oct 2025

Without a robust ESG control framework, sustainability claims remain vulnerable and reporting lacks credibility.

In brief:

  • An ESG control framework helps companies manage risks and strengthen the reliability of reporting.
  • Smart ESG risk management turns compliance from a box-ticking exercise into a strategic advantage.
  • Organizations that firmly embed ESG earn trust, attract investors, and build long-term resilience.

Sustainability and responsible business practices have become indispensable for organizations today. To optimally leverage opportunities related to sustainability and manage associated risks, it is increasingly important for organizations to effectively monitor relevant and reliable ESG Key Performance Indicators (KPIs). Moreover, despite recent changes to CSRD reporting obligations under the Omnibus proposal, societal pressure from external stakeholders, such as regulators and investors, is increasing, demanding transparent and reliable reporting on Environmental, Social, and Governance (ESG) performance. In practice, however, many companies struggle to meet these expectations.

How can organizations ensure that sustainability reporting not only complies with regulations but is also reliable and future-proof? And how can ESG be more than an administrative obligation? Part of the answer lies in establishing a robust ESG control framework as the cornerstone of both the broader ESG risk management framework and internal and external ESG KPI reporting. This article discusses why a comprehensive ESG risk management framework is essential, its core components, and how it contributes to both compliance and strategic value.

How EY can Help

ESG: ambition versus reality

Most large organizations now place sustainability high on their agenda. There is ambition, there are policy goals, and the topic receives attention in both external and internal management reports. Yet beneath the surface, the foundation often remains fragile. Recent research shows that as many as 85% of investors are concerned about misleading ESG claims. At the same time, finance and sustainability teams struggle with incomplete data, poor data quality, fragmented systems, and manual processes.

 

To make an effective assessment of the significance of sustainability for the organization, it is essential to identify, quantify, assess, manage, and monitor related opportunities and risks. An ESG control framework can support the provision of more reliable information for this identification and quantification. Furthermore, such a framework enables organizations to implement internal control measures in a structured way to optimally leverage opportunities and/or mitigate risks.

 

Why an ESG control framework is essential

Reporting on ESG KPIs is more than a regulatory obligation. It involves recognizing, managing, and monitoring risks that could threaten organizational continuity or create new opportunities. Climate change, human rights issues, data responsibility, and governance ethics are examples of themes deeply intertwined with strategic risks. Therefore, an integrated ESG control framework is essential.

 

This framework ensures that ESG KPIs are not treated as a standalone phenomenon but are embedded within the broader ESG risk management and reporting processes. The focus is on identifying and assessing relevant ESG risks, designing appropriate control measures, and monitoring their effectiveness.

Core components of an effective ESG risk management framework

A robust ESG risk management framework consists of several components that collectively ensure reliable management reporting and effective control of (material) ESG risks:

1. ESG risk identification and assessment

The first component involves mapping ESG-related risks across the organization’s processes and value chain. This may include environmental impacts, social issues, or governance factors affecting operational, financial, or reputational risks. Both the first line (operational teams) and the second line (risk management) play roles: the first line conducts analyses, while the second line monitors methodology and provides guidance. This step closely aligns with performing a Double Materiality Assessment (DMA) as required under CSRD. For organizations with CSRD reporting obligations, it is critical to ensure consistency between the CSRD DMA and the identification and assessment of ESG risks as part of regular risk management.

 2. ESG-controle framework

When ESG risks exceed the organization’s defined risk appetite, effective control measures must be implemented to bring the risks to an acceptable level. These measures collectively form the ESG control framework. Establishing such a framework requires not only consensus on the risks but also a detailed understanding of the relevant business processes and value chain. A single control measure may address multiple ESG risks, or several measures may be needed for one specific risk. The focus is on concrete actions, not empty promises.

Since external sustainability reporting is considered a critical process in most organizations, this process itself must also be assessed for potential risks. This involves specific risk identification and assessment of the reporting process, resulting in the implementation of control measures to ensure reliable reporting.

3. ESG risk monitoring and internal governance

A framework is only complete if the effectiveness of control measures is continuously monitored and the board can actively evaluate whether ESG risks are appropriately managed. This can include Key Risk Indicators (KRIs), control testing, and regular reporting to supervisory bodies. It is also important to rationalize control measures to avoid inefficient or redundant processes, keeping the framework streamlined yet effective.

4. Audit readiness

With the introduction of CSRD, external sustainability reports are increasingly integrated into annual reports. Organizations must demonstrate that ESG data is reliable and auditable, similar to financial data. An audit-ready process requires: 

  • A centralized data hub for all ESG data
  • Transparent data collection to clarify the origin of figures
  • Verifiable calculations and transparent methodologies
  • Documentation of processes, systems, and responsibilities
  • Integration of ESG controls within existing control frameworks

The COSO framework, specifically Internal Control over Sustainability Reporting (COSO2 ICSR), can provide useful guidance, covering environment, governance, risk assessment, communication, and monitoring.

ESG: from burden to opportunity

Beyond compliance, a strong ESG control framework offers strategic advantages. Organizations that manage ESG effectively often achieve higher returns on assets and are more attractive to investors. Reaserch indicates that 88% of investors consider ESG performance when making investment decisions, and poor ESG performance increases the risk of divestment.

Yet many companies still see ESG primarily as a compliance requirement rather than an opportunity to create value. This is a missed opportunity, as a well-designed framework not only mitigates risks but also builds stakeholder trust and supports better decision-making.

The role of governance and oversight

A robust ESG control framework requires engagement from top management and supervisory boards. The CFO, Chief Risk Officer, and Supervisory Board play a crucial role in asking the right questions and ensuring the quality of ESG management reports and external sustainability reporting.

Key questions they should consider include:

  • Do we comply with all current and future ESG reporting requirements?
  • Is our ESG information reliable and fully traceable?
  • How are ESG risks integrated into our broader risk strategy?
  • Are we able to identify relevant sustainability opportunities in time?
  • Do we have the right technology and processes to support ESG reporting?
  • Are we prepared for external audit of our ESG disclosures?

The demand for sustainability is high, but implementation is complex. ESG reporting extends far beyond publishing a sustainability report; it is an integral business challenge closely linked to strategy, risk management, and transparency. Organizations investing in a robust ESG control framework can not only meet new regulations but also turn sustainability into a strategic advantage.

By systematically identifying, managing, and monitoring ESG risks, organizations create a foundation for reliable reporting, value creation, and trust among investors and other stakeholders. In this way, ESG evolves from a compliance obligation into a driver for resilience and innovation.

Summary

An effective ESG control framework forms the foundation for reliable risk management and transparent reporting. Many organizations place sustainability high on their agenda, but in practice they struggle with fragmented data, complex regulations, and increasing pressure from investors and regulators. By systematically identifying, managing, and monitoring ESG risks, companies can not only comply with new reporting requirements but also create strategic value. In this way, ESG becomes more than just a compliance obligation: it offers organizations the opportunity to operate future-proof, strengthen stakeholder trust, and turn sustainability into innovation and growth.

About this article

Authors

Related topics
Sustainability
Financial accounting advisory services

Related articles

Why current climate transition plans are unrealistic and how to make them more credible

In current climate transition plans, EY observes a heavy reliance on overly optimistic assumptions, as well as a lack of transparency on the uncertainty of emissions reductions.

Taco Bosman

How can investors balance short-term demands with long-term value?

Read the EY 2024 Institutional Investor Survey, which highlights a pronounced gap between what investors say and do when considering sustainability.

How a climate transition plan can strengthen your business model

Climate transition plans are necessary for companies aiming to achieve ambitious climate targets. Read why.

Thibaut Millet

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.