
How to manage ESG risk?

22 November 2024
Martin Massey

Martin Massey – joint academic lead for the Cambridge Advance Online course ESG Risk Management. With more than 30 years’ experience in risk management, Martin has worked for some of the leading global insurance firms and specialises in ESG and climate change. He is the author of Climate Change Enterprise Risk Management: A Practical Guide to Reaching Net Zero Goals.

In a rapidly changing and highly interconnected world, Environmental, Social and Governance (ESG) factors have emerged as an important and fast-growing trend. As the drive towards sustainability gains momentum, companies are facing increasing pressure from regulators, employees and customers, suppliers and investors to embrace ESG principles.

A 2023 study by IBM’s Institute for Business Value revealed that organisations seen as leaders in ESG are 43% more likely to be more profitable than their peers. The same study found that 72% of executives believed ESG needed to be a higher priority in their organisation (IBM, 2023).

However, embedding ESG into everyday operations presents a unique set of challenges for businesses. In this article, Martin Massey – joint academic lead for the Cambridge Advance Online ESG risk management training course – addresses these challenges by exploring how organisations can manage ESG risk, sharing his strategies for successful ESG integration and discussing the crucial role of education and training when it comes to navigating the complexities of ESG within businesses.

What is ESG risk management?

Let’s start by looking in more detail at what ESG is – and what ESG risk management actually involves.

ESG refers to how organisations promote sustainability, social responsibility and ethical governance practices within their business. Topics covered under ESG might range from greenhouse gas emissions to workforce diversity to anti-corruption measures.

ESG issues are complex, diverse in nature, fast-changing and interconnected, making them challenging for businesses to understand and embed in their processes. Using risk management as a framework enables business leaders to understand their exposure to ESG and the opportunities that it might bring them.

ESG risk management focuses on identifying, assessing and addressing the potential risks, threats and opportunities affecting a company’s practices, business model and strategy. The threats are broad and range from environmental harm and social inequality to weak governance and ethical failings. Opportunities range from investing in sustainable infrastructure to innovation in products and services. The aim is to promote sustainable, responsible business practices that benefit the organisation, society and the planet.

Why is risk management important in ESG?

Drawing on 30 years of experience in this field, risk management expert Martin Massey highlights that ESG is vital to sustainability and business resilience, and that ESG risk management needs to be integrated into every organisation’s existing risk management framework.

Every company has its key stakeholders: regulators, employees, customers, suppliers and investors, and there has been a significant shift in their ESG priorities, Martin explains.

Regulators and policymakers, in particular, are placing increased scrutiny on industries, focusing on how businesses are transforming the management and mitigation of environmental and social impacts as well as developing more robust governance frameworks.

This shift has created a dual lens of materiality: companies are accountable both for the risks they face and for the broader impact they have on society and the environment. With a new focus on ‘double materiality’, organisations are realising that policy and regulatory changes are risks in themselves. If they fail to adapt, their reputation will suffer, which could significantly damage their brand.

Employees and customers also increasingly expect companies to uphold stringent ESG standards in their supply chains. In response, many organisations have adopted unbiased hiring practices and supply chain monitoring. This trend highlights that ESG compliance is important not only for regulation but also as a business need driven by stakeholder expectations. At the same time, companies are feeling pressure from their suppliers, who must also meet increasingly rigorous standards. This external pressure is compelling businesses to adopt sustainable and ethical practices across their entire value chain.

While sometimes slower to take immediate action, investors are increasingly asking probing questions about companies’ ESG practices as well. This heightened scrutiny is forcing many companies to re-evaluate their ESG approach, recognising that, while investor demands may not yet be fully mandatory, the tide is turning. Companies are beginning to realise the need to adopt ESG strategies before stricter requirements inevitably come into force.

‘Companies are generally shifting their broader purpose and focusing on becoming more sustainable,’ Martin says. ‘There’s also a broader shift around purpose in the culture of organisations. But often overlooked is the fact that ESG also helps to make companies more resilient as well.’

As companies set ambitious targets like achieving net zero carbon emissions, managing ESG risks becomes even more vital, Martin explains. The integration of ESG into existing risk management frameworks and business processes is becoming a core aspect of corporate strategy, driving cultural change and making ESG an essential part of how businesses operate in today’s world, he says.

Read more on building business resilience in the face of climate change in this article, which offers a sneak preview of Martin’s new book, Climate Change Enterprise Risk Management: A Practical Guide to Reaching Net Zero Goals.

How do you manage ESG?

The first step towards managing ESG is understanding what the ESG risks and opportunities are for your business. Exploring and identifying a comprehensive ESG risk framework allows an organisation to describe its business world more accurately – giving greater depth and understanding to a realistic purpose for the company.

Managing ESG effectively also requires a comprehensive approach, incorporating a robust risk appetite framework with the right mix of policies and procedures, technologies and training opportunities, as we will explore in the sections below.

ESG risk management software solutions

‘Clearly, organisations need to consider different software solutions as part of their risk management framework when it comes to managing and mitigating ESG risks,’ says Martin.

‘There’s a whole range of ESG-related software that’s being designed and developed ranging from ESG scoring systems used within due diligence processes through to improved governance systems for managing and monitoring ethics and fraud through, for example, whistleblowing software. The challenge is to integrate these solutions into an organisation’s existing IT systems, and this includes a wealth of new data challenges.’

Tracking and analysing ESG metrics

From a risk management perspective, companies first need to identify and assess their ESG risks, then build mitigation strategies and continuously monitor these efforts by tracking a range of metrics, including performance indicators.

‘From a risk perspective, it’s the risk appetite framework that companies are reviewing and changing,’ says Martin. ‘They are trying to think about the most appropriate metrics, targets and tolerances they need to design.’

New risks are emerging that organisations need to manage, adds Martin, for example, the potential for ‘greenwashing’ – the practice of misleading stakeholders about a business’s ESG performance, which can lead to significant reputational and brand damage.

This is where tailored ESG risk management software can be introduced to help to manage risks and automate business processes. For example, using ESG risk scoring and escalation software, supported through a centralised platform, enables a business to track and analyse data.

Benchmarking performance against industry standards

Specialist ESG risk management software also allows businesses to benchmark their performance against industry standards. Tools that measure cost-benefit analysis ensure that the chosen ESG mitigation strategy is not only effective but is also aligned with industry norms.

Automating reporting processes

Martin emphasises the need for companies to move beyond compliance exercises and focus on building a proactive and ongoing process of improved ESG risk management. ESG software can help here by automating reporting processes, reducing the administrative burden and allowing companies to focus on implementing strategies that have a tangible impact on their ESG goals.

Training and awareness

Education also plays a vital role in embedding ESG into a company’s culture, according to Martin: ‘Having the training and education programme across all employees, particularly senior management, is really important to improve the risk culture of a company,’ he says.

Training and awareness programmes help employees at all levels to understand ESG principles, from risk management to setting sustainable targets. ESG risk management training is also crucial to make sure senior managers are fully aware of their responsibilities and the role they can play in achieving ESG goals and how to implement best practices effectively.

Managing and reporting emerging ESG risks

Ongoing monitoring of ESG risks is critical to help organisations stay ahead of emerging trends and ensure that businesses remain compliant with regulations.

‘One of the most important techniques is to develop an emerging risk management framework using tools and techniques such as horizon scanning,’ writes Martin in his article on building business resilience in the face of climate change.

‘Emerging risks are those that you can see approaching but are not yet sufficiently clear to enable a formal impact and likelihood risk assessment. However, the key is to understand emerging risks as best as possible. Consider monitoring them to ensure they don’t arise unexpectedly and consider any possible cost-effective actions that can be taken now to prepare for when the risks materialise.’ (Massey, 2023).

Continuous monitoring provides transparency, which Martin notes is increasingly important as investors and regulators look to see how well companies are managing their ESG risks. ESG metrics are also becoming more and more important to many organisations seeking to secure capital and investment.

Regular reporting not only keeps stakeholders informed internally and externally but also builds trust, allowing businesses to set targets and demonstrate progress towards their ESG objectives and adjust strategies where necessary.

The insurance and reinsurance company Swiss Re has a comprehensive ESG risk management framework, which guides how the company manages sustainability risks.

How do you mitigate ESG risk?

Mitigating ESG risk requires a proactive and strategic approach, and it is critical to develop risk mitigation plans that help improve the control environment, according to Martin.

Some examples of these proactive plans might include the following:

  • Environmental: Implement sustainable practices, such as reducing emissions, conserving resources and investing in renewable energy.

  • Social: Foster a diverse and inclusive workplace, engage with communities and ensure ethical supply chain practices.

  • Governance: Maintain high standards of corporate governance, including transparent accounting practices and effective board oversight.

To help with this proactive planning around risk management, there are various ways of classifying risk treatment options, each offering a different approach to considering how best to tackle the risk. One of the most common and best-known options considers the selection or combination of four alternatives – often referred to as the ‘4 Ts’:

  • Tolerate – if a risk has a low likelihood and impact, it may be acceptable to retain it, but it should be logged and monitored.

  • Terminate – if a risk is far beyond your company’s appetite for risk or if it could severely impact your business, these activities should be terminated.

  • Treat – you will almost certainly decide to take action to mitigate the most severe risks. This might include taking steps to reduce the likelihood of the risk occurring, or the severity of the consequences if it does.

  • Transfer – you can opt to transfer risks to third parties, for example, through insurance. While risk transfer incurs costs, it helps reduce or eliminate the potential impact of the risk.

When evaluating risk treatment options, Martin suggests starting by:

  • identifying existing best practices to address the risk effectively

  • developing risk treatment plans that aim to reduce residual risk to an acceptable level within the organisation’s risk appetite

  • assessing the costs of each treatment option and weighing them against the potential benefits to ensure a balanced and informed decision-making process.

Martin emphasises the importance of developing a formal strategic action plan and roadmap that integrates risk mitigation efforts, which may extend over three to five years. The plan should cover the integration of both Enterprise Risk Management (ERM) (a company’s structured, consistent and continuous risk management process) and Business as Usual (BAU), prioritising actions, assigning ownership to specific workstreams and setting clear timelines for completion. Regular updates and reports should be provided to an organisation’s risk committee and board to ensure ongoing oversight and progress, Martin adds.

Figure: Embedding ESG into ERM Frameworks (source: One Risk Consulting Ltd.)

In the supply chain

A key focus for organisations is to integrate ESG within their third-party risk procurement processes.

‘Companies will want to align themselves with suppliers that share similar corporate values with regards to ESG and climate change and will either decide to work with or use a particular provider or may elect to agree an action plan to remediate any concerns, which can then be monitored over an agreed period,’ says Martin.

‘By integrating ESG considerations into the process, this flags to your suppliers or prospective suppliers the importance that you are placing on ESG considerations and also provides a mechanism for monitoring carbon emissions going forward.’

This can be achieved through the due diligence processes during the selection process for a provider, but also during their ongoing performance monitoring and when contracts are up for renewal, Martin adds.

It is important to stress that ESG supplier evaluation should be based on designing, firstly, a robust scoring system for each main category of risk, and secondly, an overall scoring system that is linked to a Red, Amber, Green (RAG) rating system to track and manage the status of risks.

Here is an example of the University of Cambridge risk reporting template.

What are ESG risk considerations?

When managing ESG risks, businesses must consider a broad range of factors, moving away from simply being an exercise in compliance, says Martin.

Regulatory landscape

Staying ahead of evolving regulations is key, as new legislation will increasingly affect business operations.

‘Being ahead of the curve means having a robust emerging risk management framework in place, undertaking horizon scanning and thinking that includes changing legislation and the implications that might have,’ says Martin. ‘A good example might be electric vehicle strategies. Across Europe, cars will become electric or hybrid by 2035, so that legislation is a big change for certain sectors.’

Martin emphasises the importance of scenario planning and stress testing, particularly for industries undergoing significant change, as well as creating an overarching sustainability strategy and a robust roadmap to help achieve the changes needed.

Stakeholder expectations

Customers, investors and employees are all demanding higher ESG standards. The focus is not only on compliance but on actively improving ESG practices. Staying aligned with stakeholder expectations ensures businesses remain competitive.

Market trends

Keeping pace with industry trends and sustainability innovations is vital for long-term success. By continually monitoring these trends, businesses can identify both risks and opportunities, ensuring they are prepared for the future.

‘It is essential to anticipate key events from emerging trends, constantly adapt to change, and rapidly bounce back from adversity,’ says Martin.

ESG strategy examples

Developing an ESG strategy that aligns with your company's goals and values is essential. Here are some examples of strategic frameworks:

The triple bottom line

This framework emphasises the equal importance of social and environmental impact in addition to a company’s financial performance. Companies adopting this approach seek to balance profit with care for the planet and for people, rather than focusing solely on the standard ‘bottom line’.

Materiality assessment

Identifying the ESG issues that are most significant to the business and its stakeholders ensures that efforts are focused where they can have the greatest impact.

Creating an ESG scorecard

Organisations should seek to include high-level dashboards to provide both their senior management and board with updates. These dashboards can be aligned to an ESG scorecard that is populated with Key Performance Indicators (KPIs). Organisations need to actively review their risk profile and consider ways to measure and monitor their ESG-related exposures against their risk appetite.

Comparing progress

Spider charts are one of the most helpful risk assessment tools and ways to present a score for each of the main ESG criteria or dimensions. Spider charts help to compare progress on a relative scale and highlight the greatest gaps, which can then lead to improved mitigation strategies.

Figure: ESG Scorecard (source: One Risk Consulting Ltd.)

Identifying key risk indicators (KRIs)

Key risk indicators (KRIs) are another important way to manage and monitor risk that should align to an organisation’s risk appetite strategy.

Specific examples include the reporting and monitoring of carbon emissions but should be developed across a range of ESG-related themes and risks. KRIs should ideally be quantifiable. One of the key challenges is to collect the relevant data, which means that internal IT systems and processes may need to be changed. Typically, an owner is appointed for each metric, which allows the organisation to continually monitor potential threats and measure progress.

In terms of strategic alignment, Martin explains that organisations ultimately need to enhance their risk appetite framework to integrate ESG risks, which will require board approval. They can then go on to operationalise their strategy through the use of KRIs for reporting and monitoring ESG risks, which will in turn require data and systems integration.

Managing ESG risk in your business

As we’ve seen above, incorporating ESG into business strategy and existing risk management frameworks is essential for companies seeking to navigate today’s evolving regulatory and stakeholder landscape. As expectations around sustainability, governance and social responsibility grow, organisations need a tailored approach to identify, assess and mitigate the risks associated with ESG factors.

As Martin has argued, effective ESG risk management not only helps businesses comply with regulations, but also strengthens their resilience and ability to adapt to changing market conditions today and into the future. By integrating ESG into existing risk frameworks, companies can manage risks more proactively and build long-term value, while meeting the increasing demands of investors, customers and regulators.

However, it can be a daunting prospect knowing where to start. This is where Cambridge Advance Online’s course on ESG Risk Management comes in. Jointly led by Martin Massey and Dr Bronwyn Claire from the Cambridge Institute for Sustainability Leadership, the CPD-accredited course provides risk professionals with the frameworks, tools and practical examples they need to navigate the complexities of ESG, develop robust management strategies and drive sustainable success.

‘A lot of the focus of the course is actually to provide practical tools and techniques,’ says Martin. ‘Quite fundamental to the course is the risk management process – identifying risks through to assessment, management and mitigation and ultimately monitoring and reporting. We cover all those areas in the course and with a lot of focus on building sustainability and also resilience within the organisation.’

Discover Cambridge Advance Online’s six-week course on ESG Risk Management.

Read Dr Bronwyn Claire’s thoughts on developing an ESG-informed approach to organisational strategy and strategic management.

Read Martin Massey’s book, Climate Change Enterprise Risk Management: A Practical Guide to Reaching Net Zero Goals.

References

IBM. (2023). The ESG Data Conundrum, IBM Institute for Business Value: https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/esg-data-conundrum (accessed 13 September 2024).

Massey, M. (2023). How to build climate resilience, Kogan Page: https://www.koganpage.com/risk-compliance/how-to-build-climate-resilience (accessed 13 September 2023).

Martin has over 30 years’ experience working for some of the leading global insurance and risk consulting firms including Swiss Re, AIG, Marsh, Aon and Willis. He is currently the Managing Director of OneRisk Consulting Ltd, providing enterprise risk management (ERM) consultancy services with a focus on ESG and climate change.