Recommended Reading


There are many reasons to align ERM and ESG and embed them in strategizing and operations. Both set of principles focus on identifying and addressing the risks to long-term business success.

Enterprise Risk Management (ERM) is an organization-wide process of identifying and addressing events that may potentially either become operational or strategic risks, or harm opportunities to gain competitive advantage. Environmental, Social, and Governance (ESG) standards also address risks that businesses and investors have an interest in addressing. It therefore makes sense that ERM and ESG are merging, because both processes focus on the identification and assessment of the risks associated with running a business, and the opportunities for managing those risks so they do not interfere with the ability to achieve goals and objectives. The alignment of ERM and ESG is an emerging trend, as companies recognize that issues such as environmental sustainability, social justice, and corporate leadership decision-making and policies contribute to reputational, operational, financial, and investment risks.


ESG has been a concept that has been recognized for many years, but its importance to risk management for long-term business sustainability is more recently acknowledged. One of the reasons is institutional investors wanting to assess the risks of ESG factors before making investment decisions regarding the potential harm they can do if not well-managed. For example, what are the risks of experiencing limited natural resources, or of potential climate change effects on business operations? Are corporate values affected, as younger generations of talent consider environmentalism when selecting companies for employment?

A similar perspective is applied to social and governance elements. ESG can lead to positive or negative business impacts, depending on how the related risks are mitigated. For example, Social embraces diversity, equity, and inclusion. Companies that are not diverse, equitable, or inclusive in recruiting, hiring, marketing or governance will experience problems with attracting and retaining top diverse talent. They will also suffer damage to the corporate reputation, and experience less innovation due to a lack of diverse perspectives. ERM is also a process for identifying and responding to risks in a way that minimizes the potential negative impact of those risks on the ability to continue operations. It also helps the organization avoid disruptions, and maximize profits and returns on investments. Bringing ERM and ESG together broadens the scope of strategic risk management, which is important in a business environment continually undergoing disruption and change.


Currently, ERM and ESG are usually treated separately in terms of processes, management, and reporting. That is changing, however, as investors and government entities, such as the Securities and Exchange Commission (SEC), update reporting requirements. Integrating ESG risk factors into the ERM risk management framework is a step process. A good way to start is by setting up a board-level oversight committee, and having an ESG rating agency assess the organization’s risks. There are several ESG-scoring services, including top-rated agencies such as MSCI, ISS-ESG, and Sustainalytics. The most informative risk analyses will identify both current and emerging risks. It is important to assign responsibility for the risk assessment process, so there is the assurance it is completed thoroughly and accurately, and there is follow-through. When the goal is to merge ESG with ERM, having the responsibility fall under operational risk makes sense for coordination purposes.

The ESG strategy is developed and aligned with the business strategy. ESG mitigation strategies will depend on the full range of data and information gathered from the risk analysis, but now this is within the context of ERM. Mitigation strategies address how the organization will use the data analyses and information for decision-making and the reporting structure. ESG risks are assessed as to materiality, and they are merged with existing ERM issues where there is no overlap, including existing and emerging risks. The new set of risks is evaluated for the potential to damage the organization’s reputation and disrupt operations.

Managing ESG as a part of ERM includes identifying where risks are integrated. Melanie Steiner, Board Member of US Ecology, Inc. spoke about the relationship of sustainability and risk, and the need for a good relationship. When the ESG risks are embedded in ERM, a better picture emerges of the full impact of those risks. She gives the example of diversity and inclusion risks. Human Resources could add D&I to its other talent management process risks and have responsibility for monitoring, managing, and reporting on D&I. In another example, a company needs water for its production process, and the risk of climate change creating more droughts becomes an operational issue.


One of the biggest challenges organizations must overcome to marry ERM and ESG is quantifying ESG risks. Risks are identified, assessed, and prioritized, and the cost and benefits of each response adds quantification. ERM has used financial data as the primary valuation process, and as ESG has matured, it has become clear that ESG risk management is consistent with financial performance. The environmental sustainability element has received the most attention to date. The UN Global Compact and Principles for Responsible Investment developed the Value Driver Model, which can be used to “determine the return on investment of corporate sustainability activities.” When risks are evaluated, the ROI becomes a key figure. Common business metrics can be used for all ESG, by approaching quantification from the perspective of how much the risk could impact specific costs. For example, what would happen if facilities located in a floodplain were to flood due to heavy rain? The analysis considered the cost of facilities damage and supply chain impacts. A discounted cash flow approach yielded the financial impact on assets and the supply chain.

The World Economic Forum developed expanded metrics and disclosures that can direct organizations in their efforts to quantify ESG. In the Social category, metrics might look at the risks of infrastructure damage on communities, the cost of absenteeism due to work-related disease or injury, and monetary losses due to discrimination and harassment incidences. Governance includes employee management, and risk metrics may address the risks of changing the mix of regular employees and contracted workers, or the risk of human rights violations in global locations. The Measuring Stakeholder Capitalism report is a good starting point for understanding the connection between ERM and ESG and potential metrics for risk identification.