Over the past several years, sustainability considerations have shifted steadily from the periphery of corporate responsibility programs into the center of enterprise risk discussions. Investors, regulators, customers and employees increasingly expect organizations to treat sustainability topics in the areas of environmental, social and governance (ESG) not as a stand-alone initiative but as an integral component of enterprise risk management (ERM).
This represents a new status for ESG, grounded in the recognition that sustainability factors can equate to genuine business risks and opportunities. Climate exposure, workforce availability, supply‑chain resilience, data ethics and governance failures can all materially affect enterprise value. Further, stakeholders expect organizations to consider these impacts across the entire value chain, engaging suppliers, customers and local communities to identify risks that may not be visible through traditional financial or operational lenses.
Within organizations, the tone of sustainability discussions has also shifted from abstract to pragmatic. Rather than talk about climate risk generally, operational, risk and finance executives may discuss tangible exposures such as physical disruption to facilities, energy price volatility, water scarcity or regulatory transition costs, and draw direct lines from these concerns to strategic planning or capital allocation.
All this indicates that organizations are moving beyond “ESG for ESG’s sake” and applying risk management discipline to sustainability factors, focusing on operational areas with clear risk exposure, defined time horizons and manageable costs. The most successful organizations are integrating ESG risks into established risk governance structures and elevating their discussion to the board level.
The benefit of a unified risk framework
Consider an organization that conducts an annual ERM risk assessment led by the finance function, focusing on strategic, operational, financial and compliance risks. Separately, the sustainability team conducts an ESG materiality assessment to support regulatory disclosures and investor reporting.
Both efforts rely on many of the same stakeholders: senior executives, supply chain leaders, HR, legal, operations, procurement, and regional management. These leaders are interviewed twice for the two different assessments, answering similar questions framed in different language. The ERM assessment results in a board-level risk profile and heat map; the ESG exercise produces a separate materiality matrix and narrative report. Each is reviewed in different forums, with limited cross-reference between the two.
These near-duplicative efforts can result in management fatigue, mixed signals about priorities, and a board having to reconcile two perspectives on risk that are related but not clearly connected. For example, supply chain disruption may appear as a high operational risk in ERM, while labor practices or supplier emissions appear separately as ESG concerns, with no clear view of their combined impact or cumulative exposure.
Integrating sustainability risks into the ERM framework addresses these issues, and more. It can:
- Align stakeholders through the use of shared definitions, scoring criteria and time horizons;
- Reduce “survey fatigue” among respondents, while saving time for both respondents and administrators;
- Reduce IT costs by establishing a single data system for both reports;
- Avoid inconsistencies in internal and external reports, reducing the probability of external auditor findings;
- Provide the board with a holistic, coherent view of enterprise risk, allowing it to formulate a holistic strategy in response to an increasingly complex environment.
Fig. 1. Separate vs. unified risk assessment
Practical steps for integrating ESG into ERM
Despite broad agreement on the importance of ESG-ERM integration, organizations continue to be held back by practical challenges, such as misaligned methodologies, unclear ownership, separate reporting streams and even different vocabularies. The following steps can facilitate and streamline the process:
- Align on ESG and ERM language. Offer training to the ERM committee so that they understand sustainability terminology, and vice versa. Use the same terms whenever possible.
- Elevate the risk assessment. Approach sustainability risk assessments not solely as a means to comply with regulatory standards like the CSRD or ISSB, but as an integral part of enterprise risk management frameworks, such as COSO ERM or ISO 31000. While sustainability risks often demand a more granular analysis, such as at the level of individual location sites, these detailed evaluations should still be aligned with the overarching ERM.
- Rationalize the risk register. Before introducing new ESG categories into the risk register, ensure you have a clear understanding of the organization’s current risk taxonomy, naming conventions, scoring scales and time horizons, and map ESG risks to these categories whenever possible.
- Update governance documents. Revise risk policies and committee charters to explicitly reference ESG considerations. This documentation may need to be more detailed, to account for sustainability risks at a more granular level (e.g., individual location sites). Nevertheless, including these considerations reinforces accountability and clarifies that ESG oversight is a core board responsibility.
- Identify material sustainability risks. Identify which ESG risks warrant inclusion in the ERM framework by using industry-specific materiality assessments. Mapping only material risks into the risk register enables clear comparison, prioritization and mitigation planning.
- Embed the material risks. Incorporate the identified material risks into existing risk registers, scenario analyses and stress testing processes.
- Align reporting. Leverage ERM structures, metrics and monitoring systems, including data analytics and AI, to monitor ESG risk indicators and flag emerging risks in near-real time.
Conclusion
Boards today demand a full and clear view of enterprise risks and flexible frameworks capable of absorbing new risks and responding rapidly to disruption. Integrating ESG risks into ERM is a vital step toward providing that clarity and responding to the pressures of increased climate volatility and stakeholder and regulatory scrutiny.
The call to action for boards and executives is clear: Treat ESG not as a parallel agenda, but as an essential component of enterprise risk management to build resilient, future‑ready organizations.
Protiviti supports organizations in integrating ESG considerations into ERM by aligning ESG methodologies with enterprise risk frameworks, embedding the relevant processes, and facilitating the adoption and alignment of data-driven tools. To learn more, visit our website or contact the authors.
Ramona Hoepfl with Protiviti’s Risk & Compliance practice contributed to this content.