Rotman Insights Hub | University of Toronto - Rotman School of Management

Are the right ESG risks on your radar? Here's a 4-step framework to find out


Norman T. Sheehan, Han-Up Park, Richard C. Powers, Sarah Keyes

In the current environment, ESG risks pose one of the greatest threats to public companies’ abilities to deliver predictable results. A recent Bank of America study calculated that 24 ESG incidents in the period 2014–2019 cost U.S. public companies over $500 billion in market value.

Given the threat posed by ESG risks, some argue that superior risk management is a leading indicator of future financial performance, while many lenders and institutional investors view the firm’s ability to successfully navigate ESG risks as a proxy for management quality. And there is growing evidence that companies judged by investors to effectively manage ESG risks are rewarded with lower costs of capital and higher valuations.

ESG risks are potential environmental, social or governance hazards that can keep companies from achieving their stated objectives. Enterprise risk management (ERM) is a process whereby executives, under the board’s oversight, identify, quantify, mitigate and monitor the firm’s material risks. With increasing demands for transparency and more regulations, environmental risks such as climate change, loss of biodiversity and single-use plastics; social risks such as those arising from concerns about equity, diversity, and inclusion; and governance risks associated with corruption, cybersecurity and tax transparency present new challenges for directors.

One of the most prominent ESG risks facing companies today is, of course, climate change, which poses systemic risk to companies across sectors and geographies. Research by the Sustainability Accounting Standards Board (SASB) found that 89 per cent of industries may be materially affected by climate change risks, including physical and regulatory risks. Given the ubiquity of climate change risk, investors and lenders cannot diversify away from its expected negative effects. Rather, investors and lenders must encourage all companies in their portfolios to manage it.

Unfortunately, few corporate boards have experience addressing climate change and other ESG risks. One study of 1,188 Fortune 100 company board members found that only 29 per cent of their directors had relevant ESG experience, which is an improvement over an earlier study reporting that only 17 per cent of boards had at least one director with ESG experience. A 2022 paper by the National Association of Corporate Directors (NACD) found that although 47 per cent of directors see climate change as an issue, only nine per cent see it as a top priority discussed at all levels of the company.

The monetary impacts of poor ESG risk management are likely to be staggering. Recent studies by McKinsey have reported that as the average value of their intangible assets reaches 90 per cent of their market value, companies become more vulnerable to ESG risks, to the point where as much as 70 per cent of corporate EBITDA is at risk from negative ESG events. For example, companies with poor ESG risk management suffer from lower revenues or loss of innovative capacity when disgruntled customers and employees migrate to more responsible competitors. Firms that struggle to manage their ESG risks also incur higher costs from additional advertising, recruiting and insurance, not to mention paying litigation costs and fines.

Perhaps most important, ESG risks have also been shown to increase the corporate cost of capital, with McKinsey estimating that low ESG performers have a 10 per cent higher cost of capital attributable to the risk of lower future financial performance. Moody’s Investor Services found ESG risks to be a material credit consideration in 85 per cent of rating actions for private-sector issuers in 2020, up from 32 per cent in 2019. Companies with below-average ESG performance may also suffer from lower stock valuations when they are excluded from ESG funds, which PwC expects to grow to $36 trillion globally by 2025.

Directors and executives can be directly impacted by ineffective ESG risk management. Large investment firms and proxy advisory firms withhold votes from committee chairs who do not meet ESG performance standards. And in the worst cases, directors and executives may face litigation if they do not exercise their duty of care when overseeing their firm’s ESG risks.

The total number of climate change-related cases globally has more than doubled since 2015, bringing the cumulative number of cases to over 2,000. Of note, around 25 per cent of these were filed between 2020 and 2022, indicating an accelerating trend of climate litigation against companies. Board members who fail to act with due diligence leave themselves open to being successfully sued by investors if their firms suffer large losses or write-downs due to climate change.

The dynamic materiality of ESG risks

Traditional enterprise risk management (ERM) systems focus on compliance, operational and strategic risks that are well understood, have shorter time horizons (typically the length of the firm’s strategy implementation period) and consider a narrow set of stakeholders, where the focus is on estimating and mitigating the impact on the firm’s future profitability. ESG risks are more challenging for boards to oversee effectively because they exhibit ‘dynamic materiality,’ which means they might not yet be material but will be a priority for the company in the future.

The dynamic materiality of ESG risks stems from the following characteristics: they are typically ill-defined, have longer time horizons (e.g. climate change has no end date) but may also happen overnight (as in the case of a ban on single-use plastic) and impact a broad set of stakeholders (notably society at large). ESG risks are also typically interconnected (e.g. climate change leads to lower social equity), all of which makes estimating the materiality of ESG risks more difficult than traditional risks.

Adding to the ESG risk oversight challenge is that many of these risks are becoming increasingly threatening. A risk becomes ‘material’ when either the likelihood of the risk event occurring or the impact of the event escalates. The unique dynamic materiality inherent in ESG risks exacerbates this possibility, along with a growing social awareness of ESG issues and expectations of companies.

Another force driving ESG risk materiality is the growing demand for transparency surrounding corporate ESG performance. With the heightened perception of the value of ESG data, investment firms, lenders and national pension funds have begun to demand mandatory ESG reporting from firms, while legislators and regulators have begun to demand mandatory ESG reporting requirements. Even if ESG reporting is not yet mandatory in all jurisdictions, exchange listing regulators such as the Securities and Exchange Commission now expect companies to disclose material ESG risks, such as climate-related and cybersecurity risks, in their security exchange filings.

In addition, ESG benchmarking has also contributed to increasing the transparency of firm ESG performance. ESG rating agencies such as MSCI, Sustainalytics and Bloomberg rate ESG performance based on their assessments of corporate disclosures and then publicize their results. And NGOs such as Ecojustice, Greenpeace and the Tax Justice Network also publicize information about corporate ESG performance, creating further reputational risks for companies.


Enhancing board oversight

Boards are required by company law and exchange listing requirements to oversee the firm’s risks, risk responses and risk management processes. This means boards have a responsibility to ensure that management is following best practices for ESG risk. We recommend the following four-step framework.

STEP 1 – Identify ESG Risks: Since ESG risks can be viewed as stemming from corporate effects on and interactions with stakeholders, executives should begin the risk identification process by considering their companies’ impact on stakeholders throughout the supply chain. Taking into account the interests and concerns of a broad set of stakeholders, including the environment and future generations, becomes especially important for corporate management when one recognizes that nine of the top 10 risks cited in the 2023 World Economic Forum’s Global Risk Report relate to environmental, social and governance threats.

The following eight prompts can be used to identify potential sources of ESG risk:

  1. EXTERNAL ESG REGULATIONS, RULES, GUIDANCE AND INDUSTRY LEVEL INITIATIVES. A review of existing and prospective regulations, rules, guidance and industry initiatives enables directors to identify potential ESG factors that are broadly applicable to the company’s industry, as well as any company-specific factors (such as locations of operations).
  2. ESG RATING PROVIDER METHODOLOGIES. Reviewing the methodologies of leading ESG rating providers such as MSCI, Sustainalytics and Bloomberg allows directors to understand the relevant factors that impact their ESG ratings.
  3. PEERS’ DISCLOSURE OF THEIR ESG RISKS. Reviewing peers’ ESG risk disclosures helps directors identify potentially relevant ESG risks in their industry. It is important that directors take pains to choose peers with similar business models, nature and location of operations, given that ESG risks can vary significantly based on these factors.
  4. CURRENT AND PROSPECTIVE INVESTORS’ ESG PRIORITIES. Reviewing investors’ ESG priorities provides directors with a view of the ESG risks being considered by providers of capital and their view of the company’s most material ESG risks.
  5. CORPORATE ESG PRIORITIES, POLICIES AND DISCLOSURES. Directors should review the current corporate ESG priorities, policies and disclosures to see if there are any issues that have not historically been considered concerns, such as employee health and safety.
  6. ESG REPORTING FRAMEWORKS. Voluntary reporting frameworks, such as the Global Reporting Initiative (GRI) or Sustainable Development Goals (SDGs), provide a starting point for directors to identify potentially material ESG risks. It is important to consider the definition of materiality applied by each reporting framework based on the intended audience. In the context of board oversight of material ESG risks, an investor-focused reporting framework such as the global sustainability reporting standards being developed by the International Sustainability Standards Board (ISSB) is a useful starting point for directors to review.
  7. CORPORATE EXTERNALITIES. Externalized costs are environmental or social damages attributable to companies but not reported in their financial statements. Former Chief Justice of the Delaware Supreme Court, Leo Strine, notes that, “None of us wants any particular company in our portfolio to get artificially rich by poisoning us. Also, we pay for externalities as investors and as human beings, so those externalities are costs to us.” As the amount and impact of negative corporate externalities grow, so does the risk that companies will be required to internalize these costs through the introduction of stricter regulations or public pressure to use more ESG-friendly materials or processes, which may reduce future profits. To improve oversight, directors should ensure that management recognizes and considers taking steps to limit the negative impact of ESG risks on the company’s stakeholders as well as its shareholders.
  8. CORPORATE TAXES. In 2022, Amazon faced a shareholder resolution asking for the disclosure of the corporate taxes it paid on a country-by-country basis and of the effective tax rates paid by the company relative to the statutory tax rates in each country. According to one observer, “The defense that a corporation has paid all the taxes it is legally required to pay in each country it operates no longer appears to resonate with many stakeholders.” Since most directors lack corporate tax expertise, boards may miss risks arising from over-aggressive tax planning. To close the gap, directors should review the taxes paid and the effective tax rate relative to the statutory tax rate in each jurisdiction the company operates in, asking management to explain any significant deviations.

STEP 2 – Quantify ESG Risks: Because directors have competing demands and limited resources, it is important to prioritize the ESG risks with the greatest potential to impact the company’s value. The traditional method to prioritize risks is to quantify the expected costs associated with each by multiplying the assessed probability of the event by its expected impact on long-run corporate profitability and value. Given the dynamic materiality of ESG risks, estimating the impact and likelihood of ESG risks along a five-part continuum — from ‘insignificant,’ ‘minor’ and ‘moderate’ to ‘major’ and ‘extreme’ — is bound to involve more art than science. The impact of risks should not only consider their potential financial harm to investors but also the negative impact on stakeholders. The greater the harm companies inflict on their stakeholders in terms of pollution or poor employment practices, the higher the risk should be rated.

In addition, estimating the likelihood of an ESG risk event occurring and its duration is challenging as ESG risks may materialize overnight (e.g. #metoo events) or take longer to surface (e.g. excessive GHG emissions). It is common for companies to think about and communicate their sense of their material risk events using ‘risk heat maps’ (such as those proposed by ISO’s 31000 release issued in 2018). However, risk heat maps are not optimal for capturing the dynamic materiality of ESG risks, because risks with low scores are not displayed on the heat map and thus may fly under the board’s radar. ESG risks judged to have a medium-to-high impact and a low likelihood in the short term may not be displayed or prioritized, but still may quickly creep up on the firm and cause real financial damage.

To prevent the directors from losing sight of the ESG risk events estimated to have a low likelihood of occurring, we recommend the use of a “risk radar map.” Such a map shows different time horizons (e.g. short, medium and long) and displays ESG risks based on their impact (colour-coded based on severity). In a map for the petrochemical industry, for example, a ban on single-use plastics may be coded bright pink, since its impact is judged to be extreme, and shown in the outermost concentric circle of the risk radar map, reflecting the expectation that a ban on single-use plastics may occur in the next five to 10 years.

The mitigation tactics used to address longer-term ESG risks typically require capital investments and a longer time horizon than those for short-term risks. Therefore, it is important for boards to ensure effective oversight of longer-term ESG risks as part of their oversight of the firm’s capital allocation process.

STEP 3 – Mitigate ESG Risk: Once the firm’s ESG risks are identified and scored, management develops risk responses or mitigation strategies for managing material ESG risks and presents these to the board for approval and/or as part of the oversight of its ESG strategy. One proactive risk response that companies can undertake is voluntary self-regulation. For example, Apple stated it will have a carbon-neutral supply chain by 2030 and Nestlé committed to spending $3.6 billion in the next five years to become carbon neutral by 2050. Maple Leaf Foods’ voting agenda uses internal carbon pricing to encourage its managers to prepare for a low carbon future and Unilever pledged that all its employees as well as its suppliers’ employees will be paid a living wage by 2030.

If a company’s negative ESG impacts are easily discernible by third parties, self-regulation can be effective, especially if rivals are not able (or willing) to follow suit. But if a company’s negative impact is difficult to distinguish from that of its competitors (say, the focal firm cuts its emissions into a local river by 99 per cent while its upstream rivals continue to pollute the same river), then collective action is a better alternative for managing that risk.

Companies intent on pursuing collective action can form industry or trade associations in which all members of the association voluntarily agree to reduce their harmful ESG effects, disclose their impact and achieve certification. For collective action to be a successful tactic to manage ESG risks, companies must agree to third-party audits of their ESG performance. One advantage of self-regulation is that companies may avoid stricter regulations in the long term. A possible disadvantage is that it may decrease the firm’s profitability in the short term, and even place it in an unfavourable competitive position relative to those rivals who refuse to join the industry association and self-regulate. However, the risk of being at a competitive disadvantage is low if there is a large potential for new regulations, such as the introduction of carbon taxes.

Some kinds of ESG risks, such as those associated with failure to achieve expectations for equity, diversity and inclusion, can prove to be not only material but resistant to direct mitigation efforts. Research has found evidence of what appears to be a near-universal unconscious cognitive bias: Most of us seem to prefer to hire and work with people like us. Although most companies claim to be merit-based when recruiting, mentoring and promoting employees, cognitive bias tends to work to reinforce rather than reduce inequality. To limit this risk, companies should consider the use of targets, disclosures and third-party audits to address the unconscious bias hindering minorities from being hired, mentored and promoted in firms. Boards can set the tone at the top by mandating that the nomination committee improve the diversity of their directors, with the aim of having boards that mirror the diversity of their stakeholders. Canadian railway CN has announced its intent to have at least 50 per cent of its independent directors mirror its customers and the communities in which it operates.

To support the success of ESG risk responses, boards should review their corporate incentive plans to ensure alignment. Corporate incentive systems send strong signals to stakeholders about what is important to the firm and motivate executives to improve the firm’s ESG performance. To demonstrate that ESG risk management is critical, boards should revise the firm’s executive incentive plan to include metrics relating to material ESG risks such as carbon emissions or diversity targets. As two examples, McDonald’s now ties 15 per cent of its CEO’s bonus to success in achieving diversity goals among its senior leadership team, and Shell Oil has included emission reduction goals in its CEO’s bonus since 2018.

STEP 4 – Monitor ESG Risks: All identified ESG risks should be assigned to senior executives who then become responsible for the implementation of approved risk responses. The board then regularly monitors emerging risks and the effectiveness of the approved ESG-risk responses.

To be sure, effective monitoring of ESG risk is likely to prove challenging for most board members. Consider, for example, the emerging ESG risk that now surrounds the use of AI to enhance employee decision-making. As more companies introduce AI, boards need to understand how AI works, its data sources, how the third-party AI provider shares companies’ data, and any systemic biases that AI may introduce into the firm’s decision-making.

To address the lack of ESG risk oversight expertise, boards should consider using a skills matrix to assess what expertise and risk literacy they require to effectively oversee ESG risks. Once identified, boards should train existing members in risk literacy and ESG issues or actively recruit new board members who possess these capabilities as well as reflect the diversity of the firms’ stakeholders.

A second challenge for boards is that the responsibility to oversee ESG risks is typically spread across different board committees, many of which lack the time to effectively address them. Environmental risks are typically dealt with by the Audit and Risk Committee, while social risks relating to employees and executives are often dealt with by the HR or Health and Safety Committee. Given that existing board committees have full agendas, boards should evaluate the merits of establishing a separate ESG committee that focuses on overseeing the firm’s ESG risks, performance and reporting. The ESG committee should engage with stakeholders on a regular basis to continuously reassess the materiality of ESG risks, anticipate emerging ones and ensure that the firm’s risk responses are working to keep it within its overall risk tolerance.

ESG risks such as those associated with climate change, water scarcity and concerns about diversity and inclusion are growing in materiality, posing increased financial risks to companies. In the near term, boards and executives must collaborate with corporate stakeholders to identify, assess, manage, oversee and report material ESG risks. In the longer term, corporate survival is likely to depend on fully integrating ESG risks into the firm’s ERM system, business model, capital allocation process and operations.

As the Canadian Pension Plan Investment Board recently stated, “companies that integrate consideration of ESG related risks and opportunities are more likely to preserve and create long-term value.” Many companies have a long way to go to achieve such integration. But make no mistake: failure to responsibly manage ESG risks may result in a loss of public confidence, and ultimately in the loss of the company’s social license to operate.

This article has been adapted from a paper published in the Journal of Applied Corporate Finance. It originally appeared in the Winter 2024 issue of the Rotman Management Magazine.

Norman T. Sheehan is a professor of accounting at the Edwards School of Business, University of Saskatchewan.
Han-Up Park is an assistant professor of accounting at the Edwards School.
Richard C. Powers is national academic director of directors education program and governance essentials program at the Rotman School of Management.
Sarah Keyes is CEO of Global Advisors Inc.