Sustainability Solutions | Anitech

Enterprise Risk Management and ESG: Building an Integrated Risk Framework

Risk management and ESG governance are increasingly intertwined. Environmental and social risks—climate change, supply chain vulnerability, workforce disruption, regulatory change—are material risks that can significantly impact business resilience and financial performance. Conversely, poor governance regarding these risks undermines ESG credibility. Building an integrated framework that treats ESG risks as core enterprise risks, not as separate compliance concerns, is fundamental to modern risk governance.

This article explores how to integrate ESG into enterprise risk management frameworks, the standards guiding this integration, and practical implementation strategies for Australian businesses. For broader ESG governance context, see our ESG Australia Complete Guide. For guidance on building comprehensive governance structures, see our article on ESG governance frameworks.

Why ESG and Risk Management Must Be Integrated

Financial Materiality of ESG Risks

Major ESG risks have direct financial implications. Climate change impacts supply chains, operations, and asset values. Supply chain disruption affects revenues. Workforce shortages increase labour costs. Regulatory changes impose compliance costs or force business model changes. Reputation damage affects customer and investor confidence. These are material business risks, not peripheral sustainability concerns.

Risk management frameworks that fail to capture material ESG risks miss critical business threats. Risk assessment processes should be as rigorous for ESG risks as they are for financial, operational, and compliance risks, and should score them on the same scale so the board can compare them.

Governance and Accountability

Integrating ESG into enterprise risk management creates clear governance and accountability. When ESG risks are identified as material business risks, boards and executives treat them with appropriate seriousness. Risk owners are assigned, mitigation strategies are developed, and performance is monitored—the same discipline applied to other material risks.

Regulatory Expectation

ASX Corporate Governance Council Principle 7 (Recognise and manage risk) recommends that boards establish a risk management framework and periodically review its soundness, and Recommendation 7.4 specifically asks listed entities to disclose whether they have any material exposure to environmental or social risks and, if so, how they manage those risks. The Principles operate on an "if not, why not" basis rather than as hard law, but regulators such as ASIC have stated that directors should treat climate-related risk as a foreseeable business risk within their duty of care. AASB S1 requires disclosure of the processes used to identify, assess, prioritise and monitor sustainability-related risks. Integration is increasingly a regulatory expectation.

Key Risk Management Frameworks and Standards

ISO 31000 Risk Management

ISO 31000 (current edition ISO 31000:2018) is the international standard for risk management, providing principles, a framework and a process for identifying, analysing, evaluating, treating, and monitoring risks. It is guidance rather than a certifiable requirements standard, and it applies to any organisation, any risk, any context. For ESG governance, ISO 31000 provides a consistent methodology for assessing ESG risks using the same discipline applied to other organisational risks.

Key elements of the ISO 31000 process applicable to ESG risk management include:

  • Risk identification: Systematic processes identifying ESG risks material to the business
  • Risk analysis: Assessment of likelihood and impact of identified risks, including how they interact with other risks
  • Risk evaluation: Comparison of analysed risks against the organisation's risk criteria and appetite to decide which require treatment
  • Risk treatment: Development of mitigation strategies for material risks
  • Risk monitoring and review: Systems for tracking emerging risks and the effectiveness of mitigation
  • Risk communication and reporting: Reporting of risks to relevant stakeholders including the board

COSO ERM Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Framework provides guidance on integrated risk management across organisations. While originating in the US, COSO ERM is widely adopted globally and by Australian organisations. The framework emphasises that effective ERM aligns strategy and risk management: risks should inform strategic decisions and shape strategic direction.

For ESG governance, COSO ERM principles suggest that ESG risks should be explicitly considered in strategy setting, with boards assessing whether proposed strategies adequately account for identified ESG risks. COSO and the World Business Council for Sustainable Development published dedicated guidance in 2018, Applying Enterprise Risk Management to Environmental, Social and Governance-related Risks, which maps each COSO ERM component to ESG risk practice.

AASB S1 Risk Management Requirements

AASB S1 (General Requirements for Disclosure of Sustainability-related Financial Information) requires an entity to disclose the processes it uses to identify, assess, prioritise and monitor sustainability-related risks and opportunities. This includes:

  • Processes and policies used to identify and assess sustainability-related risks, including the inputs and parameters used and whether scenario analysis is applied
  • How the entity prioritises those risks relative to one another
  • Processes used to monitor identified risks
  • Whether and how those processes have changed from the prior reporting period
  • The extent to which, and how, these processes are integrated into the entity's overall risk management process

The governance disclosures of AASB S1 also require an explanation of how the board takes those risks into account when overseeing strategy and major transactions. Together these requirements operationalise the expectation that ESG risks are managed through systematic enterprise risk management processes. Note that in Australia AASB S1 is a voluntary standard; the mandatory climate-related disclosure regime phased in from 2025 is built on AASB S2, which applies the same risk management disclosure structure to climate risk specifically.

Building Integrated ESG Risk Management Frameworks

Risk Identification: What ESG Risks Matter?

Effective risk management begins with identifying material risks. For ESG, this requires processes systematically capturing:

  • Climate risks: Transition risks (technology change, policy evolution, market shifts) and physical risks (extreme weather, water availability, sea level rise)
  • Supply chain risks: Vulnerability to disruption, labour practice compliance, environmental compliance
  • Workforce risks: Talent attraction and retention, health and safety incidents, discrimination or harassment claims
  • Regulatory risks: Emerging ESG regulations, enforcement actions, compliance failures
  • Reputational risks: ESG-related reputational damage affecting customer or investor confidence
  • Governance risks: Governance failures that undermine ESG credibility or create liability

Identification processes should be systematic and regular, not ad-hoc. Many organisations conduct annual ESG risk assessments aligned with strategic planning cycles. Quarterly or more frequent assessments are advisable for rapidly changing risks (such as climate impacts or supply chain disruptions).

Risk Assessment and Prioritisation

Once risks are identified, organisations must assess likelihood and potential impact. This informs prioritisation—which risks warrant immediate management attention versus longer-term planning? Risk assessment should use consistent methodologies applicable across all enterprise risks, creating transparency about how ESG risks compare to other material business risks.

Risk assessment should consider:

  • Likelihood of risk occurrence (high, medium, low probability)
  • Potential impact if risk occurs (financial, operational, reputational impact)
  • Time horizon (near-term impacts versus long-term potential impacts)
  • Dependencies or amplifying factors (how risks interact)

For climate risks, many organisations now conduct scenario analysis assessing business resilience under different climate outcomes (e.g., well-below 2°C, 2-3°C and 3°C+ warming scenarios); AASB S2 requires climate resilience to be assessed using scenario analysis.

Risk Response and Mitigation

For each material risk, organisations should develop response strategies. Options typically include:

  • Avoid: Exit activities or markets posing unacceptable risk
  • Mitigate: Take actions reducing likelihood or impact of risk
  • Transfer: Share the risk through insurance or contractual arrangements (noting that reputational and regulatory exposure is rarely fully transferable)
  • Accept: Retain the risk by an informed decision within the stated risk appetite, and monitor it

Mitigation strategies should be specific, measurable, and assigned to accountable parties. Risk response often involves capital allocation, policy changes, or operational adjustments.

Risk Monitoring and Reporting

Organisations should establish systems for monitoring emerging risks and assessing effectiveness of mitigation strategies. This includes:

  • Key risk indicators (KRIs) tracking changing risk levels (e.g., supplier financial stability, workforce attrition rates, regulatory activity)
  • Regular risk reporting to management and board committees
  • Escalation procedures for risks exceeding risk appetite or management authority
  • Regular risk review and reassessment

Risk reporting should be integrated with broader enterprise risk reporting, not siloed as ESG risks separate from other business risks.
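The assessment and monitoring steps described above (likelihood and impact on a common scale, time horizon, interacting risks, comparison against risk appetite, and KRI thresholds) can be held in one register shared by ESG and other enterprise risks. The following is an added example written for this article, not code from the original page or from any standard; every risk, score, appetite level and KRI value in it is constructed, and the 5x5 scale and the 0.25 dependency amplification factor are illustrative assumptions.

```python
# Added example (not from the original page): one risk register that scores
# ESG and non-ESG risks on a single likelihood x impact scale, amplifies a risk
# when risks it depends on are themselves material, ranks everything together,
# and escalates whatever exceeds the board's stated appetite for its category.
# Every risk, score, appetite level and KRI value below is constructed.
from dataclasses import dataclass, field

LIKELIHOOD = {"low": 1, "medium": 3, "high": 5}
IMPACT = {"low": 1, "medium": 3, "high": 5}
MATERIAL = 9       # base score at or above which a risk counts as material (assumed)
MAX_SCORE = 25     # ceiling of the assumed 5x5 scale


@dataclass
class Risk:
    id: str
    category: str                 # climate, supply_chain, workforce, cyber ...
    likelihood: str               # key into LIKELIHOOD
    impact: str                   # key into IMPACT
    horizon_years: int            # when the impact is expected to bite
    depends_on: list[str] = field(default_factory=list)  # ids of amplifying risks


def base_score(risk: Risk) -> int:
    """Plain likelihood x impact on the shared enterprise scale."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def amplified_score(risk: Risk, register: dict[str, Risk], factor: float = 0.25) -> float:
    """Add a fraction of each material upstream risk's score, capped at MAX_SCORE,
    so interacting risks (e.g. climate -> supply chain) are not under-ranked."""
    bump = sum(base_score(register[d]) * factor
               for d in risk.depends_on if base_score(register[d]) >= MATERIAL)
    return min(MAX_SCORE, base_score(risk) + bump)


def prioritise(register: dict[str, Risk]) -> list[tuple[str, float]]:
    """Rank all risks together: highest score first, nearer horizon first on ties."""
    ranked = sorted(register.values(),
                    key=lambda r: (-amplified_score(r, register), r.horizon_years))
    return [(r.id, amplified_score(r, register)) for r in ranked]


def escalate(register: dict[str, Risk], appetite: dict[str, float]) -> list[str]:
    """Ids (in priority order) whose score exceeds the appetite for their category."""
    return [rid for rid, score in prioritise(register)
            if score > appetite[register[rid].category]]


def kri_breaches(kris: dict[str, tuple[float, float]]) -> list[str]:
    """Names of KRIs whose current value has crossed its threshold; entries are
    (current value, escalation threshold)."""
    return [name for name, (value, threshold) in kris.items() if value > threshold]


# Constructed register: two ESG risks, one cyber risk and one workforce risk
# assessed on the same scale; the supply-chain risk is amplified by climate risk.
REGISTER = {r.id: r for r in [
    Risk("R1", "climate", "high", "high", horizon_years=10),
    Risk("R2", "supply_chain", "medium", "high", horizon_years=2, depends_on=["R1"]),
    Risk("R3", "cyber", "high", "high", horizon_years=1),
    Risk("R4", "workforce", "low", "medium", horizon_years=3),
]}
# Constructed board appetite: maximum tolerated score per category.
APPETITE = {"climate": 12, "supply_chain": 15, "cyber": 15, "workforce": 9}
# Constructed KRIs: (current value, escalation threshold).
KRIS = {
    "supplier_concentration_top3_share": (0.62, 0.50),
    "annual_attrition_rate": (0.11, 0.15),
    "scope1_2_emissions_vs_plan": (1.08, 1.05),
}

if __name__ == "__main__":
    for rid, score in prioritise(REGISTER):
        print(f"{rid} ({REGISTER[rid].category}): {score}")
    print("escalate:", escalate(REGISTER, APPETITE))
    print("KRI breaches:", kri_breaches(KRIS))
```

Two design points matter more than the numbers. Scoring cyber and climate risks with the same function is what makes the register integrated rather than siloed, so the board sees the supply-chain risk outrank the workforce risk on evidence rather than on which committee raised it. And the dependency bump is deliberately applied only when the upstream risk is itself material, so a long list of minor dependencies does not inflate a score; the factor and the materiality cut-off are the knobs a risk committee would set when it defines its criteria.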

Climate Risk Assessment and Scenario Analysis

Climate change represents a material risk for most Australian businesses. Climate risk assessment typically includes:

Transition Risk Assessment

Evaluation of business exposure to technology change (renewable energy adoption, electrification), policy change (carbon pricing, emissions regulation), and market shifts (customer preferences, investor divestment pressure). For energy-intensive industries, manufacturing, utilities, and mining, transition risks can be material.

Physical Risk Assessment

Evaluation of exposure to climate-related physical impacts: extreme weather (floods, storms), chronic impacts (changing rainfall patterns, heat stress), and sea level rise. Physical risks affect operations, supply chains, assets, and employee safety.

Scenario Analysis

Many organisations now conduct scenario analysis assessing business resilience under different climate pathways. Typical scenarios include:

  • Well-below 2°C scenario: Rapid transition to net-zero, aggressive climate policy, rapid technology change
  • 2-3°C scenario: Moderate transition, mixed policy and market drivers
  • 3°C+ scenario: Limited transition, continued high emissions, significant physical climate impacts

Scenario analysis helps boards understand business resilience across climate futures and informs strategic decisions about capital allocation and risk mitigation.

Integration with Strategic Planning and Capital Allocation

Effective ESG risk management requires integration with strategic planning and capital allocation. Boards should ensure:

  • Strategic plans explicitly address material ESG risks and how strategy mitigates those risks
  • Capital allocation decisions reflect risk assessment (e.g., are we investing in climate-vulnerable assets or alternatives?)
  • Resource allocation supports risk mitigation (e.g., supply chain diversification, workforce development)
  • Risk appetite is clear and strategies align with stated risk appetite

Key Takeaways

ESG risks are material business risks requiring integration into enterprise risk management frameworks. ISO 31000 and COSO ERM provide methodologies for systematic risk identification, assessment, treatment, and monitoring. AASB S1 requires governance disclosure of risk management processes. Effective ESG risk governance requires systematic identification of material risks, assessment of likelihood and impact, development of mitigation strategies, and regular monitoring. Climate scenario analysis is increasingly important for understanding business resilience. Risk information should inform strategic planning and capital allocation decisions.

Frequently Asked Questions

Should ESG risks be managed separately from other enterprise risks?

No. ESG risks should be integrated into enterprise risk management frameworks using consistent identification, assessment, and monitoring processes. Siloing ESG risks suggests they are separate concerns rather than material business risks.

What climate scenarios should organisations analyse?

Common scenarios include well-below 2°C (rapid transition), 2-3°C (moderate transition), and 3°C+ (limited transition) pathways. Scenarios should reflect time horizons relevant to the business (short, medium, and long-term impacts).

How should risk appetite be set for ESG risks?

Risk appetite should be set through board discussion considering the organisation’s strategic objectives, stakeholder expectations, and operational capacity. Appetite may differ across risk types—some organisations may accept higher climate risk but lower governance risk, for example.

What are key risk indicators for ESG risks?

KRIs vary by risk type. Climate KRIs might include greenhouse gas emissions, renewable energy penetration, or climate-impacted asset exposure. Supply chain KRIs might include supplier compliance rates or supply chain concentration. Workforce KRIs might include attrition rates or safety incidents.

How frequently should ESG risk assessments occur?

Formal annual assessments are standard practice. More frequent assessments (quarterly) are advisable for rapidly changing risks. Risk assessments should also be triggered by significant internal or external changes.

How does AASB S1 relate to enterprise risk management?

AASB S1 requires governance disclosure of processes for identifying and managing sustainability-related financial risks. This operationalises the expectation that ESG risks are managed through systematic enterprise risk management processes.

Integrate ESG into Your Risk Management Framework

Many Australian organisations manage ESG risks through separate compliance programs rather than integrated enterprise risk management. This approach misses opportunities for strategic risk mitigation and creates governance silos. Effective ESG governance requires systematic integration of ESG risks into enterprise risk management frameworks, with rigorous identification, assessment, and monitoring aligned with standards such as ISO 31000 and AASB S1 requirements.

Book a Free ESG Strategy Session to assess your current risk management approach, identify material ESG risks, and develop a roadmap for integrating ESG into enterprise risk management aligned with regulatory requirements and board oversight expectations.