Why ESG Impacts, Risks and Opportunities Belong Inside Enterprise Risk Management

When I was leading double materiality assessments, one of the first questions I often asked was simple: “Can I speak with your risk management team?”

Not because I wanted to duplicate work, but because I wanted to understand how the organisation already thought about risk, how it made decisions, and how it applied thresholds. I wanted to see what “high risk” actually meant in that business. I wanted to understand how likelihood and impact were defined, what time horizons were used, and how risk appetite showed up in practice.

That connection mattered because a double materiality assessment is not meant to sit in a sustainability silo. It is meant to produce a view of impacts, risks and opportunities that is decision-useful. Ideally, it should strengthen the organisation’s ability to govern and manage ESG issues with the same discipline applied to financial and operational risks.

However, what I found in practice was mixed. Some risk teams had strong, documented criteria. Definitions were clear. The scoring methodology was consistent. Risk owners understood how to evidence their ratings. It was straightforward to align sustainability impacts, risks and opportunities with the enterprise risk management approach.

In other organisations, the risk register existed and was populated, but when I asked “how do you score this as high, medium or low?” the answer could be vague. Sometimes the methodology lived in someone’s head. Sometimes the scoring was described as experience-based. Sometimes it was acknowledged as partially subjective. And sometimes there was no clear evidence trail for why a risk was rated the way it was.

That always stood out to me. Not because judgement is wrong; risk assessment always includes judgement. But because when the organisation relies on risk ratings to prioritise investment, governance attention, audit focus, and strategic decisions, it needs a clear, repeatable and documented method behind those ratings.

And when ESG enters the picture, that need becomes even more important.

The hidden risk in many double materiality exercises

Double materiality requires organisations to assess Impact Materiality (i.e., how the company affects people and the environment) and Financial Materiality (i.e., how sustainability topics create risks and opportunities that influence financial performance and enterprise value).

These are not abstract concepts. They inform reporting, governance, risk management, strategy, and increasingly, assurance readiness. The challenge is that many organisations treat the ESG impacts, risks and opportunities assessment as its own parallel process. It can become a sustainability workshop series that produces a list of topics, a heat map, and some narrative. Meanwhile the risk team continues to run its own enterprise risk management cycle with its own scales, thresholds, and language.

This creates a gap.

ESG impacts, risks and opportunities become harder to prioritise because they are not scored or expressed in a way that leadership can compare against other enterprise risks. They can feel like additional reporting content rather than inputs to decision making. The organisation ends up doing more work, not better work.

Why integrating ESG into enterprise risk management changes everything

Enterprise risk management exists to help organisations identify, assess, manage and monitor uncertainty. It brings structure and accountability. It defines governance pathways. It creates a shared language for risk. When ESG impacts, risks and opportunities are aligned to that same system, several valuable outcomes follow.

Consistency in how issues are prioritised

Leadership teams are not short of information. They are short of clarity. If ESG risks and opportunities are scored on a separate scale, or using different definitions, it becomes difficult to compare and prioritise. A consistent scoring approach makes ESG risks legible at leadership level.

Less duplication and better use of internal resources

Many sustainability teams are stretched. Many risk teams are also stretched. Integrating processes reduces duplication, avoids conflicting outputs, and creates one coherent view of the risk landscape.

Better governance and clearer ownership

ESG issues often cut across functions: procurement, operations, HR, finance, legal, risk, sustainability. When ESG risks are integrated into enterprise risk management, ownership is clearer and escalation pathways are stronger.

Stronger evidence and an audit trail

As reporting expectations mature, organisations need to show not just what they believe, but how they arrived at those conclusions. Integration supports evidence-based assessment and better documentation.

Improved resilience and strategic decision making

Physical climate risk, transition risk, resource volatility, litigation, supply chain disruption, workforce expectations. These are business risks. Treating them as such is not only sensible, it is necessary.

Why risk scoring often breaks down, and what ESG exposes

It is worth saying this clearly. Risk assessment is never fully objective. But it should still be structured, transparent, and repeatable. Where scoring breaks down in many organisations, ESG tends to expose it. Here are a few common reasons:

Different time horizons

Risk teams often work in annual cycles, sometimes with a three to five year outlook. ESG risks often unfold over longer horizons, or they present as slow-build issues that become acute later. Climate physical risks can have near-term impacts, but also long-term compounding effects. If time horizons are not explicitly addressed in the risk criteria, ESG risks can be mis-scored: a likelihood judged over a one-year cycle will look remote for a risk that is almost certain over a decade.

Different types of impact

Traditional enterprise risk management often focuses on financial, operational, compliance and reputational impacts. ESG introduces human impacts, ecosystem impacts, and systemic risks. These can be hard to translate into the usual definitions unless the framework is expanded thoughtfully.

Low probability, high impact events

Severe weather, supply chain shocks, regulatory shifts, litigation, social unrest. ESG is full of risks that can be low probability but very high impact. If the risk criteria are not designed to capture this, for example by rating severe impacts at a minimum level regardless of likelihood, these risks can be consistently under-weighted by a plain likelihood-times-impact score.

Lack of clear thresholds

If “high impact” is not defined, scoring becomes inconsistent. One risk owner’s “high” becomes another’s “medium.” That inconsistency makes it harder to compare and harder to manage.

A practical approach to integrating ESG impacts, risks and opportunities into enterprise risk management

Integration does not mean forcing ESG into a rigid template. It means creating alignment where it adds value and adapting the framework where ESG requires a broader lens. Here is a practical approach that I have seen work well.

1. Start with a shared language

Before scoring anything, align on definitions. What is an ESG risk in your organisation? What is an opportunity? What is an impact? What is the difference between impact materiality and financial materiality? What time horizons matter for your business?

Be clear on what these terms mean and how your organisation understands them. This avoids confusion later.

2. Align scoring criteria and calibrate thresholds

If the organisation already has likelihood and impact definitions, start there. Then test whether those definitions work for ESG risks. For example, do you need impact categories that include people and environment alongside financial and operational? Do you need guidance on how to score reputational impacts? Do you need separate time horizon guidance? The goal is one coherent scoring method, not two competing systems.

3. Map ESG impacts, risks and opportunities to the existing risk universe

Rather than creating a standalone ESG register, connect ESG items to the existing risk taxonomy. Climate physical risk may map to operational resilience and business continuity. Transition risk may map to strategic risk and regulatory risk. Human rights risks may map to supply chain risk and reputational risk. This mapping helps ESG become part of the organisation’s risk conversation.

4. Embed ownership and controls

If a risk exists, it needs an owner. It also needs a view of controls. What processes mitigate the risk? What policies exist? What governance exists? What metrics monitor it? This is where ESG becomes operational, not theoretical.

5. Build a clear evidence trail

A mature approach includes documentation that supports the rating. Why was the risk rated as high? What data supports it? What assumptions were used? What scenarios were considered? This strengthens governance, supports reporting integrity, and prepares the organisation for future assurance expectations.

6. Integrate ESG into existing reporting and escalation cycles

If the risk committee reviews enterprise risks quarterly, ESG risks should be visible there too, in the same format, using the same language. This is one of the simplest and most powerful ways to embed ESG into decision making.

7. Connect the outputs to action

The purpose is not a better heat map. The purpose is better decisions. What is the management response? What investment is needed? What targets or metrics should be adopted? What changes to procurement, operations, or governance are required? This is where sustainability starts to drive resilience and value.
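As an added illustration of steps 2 and 5 (and of the low-probability, high-impact problem above), the following Python is not the author's method or any organisation's real criteria. The 1 to 5 scales, the rating bands, the severe-impact floor and the evidence flags are all hypothetical, constructed here to show what a documented, repeatable scoring method with an evidence trail looks like when written down rather than carried in someone's head.

```python
from dataclasses import dataclass, field

# Hypothetical documented 1-5 scales (constructed for this example, not any
# organisation's real criteria). Writing the definitions down is the point:
# a rating is only repeatable if "high" means the same thing to every owner.
LIKELIHOOD_SCALE = {
    1: "rare: <5% chance within the assessment horizon",
    2: "unlikely: 5-20%",
    3: "possible: 20-50%",
    4: "likely: 50-80%",
    5: "almost certain: >80%",
}
IMPACT_SCALE = {
    # A financial axis and a people/environment axis sit side by side so an
    # impact-materiality item can be scored on the same 1-5 ladder.
    "financial": {1: "<0.1% of revenue", 2: "0.1-1%", 3: "1-5%", 4: "5-10%", 5: ">10%"},
    "people_environment": {
        1: "negligible and fully reversible",
        2: "minor, localised, reversible within a year",
        3: "moderate harm or multi-year recovery",
        4: "serious harm, wide scope, slow recovery",
        5: "severe, widespread or irreversible harm",
    },
}
# Rating bands applied to the 1-25 likelihood x impact score (hypothetical).
RATING_BANDS = ((15, "high"), (8, "medium"), (0, "low"))
# Any impact scored 5 is rated at least "medium" however unlikely it is, so
# low-probability, high-impact events are not buried by the product alone.
SEVERE_IMPACT_FLOOR = "medium"
RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RiskAssessment:
    risk_id: str
    likelihood: int
    impact: int
    impact_type: str          # key of IMPACT_SCALE
    horizon_years: int        # time horizon the likelihood was judged over
    evidence: list[str] = field(default_factory=list)


def band_for(score: int) -> str:
    """Map a 1-25 score onto the documented rating bands."""
    for floor, rating in RATING_BANDS:
        if score >= floor:
            return rating
    return "low"


def naive_rating(likelihood: int, impact: int) -> str:
    """Plain likelihood x impact with no floor: what many registers actually do."""
    return band_for(likelihood * impact)


def calibrated_rating(a: RiskAssessment) -> dict:
    """Score against the documented scales and return the rating together with
    its rationale, so the register records why the rating is what it is."""
    if a.likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"{a.risk_id}: likelihood {a.likelihood} is not on the 1-5 scale")
    scale = IMPACT_SCALE.get(a.impact_type)
    if scale is None or a.impact not in scale:
        raise ValueError(f"{a.risk_id}: impact {a.impact}/{a.impact_type} is not on a documented scale")

    score = a.likelihood * a.impact
    rating = band_for(score)
    rationale = [
        f"likelihood {a.likelihood} = {LIKELIHOOD_SCALE[a.likelihood]} over {a.horizon_years}y",
        f"impact {a.impact} ({a.impact_type}) = {scale[a.impact]}",
        f"score {score} -> band '{rating}'",
    ]
    flags = []
    if a.impact == max(scale) and RANK[rating] < RANK[SEVERE_IMPACT_FLOOR]:
        rating = SEVERE_IMPACT_FLOOR
        rationale.append(f"severe-impact floor applied -> '{rating}'")
    if not a.evidence:
        flags.append("no evidence recorded for this rating")
    if a.horizon_years > 5 and len(a.evidence) < 2:
        flags.append("long-horizon risk with a single source: consider scenario analysis")
    return {"risk_id": a.risk_id, "score": score, "rating": rating,
            "rationale": rationale, "flags": flags}


if __name__ == "__main__":
    # Constructed sample: a rare but severe physical climate event.
    flood = RiskAssessment("ESG-01", likelihood=1, impact=5, impact_type="financial",
                           horizon_years=10, evidence=["2023 flood model output"])
    print(naive_rating(flood.likelihood, flood.impact))   # low
    print(calibrated_rating(flood))                       # medium, with rationale and flags
```

The contrast in the sample is the point: the same rare, severe flood scores 5 out of 25 and lands in "low" under the plain product, while the calibrated version rates it "medium", records the scale definitions it used, and flags that a ten-year-horizon risk rests on a single evidence source. Both the floor and the flags are choices an organisation would set in its own criteria; what matters is that they are written down and applied the same way to every item in the register.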

What good looks like: a quick maturity check

If you are wondering whether your organisation is truly integrating ESG into enterprise risk management, here are a few signals.

Do we have documented criteria for likelihood and impact?
Are those criteria consistently applied and evidenced?
Can ESG risks be prioritised alongside other enterprise risks using the same scoring logic?
Are ESG risks owned by senior leaders, not just the sustainability team?
Do ESG risks appear in the same governance forums as other risks?
Is there a clear link between ESG risk assessment, strategy, and reporting?

If the answer is no to several of these, it does not mean you are behind. It simply means there is an opportunity to strengthen the foundations.

How I See It

In my experience, one of the fastest ways to mature ESG is to stop treating it as separate.

When ESG impacts, risks and opportunities are assessed using the same discipline as enterprise risks, organisations move from awareness to action. They reduce duplication. They improve governance. They create consistency. They build credibility in reporting. And they become more resilient in a world where sustainability risks are increasingly business risks.

This is also where double materiality becomes genuinely useful. Not just a compliance exercise, but a mechanism to integrate ESG into how the organisation understands risk and makes decisions.

If your organisation is working through double materiality, strengthening ESG governance, or trying to integrate ESG into enterprise risk management in a practical way, this is exactly the type of work I support through Orogen8. The goal is always the same. Build clarity, strengthen foundations, and help ESG become part of how the business is run.
