Elevate your ESG maturity: Risk assessment and infrastructure

In today’s corporate landscape, the integration of ESG considerations into a company’s risk management process and the establishment of robust infrastructure for tracking ESG achievements are not just beneficial practices – they are essential. By addressing ESG risks proactively and implementing solid infrastructure, organizations can effectively work toward a more equitable and sustainable future.

As the environmental, social, and governance (ESG) conversation continues to reshape both the way businesses operate and society at large, companies must develop strong ESG practices and policies to make sure they are prepared for the evolving demands of a more conscientious global market.

Risk assessment and infrastructure are used to identify and manage companies’ risks related to ESG factors, inform decision-making, and enhance ESG-related accountability and transparency. Being able to communicate risks and mitigation strategies to investors, stakeholders, and regulatory agencies helps build trust with those entities while also demonstrating the company’s commitment to responsible ESG practices. 

Risk assessment includes conducting thorough examinations of ESG-related risks – particularly climate-change impacts – and embedding these risks into existing enterprise risk management (ERM) frameworks. This not only allows companies to comprehensively understand and effectively mitigate potential ESG-related pitfalls, but is also crucial for aligning ESG objectives with broader business strategies and making sure that sustainable and responsible practices are at the core of business operations. Climate risk is a newer ESG focus area for most companies, encompassing two types of risk related to climate change and mitigation efforts:

  • Physical risks: The actual impacts of climate change, which can be event-driven (e.g., a hurricane every so often) or more chronic (e.g., rising sea levels).
  • Transition risks: Risks associated with transitioning to a lower-carbon economy. This could include impacts of regulations around sustainability practices, or the cost of implementing new technology to prepare for this transition. It could also include brand risks, i.e., how customers react to whether the business is transitioning.

Infrastructure refers to the systems that are put in place to track a company’s ESG goals and achievements. This implementation is vital for maintaining regulatory compliance, gaining data-driven insights, enhancing operational efficiencies, and fostering innovation. Infrastructure generally includes any software or data-tracking mechanisms that 1) calculate the potential ESG risk, and 2) track the company’s progress toward its ESG goals and targets. As regulatory landscapes evolve, processes will need to be agile and adaptable, shifting in response to emerging requirements.

Together, risk assessment and infrastructure comprise the fourth “cog” in the bigger picture of CohnReznick’s ESG Maturity Model.

Maturity Model: Risk assessment and infrastructure

| Novice | Supporter | Gamechanger |
|---|---|---|
| No established processes or frameworks to manage ESG risks | ESG-related risks are not considered in comparison to, and are not prioritized with, other company risks | ESG risks are embedded into the enterprise risk management (ERM) framework |
| Data collection and reporting is a manual process | Tools and systems are used, but there are identified data quality gaps | ESG processes are integrated into core planning and key business processes; tools are evaluated against best practice and revised to keep optimal |

At the Novice stage, companies generally don’t have any formal processes in place to evaluate ESG risks. In some cases, ESG risks may overlap with more general business risks – health and safety, for example – but they are not yet viewed individually, uniquely, as ESG risks. Any work related to risk and infrastructure is largely done manually, relying on error-prone approaches like plugging numbers into spreadsheets to meet reporting requirements. Data quality may be poor due to these faulty collection processes – not to mention, there may be gaps in the data where the company is not collecting the right information.

At the Supporter stage, companies are becoming more proficient in these areas. While they haven’t yet fully prioritized and integrated ESG factors into their core business strategies, they are starting to consider ESG risks, and might have started collecting some relevant data. As a result, they are not only identifying and mitigating the potential risks, but also making sure that operations are equipped to support sustainable growth. For example, Supporters may be using advanced analytics to assess their supply chain environment, or may be formalizing and implementing sustainable procurement practices. On the infrastructure side, Supporters are exploring more formal software solutions and identifying which tools and systems can help them automate their data collection processes. 

For Gamechangers, managing ESG risk assessment and infrastructure is a seamless process that has become part of their everyday practices. They have various ESG and climate-related risks embedded into enterprise risk management, and have enabled effective knowledge-sharing across the organization. Gamechangers have a consistent understanding of how risks and opportunities uniquely impact their organization. They have ESG risk fully incorporated into their business strategy, and are consistently looking for opportunities to improve – a key differentiator from Novices and Supporters, who tend to remain largely focused on compliance. For example, Gamechangers are tracking ESG requirements working their way through regulatory settings, and when regulations do come into effect, they are more prepared, with processes already in place to meet them.

Novice stage: Identify gaps and strengthen processes

As they work toward the Supporter milestone, Novices can begin to develop and implement risk management and infrastructure processes that allow them to assess both qualitative and quantitative risks. The goal here should be to tighten data completeness and data quality: Identify data gaps related to ESG risks, put collection processes in place, confirm whether the data collected is complete and reliable, and make improvements as needed.

ESG risk should now be considered a “business as usual” risk, and monitored as carefully as any other. As discussed earlier, Environmental risk includes climate risks, both physical and transition-related. From a physical risk standpoint, such assessments should include all facilities, warehouses, and offices that may be prone to extreme weather events or other natural disasters. A best practice is to consider the potential short-, medium-, and long-term climate-related risks associated with those facilities and plan accordingly.

Social and Governance risks might be tied more closely to business and financial impacts. For example, as mentioned above, a company might consider health and safety as a business risk, but it is also considered a social and reputational risk. 

To most comprehensively identify and assess ESG risks and develop the correct infrastructure:

  1. Map out any risks associated with ESG in general (some of which might overlap with currently-monitored business risks).
  2. Identify what processes are currently in place to track data related to these risks (e.g., health and safety data), and which risks are not yet being tracked (e.g., climate change impacts).
  3. For data that is currently being tracked, evaluate the quality of the data, and improve processes if needed. For data around ESG risks that is not being tracked, develop solutions and infrastructure to track that risk.

Companies can also look across the country and overseas for indicators of what may be coming next in terms of ESG regulation. Consider material topics in legislation such as California’s two new climate regulations; the SEC’s Climate Disclosure Rules; and the EU’s Corporate Sustainability Reporting Directive (CSRD). While companies might not have to comply yet based on their jurisdiction, they can – and should – start planning now for future disclosures based on the regulations.

Overall, companies should tackle ESG-related risks with the same rigor that they would apply to financial risks. Look at how financial reporting infrastructure is set up, and use a similar approach with ESG. Better yet, integrate ESG-related risks into the same process used to monitor and manage financial risks, to avoid duplicating resources. Even though ESG incorporates non-financial metrics, the key performance indicators (KPIs) should be viewed with the same lens of importance as financial metrics.

Supporter stage: Put the right systems in place 

Building on work they’ve done so far to identify and address ESG risks as they appear, Supporters should focus on developing formal, comprehensive processes that help them proactively identify, assess, and address all their risks – and consider the impact of ESG risks on not just their company’s operations and reputation, but also their stakeholders. 

It’s also time to start investing in software solutions, dedicated systems and/or tools that can track and collect data on any identified ESG risks. These will support organizations in recording, tracking, and mitigating ESG risks in a highly accountable, reportable way. Supporters should also re-evaluate their existing financial reporting systems to consider how they might be leveraged to collect ESG data. For example, when utility invoices are entered into the accounts payable system for payment, can electricity use also be entered so that emissions can be calculated?

Similarly: Can the price of carbon be incorporated into the company’s business forecasts, so that leaders can more quickly identify potential ESG risks that could impact their operations, financials, and reputation, and make more informed decisions, mitigate risks, and operate more sustainably?

Gamechanger stage: Seek out new opportunities 

Companies with advanced ESG strategies think beyond basic compliance and demonstrate a deep commitment to supporting ESG principles across the enterprise – and optimizing themselves to avoid any related risks. These Gamechangers are working hard to build climate resilience; foster a positive and inclusive work environment; and embed ESG principles into all corporate strategies and decision-making. They know how to measure the results of these efforts and identify any problem areas before they become critical issues. 

With this strong foundation, Gamechangers can start looking for new ways to enhance documentation and/or knowledge-sharing related to any ESG considerations. They can also enable best practices across different teams to support a complete understanding of ESG risks and opportunities within the company. 

Finally, Gamechangers can turn their attention to seeking out opportunities to use ESG to an advantage. For example, can new low-carbon technology be incorporated into specific buildings or assets to save on energy costs? How might the company be able to capitalize on changes in customer preferences, to bring in new customers – and prevent existing consumers from looking elsewhere for more ESG-friendly options?

A proven, integrated ESG methodology

Whether you are taking the first steps on your ESG journey or your existing program needs structural transformation, CohnReznick can help. Using a proven, integrated methodology that combines our own ESG experience with industry insights, we will help you effectively advance your ESG initiative at each step of its lifecycle.

Our four-phase approach is built on value creation and impact throughout the journey, and includes:

  • Phase 1: Assess ESG current state, identify ESG priorities
  • Phase 2: Design ESG strategy, roadmap, and KPIs
  • Phase 3: Implement ESG initiatives with governance, technology, and training
  • Phase 4: Validate process and data and report progress against KPIs

With a 35-year track record in community investment and shaping governance strategy, CohnReznick tailors ESG programs to meet your specific requirements. Using a process rooted in advanced data analytics and exclusive primary research, we leverage a cross-functional team that delivers seamless execution and enables fast, integrated results for companies of all sizes and across all sectors. 


Subject matter expertise

Jenny Brusgul

Sustainability Advisory Practice Leader


This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.