Chief risk officers have been managing ESG exposures for some time now, but compliance is getting more complicated. Dean Alms, chief product officer at Aravo explains why risk professionals must step up

For many chief risk officers (CROs), environmental, social, and governance (ESG) may be a new way to classify existing enterprise risks.

But because it’s a relatively new taxonomy, managing ESG risks and complying with related laws and mandates often fall to compliance teams or CROs.


 These risks include:

  • Environmental: greenhouse gas emissions; waste management; climate disclosures; sustainable business practices
  • Social: child or forced labor; diversity, equity, and inclusion; working conditions; health and safety
  • Governance: anti-bribery and corruption; fraud; corporate behavior; internal controls over financial reporting

Until recently, CROs likely managed these risks vis-a-vis a sudden or emerging event, such as a severe storm, operational disruption, or public backlash to a negative news story.

They likely developed contingency plans for business continuity and to mitigate these disruptions. But times and corporate requirements are changing – especially for risk professionals.

Risk managers – take notice

ESG laws have been proliferating globally, requiring more companies to conduct supplier and third-party due diligence and disclose findings to regulatory bodies.

In 2022 alone, more than 90% of S&P 500 companies published ESG reports in some form. The number and type of companies filing disclosure reports are likely to increase as new ESG laws pass, such as:

  • The German Supply Chain Due Diligence Act (LkSG) requires companies based or operating in Germany with 3,000 or more employees (1,000 or more in 2024) to conduct due diligence on their and their suppliers’ environmental and social business practices or pay hefty fines for non-compliance.
  • The EU’s Corporate Sustainability Due Diligence Directive (CSDDD) sets mandatory sustainability reporting standards. It increases the scope of reporting requirements and the volume of companies that must file sustainability reports.
  • The Uyghur Forced Labor Prevention Act (UFLPA) presumes that any shipment of goods, products, or materials from or transiting through Xinjiang, China are the products of forced labour; and requires importing parties to conduct sufficient due diligence to refute this presumption, otherwise their shipments will be detained at US ports of entry.
  • The Norwegian Transparency Act requires covered companies in Norway to conduct due diligence on their operations, supply chain, and business partners for certain environmental and human rights practices, to account for their due diligence activities, and to respond to information requests from the public; or incur severe penalties.

There are dozens more legacy and emerging ESG laws, particularly in highly regulated markets (e.g., pharmaceutical and financial services).

Thus, risk leaders will increasingly be marshalled to help their organisations proactively manage ESG-related risks and comply with more laws.

New risks, new responsibilities

Many risk officers now have to establish compliance programs and oversee enterprise-wide compliance efforts to fulfil their legal and regulatory obligations.

In effect, the role of some risk managers may be evolving into a compliance and risk officer.

Legal and compliance teams must identify the applicable laws and regulations, along with their requirements, reporting formats, and deadlines to ensure the company complies with the letter and spirit of ESG laws.

Otherwise, companies risk incurring fines and penalties, reputational damage, lost revenue, and market share.

For example, as of April 2023, nearly $1 billion in goods have been seized at US ports of entry after importing parties failed to provide sufficient due diligence reporting to comply with the UFLPA. The Act had only been in effect for 10 months.

Five steps to build a world-class ESG risk and compliance program

Chief risk officers can adopt strategies and solutions to drive an ESG risk management program.

These include:

  • Stakeholder Engagement:   Engage with internal and external stakeholders to gain insights into ESG concerns and expectations. Collaborate with industry peers and regulatory bodies to stay informed about evolving standards and regulations.
  • End-to-End Risk Identification:   Conduct thorough assessments to identify potential ESG risks across the organisation and the myriad of third parties you work with. This involves understanding the impact of environmental, social, and governance factors on business operations.
  • Data Management:   Effectively manage ESG-related data, as it forms the foundation for risk analysis and compliance reporting. Utilise solutions to automate and streamline ESG data collection and analysis.
  • ESG Reporting Templates:   There’s no need to recreate the wheel. Select industry-standard reporting templates to meet your company’s legal and regulatory needs, such as due diligence reporting.
  • Continuous Monitoring:   Regularly monitor your company’s (and your suppliers’) ESG performance to remain vigilant and address emerging risks proactively and effectively.

By incorporating these practices and tools, CROs can foster a culture of responsible corporate citizenship while mitigating ESG risks and achieving compliance with laws and regulations.

Calling all risk managers!

Is climate change on your risk radar as a physical risk, transition risk or in some other form? How prepared is your organisation for the transition to net-zero? How engaged are your board and executive management with these issues?

StrategicRISK’s annual climate survey tracks how risk managers are thinking about and dealing with climate risks. We want you to tell us how you are mitigating the threats and capitalising on the opportunities created by the race to net-zero.

Please take part in our quick survey. All will be anonymised and the results will appear in this year’s annual special climate change report in the Q3 edition of StrategicRISK, as well as being published on our website.