Greenwashing Risk Assessment: How to Audit ESG Claims

Photo of author
Written By Chris Ekai

In September 2024, Australia’s Federal Court ordered Vanguard Investments Australia to pay a record A$12.9 million penalty for misleading ESG claims. A greenwashing risk assessment run honestly would have caught the problem years earlier: about 74% of the securities in the fund Vanguard marketed as ethically screened were never screened at all.

ASIC called it the highest greenwashing penalty an Australian court has imposed, and the regulator has kept misleading sustainability claims at the top of its enforcement priorities since. The claims concerned exclusionary screens on the Ethically Conscious Global Aggregate Bond Index Fund, screens the research process never actually applied.

Greenwashing Risk Assessment: Key Takeaways
A greenwashing risk assessment audits every public environmental and ESG claim against the evidence behind it, then scores the gap the way a regulator would.
Enforcement is no longer theoretical: over 400 greenwashing actions were recorded globally in 2026, and penalties already include Vanguard’s record A$12.9 million, DWS’s $19 million SEC fine plus a EUR 25 million German fine, Invesco’s $17.5 million, and Keurig’s $1.5 million.
Five steps carry the whole method: inventory every claim, map each one to evidence, rate substantiation, score likelihood and impact, then remediate and monitor.
Evidence is graded on a hierarchy, from independent reasonable assurance at the top to a bare marketing assertion at the bottom, and IAASB’s ISSA 5000 standard formalizes the assurance layer from December 15, 2026.
Deadlines force the calendar: the EU bans generic environmental claims and offset-based carbon neutral labels from September 27, 2026, and the FCA anti-greenwashing rule has applied to authorized firms since May 31, 2024.
Controls make it stick: a claim register with named owners, a pre-publication substantiation gate, greenwashing KRIs on the risk dashboard, and an annual re-audit wired into the ERM cycle.

 

The same failure pattern now costs consumer brands, banks, and airlines real money, with more than 400 greenwashing enforcement actions recorded globally in 2026 alone.

The fix is a disciplined ESG claims audit: inventory every public claim, test the evidence behind each one, score the exposure, and rewrite or withdraw what fails.

What a Greenwashing Risk Assessment Actually Tests

A greenwashing risk assessment is a structured audit of every environmental and sustainability claim an organization makes in public. It tests whether each statement is backed by evidence that would survive regulatory scrutiny, then scores the gap between what the company says and what its own data shows.

Scope is where most programs undershoot. Fund names, annual reports, product packaging, advertising, investor decks, and website copy all carry claims a regulator can act on, so the assessment starts from a complete claim inventory rather than the sustainability report alone. The method mirrors any compliance risk assessment, applied to words instead of processes.

Keurig Dr Pepper learned the packaging lesson in September 2024, when the SEC fined it $1.5 million over annual report statements that K-Cup pods could be effectively recycled. Two of the largest US recycling companies had already told Keurig they would not accept the pods, and the filings never said so.

Run it with the same rigor as a risk-based internal audit and feed the results into the enterprise risk register. Greenwashing risk is legal, reputational, and financial at once, which is why it deserves its own line rather than a footnote under compliance.

The Claim Types a Greenwashing Risk Assessment Must Inventory

Claim type Typical example Regulatory hook
Product claims “100% recyclable” or “compostable” packaging FTC Green Guides; SEC disclosure rules (Keurig, $1.5M, 2024)
Carbon and net-zero claims “Carbon neutral by 2030” based on offsets EU ECGT Directive bans offset-based labels from Sept 27, 2026
Fund and product names “Ethically Conscious” or “Sustainable” fund labels SEC Names Rule 80% test; ASIC v Vanguard (A$12.9M, 2024)
Process claims “ESG is integrated into every investment decision” SEC v DWS ($19M, 2023); Frankfurt prosecutors (EUR 25M, 2025)
Aspirations stated as fact “We are a leader in sustainable finance” FCA anti-greenwashing rule FG24/3 (May 31, 2024)
Biodiversity and nature claims “Deforestation-free supply chain” RepRisk: biodiversity-linked greenwashing incidents tripled

Chart: Greenwashing Risk Assessment Enforcement in Numbers

Greenwashing Risk Assessment: How to Audit ESG Claims

Figure 1. The enforcement numbers that moved greenwashing risk assessment from optional to standing agenda item.

The Regulatory Map Behind Every Greenwashing Risk Assessment

Regulators on three continents can now act against the same sentence with different tools. The SEC polices ESG statements in filings and fund names, the FTC polices marketing under the Green Guides, and state attorneys general add consumer protection suits on top. A greenwashing risk assessment maps each claim to every rule that touches it.

Europe raised the bar for 2026. The Empowering Consumers for the Green Transition Directive bans generic environmental claims and offset-based carbon neutral labels from September 27, 2026. The European Commission signaled in June 2025 that it intends to withdraw the separate Green Claims Directive proposal, but the consumer-facing ban stands.

The UK closed the loop for financial firms first. The FCA anti-greenwashing rule, in force since May 31, 2024, requires every sustainability claim by an authorized firm to be fair, clear, and not misleading. The UK Advertising Standards Authority now runs an AI tool that finds misleading green claims without waiting for a complaint.

Regulator / rule What it demands of ESG claims Key date
SEC Names Rule amendments Funds with ESG or sustainability names must invest 80% of assets in line with the name Adopted Sept 2023
SEC Division of Examinations Risk alert flagged systematic gaps in fund ESG disclosures, a signal of exam-driven enforcement Nov 2025
FTC Green Guides (16 CFR 260) Substantiation for environmental marketing claims; update under review since 2022 Review open
EU ECGT Directive Bans generic green claims and offset-based carbon neutral product labels for consumers Sept 27, 2026
FCA FG24/3 (UK) Sustainability claims by authorized firms must be fair, clear, and not misleading May 31, 2024
IAASB ISSA 5000 Global baseline standard for limited and reasonable sustainability assurance engagements Dec 15, 2026

 

KPMG’s December 2025 international regulatory overview of greenwashing tracks these rules across dozens of jurisdictions and reaches the same conclusion the fines do. Claims travel globally, enforcement is local, and the assessment has to check both. Anchor the mapping in your compliance risk analysis so nothing falls between regimes.

Chart: What Failed Greenwashing Risk Assessments Have Cost

Greenwashing Risk Assessment: How to Audit ESG Claims

Figure 2. Six enforcement outcomes a working greenwashing risk assessment is designed to prevent.

How to Run a Greenwashing Risk Assessment in Five Steps

Five steps take the program from scattered marketing copy to a defensible register entry. The sequence follows standard risk assessment methodology, applied to claims instead of assets, and it borrows its evidence discipline from audit. Practitioner rule: start with the claims customers see, not the ones the sustainability team likes.

Step What you do Output
1. Inventory Pull every environmental and ESG claim from filings, fund names, packaging, ads, and the website into one register with a named owner per claim Claim register
2. Map evidence Trace each claim to the data, methodology, and any third-party verification behind it, with a link to the source file Evidence map
3. Rate substantiation Grade every claim: fully substantiated, partially substantiated, no evidence on file, or contradicted by internal data Substantiation grades
4. Score exposure Score weak claims for likelihood of regulator or NGO attention and impact in penalties, litigation, and reputation Ranked risk scores
5. Remediate and monitor Rewrite, substantiate, or withdraw failing claims; set KRIs, a pre-publication gate, and a re-audit date Action plan + monitoring

 

Step one is where Vanguard’s case would have ended differently. A claim register forces the question “who owns this sentence?” for every public statement, and the step-by-step risk assessment habit of documenting scope keeps marketing copy from escaping the net.

Scoring in step four works on a standard likelihood-and-impact grid. Use the same qualitative and quantitative scales as the rest of the risk function, with regulator attention, penalty size, and class action exposure as the impact drivers. A scenario-based view helps price the tail: ask what the claim looks like quoted in an enforcement release.

Claims drift as products, suppliers, and data change, so re-run the greenwashing risk assessment annually and re-grade any claim whose evidence is older than twelve months. The review frequency question has a sharper answer here than almost anywhere else in risk.

Auditing ESG Claims: The Greenwashing Evidence Test

Evidence decides everything. DWS paid the SEC $19 million in September 2023 because its statements about ESG integration were not matched by the controls behind them, and Frankfurt prosecutors added a EUR 25 million fine in April 2025 over marketing that called ESG an integral part of the firm’s DNA.

A claim carried by independent assurance sits in a different risk class than the same words carried by a brochure. The greenwashing risk assessment prices that difference through a five-tier evidence hierarchy rather than a yes-no checkbox, graded in the scoring model.

Evidence tier Examples Weight in the assessment
Independent reasonable assurance Audited GHG inventory; assured sustainability report under ISSA 5000 Strongest; claim can stand as stated
Independent limited assurance Limited assurance over selected ESG metrics, CSRD-style Strong; watch scope exclusions
Internal data with lineage Metered energy data, supplier attestations, documented methodology Moderate; needs internal audit testing
Internal policy or methodology Screening policy, exclusion list, ESG integration procedure Weak alone; Vanguard had the policy, not the practice
Marketing assertion only “Eco-friendly,” “green,” “sustainable” with no source file Fails; rewrite or withdraw the claim

 

The assurance layer is being standardized right now. The IAASB’s International Standard on Sustainability Assurance 5000 takes effect for engagements covering periods from December 15, 2026, works for both limited and reasonable assurance, and applies to any reporting framework. PwC’s briefing on the standard flags it as the global baseline ESG claims audits will be measured against.

ISO 31000 supplies the risk process behind the evidence test, the ISO 14000 family covers self-declared environmental claims and GHG verification, and the ISO 31000 versus COSO comparison settles which enterprise framework the results report into when findings reach the board.

Chart: Greenwashing Risk Trends Every Assessment Should Track

Greenwashing Risk Assessment: How to Audit ESG Claims

Figure 3. RepRisk’s 2025 data: banking flags up 19% in a year, and biodiversity-linked greenwashing doubled since 2021.

Greenwashing Risk Assessment Controls, KRIs, and Ownership

Ownership fails before method does. Marketing writes the claims, sustainability owns the data, legal reviews a subset, and nobody owns the total exposure.

The IIA Three Lines Model fixes the split: claim owners in the first line, a compliance-run assessment in the second, and internal audit testing the whole system in the third.

One control outworks all the others: a pre-publication substantiation gate. No environmental claim ships in any channel until the evidence link in the claim register is current and the second line has signed it. Wire the gate into the risk and control self-assessment so it gets tested, not just documented.

Greenwashing KRI Warning threshold Owner
Live claims graded unsupported or contradicted More than 5% of the claim register Chief sustainability officer
Claims with evidence older than 12 months Any Sustainability reporting lead
Public releases that skipped the substantiation gate More than zero per quarter Chief marketing officer
Regulator inquiries or NGO complaints on green claims Any General counsel
Supplier data coverage behind supply chain claims Below 80% of spend Procurement / third-party risk
Assurance findings open past 90 days More than two Internal audit

 

Treat these like any other key risk indicators: set thresholds against the risk appetite statement, and put the six numbers on the KRI dashboard the board already reads. Supply chain claims deserve their own line because third-party data is where evidence quality collapses first.

A Worked Greenwashing Risk Assessment Example

Picture a mid-cap US consumer goods company with 40 live environmental claims across packaging, advertising, and an annual impact report. A first-pass ESG claims audit typically grades about 14 fully substantiated, 15 partially substantiated, 8 with no evidence on file, and 3 contradicted by internal data.

The three contradicted claims go to legal the same week. A recyclability claim the company’s own waste contractor disputes is a Keurig-shaped exposure, and withdrawal usually costs less than the enforcement release. The eight unsupported claims get 90 days to find evidence or a rewrite.

Chart: Scoring the Worked Greenwashing Risk Assessment

Greenwashing Risk Assessment: How to Audit ESG Claims

Figure 4. The worked example’s substantiation split: 11 of 40 claims form the remediation queue.

Partially substantiated claims are the subtle ones. “Made with 50% recycled content” backed by data covering one product line gets scoped down to that line, and the qualifier goes in the headline, not the footnote. That is what the FTC Green Guides mean by clear and prominent qualification.

Residual exposure then enters the enterprise risk management framework as a scored risk with an owner and a re-audit date, managed through the normal risk management lifecycle. The output regulators respect is proof the company tests its own words before publishing them.

Greenwashing Risk Assessment: Frequently Asked Questions

What is a greenwashing risk assessment?

A greenwashing risk assessment is a structured audit of an organization’s public environmental and ESG claims against the evidence supporting them. It grades each claim’s substantiation, scores the regulatory and reputational exposure of weak claims, and produces a remediation plan with owners and deadlines.

How often should a greenwashing risk assessment be run?

Run the full assessment annually and re-grade any claim whose evidence is more than twelve months old. Trigger an off-cycle review when products, suppliers, or regulations change, and before any major campaign or report that leans on environmental claims. Deadline-heavy years like 2026 justify an extra mid-year check.

Who should own the greenwashing risk assessment?

Second-line compliance or risk should run the greenwashing risk assessment, with each claim owned by the function that published it and internal audit testing the process. Concentrating everything in the sustainability team fails because that team often wrote the claims being tested.

What evidence does a greenwashing risk assessment require for each ESG claim?

Every claim needs a live link to its source: measured data with lineage, a documented methodology, or independent assurance. A policy alone is not enough. Vanguard had an exclusionary screening policy, and the court fined it A$12.9 million because the screening never actually happened.

How does a greenwashing risk assessment differ from sustainability assurance?

Assurance under ISSA 5000 is an external opinion on reported sustainability information, usually once a year. A greenwashing risk assessment is the internal, all-channel exercise that also covers ads, packaging, fund names, and web copy, and it ranks exposure rather than issuing an opinion.

Which US rules make a greenwashing risk assessment necessary?

The FTC Green Guides govern environmental marketing, the SEC polices ESG statements in filings and fund names under the amended Names Rule, and state consumer protection laws add private litigation. The SEC’s November 2025 examinations risk alert signals that fund disclosure reviews are tightening.

Greenwashing Risk Assessment Pitfalls and Remedies

Most failed greenwashing risk assessment programs share the same handful of root causes. The table below lists the six failures seen most often in enforcement releases and hands-on assessment work, along with the remedy that actually holds up under regulatory pressure.

Pitfall Root Cause Remedy
Auditing the sustainability report only Scope set by reporting team, not by where claims live Inventory all channels: packaging, ads, fund names, web, decks
Policy mistaken for evidence Assessment checks documents exist, not that they run Test operation like Vanguard’s screens: sample and verify
Aspirations worded as achievements Marketing pressure plus no substantiation gate Pre-publication gate; date-stamp targets and label them as targets
Stale evidence behind live claims No refresh cycle after first substantiation 12-month evidence expiry KRI with a named owner
Supply chain claims without supplier data Scope 3 and sourcing claims outrun procurement coverage Cap claims at verified supplier coverage; fix the data first
No single owner of total exposure Claims split across marketing, IR, and sustainability Second-line ownership with board-level KRI reporting

Looking Ahead: Greenwashing Risk Assessment in 2026-2027

Two deadlines dominate the next eighteen months. The EU’s consumer claims ban bites on September 27, 2026, removing generic green wording and offset-based carbon neutral labels from products sold in Europe, and ISSA 5000 becomes the assurance baseline for periods starting December 15, 2026. US companies selling into the EU inherit the first deadline whether or not they report under CSRD.

Enforcement itself is hardening: the 400-plus greenwashing actions recorded in 2026 include criminal referrals, and the SEC’s November 2025 risk alert on fund ESG disclosures reads like an exam plan. Expect the next DWS-scale case to start from a routine examination rather than a whistleblower.

Detection is going algorithmic on both sides. The UK ASA already scans ads with AI, and RepRisk’s incident data shows severity rising even in years when incident counts fell. Its 2025 report points at biodiversity as the next claim category regulators will test, with linked incidents tripling.

The practitioner move for 2026 is unglamorous: get the claim register built and graded before the September deadline, and put the six greenwashing KRIs on the next quarterly risk report. Companies that can show a tested greenwashing risk assessment will negotiate with regulators; companies that cannot will settle.

Infographic: The Greenwashing Risk Assessment in Five Steps

Process infographic for greenwashing risk assessment showing the five-step ESG claims audit: inventory claims, map evidence, rate substantiation, score exposure, remediate and monitor

Figure 5. Greenwashing risk assessment as a five-step loop: inventory, evidence, grade, score, and monitor every ESG claim.

 

Build a Defensible Greenwashing Risk Assessment

Risk Publishing helps US risk and compliance teams turn scattered ESG claims into a defensible greenwashing risk assessment, from the claim register to the board KRI report. Review our services, then contact us before a regulator runs the audit for you.

Index