ESG stands for Environmental, Social, and Governance. These three words represent a framework that investors, regulators, and boards use to evaluate how organizations manage risks and opportunities beyond traditional financial metrics.
But ESG has become one of the most politically charged acronyms in American business, which means the practical meaning often gets lost in the noise.
Here is what ESG actually is: a structured way of assessing whether a company is managing the non-financial factors that affect its long-term financial performance. Environmental factors cover how the company affects and is affected by the physical environment.
Social factors address how it treats people, including employees, customers, suppliers, and communities. Governance factors examine how the company is directed and controlled at the board and executive level.
The numbers behind ESG are substantial. The global ESG investing market was valued at approximately $39 trillion in 2025, and Bloomberg Intelligence projects ESG assets will surpass $40 trillion by 2030 (Bloomberg Intelligence – Global ESG Assets Forecast).
In the United States specifically, the US SIF Foundation’s 2024 Trends Report documented $6.5 trillion in sustainable investment assets under management, representing 12 percent of total US assets under professional management (US SIF – Trends Report 2024).
Regardless of where you stand on the politics, that level of capital allocation demands that risk professionals understand what ESG means and how it works.
This guide breaks down each pillar, explains the current US regulatory landscape, and connects ESG to enterprise risk management practice. For foundational risk management concepts, see our guide on what is the risk management process.
The Environmental Pillar: What It Covers and Why It Matters
The “E” in ESG addresses how an organization interacts with the natural environment. This includes both the organization’s impact on the environment and the environment’s impact on the organization. That second part is critical because it’s where environmental factors become financial risks.
Key Environmental Factors
Climate risk and greenhouse gas emissions. This is the most prominent environmental factor. It covers Scope 1 emissions (direct emissions from sources the company owns or controls), Scope 2 emissions (indirect emissions from purchased electricity, steam, heating, and cooling), and Scope 3 emissions (all other indirect emissions across the upstream and downstream value chain).
Companies face both physical risks (damage from extreme weather events, sea level rise, water scarcity) and transition risks (policy changes, technology shifts, market preferences moving away from carbon-intensive products).
Resource use and pollution. Water consumption, waste generation, hazardous materials management, air and water pollution, and land use. For manufacturing, extraction, and agricultural companies, these factors directly affect operating costs, regulatory compliance, and community relations.
Biodiversity and ecosystems. How company operations affect natural ecosystems, deforestation, and species habitat. This factor is gaining prominence as regulators and investors recognize the financial dependencies businesses have on ecosystem services, including clean water, pollination, and soil health.
The financial materiality of environmental factors is increasingly documented. A 2025 Wharton research paper titled “Sounding the Alarm on a Looming Climate-Financial Crisis” highlighted the growing intersection between climate risk and financial stability (EY – ESG and SEC Climate Disclosure Update).
For companies managing environmental risk through structured frameworks, see our article on how to conduct a risk assessment.
The Social Pillar: People, Communities, and Stakeholder Relationships
The “S” in ESG covers how a company manages relationships with its workforce, the communities where it operates, suppliers, and customers. Social factors are often the hardest to quantify, but they carry real financial consequences through litigation, regulatory action, reputational damage, and talent attrition.
Key Social Factors
Labor practices and workforce management. Employee health and safety, fair wages and benefits, working conditions, freedom of association, and workforce training and development. Companies with poor labor practices face OSHA enforcement, workers’ compensation claims, turnover costs, and difficulty attracting talent.
Diversity, equity, and inclusion. Workforce diversity at all levels including board and executive leadership, pay equity across demographic groups, and inclusive workplace policies.
This factor has become highly politicized in the US, but from a risk management perspective, the question is whether the company faces legal exposure, talent pipeline constraints, or market access limitations related to its workforce composition.
Human rights and supply chain labor. How the company ensures its supply chain is free from forced labor, child labor, and exploitative conditions. The EU’s Corporate Sustainability Due Diligence Directive (CSDDD), adopted in 2024, requires in-scope companies to identify, prevent, and mitigate human rights and environmental risks across their operations and value chains (Harvard Law Forum – Regulatory Shifts in ESG). US companies with European operations or customers face compliance obligations under this directive.
Community impact and engagement. How the company’s operations affect local communities, including environmental justice considerations, local employment, community investment, and stakeholder engagement processes.
Product safety and data privacy. Consumer protection, product quality and safety, responsible marketing, and the protection of customer personal data. Data breaches, product recalls, and privacy violations all represent materializations of social risk factors.
For organizations building social risk into their broader risk frameworks, see our guide on key components of a risk management policy.
The Governance Pillar: How Companies Are Directed and Controlled
The “G” in ESG is the pillar most directly connected to traditional risk management and internal controls. Governance addresses the structures, processes, and practices that determine how a company is directed, how decisions are made, and how accountability is enforced.
Key Governance Factors
Board composition and independence. The mix of skills, experience, and independence on the board. Are independent directors truly independent? Does the board have members with relevant expertise in the company’s key risk areas?
Board diversity including gender, ethnicity, age, and professional background is a governance factor because it affects decision-making quality and blind spot identification.
Executive compensation. How executive pay is structured, whether it aligns management incentives with long-term shareholder value, and whether compensation metrics include risk-adjusted performance. Excessive short-term incentives can encourage risk-taking that destroys long-term value.
Audit and internal controls. The effectiveness of internal audit, the independence and competence of the audit committee, the quality of financial reporting, and the strength of internal controls over financial reporting. This is where ESG governance intersects directly with the COSO framework and the Three Lines Model.
Ethics and anti-corruption. Codes of conduct, whistleblower protections, anti-bribery and anti-corruption policies, conflicts of interest management, and the company’s track record on regulatory compliance.
The US Foreign Corrupt Practices Act (FCPA) and UK Bribery Act create significant legal exposure for governance failures in this area.
Shareholder rights. Voting structures, shareholder access to proxy, poison pills, and other mechanisms that affect the balance of power between management and owners.
Governance is where ESG and enterprise risk management share the most common ground. The COSO framework’s 2023 guidance on applying internal controls to sustainable business practices explicitly connects governance to sustainability reporting controls (Deloitte – ESG Reporting and SEC Disclosure). For more on governance frameworks, see our article on enterprise risk management.
ESG at a Glance: The Three Pillars Compared
| | Environmental | Social | Governance |
|---|---|---|---|
| Focus | Organization’s interaction with the natural environment | Relationships with people and communities | How the company is directed and controlled |
| Key issues | GHG emissions, climate risk, resource use, pollution, biodiversity | Labor practices, DEI, human rights, community impact, data privacy | Board independence, executive pay, audit quality, ethics, shareholder rights |
| Financial materiality | Carbon taxes, stranded assets, physical damage, regulatory fines | Litigation, turnover costs, reputational damage, regulatory action | Fraud, mismanagement, shareholder activism, compliance failures |
| Key standards | TCFD, GHG Protocol, ISSB S2, SASB, CDP | GRI, UN Guiding Principles, ILO Standards, SASB | COSO, OECD Principles, national corporate governance codes |
| ERM connection | Operational risk, strategic risk, compliance risk | Compliance risk, reputational risk, people risk | All risk categories; governance underpins the entire ERM framework |
The US Regulatory Landscape for ESG in 2025
The ESG regulatory environment in the United States is fragmented and politically polarized. Understanding the current state is essential for any organization managing ESG-related risks.
Federal Level: SEC Climate Rule Effectively Dead
In March 2024, the SEC adopted final rules requiring climate-related disclosures for public companies, including material climate risks, governance practices, Scope 1 and Scope 2 emissions (for larger filers, where material), and financial impacts of severe weather events.
A coalition of states challenged the rules in court. In March 2025, the SEC voted to end its defense of the final rules, and by July 2025 it had stated that it did not intend to revisit them (ICLG – ESG Laws and Regulations USA 2026). In June 2025 the SEC also formally withdrew a batch of rules that had been proposed but never adopted, among them proposed cybersecurity risk management rules for investment advisers and funds and proposed ESG disclosure rules for investment advisers. That withdrawal did not touch the cybersecurity disclosure rule the SEC adopted for public companies in July 2023: material cybersecurity incidents must still be reported on Form 8-K (Item 1.05) within four business days of the materiality determination, and the annual cybersecurity risk management and governance disclosures on Form 10-K remain in effect.
Harvard Business School Professor Ethan Rouen noted that the concern now is that instead of reliable, comparable disclosures, there will be a patchwork of requirements applying to different companies in different ways (Harvard Business School – Federal Climate Rules).
State Level: Over 1,000 ESG Bills Since 2020
At the state level, more than 1,000 ESG and anti-ESG bills have been introduced since 2020. As of September 2025, 192 anti-ESG bills were proposed in that year alone, compared to only 76 bills supporting ESG initiatives.
California leads the pro-disclosure camp with SB 253 and SB 261, climate disclosure laws enacted in 2023 that could affect more than 10,000 publicly traded and private companies. These laws mandate disclosure of greenhouse gas emissions (including Scope 3) and climate-related financial risks. While subject to ongoing litigation, a February 2025 court ruling allowed the laws to take effect (PwC – SEC Climate Disclosures and ESG Regulations).
International Requirements Affecting US Companies
The EU’s Corporate Sustainability Reporting Directive (CSRD) applies to an estimated 50,000 companies operating in the EU, including US companies with EU subsidiaries meeting certain criteria.
CSRD requires comprehensive ESG disclosures using European Sustainability Reporting Standards (ESRS) with double materiality assessment. US multinationals with European operations cannot ignore these requirements regardless of domestic regulatory changes. For organizations navigating compliance across jurisdictions, see our article on compliance risk management.
Investor Demand Persists Despite Political Headwinds
Despite anti-ESG rhetoric, investor demand for ESG data remains strong. In EY’s Institutional Investor Survey, 95 percent of investors said they would continue in 2025 to assess how companies manage financially material business risks and opportunities connected to sustainability.
The US SIF Trends Report found that nearly 70 percent of respondents remain committed to sustainability’s long-term future, describing the current environment as one of recalibration rather than retreat (US SIF – Trends Report 2025/2026).
ESG Reporting Frameworks and Standards
Multiple frameworks and standards exist for ESG reporting. The landscape is consolidating but remains complex. The key frameworks risk professionals should understand include:
ISSB Standards (IFRS S1 and S2). The International Sustainability Standards Board issued these global baseline standards covering general sustainability disclosures (S1) and climate-related disclosures (S2). These are becoming the global standard, with jurisdictions including the UK, Australia, and others adopting or aligning with them.
SASB Standards. Industry-specific standards identifying the ESG issues most likely to affect financial performance in 77 industries. Now part of the ISSB. SASB’s materiality-based approach makes it particularly relevant for risk professionals because it focuses on financially material issues.
GRI Standards. The most widely used framework globally, focused on an organization’s impacts on the economy, environment, and people. GRI uses an impact materiality approach (what impact does the company have on the world), compared to SASB’s financial materiality approach (what impact do ESG issues have on the company).
TCFD Recommendations. Task Force on Climate-related Financial Disclosures framework, now incorporated into ISSB standards. Organized around four pillars: governance, strategy, risk management, and metrics and targets. The TCFD’s risk management pillar maps directly to existing enterprise risk management processes.
ESRS (European Sustainability Reporting Standards). Mandatory standards under the EU’s CSRD, requiring double materiality assessment, covering both how sustainability issues affect the company and how the company affects society and the environment.
For organizations evaluating which framework to adopt, note that the reporting landscape is still moving: Morningstar’s Q2 2025 data records close to 600 European funds renamed in a single quarter to comply with new fund-naming (anti-greenwashing) rules (Morningstar – Global ESG Fund Flows Q2 2025).
This signals that scrutiny of ESG claims and disclosures is intensifying. For more on building KRI dashboards that incorporate ESG metrics, see our article on key risk indicators.
ESG Scores and Ratings: What They Measure and Their Limitations
ESG scores are ratings assigned by independent agencies to evaluate a company’s ESG risk exposure and management. The major providers are MSCI, Sustainalytics (Morningstar), S&P Global, Bloomberg, and ISS ESG. These scores are used by institutional investors to screen investments, compare companies, and monitor portfolio risk.
The fundamental limitation of ESG scores is inconsistency across providers. Different agencies use different methodologies, weight factors differently, and reach different conclusions about the same company.
A company rated “leader” by one agency might be rated “average” by another. This creates real challenges for companies trying to manage their ESG profile and for investors trying to make informed decisions.
Bloomberg Intelligence’s analysis noted that the lack of defined standards to assess ESG performance remains a barrier to investment, and that enhanced scrutiny and regulations are expected to bolster ESG asset credibility.
The ESG rating providers market is also consolidating, with a structure divided between a few very large non-EU providers and numerous smaller EU providers. For organizations building risk registers that include ESG factors, see our guide on key elements of a risk register.
How ESG Connects to Enterprise Risk Management
For risk professionals, ESG is not a separate discipline. It is a set of risk categories that fit within existing ERM frameworks. The connection points are direct:
ISO 31000 alignment. ESG risks are risks. They have causes, events, and consequences. They can be assessed for likelihood and impact. They can be treated through avoidance, reduction, sharing, or acceptance.
The ISO 31000 risk management process, from context establishment through risk identification, analysis, evaluation, and treatment, applies to ESG risks the same way it applies to operational, financial, or strategic risks. See our comprehensive guide on the five steps of the risk management process.
COSO frameworks. COSO’s 2023 guidance, Achieving Effective Internal Control over Sustainability Reporting, applies the five components and 17 principles of the Internal Control – Integrated Framework (2013) to sustainability reporting. The COSO ERM framework (2017), with its five components and 20 principles, supplies the enterprise-level mapping.
The governance component of ESG maps directly to COSO’s governance and culture component. Environmental and social risks fit within COSO’s strategy and objective-setting, performance, and review and revision components.
Three Lines Model. First line management owns ESG risks within their operational areas (environmental compliance, labor practices, product safety). Second line functions provide frameworks, policies, and oversight for ESG risk management (sustainability teams, compliance, risk management). Third line internal audit provides independent assurance on the effectiveness of ESG governance, risk management, and controls.
Business impact analysis. Climate-related physical risks (flooding, wildfire, extreme heat) directly affect business continuity planning. Organizations conducting BIA should incorporate climate scenarios into their disruption scenarios. See our guide on business impact analysis.
Practical Challenges in ESG Implementation
Organizations implementing ESG face real obstacles that go beyond political controversy:
Data collection and quality. ESG data, particularly Scope 3 emissions and supply chain social metrics, is difficult to collect, verify, and standardize. Many companies lack the systems and processes to gather ESG data with the same rigor applied to financial reporting. This is a controls problem that risk and audit professionals understand well.
Regulatory fragmentation. Operating across jurisdictions with different ESG requirements creates compliance complexity and cost.
A US multinational might face SEC disclosure requirements (currently in flux), California’s climate laws, EU CSRD requirements, and additional requirements in other operating jurisdictions. Harvard Law Forum’s analysis characterized this as a patchwork that makes it harder to get solid, comparable information.
Greenwashing risk. Companies face legal and reputational risk from making ESG claims they cannot substantiate. The EU’s anti-greenwashing rules triggered close to 600 fund name changes in a single quarter in 2025, demonstrating that regulators are enforcing credibility standards. In the US, the FTC’s Green Guides set standards for environmental marketing claims.
Short-term versus long-term tension. ESG investments often require upfront spending that reduces short-term earnings but builds long-term resilience and value. Quarterly earnings pressure can create organizational resistance to ESG initiatives.
Rothschild & Co’s 2025 analysis found that a hypothetical $100 investment in sustainable funds in December 2018 would have grown to $136 by early 2025, compared to $131 for traditional funds over the same period (Rothschild & Co – ESG Insights for 2025), suggesting the long-term financial case for ESG integration holds up.
For more on managing the intersection of risk and strategic planning, see our article on risk mitigation in project management.
Getting Started with ESG Risk Management
If your organization has not yet formally integrated ESG into its risk management framework, start with what you already know how to do. ESG risk management does not require a separate methodology. It requires applying existing risk management discipline to a broader set of risk factors.
First, identify which ESG factors are material to your organization. Use SASB’s industry-specific materiality map as a starting point.
A financial services company will have different material ESG factors than a manufacturing company or a technology company. Focus on the factors that create real financial exposure, not on checking every possible box.
Second, integrate material ESG risks into your existing risk register. They belong alongside operational, financial, strategic, and compliance risks, not in a separate document. Assign risk owners, define likelihood and impact criteria, and establish treatment plans using the same methodology you apply to other risks. See our guide on risk description examples for risk registers.
Third, establish or strengthen the governance structure for ESG oversight. Determine which board committee has responsibility for ESG risk oversight, what management reporting exists, and how ESG metrics feed into strategic decision-making. The governance pillar of ESG starts at home.
Fourth, assess your disclosure readiness. Even if federal ESG disclosure mandates are stalled, California’s laws, EU CSRD requirements, and investor expectations create disclosure pressure for many US companies. Understanding your readiness now prevents scrambling when requirements crystallize.
For practical frameworks, templates, and deeper exploration of risk management topics including ESG, explore the full library at riskpublishing.com. Our content covers quantitative risk management, compliance risk assessment, business continuity planning, and key risk indicators, all grounded in ISO 31000 and COSO ERM best practice.
Sources:
1. Bloomberg Intelligence – Global ESG Assets Predicted to Hit $40 Trillion by 2030: bloomberg.com
2. US SIF – 2024 Trends Report ($6.5 Trillion US Sustainable Investment Assets): ussif.org
3. US SIF – Trends Report 2025/2026 Executive Summary: ussif.org
4. ICLG – Environmental, Social & Governance Laws and Regulations USA 2026: iclg.com
5. Harvard Business School – The SEC Eliminated Climate Rules: hbs.edu
6. Harvard Law Forum – Regulatory Shifts in ESG (April 2025): corpgov.law.harvard.edu
7. EY – ESG and SEC Climate Disclosure Rule Update: ey.com
8. Deloitte – ESG Reporting and SEC Disclosure (COSO 2023 Guidance): deloitte.com
9. PwC – SEC Climate Disclosures and ESG Regulations: pwc.com
10. Morningstar – Global ESG Fund Flows Rebound Q2 2025: morningstar.com
11. Rothschild & Co – ESG Insights for 2025 and Beyond: rothschildandco.com
Internal Links Used:
• What is the Risk Management Process
• How to Conduct a Risk Assessment
• Key Components of a Risk Management Policy
• Key Elements of a Risk Register
• Five Steps of the Risk Management Process
• Risk Mitigation in Project Management
• Quantitative Risk Management
• Business Continuity Planning

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
