ESG is the worst thing to happen to risk management… after GRC

Climate change is a huge issue, environmental pollution is a huge issue, and social inequality and everything else typically bundled under the ESG umbrella are important issues fully deserving of management attention. This article is about something else entirely, so keep your System 1 thinking in check and carry on reading.

This article is about the very concept of ESG, not the underlying issues. Let’s give the authors of the idea the benefit of the doubt and pretend it wasn’t just a marketing fluke like all the other acronyms before (ERM, IRM and GRC) and that the intentions were good: to bring much-needed societal attention to performance beyond profits. One thing is clear: short, snappy acronyms sell, and sexy, easy-to-understand, simplistic ideas sell. And I am totally fine with that; anything goes to promote better care for the planet and people.


What I am totally against is risk professionals, who really should know better, thinking ESG is “what you see is all there is”. “What you see is all there is” is a term popularized by psychologist Daniel Kahneman to describe the cognitive phenomenon that our brains are wired to believe that the information we have is all the relevant information there is. This becomes a problem because we tend not to look for what is not shown to us. When we get a few elements of a story, we construct a complete story the best we can with the pieces we have. Often, the elements we’re getting are incomplete or biased.

No surprise, then, that when we hear about ESG in the news, at conferences and in publications, 95% of the time the talk is about climate change and carbon footprint. And yet climate change is not even 1/10th of the issues bundled under the ESG umbrella. That’s issue number one: in the shadow of sexy climate change, many other no less important issues are lost. Global corporations today pollute air, water and soil, yet environmental officers remain under-resourced and excluded from corporate decision making. The focus seems to be somewhere else, where rating agencies, banks and treasury departments get excited about a new round of green financing. I have a huge issue when future risks (climate, carbon) are discussed not in parallel with but instead of today’s risks (pollution).

ESG risk is not a thing

The level of absurdity gets multiplied when the same ESG gurus, rating agencies, auditors and regulators tell us to identify, assess and mitigate “ESG risks”. Just like reputational risks, ESG risks are not a thing. Read my arguments in the reputational risk article. Any operational risk may lead to social, environmental or governance consequences. What’s even worse, the same gurus imply that there is a simple methodology for assessing ESG risks. Nothing could be further from the truth. That’s issue number two: each of the unique risks under the ESG umbrella has its own complex risk assessment methodology and cannot be measured using a unified qualitative approach.

Even when we tried to unify the measurement of ESG risks using simple stochastic bow-ties, the estimates were miles off, as each risk has a unique bow-tie. Any attempt to generalise the risk assessments leads to huge errors in VaR estimates. Read more here on my attempt to unify the quantitative approach to ESG, compliance and other operational risks. It was quick to implement and looked good, but failed the back-tests by a mile. Let’s take the example of environmental risks, supposedly 1/3 of the ESG risks. Environmental risks include:

  • water pollution
  • air pollution
  • soil pollution
  • climate change
  • change in regulations
  • many other things

Most of these risks can be represented as a stochastic decision tree or bow-tie. The trouble is that each risk is a unique and quite complex bow-tie. Many of the causes and consequences are usually prescribed by the relevant environmental legislation in your country. So global organisations have to build different risk models for just water pollution in each country where they operate.

Here is an example of a very basic decision tree I had to build for a solid waste problem, which was later turned into a risk model:

[Figure: solid waste decision tree]

Environmental risks are typical operational risks that can be represented as a loss exceedance curve with a narrow body of the distribution and typically a very fat tail. Like most common risks that don’t have a methodology prescribed by the regulator (market, credit and OHS risks usually have prescribed methodologies), environmental risks can be represented by a decision tree or a bow-tie.

A lot of the branches in the tree are uncertain, for example which regulated class will be assigned to the waste and hence what rate will be applied. Local regulators usually provide specific formulas for measuring different environmental risks, with different formulas for different kinds of pollution and waste. These formulas can be turned into stochastic risk models.

Different models are required for each location, as the waste composition usually differs. The result of the risk analysis is a loss exceedance curve for the risk at each location, which can be aggregated if necessary, and a set of engineering mitigations whose cost can be compared against the expected losses from the risk.

[Figure: environmental risks]
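As an added illustration (not the author's model and not any regulator's formula), the Python below walks a simplified solid-waste tree by Monte Carlo: an uncertain waste class picks the rate, a low-probability over-limit branch produces the fat tail, and per-site losses are aggregated into one loss exceedance curve. The site names, rates, class probabilities, tonnage ranges, surcharge multiplier and the independence between sites are all constructed assumptions.

```python
import random

# Constructed inputs: classes, probabilities, rates and volumes are illustrative
# assumptions, not any regulator's actual formula.
RATE = {"III": 1300.0, "IV": 660.0, "V": 17.0}   # fee per tonne by waste class
SITES = {
    "plant_a": {"tonnes": (800, 1000, 1500), "p_class": {"III": 0.2, "IV": 0.7, "V": 0.1}, "p_over": 0.05},
    "plant_b": {"tonnes": (200, 300, 900), "p_class": {"III": 0.5, "IV": 0.4, "V": 0.1}, "p_over": 0.10},
}
OVER_LIMIT_MULT = 25.0   # assumed surcharge when the permitted limit is exceeded

def simulate_site(site, rng, n):
    """One annual loss per trial, walking the tree branch by branch."""
    classes, weights = zip(*site["p_class"].items())
    low, mode, high = site["tonnes"]
    losses = []
    for _ in range(n):
        waste_class = rng.choices(classes, weights)[0]   # uncertain class branch
        tonnes = rng.triangular(low, high, mode)          # uncertain volume
        mult = OVER_LIMIT_MULT if rng.random() < site["p_over"] else 1.0  # tail branch
        losses.append(tonnes * RATE[waste_class] * mult)
    return losses

def exceedance(losses, thresholds):
    """P(annual loss > t) for each threshold t: the loss exceedance curve."""
    n = len(losses)
    return [sum(loss > t for loss in losses) / n for t in thresholds]

def run(n=20000, seed=1, p_over_scale=1.0):
    """Per-site losses plus the aggregate, assuming independent sites."""
    rng = random.Random(seed)
    per_site = {}
    for name, site in SITES.items():
        scaled = dict(site, p_over=site["p_over"] * p_over_scale)
        per_site[name] = simulate_site(scaled, rng, n)
    total = [sum(trial) for trial in zip(*per_site.values())]
    return per_site, total

def mean(xs):
    return sum(xs) / len(xs)

if __name__ == "__main__":
    per_site, total = run()
    _, mitigated = run(p_over_scale=0.2)   # assumed mitigation cuts over-limit odds by 80%
    for t, p in zip((1e6, 5e6, 2e7), exceedance(total, (1e6, 5e6, 2e7))):
        print(f"P(loss > {t:,.0f}) = {p:.3f}")
    print(f"expected annual saving from mitigation: {mean(total) - mean(mitigated):,.0f}")
```

The expected annual saving is the figure to set against the annualised cost of the engineering mitigation; a real model would replace the constructed rate table with the local regulator's formula for each location.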

This is just an illustration of the point I was trying to make. Unless ESG risks are assessed for the purposes of window dressing, each risk under the ESG umbrella is unique, complex and takes months to model properly. I can see how modelling can be very useful for the environmental and production teams to help them better budget mitigations, which are usually very costly engineering structures that require changes to the technological process. Taking into account social risks is critical for HR and executive decision making. Governance-related risks are an important consideration for the legal team and others. However, I cannot think of a reason why anyone would want to aggregate all ESG risks into a single risk profile given the complexity and effort required. This is a typical example of consulting bs, where the idea to have ESG risks is sold by the people who don’t understand the underlying math.


Risk managers should never lead the ESG agenda

The third issue I have is that consolidating various diverse ESG matters under a single executive is just reckless. Environmental and climate risks have always been and should remain the domain of the HSE team. Social risks are usually the domain of HR, and governance risks are historically the domain of the legal or IR team. Risk managers can help them with the quantitative risk models, if it makes business sense. Risk managers can help build the methodology for the pollution loss exceedance curve or help the legal team determine appropriate risk-adjusted limits for investment deals or segregation of authority for market risks. But they should not lead the ESG agenda; that is just silly. Risk managers are not qualified to talk about E, S or G matters and ESG doesn’t need a glorified secretary. Bringing E, S and G into one fold was a huge mistake and we need to go back to basics – making ESG considerations a decision-making criterion whenever important business decisions are made.

ESG, like ERM, is just a marketing fad

And should be viewed as such. While we are chasing the ratings, which I get are important and are part of the corporate game, we shouldn’t lose sight of the environmental and social damage companies are doing every day. Not sometime in the future after 2050, but yesterday, today and tomorrow. The most rewarding feeling I had was helping an environmental team use quant risk analysis to get more budget for sorting out pollution issues.





2 thoughts on “ESG is the worst thing to happen to risk management… after GRC”

  1. The accounting consulting firms are gearing up big time for all the revenue they expect to earn from ESG reporting.

    1. Totally. And banks and rating agencies and auditors and ESG reporting vendors and ESG metric gurus, all the usual bs vendors
