Integrating ESG into enterprise risk management: A practical guide for boards and risk leaders in Saudi Arabia

Section 1: Why ESG belongs in risk management

In today’s regulatory and investor landscape, Environmental, Social, and Governance (ESG) is no longer a voluntary exercise. It is a strategic business imperative. For companies in Saudi Arabia and globally, ESG is increasingly linked to regulatory compliance, access to capital, and long-term business resilience.
In the Kingdom, multiple governance and disclosure mechanisms reinforce this shift:

  • Vision 2030: ESG as a strategic lever for sustainable diversification.
  • Saudi Exchange (Tadawul) ESG Disclosure Guidelines: Voluntary push for transparent, comparable ESG reporting.
  • Ministry of Commerce: Corporate Governance Regulations set expectations for board oversight of ESG-linked risks.
  • Ministry of Finance Green Financing Framework: Mobilises capital toward green projects, including renewable energy, water efficiency, and sustainable transport, by issuing green bonds and sukuk with transparent use-of-proceeds and reporting standards.
  • ZATCA: Aligning tax transparency with ESG-linked financial and operational reporting.

Globally, the most widely used disclosure standards are:

  • International Financial Reporting Standards (IFRS) S1 & S2;
  • Sustainability Accounting Standards Board (SASB) – Industry-specific investor-focused ESG metrics; and
  • Global Reporting Initiative (GRI) – Broad stakeholder disclosures.

All of these frameworks converge on a common principle: ESG-related risks must be embedded into an organization's business strategy and transparently reflected in its financial disclosures.


The journey of ESG risk management is not a single leap but a gradual evolution. Organizations typically begin with a compliance-driven mindset, meeting minimum regulatory requirements, before progressing toward a structured identification of ESG risks. As maturity increases, these risks are embedded into enterprise risk management (ERM) frameworks through robust controls, enabling assurance and accountability. At the most advanced stage, ESG becomes a core element of strategic decision-making, guiding capital allocation, innovation, and long-term value creation. This progression reflects how companies shift from reactive reporting to proactive integration of ESG into business resilience and competitive advantage.
This discussion paper is structured as a progression: from why ESG belongs in risk management, to how organizations can embed it through frameworks and maturity models, and finally to the practical tools they can apply.

Section and core purpose:

  • Section 2 – Framework & maturity model: Equips boards and executives with a roadmap for ESG maturity, showing how to evolve from box-ticking to full integration in capital allocation and strategy.
  • Section 3 – Practical tools: Risk registers & RCMs: Provides hands-on tools for embedding ESG into governance, risk, and assurance cycles, enabling accountability and auditability.

Section 2: Framework & maturity model

2.1 Theory & frameworks

When organizations begin embedding ESG into their risk management and internal control systems, they often need a structured set of guiding frameworks. These frameworks act as the backbone, ensuring that ESG is not treated as a “nice to have” but as an integrated part of corporate governance, financial strategy, and stakeholder engagement.
Several leading frameworks and principles have emerged as the global reference points for integrating ESG into risk and control environments. While each has its own focus, together they provide a comprehensive map for organizations to follow:

Leading frameworks / principles, their role in ESG risk integration, and their practical application in organizations:

COSO ERM framework
Role: Embeds ESG risks into enterprise-wide risk management, aligning with strategy and governance culture.
Practical application:
  • Add climate, supply chain and social risks into the risk register.
  • Use COSO's risk appetite framework to set tolerance for carbon exposure or compliance fines.
  • Link ESG KPIs (e.g., emissions reduction) to strategic objectives.

COSO ICSR (Internal control over sustainability reporting)
Role: Ensures ESG data reliability, comparability, and assurance readiness.
Practical application:
  • Map ESG reporting processes to control activities (e.g., who validates emissions data).
  • Develop RCMs (Risk & Control Matrices) for ESG metrics, just as with financial reporting.
  • Test internal controls on ESG data before external assurance.

IFRS S1 & S2 (ISSB standards)
Role: Establish a global baseline for sustainability disclosures, ensuring ESG is linked to financial reporting.
Practical application:
  • Align risk disclosures with financial materiality (e.g., show how water scarcity affects revenues or costs).
  • Integrate ESG risk scenarios into stress testing and financial forecasts.
  • Use IFRS S2 for climate transition planning and resilience analysis.

GRI standards
Role: Provide broad, stakeholder-oriented ESG disclosures.
Practical application:
  • Disclose topics like community impact, worker welfare, and biodiversity.
  • Engage HR, HSE, and CSR teams to capture non-financial data consistently.
  • Use GRI for multi-stakeholder dialogue and transparency reporting.

SASB standards
Role: Provide industry-specific, investor-focused metrics.
Practical application:
  • Select SASB metrics relevant to the sector (e.g., energy use in petrochemicals, data privacy in tech).
  • Benchmark ESG risks against peer performance.
  • Report ESG factors most likely to affect enterprise value and investor confidence.

2.2 Maturity model

Organizations evolve in how they manage ESG risks, moving from basic compliance-driven disclosure to fully embedding ESG into strategic decision-making and capital allocation. A maturity model helps boards and management assess where they currently stand, and what steps are required to progress.

Each stage is described by its characteristics, the board and management focus, and a practical example in the Saudi context:

Stage 1: Compliance-driven
Characteristics: ESG is treated as a regulatory or reputational requirement; sustainability reports are siloed and backward-looking.
Board & management focus:
  • Raise awareness at board level.
  • Mandate ESG risk identification in the annual governance cycle.
Practical example (Saudi context): Preparing ESG disclosures per Tadawul guidelines without linking them to ERM.

Stage 2: Risk identification
Characteristics: ESG risks (climate, supply chain, social) are listed in risk registers; basic metrics are reported.
Board & management focus:
  • Assign risk owners (e.g., HSE for climate, Procurement for supply chain).
  • Develop ESG KPIs/metrics aligned with IFRS S2 & GRI.
Practical example (Saudi context): An industrial company adding "carbon pricing risk" to its enterprise risk register; tech firms disclosing cyber and AI ethics risks in SASB reports.

Stage 3: Integrated ERM controls
Characteristics: ESG risks are embedded into ERM systems and RCMs (Risk & Control Matrices); internal audit tests ESG controls using COSO ICSR.
Board & management focus:
  • Link ESG risks to internal controls.
  • Task internal audit to review ESG control design and effectiveness.
  • Begin assurance-readiness for external reporting.
Practical example (Saudi context): A utility adding water-efficiency risks to its risk register and testing the related controls before CMA ESG filings; US-listed multinationals establishing ESG data validation processes in anticipation of SEC climate disclosure requirements.

Stage 4: Strategic ESG embedded
Characteristics: ESG risks influence strategy, capital allocation, and performance incentives; ESG KPIs drive board remuneration.
Board & management focus:
  • Align ESG targets with Vision 2030 sustainability KPIs.
  • Allocate capital for ESG-linked investments.
  • Include ESG KPIs in executive compensation.
Practical example (Saudi context): Companies linking the CEO bonus to carbon intensity reduction; automotive companies embedding the EV transition and Scope 3 reduction into strategy and investor roadmaps.

Section 3: Practical tools (Risk registers & RCMs)

A well-structured ESG risk register is one of the most practical instruments for embedding ESG into enterprise risk management (ERM). It allows organizations to document, assess, monitor, and respond to ESG risks with the same rigor as financial or operational risks. ESG risk registers should not be stand-alone, but should be integrated into the corporate risk register, linked to KPIs, controls, and assurance cycles. The following table provides a practical example tailored for Saudi businesses across environmental, social, and governance dimensions.

3.1 ESG risk register (illustrative example)

Each entry records the risk ID, ESG pillar, risk description, root cause, impact, risk rating, and control objective.

ENV-001 – Environmental (oil & gas)
  Risk description: Methane leakage during operations leading to emissions breaches.
  Root cause: Outdated infrastructure; insufficient detection systems.
  Impact: Regulatory fines; reputational damage; higher emissions costs.
  Risk rating: High
  Control objective: Ensure timely detection and reduction of methane emissions through monitoring and maintenance.

SOC-001 – Social (banking)
  Risk description: Gender diversity gap in leadership roles.
  Root cause: Absence of succession planning; lack of diversity KPIs.
  Impact: Talent attraction/retention challenges; reputational risk; Vision 2030 misalignment.
  Risk rating: Medium
  Control objective: Enhance diversity and inclusion to strengthen the talent pipeline and align with Vision 2030.

GOV-001 – Governance (both sectors)
  Risk description: Inaccurate ESG reporting ("greenwashing").
  Root cause: Weak data governance; fragmented reporting systems.
  Impact: Investor distrust; potential sanctions; loss of market access.
  Risk rating: High
  Control objective: Ensure accuracy, integrity, and reliability of ESG disclosures.

3.2 ESG risk control matrix (RCM)

The ESG Risk Control Matrix (RCM) operationalizes the risk register by mapping each identified ESG risk to specific controls, their type, frequency, ownership, and testing approach. This ensures that ESG risks are not only documented but actively mitigated and monitored, aligning with COSO ICSR and IFRS S1/S2 assurance expectations.

Each RCM row records the risk ID (matching the register above), control description, control type, frequency, owner, and testing method.

ENV-001 (Environmental)
  Control description: Methane leak detection sensors plus variance analysis against targets.
  Control type: Preventive / Detective
  Frequency: Monthly
  Owner: Facilities Manager
  Testing method: Compare monitoring data with thresholds; investigate anomalies.

SOC-001 (Social)
  Control description: Quarterly diversity reporting against hiring and promotion targets.
  Control type: Detective
  Frequency: Quarterly
  Owner: HR Director
  Testing method: Review HR dashboards; reconcile against HRIS and recruitment data.

GOV-001 (Governance)
  Control description: Independent assurance of sustainability disclosures before publication.
  Control type: Preventive
  Frequency: Annual
  Owner: Compliance Officer
  Testing method: Review assurance report findings; confirm remediation.
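The RCM is only useful if its rows can actually be tested. As an added example (not part of the BDO paper and not the authors' tooling), the following Python script shows two checks an internal audit or risk team could run over the register and RCM above: a completeness check that every registered risk has a fully specified control and no control points at an unregistered risk, and the ENV-001 testing method ("compare monitoring data with thresholds; investigate anomalies") applied to a set of monthly methane readings. The readings, the permit threshold, the internal target and the 10% variance tolerance are constructed assumptions; in practice they would come from the operating permit and the risk appetite statement approved under COSO ERM.

```python
"""Added example: completeness check of an ESG RCM against its risk register,
and the ENV-001 control test from the RCM run over constructed readings.
Not the paper's own code; thresholds and readings are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    pillar: str
    rating: str


@dataclass(frozen=True)
class Control:
    risk_id: str
    description: str
    control_type: str
    frequency: str
    owner: str


# Register and RCM rows transcribed from the tables above.
RISK_REGISTER = [
    Risk("ENV-001", "Environmental", "High"),
    Risk("SOC-001", "Social", "Medium"),
    Risk("GOV-001", "Governance", "High"),
]
RCM = [
    Control("ENV-001", "Methane leak detection sensors + variance analysis vs targets",
            "Preventive / Detective", "Monthly", "Facilities Manager"),
    Control("SOC-001", "Quarterly diversity reporting vs. hiring / promotion targets",
            "Detective", "Quarterly", "HR Director"),
    Control("GOV-001", "Independent assurance of sustainability disclosures before publication",
            "Preventive", "Annual", "Compliance Officer"),
]


def rcm_coverage_gaps(register, rcm):
    """Return registered risks with no control, RCM rows whose risk_id is not
    in the register, and controls with no owner or frequency (untestable)."""
    registered = {r.risk_id for r in register}
    controlled = {c.risk_id for c in rcm}
    return {
        "uncontrolled": sorted(registered - controlled),
        "orphan_controls": sorted(controlled - registered),
        "incomplete": sorted(c.risk_id for c in rcm
                             if not c.owner.strip() or not c.frequency.strip()),
    }


# Constructed monthly fugitive-methane readings for one site, in kg (assumption).
METHANE_READINGS_KG = {
    "2025-01": 880, "2025-02": 910, "2025-03": 1040,
    "2025-04": 870, "2025-05": 995, "2025-06": 860,
}
THRESHOLD_KG = 1000   # assumed permit limit: a month above it is a breach
TARGET_KG = 900       # assumed internal reduction target used for variance analysis


def run_env_001_test(readings, threshold, target, tolerance=0.10):
    """ENV-001 testing method. A month above the regulatory threshold is a
    'breach'. Otherwise a month whose variance against the internal target
    exceeds the tolerance in either direction is flagged 'investigate' (an
    unexplained drop can be a failed sensor rather than a real improvement).
    Returns (month, finding) pairs in month order; an empty list means the
    control operated within limits."""
    findings = []
    for month in sorted(readings):
        value = readings[month]
        if value > threshold:
            findings.append((month, "breach"))
        elif abs(value - target) / target > tolerance:
            findings.append((month, "investigate"))
    return findings


if __name__ == "__main__":
    print("coverage gaps:", rcm_coverage_gaps(RISK_REGISTER, RCM))
    for month, finding in run_env_001_test(METHANE_READINGS_KG, THRESHOLD_KG, TARGET_KG):
        print(f"{month}: {finding}")
```

With the constructed readings the script reports March as a threshold breach and May as a variance anomaly to investigate, which is exactly the evidence an internal auditor would expect the Facilities Manager to have on file before the annual assurance review of GOV-001.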


How BDO can help

For further information, insights and assistance with your ESG and IFRS reporting needs, please contact us. Our team of experts is ready to support you in this transition.

Authors
Abdur R. Sharjeel
Head of Advisory
Mobile: +966 55 754 0579
a.sharjeel@bdoalamri.com


Syed Moin Ahmed Zaidi
Senior Manager – Sustainability Services
Mobile: +966 50 765 1071
s.zaidi@bdoalamri.com

The material discussed in this article is meant to provide general information and should not be acted on without professional advice tailored to your organization’s individual needs.
© 2025 BDO Dr Mohammed Al-Amri & Co. All rights reserved. www.bdoalamri.com