
Why ESG Reporting Is Only the Starting Point for ESG Risk — and Why Confusing the Two Leaves Companies Exposed

Updated: May 5

There is a quiet crisis developing inside sustainability functions across Europe and North America. Organisations have invested heavily in ESG reporting infrastructure — CSRD frameworks, materiality assessments, Scope 3 measurement systems, TCFD-aligned disclosures. Their sustainability teams can produce a 200-page sustainability report with impressive precision.



And yet when a supplier is found using forced labour in their tier-2 supply chain, when a greenwashing allegation surfaces in the press, or when an investor asks pointed questions about climate transition risk in their operations — the organisation has no governance framework to respond. They have measurement without management. Disclosure without defence.

This is the ESG reporting versus ESG risk distinction. And in 2026, it has never mattered more.


The numbers that reveal the gap



Consider what the data shows about the scale of ESG risk exposure. According to the Walk Free Foundation's 2023 Global Slavery Index, an estimated 50 million people are living in modern slavery globally — 86% of them in private supply chains connected to consumer goods, electronics, agriculture, construction and manufacturing. The companies sourcing from those supply chains are not necessarily complicit. But under the UK Modern Slavery Act, Australia's equivalent legislation, Germany's LkSG and CSDDD, they are legally obligated to have governance systems capable of identifying and addressing that exposure.

On the environmental side, Swiss Re Institute research estimates that climate change could reduce global GDP by up to 18% by 2050 if temperatures rise by 3.2°C — with supply chain disruption, physical asset damage and transition costs concentrated in specific sectors and geographies. The organisations best positioned to manage those risks are not necessarily the ones with the best sustainability reports. They are the ones whose risk functions have integrated climate exposure into their governance frameworks.

Yet a 2024 PwC Global Investor Survey found that 94% of investors believe companies are making unsubstantiated ESG claims — a finding that reflects the chasm between what organisations say in their reports and what their governance systems can actually substantiate.


Compliance Creates a False Sense of Security


Most ESG reports answer a backwards-looking question: what happened? Companies measure emissions already generated, incidents that have already occurred, policies already in place. Reporting is used as an accountability mechanism — valuable, necessary, increasingly mandatory under CSRD and IFRS S1/S2. But it does not prevent the next incident. It does not tell a sustainability manager which supplier is most likely to create a human rights violation in the next 12 months. It does not give a risk professional the framework to decide whether to proceed with a new supplier relationship despite elevated ESG exposure.

ESG risk governance answers a forward-looking question: what might happen, how likely is it, how severe would it be, and what are we doing about it? It requires different tools — materiality mapping, due diligence workflows, risk tiering models, escalation frameworks, corrective action plans, ongoing monitoring systems. And critically, it requires people trained to use those tools, not just trained to complete disclosure templates.


The enforcement signal


The distinction is no longer just philosophical. In March 2024 the EU fined a major fashion retailer €2 million under greenwashing provisions for sustainability claims that could not be substantiated by their governance systems. The Dutch Authority for Financial Markets has issued guidance explicitly warning financial institutions that ESG disclosures unsupported by underlying risk management processes constitute potential market manipulation.

The regulatory direction is clear. Disclosure without governance is no longer acceptable. The organisations that treat ESG as a reporting exercise are accumulating liability. The ones building genuine ESG risk governance capability — processes, frameworks and trained people — are the ones that will withstand the scrutiny that is now coming.

The question is not whether your organisation produces a sustainability report. It is whether the people responsible for your ESG risk exposure know what to do with what it reveals.




 
 
 
