The ESG Illusion: How Risk Ratings Miss the Mark

ESG risk is being mis-measured, at scale.

I have spent a decade assessing ESG risk for companies with global supply chains and portfolios. If there is one takeaway from the experience, it is that the evaluation process is broken. I’ve seen firsthand the extent and consequences of it: a reliance on fragmented inputs producing unreliable outputs, which gives companies a false sense of security that collapses under scrutiny.

If ESG risk management and due diligence are meant to help companies mitigate the legal, operational, financial and reputational consequences of risk, then today’s models are both flawed and dangerous.

The way we measure ESG risk fails to reflect the actual risk profile of a business. Whether through rating agencies, internal assessments or consultant-led audits, the result is largely the same: a high-cost, low-fidelity snapshot of ESG risk.

Here’s an overview of what’s going wrong and what needs to change.

#1 Self-reported data is easy to game

Most ESG scores and ratings rely on self-reporting, requiring entities to fill in questionnaires or complete checklists - a structure that is prone to manipulation. The typical survey reveals exactly what assessors are looking for, creating a bias from the outset and making it easy for respondents to reverse-engineer the “right” answers. In most cases, there is little or no protocol for verifying that the inputs match reality.

In the case of voluntary reporting, companies are selective about what they disclose, sharing favorable data while omitting more contentious areas of operations.

Take carbon reporting: CDP data shows that over half of the companies that report emissions omit Scope 3 emissions, which typically make up the largest share of their climate impact.1 For businesses with large supply chains and portfolios, where the available data is unreliable to begin with, critical risks go unnoticed in the due diligence process. The result is a picture that looks more compliant than it is.

#2 Scoring methodologies are incomplete and designed for public companies

For the roughly 90% of companies that are privately held, there is little to no publicly available ESG information.2 This makes it nearly impossible to assess their risk profiles using conventional methodologies.

But even for the 10% that are public, where data is available, the picture isn’t much clearer. ESG rating providers rely on backward-looking, compliance-oriented data: past reports, policy documents and disclosures that don’t capture the dynamic, forward-looking nature of ESG risk. The result is a static and inaccurate evaluation, with direct consequences for how the risk is managed.

Current rating methodologies suffer from two further limitations. The first is a tendency toward surface-level evaluation: they check for the existence of a policy without examining how it is enforced or what effect it has. The second is that they equate disclosure with performance while ignoring the broader context. That’s how fossil fuel giants with glossy ESG reports outscore SMEs with cleaner operations but less reporting muscle.

To fill the gaps, especially on environmental data, providers resort to proxies such as industry averages, a workaround that distorts the picture of actual risk. For social and governance dimensions, proxying is neither common nor reliable, leaving even larger blind spots. Research shows that 90% of known negative ESG events aren’t disclosed in SEC filings or sustainability reports, meaning that even for public firms, key risks are likely going unnoticed.3

#3 Human-centric reviews are costly and inconsistent

Apart from being highly subjective and costly, human involvement in the ESG evaluation process is difficult to scale across entities, geographies or the global economy. ESG consultants, internal assessors and sustainability officers require considerable commitments of time and capital. In 2022, US-based institutional investors spent an average of $487,000 per year on external ESG data and rating services - 2.5x what they spent on credit rating services.4

Internal reviews are not only cost-prohibitive but also an inefficient use of time: sustainability teams spend between 70% and 80% of their time on the first step of an ESG evaluation alone, collecting documents and formatting data.

Consultant-led audits are no better. Basic assessments start around $15,000. Larger, multi-jurisdictional ESG strategies can cost over $500,000.5 This model does not scale across thousands of suppliers and is out of reach for most SMEs.

#4 Assessments are not adaptive or materiality-driven

Most ESG frameworks apply uniform standards across very different companies, overlooking context such as industry and company maturity. They assume ESG responsibilities are homogeneous, when in reality they grow alongside a company.

This one-size-fits-all approach leads to skewed evaluations. A startup or small local vendor with ten employees should not be held to the same reporting expectations as a multinational with global operations and dedicated sustainability teams. Yet in practice, they often are. Studies have also shown a consistent ESG bias toward larger firms, with average scores increasing alongside market capitalization.6

Industry nuances are also poorly reflected. An airline’s climate exposure is assessed on the same scoring scale as a law firm’s, despite fundamentally different risk profiles. Even across rating models, inconsistency reigns: methodologies and weightings vary from provider to provider. One MIT study of six major ESG rating agencies found an average correlation of just 0.54 between their ratings of the same companies.7 This isn’t a framework; it’s a patchwork of guesswork.

#5 The outputs are optimized for optics, not operations

The pressure to perform on ESG - from investors, regulators and stakeholders - is considerable. And when the metrics don’t reward substance, companies focus on optics. What gets measured is what looks good: policies over practices, reports over reality. That’s how businesses with significant risk exposures still score well: their paperwork checks out. It’s system-sanctioned misdirection that unintentionally encourages greenwashing.

Consider the DWS ESG scandal. Between 2018 and 2021, DWS, the asset management arm of Deutsche Bank, marketed itself as a leader in ESG investing, claiming that sustainability criteria were central to its investment process and embedded across teams through its proprietary “DWS ESG Engine” tool. Regulators later found those claims to be materially misleading: ESG was far less integrated than advertised.

In 2023, the firm paid $25 million to settle US Securities and Exchange Commission charges over the greenwashing and over separate anti-money-laundering (AML) failures. The reputational fallout was significant, and the scandal served as a high-profile warning to the asset management industry about the risks of overstating sustainability credentials.8

Where to go from here

The current ESG evaluation process is broken. It relies on: (1) gameable inputs, (2) incomplete, backward-looking methodologies, (3) expensive, manual processes, (4) misaligned materiality and (5) optics-driven, reputation-first outputs. Combined, they create a brittle, costly and unreliable assessment framework that undermines ESG as a whole.

What would better look like? In a time of advanced data infrastructure and AI, a new architecture is possible. What the ESG rating process needs is:

  • Real signals from verified documents, procedures and data, not self-reported answers.
  • Models that adapt to industry, geography and maturity, without forcing every business into the same box.
  • A framework that rewards integrity and performance.

Overall, my view is that we need to usher in an era of ESG risk management that is automated, adaptive and anchored in reality.

Sources:

1 CDP
2 HarbourVest
3 Olivier Boiral, “Sustainability reports as simulacra? A counter-account of A and A+ GRI reports”, Accounting, Auditing & Accountability Journal
4 OECD
5 Reuters and Socialsuite
6 The Journal of Impact and ESG Reporting
7 MIT
8 Reuters