The Mitigation Gap

The gap between knowing and improving

ESG scores are everywhere: embedded in supplier screenings, investment decisions and compliance reports. But if scores are more prevalent and rising, why aren't the risks falling? Why are ESG risks still playing out in headlines, courtrooms and on balance sheets?

Because what gets measured doesn't always get managed, and in ESG we've confused measurement with progress. Static risk ratings, especially in supply chains and portfolios, are treated as endpoints when they were only ever meant to be starting points.

Over the last decade, I’ve worked with companies across sectors to assess ESG exposure at scale. The same flaw surfaced everywhere: the tools we use to identify risk rarely help reduce it.

This article is about that failure: the gap between knowing and improving, and why, until we close it, ESG risk management remains performative.

Why scores aren’t enough

I've written before about the limitations of ESG scoring systems. Many rely on self-reported data that is easy to game. They prioritize policies over practices and reward disclosures rather than performance. Most aren't designed for private companies. Few account for materiality or maturity, and the underlying methodologies vary widely between rating agencies, leading to inconsistent results.

The result is a system that creates false signals of ESG health. Even when these tools correctly identify gaps, they stop at diagnosis. There’s rarely a structured pathway to improvement. Scores may reflect relative performance, but they don’t guarantee that underlying issues are being resolved or that future incidents are being prevented.

Worse, scores can create a false sense of security. ESG risks evolve continuously due to regulatory changes, supply chain disruptions or emerging social issues. Static assessments are quickly outdated, leaving companies blind to shifting exposures and without the tools to act.

The mitigation gap

The limitations of ESG risk scores are especially concerning when we consider that they are often taken at face value. Treated as conclusive, these static scores create a discrepancy between identification and intervention that I call the mitigation gap.

Despite years of ESG mainstreaming, most systems still fall short of translating ESG insight into tangible action. There are three dynamics that sustain and widen the gap:

Score-action disconnects. Companies may know where they stand, but few are equipped to improve. Digital solutions and evolving standards have made scoring easier, but risk reduction still lacks a commensurate infrastructure.

Reporting over results. Only 7% of all ESG metrics are tied to supply chain risk management, despite supply chain exposure being a major ESG vulnerability for many industries.1 Most metrics focus on what's easy to measure, such as policies, checkboxes or disclosures, and ignore what actually changes risk.

Structural barriers. ESG expectations are still vague; standards are inconsistent and guidance is often generic or unrealistic. Many companies, especially suppliers and SMEs, don’t have the resources or know-how to go from identification to improvement.

The mitigation gap has material consequences, especially at a time when ESG risk improvement is becoming a stakeholder imperative:

Investors are recalibrating. 79% say ESG risks and opportunities factor into their decisions.2 Increasingly, they’re asking what companies are doing, not just how they’re scoring.

Regulators are stepping in. From the EU's CSRD and SFDR to the SEC's climate risk disclosures, legislation is shifting toward outcomes: reporting is only the first step, and demonstrating mitigation is the real requirement.

Customers are walking away. 76% of consumers say they would stop buying from companies that neglect environmental, labor or community well-being.3

Beyond stakeholder pressure, there's business logic: unmanaged ESG risks affect a business's bottom line. Studies show that companies failing to address ESG concerns can lose 6-20% of annual revenue due to supply chain disruptions, regulatory penalties or operational failures.4

The 6 pillars of effective ESG risk mitigation

Closing the mitigation gap needs a different type of infrastructure: an operational layer designed for action. Turning a measurement tool into a management tool requires a system that is:

1. Targeted: Improvement efforts should be based on real performance gaps at every level of the supply chain or portfolio.

2. Contextual: ESG risks vary by geography, industry and company maturity. Mitigation should reflect those realities.

3. Verifiable: Progress must be evidence-based, not intention-based.

4. Iterative: One-off interventions aren't enough. ESG risk is dynamic and mitigation needs to evolve with it.

5. Transparent: Progress should be traceable, with clear feedback loops, audit trails and accountability built in.

6. Scalable: Above all, mitigation has to scale from one supplier to thousands, or from one portfolio company to a global footprint.

Operationalizing the pillars through technology

Turning the six pillars into practice requires more than awareness. It requires infrastructure built for action, delivered with speed, scale, and context.

That's where technology comes in, specifically automation and AI. These tools aren't just helpful; they're essential for embedding targeted, contextual, verifiable, iterative, transparent and scalable processes across complex value chains.

AI takes flagged risks, maps them to tailored remediation pathways, aligns interventions with the relevant standards, and adapts recommendations to sector, geography and maturity. Automation brings speed, consistency and traceability, removing the friction that stalls progress.

The result is a system that doesn't just score risk: it reduces it, systematically, in real time, at scale and at a fraction of the cost. That's how ESG moves from a compliance exercise to meaningful, measurable impact.

We've built entire systems around evaluating ESG, issuing scores, publishing reports, comparing benchmarks, and called it management. That era is ending. Stakeholders no longer accept scores as proof of progress. True ESG risk management means both measuring and mitigating, and doing both systematically, with evidence, at scale.

Sources:

1 OECD

2 PwC

3 KPMG

4 The Economist Intelligence Unit