In both the UK and EU, regulatory expectations around ESG (Environmental, Social and Governance) are evolving rapidly. In the EU, the Corporate Sustainability Reporting Directive (CSRD) requires large companies to disclose detailed information on ESG risks, impacts and strategies, aligned with the European Sustainability Reporting Standards (ESRS). This expands the scope of previous rules (such as the Non-Financial Reporting Directive) and applies to both EU and certain non-EU companies with significant operations in the bloc.

In the UK, while not fully aligned with the CSRD, the government has introduced mandatory Task Force on Climate-related Financial Disclosures (TCFD)-aligned climate disclosures for large companies and financial institutions. This includes risks, governance, metrics and targets related to climate change. UK regulators, including the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA), also expect firms to integrate ESG into governance, risk management and decision-making.

Across both jurisdictions, ESG compliance is shifting from voluntary to mandatory, demanding transparency, internal controls and robust accountability at board level. Given this backdrop, important practical questions arise as to the readiness of organisations for internal investigations in the area of ESG. This article and its follow-up article tackle six important questions that organisations need to ask themselves about their level of readiness. How does your organisation fare on each of these challenges?

Process: Are We Ready When ESG Issues Arise?

A written policy is no guarantee you’re well‑prepared. ESG breaches are often cross‑cutting, emotionally charged and deeply reputational.

Many organisations still rely on investigation protocols originally designed for fraud or HR complaints. Those playbooks simply don’t map onto ESG risks such as forced labour in supply chains, environmental harm or diversity failures. As Norton Rose Fulbright recently warned, ESG investigations demand a broader lens: “evaluation not only of legal risks but also reputational damage and stakeholder trust”.

ESG issues rarely present a “smoking gun”. More often, they emerge gradually with a pattern of subcontractor complaints, vague sustainability claims or subtle signs of greenwashing. Consider the Deutsche Bank‑owned DWS case: regulators responded only after a whistleblower revealed misleading ESG marketing, followed by months of investigative steps before a €25 million fine.

Practical tips:

  • Help yourself by running regular scenario‑planning drills, such as a whistleblower alleging greenwashing or uncovering forced labour in a critical supplier chain.
  • Design flexible workflows that can expand or contract to suit different ESG breach types, rather than rigid, siloed pathways.
  • Make ESG breach scenarios part of your internal audit and enterprise risk management cycle; integration ensures early detection and clarity, as seen in FTSE 100 firms embedding ESG alerts into risk systems.

Leading companies are increasingly weaving ESG due diligence into mergers and acquisitions activity and risk dashboards. This ensures that if an ESG concern surfaces, you’re not scrambling because the process is already aligned with decision‑making tools.

Challenge | When did you last test your ESG breach response process, not just draft it?

Training: Do Investigators Understand the ESG Landscape?

General investigation skills no longer suffice. ESG investigations require specialist knowledge, emotional intelligence and an ability to understand both what regulators expect and what communities feel.

Knowledge gaps often emerge when teams conflate reputational ESG risks (e.g. accusations of greenwashing or poor community relations) with the growing body of regulatory obligations under the EU’s Corporate Sustainability Due Diligence Directive (CSDDD). From July 2024, companies in scope must prevent and mitigate human‑rights and environmental harm in their value chains, or face penalties of up to 5 per cent of global turnover. Investigators must also grasp disclosure materiality under CSRD in the EU or the UK’s climate disclosure frameworks.

Soft skills also matter: ESG allegations often involve emotionally charged issues, with broken community trust, worker welfare or supplier mistreatment. Empathy, cultural literacy and an unbiased stance are essential. Investigators in one FTSE 100 firm reported training in diversity awareness and stakeholder interviewing techniques, recognising that ESG claims often involve vulnerable voices and multilayered power dynamics.

Current practice: Leading organisations now incorporate ESG breach scenarios into compliance training modules, simulating cases of greenwashing or forced‑labour allegations. Some are piloting cross‑training: compliance or legal teams spend time with sustainability or procurement colleagues to understand supplier risk factors and emissions data. This helps build a shared investigative language.

Regulatory pressure is also picking up. Under the EU’s CSDDD, firms will need to demonstrate they are proactively detecting and addressing ESG harms, placing investigative competence centre stage. Meanwhile in the UK, heightened shareholder activism and NGO scrutiny mean ESG readiness is no longer optional. Building real capability consistently over a period of time is more important than ticking compliance boxes.

Challenge | Have you mapped your investigation team’s ESG learning needs?

Expertise: Are the Right People Around the Table?

Modern ESG breaches demand more than traditional legal or HR investigators; they require cross‑functional, multidisciplinary expertise.

Most internal investigation teams are designed around financial misconduct or personnel issues. They often lack expertise in environmental science, human rights law, supply‑chain transparency or sustainability metrics. That blind spot can be critical, especially under evolving regulations like the CSDDD, which requires companies to map, assess and mitigate ethical risks throughout their supply chains.

Progressive approaches are emerging. In the UK and EU, some firms now assemble dedicated “ESG response squads” combining compliance, legal, sustainability, procurement and occasionally HR, backed by external ESG-forensics consultants. For example, KPMG’s Forensic ESG Integrity service blends forensic, human‑rights and environmental advisory to investigate allegations of greenwashing or sustainability fraud. This ensures the team understands technical data, including emissions metrics, traceability records and supplier audits, and can interpret them credibly.

Expect growing investor pressure for independence and credibility. Firms relying solely on internal voices may face reputational blind spots and scepticism about impartiality. Investors increasingly evaluate how investigation teams are structured and whether external, independent expertise has been consulted.

A practical tool: Develop an Investigation Capability Matrix mapping existing skills (e.g. legal, compliance, procurement, sustainability or scientific expertise) against gaps, such as environmental risk assessment or human-rights expertise. Those gaps signal where external advisors or cross-functional collaboration is essential.

Challenge | Would your organisation’s current investigation team be credible in the eyes of regulators, media or investors during an ESG-related probe?

Action, Not Assumptions

Internal ESG investigations are no longer just procedural checklists; they’re a true measure of your organisation’s commitment to ethics, compliance and reputational resilience. With increasing regulatory scrutiny and stakeholder expectations, readiness is essential. So, how prepared are you? Don’t wait for a breach to test your systems. Start asking the right questions now. Identify risks, strengthen internal reporting and embed accountability into your culture. ESG integrity isn’t optional; it’s a strategic imperative. Act before you’re forced to react.

And what about you…?

  • Do you and your leadership team fully understand the ESG risks most relevant to your sector and how to respond to them?
  • Have you ever reviewed or tested your organisation’s investigation protocols in a realistic scenario or simulation? If not, why?