Enterprise risk management as the natural starting point
Enterprise risk management is the most established and widely recognised of the three processes discussed here (enterprise risk management, human rights and environmental due diligence, and stakeholder engagement). It is embedded in governance structures, linked to board oversight, and designed to protect enterprise value. Financial materiality is its natural language.
Sustainability-related issues typically enter ERM when they are expected to affect earnings, assets, continuity, or licence to operate — through regulation, litigation, reputational damage, supply disruption, or strategic constraint. Some forms of impact materiality are recognised as well, but usually once escalation thresholds are crossed.
This is not a flaw. It reflects what ERM is designed to do.
What has changed in recent years is the speed at which certain impacts can translate into financial risk. Climate-related impacts are the most visible example. Physical disruption, regulatory response, litigation, and market shifts increasingly follow one another in compressed timeframes. Issues that once unfolded over decades can now materialise within a single planning cycle.
This does not mean that ERM has failed. It does mean that the distance between impact and financial exposure is shrinking — and that relying on financial materiality alone may surface issues later than organisations expect.
At the same time, enterprise risk management remains structurally weaker at picking up issues that are still emerging, dispersed across supply chains, or visible first to workers, communities, or local stakeholders rather than to headquarters.
Enterprise risk management is designed to assess risks to the organisation. It is not designed to systematically identify harm occurring outside the organisation before that harm creates exposure.
By the time certain sustainability issues register as enterprise risks, harm has often already occurred — and options for response may be narrower.
That gap is not a reason to abandon ERM. It is a reason to complement it.
Why adverse impacts surface late
Many social and environmental issues do not announce themselves as risks at the outset. They surface first as grievances, patterns, or tensions — among workers, within communities, or across tiers of the supply chain far removed from enterprise-level dashboards.
In high-risk sectors characterised by subcontracting, informal labour, or weak local enforcement, these signals are particularly easy to miss. Distance — organisational, contractual, and geographic — delays visibility.
Human rights and environmental impacts therefore tend to appear first where enterprise risk processes are least present.
Harm precedes materiality
Human rights and environmental due diligence focuses on identifying and addressing adverse impacts on people and the environment, regardless of whether those impacts are already financially material.
That distinction is not academic — it shapes when issues are seen and how much room organisations still have to respond.
Due diligence is designed to surface harm early, not to assess enterprise exposure. It asks a different question, from a different starting point, and often reveals issues long before they would qualify as enterprise risks.
Used properly, human rights and environmental due diligence (HREDD) does not replace enterprise risk management. It extends its field of vision — particularly in areas where ERM is structurally blind.
This is where many governance discussions quietly go wrong.
Human rights and environmental due diligence: a different lens
Human rights and environmental due diligence is concerned with preventing and mitigating adverse impacts. It is not a tool for identifying positive contribution or opportunity, and it should not be stretched to become one.
That focus is deliberate. Due diligence exists precisely because harm can occur without immediately threatening enterprise value.
Due diligence draws much of its strength from proximity. Worker-voice mechanisms, grievance channels, and engagement with workers and communities deeper in the supply chain are often the first places where problems become visible.
This is especially true in high-risk sectors. In those contexts, worker voice can reveal patterns of concern long before they escalate into reputational crises or regulatory exposure.
These insights rarely fit neatly into risk registers. That does not make them less important. It makes the question of connection more pressing.
Positive non-financial impacts — and why they still matter
Neither enterprise risk management nor due diligence is designed to systematically identify positive non-financial impacts. Yet such impacts can influence how organisations are perceived — by employees, communities, customers, and other stakeholders — and over time shape reputation, brand strength, and trust.
Positive non-financial impacts do not cancel out harm, nor do they justify inaction. But they can signal where relationships are stabilising, expectations are being met more consistently, or organisational behaviour is being experienced differently on the ground.
These signals tend to emerge through broader forms of engagement: employee surveys, structured community dialogue, consumer panels, and other stakeholder processes that sit outside formal risk and due-diligence systems.
These mechanisms do not prove success. They provide orientation.
Holding different signals together
At this point, organisations usually feel they have plenty of information — but little clarity about what to do with it.
Enterprise risk management highlights issues once they begin to threaten enterprise value. Human rights and environmental due diligence surfaces adverse impacts that require prevention or mitigation, often before they are financially visible. Broader stakeholder engagement reveals non-financial signals about trust, perception, and lived experience.
Individually, each perspective is useful. Together, they raise a more difficult question: how should organisations decide which signals warrant attention, escalation, or action?
That question cannot be answered by any one process alone. It requires a way of looking across risk, impact, and perception without collapsing them into a single hierarchy.
This is where a double materiality lens becomes relevant.
Double materiality as a connecting lens
Double materiality is often misunderstood as an attempt to merge sustainability and risk processes into a single framework. In practice, that is neither realistic nor desirable.
Enterprise risk management, human rights and environmental due diligence, and stakeholder engagement exist for different reasons. They serve different purposes, operate under different requirements, and respond to different accountability structures.
Double materiality does not replace these processes. It provides a way of holding their insights together.
A double materiality lens considers both how sustainability issues affect the organisation financially (outside-in) and how the organisation affects people and the environment (inside-out), without forcing one perspective to dominate the other.
Used this way, double materiality does not decide outcomes. It changes the quality of the conversation.
It helps prioritise adverse impacts identified through due diligence by considering their scale, severity, and likelihood of escalation. It helps assess which emerging risks identified through ERM warrant deeper scrutiny because of their societal or environmental implications. And it creates space to reflect on non-financial signals that may shape reputation and resilience over time.
This does not require shared tools or uniform processes. It requires clarity about how insights travel, when they are reviewed together, and who is responsible for acting on them.
Where connection breaks down
When organisations struggle to connect enterprise risk management, due diligence, and stakeholder insights, the cause is rarely methodological. Frameworks exist. Tools are available. Guidance is abundant.
What is missing, more often, is governance.
These processes are typically owned by different functions, operate on different cycles, and speak different languages. Enterprise risk management prioritises aggregation and comparability. Due diligence produces context-specific findings. Stakeholder engagement generates qualitative signals that resist standardisation.
Without clear decisions about ownership and escalation, insights remain where they originate.
Adverse impacts identified through due diligence may never reach enterprise risk discussions. Positive signals emerging from engagement may be acknowledged, but not connected to reputational exposure or strategic positioning. Double materiality assessments, where they exist, may crystallise insights into reports — without clarifying responsibility.
The issue is not a lack of information. It is a lack of clarity about who is expected to act, and when.
Making connection work in practice
The aim is not to design a single, integrated super-process. Each system exists for a reason. Enterprise risk management, due diligence, and stakeholder engagement serve different purposes, operate under different constraints, and answer to different audiences.
What matters is alignment — ensuring that insights move between them deliberately, and that nothing falls between the cracks.
The organisations that make this work focus first on feedback loops, not frameworks.
Adverse impacts identified through due diligence need a clear route into enterprise risk discussions when patterns emerge or escalation thresholds are crossed. Signals from employee or stakeholder engagement should be revisited to assess whether they point to stabilisation, deterioration, or shifting expectations. Assumptions embedded in risk registers should be tested periodically against what is being seen on the ground.
None of this requires new tools. It requires agreement on when insights are fed back — and where.
A second, practical step is aligning review moments, even if processes remain separate. Risk reviews, due diligence updates, and materiality judgements often run on different timelines. Bringing them into conversation once or twice a year — even informally — can materially improve coherence.
Friction often comes not from disagreement, but from language. What one team calls a “risk,” another may describe as an “impact.” What is considered “material” in one process may mean something else in another. These differences do not need to be resolved, but they do need to be understood.
Finally, connection only works when responsibility is clear. Insights that circulate without an owner rarely lead to action. Whether an issue originates in due diligence, risk management, or stakeholder engagement, there must be clarity about who interprets it, who decides on escalation, and who follows through.
This is a governance choice, not a technical one — and often the most consequential.
Final thought
Making enterprise risk management, human rights and environmental due diligence, and stakeholder engagement work together does not require added complexity. It requires attentiveness.
Attentiveness to where signals emerge. To how they move across the organisation. And to whether they are revisited when conditions change.
Where feedback loops exist, review cycles are aligned, and ownership is clear, these processes begin to reinforce one another. Blind spots shrink. Fewer issues come as surprises. And decisions are made with a fuller view of what is at stake.
In that context, double materiality does not impose structure or force convergence. It provides orientation — a way for boards and senior leaders to hold risk, harm, and perception in view at the same time, without losing the distinct meaning of each.
That orientation shapes what gets discussed, what gets escalated, and what gets acted on before pressure makes the choice unavoidable.
This is what makes the difference in practice.
Not sophistication, but coherence.