ESG RISK RATINGS
ESG Risk Ratings Are a Matter of Methodology, Not Marketing
Dag A.D. Messelt
ESG Risk Ratings Are a Matter of Methodology, Not Marketing
On 2 July 2026, the EU’s new rules governing ESG ratings began to apply.
The objective of Regulation (EU) 2024/3005 is to improve the transparency, integrity, comparability, reliability and governance of ESG rating activities. ESG rating providers operating in the EU will be subject to regulatory requirements, including requirements concerning authorisation, organisational governance, conflicts of interest and transparency regarding their methodologies.
This is a welcome development.
For too long, the market has accepted that fundamentally different products can be sold under the same label: “ESG rating”.
In many cases, these products are also presented, explicitly or implicitly, as suitable for assessing ESG risk.
They are not necessarily the same thing.
An ESG rating is not automatically an ESG risk rating
Providers of fundamental ESG risk ratings, including Morningstar Sustainalytics, MSCI and sustainAX, base their assessments on an analytical methodology. This typically involves identifying material ESG risk factors, assessing a company’s actual exposure to those risks and evaluating how effectively the company manages them.
A fundamental ESG risk rating should express the level of ESG risk that remains after the company’s risk management has been considered.
Other providers primarily collect and standardise reported ESG information. They may combine binary datapoints, numerical company disclosures and selected external datasets in a weighted model that produces a score.
Such information can be useful.
It may constitute valuable raw data. It may be a disclosure score. It may be a datapoint-based ESG score.
But it is not necessarily a fundamental assessment of absolute ESG risk.
The market understands the difference, but does not always act on it
Professional ESG risk analysts and many Nordic asset managers recognise this distinction immediately.
There is, however, a commercial reality in the market. Less expensive data products are sometimes purchased and used as though they were ESG risk assessments, even when they do not provide the analysis required for an investment or credit decision.
A large quantity of data does not automatically create a risk assessment.
A complex scoring model does not automatically constitute an analytical methodology.
A score based on what a company has chosen to disclose does not necessarily reveal the risks to which the company is actually exposed.
This distinction matters whenever an ESG rating is used to support capital allocation, credit approval, risk pricing, portfolio construction or engagement priorities.
What should an ESG risk rating tell you?
A genuine ESG risk rating must address a different set of questions:
What is the company’s actual exposure to material ESG risks?
The analysis must identify the risks arising from the company’s business model, operations, products, geographical exposure and value chain. It cannot be limited to the indicators the company has chosen to report.
How effectively does the company manage those risks?
Policies and disclosures are relevant, but they are not sufficient. The analysis must consider governance, programmes, controls, implementation, targets, performance and evidence of outcomes.
How much unmanaged risk remains?
The central question is not simply whether a policy exists. It is whether the company’s management of the risk is adequate relative to the severity and probability of its exposure.
Which ESG risks could have a financial effect?
A risk assessment must connect environmental, social and governance factors to potential operational, financial, legal, regulatory and reputational consequences.
What is the company’s absolute level of ESG risk?
A company should not receive a favourable risk assessment merely because it reports more information than its peers, or because other companies in the same industry perform poorly.
The assessment must determine the company’s actual residual risk, not simply its relative position within a peer group.
Methodology is therefore decisive
The new EU regulation will not make all ESG ratings identical.
Nor is that its purpose. The regulation does not prescribe a single harmonised rating methodology. Providers remain free to use different analytical approaches, but they must be more transparent about the characteristics, assumptions, limitations and methodologies underlying their ratings.
This is important because methodological differences are not minor technical details. They determine what a rating actually measures.
The new rules should make it more difficult to conceal a weak methodology, or an incorrectly promoted product characteristic, behind a strong brand, an impressive volume of data or an unnecessarily complicated model description.
Investors and lenders should therefore read ESG rating methodologies carefully.
Particular caution may be warranted when a methodology is described in highly technical language but does not clearly explain:
which risks are assessed;
how materiality is determined;
how company-specific exposure is evaluated;
how risk management is assessed;
how residual risk is calculated;
whether the result represents absolute or relative risk; and
how the analysis supports the final rating.
Ask the simple question
The essential question is straightforward:
Is this a fundamental ESG risk assessment, or a mechanical scoring of reported datapoints?
Both products may have a legitimate purpose.
But they do not serve the same purpose.
When an important investment or credit decision is based on an ESG risk rating, the product must be capable of measuring ESG risk. It should also be possible to read the complete company-specific ESG risk analysis supporting the rating.
Is there no underlying ESG risk analysis?
Then you have your answer.
sustainAX clients can access and download our complete company-specific ESG risk analyses through Bloomberg.

Questions about coverage or methodology?

