Supply chains need to pivot from ESG “risk maps” to “risk thresholds”

Whilst risk maps (heat maps, supplier scorecards and ratings, country risk analysis, etc.) do a great job identifying “high-risk suppliers,” they don’t answer new questions that boards are being forced to confront: How much revenue is at risk and what are we doing about it?

As ESG regulations reach deeper into supply chains and climate disruption intensifies, the limits of traditional risk mapping are becoming clearer. Many companies conduct supplier due diligence and code of conduct audits, monitor social media, and track corrective actions, but decision making often relies on judgement rather than quantified analysis of risk exposure and mitigation options. When weighing trade-offs (e.g., invest in supplier decarbonisation? relocate production? increase audit intensity? dual sourcing?), the discussion is often subjective.

Risk maps lack a financial lens, making it difficult to balance cost, resilience, and sustainability – requirements that continue to intensify. Investors and regulations are requiring companies to show how they identify, prioritise, and mitigate risk. Simultaneously, climate-related disruptions are no longer theoretical. Carbon pricing and CBAM are also introducing transition costs.

Companies need to understand risk exposure, the related financial magnitude, and which mitigation actions materially reduce risk.

The next step in supply chain management should be translating risk exposure into financial terms. In other words, it means moving from “supplier X is high risk” to “supplier X represents €480m of revenue exposure, with an estimated disruption probability of Y% under defined regulatory and climate scenarios.”

With these insights, companies can formulate actions that reduce revenue-at-risk, understand the cost of risk reduction, and understand which mitigation options keep the company on its emissions reduction pathway.

Some companies have already solved this problem. Many banks operate using clear carbon intensity or risk thresholds: below the threshold — eligible; above the threshold — escalate or decline. Supply chain governance can adopt similar logic, for example:

  • No more than X% revenue exposure to suppliers above a defined compliance risk threshold.
  • Mitigation actions must not increase carbon intensity.
  • Climate risk exposure above Y level triggers a diversification requirement.

These thresholds provide guardrails that keep decision-making simple, below which more sophisticated analysis is done. The benefit is defensible decisions: a structured approach that quantifies revenue exposure and ranks mitigations.

More importantly, it aligns sustainability with operational risk management. Risk maps now become the starting point for estimating the cost of ESG and climate risk and mitigation.

ESG risk mapping is not over, but as regulatory scrutiny and supply chain volatility increase, organisations will need to move from identifying risk to pricing it so capital allocation questions can be answered.

We recommend a three-phase approach: 

  1. Establish a financial baseline by quantifying revenue-at-risk under defined climate and regulatory scenarios.
  2. Define organisational risk thresholds, such as limits on exposure to high-risk suppliers or carbon-intensive mitigation options.
  3. Integrate these thresholds into business processes, including procurement, capital planning, and supply chain governance.

Deloitte can help organisations navigate this transformation by providing advanced risk quantification models, designing ESG-aligned governance frameworks, and integrating insights into existing procurement systems. With our proven methodologies, we enable companies to turn resilience from a reactive exercise into a strategic advantage—ensuring sustainability, compliance, and operational continuity go hand in hand.