Why a Risk-Based Framework
ESG ratings often diverge because providers measure different factors and compress environmental, social, and governance signals into a single score, leaving investors unsure how each rating was formed.
Sustainalytics, which is owned by Morningstar and now trades as Morningstar Sustainalytics, has taken a narrower position than most competitors on what ESG ratings should do. Its ESG Risk Ratings do not attempt to score a company's overall sustainability or ethical profile. They measure one specific thing: how much of a company's enterprise value is at risk from environmental, social, and governance factors that the company has not adequately managed. The framework was introduced in September 2018 and now covers more than 16,000 companies across public equity, fixed income, and private markets.
The methodology replaces the typical question of whether a company is good on ESG with a different one: how much unmanaged ESG risk could materially affect its value, and how that risk compares across companies in any industry.
The Core Concept: Unmanaged Risk
The rating rests on three measurements applied to each material ESG issue a company faces. Sustainalytics first estimates the company's exposure to that issue at the subindustry level, capturing how vulnerable the business is based on its operations, supply chain, and geography. It then assesses the portion of that exposure the company can realistically manage through policies, programmes, and operational practices. The remainder, the part the company has not addressed but could have, is treated as unmanaged risk. A separate category, unmanageable risk, captures exposure that is inherent to the industry and cannot be meaningfully reduced through company action. The carbon emissions of an oil producer are the standard example.
Adding up the unmanaged risk across every material issue produces the final score. The scale runs from 0 upward, and lower numbers are better. Scores map to five absolute risk categories: negligible (0 to 9.99), low (10 to 19.99), medium (20 to 29.99), high (30 to 39.99), and severe (40 and above). Because the categories are absolute rather than industry-relative, scores are comparable across sectors. An oil company and a software company can be placed on the same scale, even though the sources of their risk look nothing alike.
The rating framework covers more than 20 industry-specific material ESG issues, supported by over 200 indicators and more than 1,800 underlying data points. Corporate governance applies to every company in the universe, regardless of industry. Additional issues are switched on or off based on subindustry relevance.
How Material Issues Are Selected
A material ESG issue, in Sustainalytics' definition, is one where the presence or absence of disclosure is likely to meaningfully affect the enterprise value of a typical company in that subindustry. The test is financial rather than ethical. An issue makes it into a company's rating if it could plausibly move valuation, credit risk, or operating performance, not because it is socially important in the abstract.
Each issuer in a given subindustry starts with the same set of material issues. Analysts then adjust exposure based on company-specific factors, such as a mining operation sitting in a region of acute water stress, or a controversy that reveals a risk not initially classified as material at the subindustry level.
Controversies feed into the rating through the management score rather than the exposure score. Sustainalytics categorises controversy incidents on a five-point scale from Category 1 to Category 5, with Category 5 representing severe ESG impact. For Category 4 and 5 events, the research team engages directly with the issuer before finalising the assessment. The premise is that a serious controversy indicates that whatever policies and practices a company has on paper are not fully translating into operational outcomes, so the company's management score is discounted accordingly.
The Research Process
The ratings are analyst-driven rather than algorithmic. Sustainalytics employs more than 200 analysts with subject-matter expertise across more than 40 industries, and each company's rating is updated through an annual research cycle led by a dedicated analyst. Controversy research, by contrast, runs continuously. The firm monitors more than 60,000 news sources daily for incidents that could affect a company's controversy rating.
Analyst assessments pass through peer and manager review, automated exception checking, and change detection before publication. Rated companies also have direct access to analysts and can engage through a dedicated Issuer Relations team, particularly during the annual research cycle and when serious controversies arise. The process is designed to produce ratings that reflect both what a company discloses and what independent research can verify about how those disclosures translate into practice.
The May 2024 Methodology Update
In May 2024, Morningstar Sustainalytics rolled out a notable upgrade to the ESG Risk Ratings compared with earlier versions. The corporate governance framework was revised to be consistent with the rest of the material ESG issue structure. Three existing issues were strengthened: raw materials use, water, and data privacy and cybersecurity. The cybersecurity expansion acknowledged that information security had moved from a subsidiary governance concern to a first-order risk for a widening set of industries.
Henry Hofman, ESG Research Director for Corporate Governance at Morningstar Sustainalytics, pointed to recent real-world stress tests as context for the corporate governance update, citing voting structures at Meta, board independence questions at Tesla, and shareholder lawsuits at ExxonMobil as examples of the governance issues the revised methodology now addresses more directly. The changes were rolled out company by company as each rated issuer moved through its next scheduled review, with the full universe expected to complete the transition by September 2024.
Laura Lutton, who leads ESG Product Management at Morningstar Sustainalytics, described the update as a response to how ESG risks themselves have evolved since the ratings were introduced in 2018.
The Tesla Example
The limits of ESG ratings became a public debate in 2022 when Tesla was removed from the S&P 500 ESG Index. The removal prompted criticism from investors who assumed that an electric vehicle manufacturer would by default rank as an ESG leader.
Sustainalytics rates Tesla at medium risk, around 28.5, placing the company 42nd out of 83 firms in the automobile subindustry it tracks. The score reflects exposure the company has not fully managed across labour practices, product safety and regulatory scrutiny, and corporate governance features including executive compensation, a classified board structure, and supermajority provisions. Tesla illustrates that companies can sell low-carbon products yet still face ESG risks related to labour practices, product safety, and corporate governance. A green product line does not, by itself, offset weaknesses in how the broader business is run.
Criticisms the Framework Has Had to Address
ESG disclosure by companies remains inconsistent, and rating agencies inherit those gaps. Social metrics in particular often lack quantifiable data, and even environmental reporting varies widely by region and sector. Sustainalytics weights analyst research and controversy monitoring heavily enough that scores do not simply reproduce what companies choose to disclose. The firm also treats a lack of disclosure on a material issue as a possible signal of weak management rather than a neutral data gap.
Ratings diverge across providers, sometimes sharply. MSCI, S&P Global, and Sustainalytics can assign notably different scores to the same company because they weight issues differently and in some cases measure different things. MSCI historically compares a company to its industry peers, while Sustainalytics uses absolute risk scoring that is comparable across sectors. The firm's position is that investors should treat each rating as one input rather than a definitive judgement on a company.
Size and geography also influence scores. Research from IEEFA and others has found that larger companies, and firms based in jurisdictions with stronger disclosure regimes, tend to rate better. A renewables-focused firm in a smaller market can end up with a worse rating than an integrated energy company in Europe. Sustainalytics mitigates this by separating exposure from management and by using industry-specific material issues, but the underlying disclosure asymmetry is a structural feature of the rating market that no single provider can resolve alone.
Where the Framework Fits
The ESG Risk Ratings are now used across institutional investor workflows, including portfolio construction, manager selection, index inclusion, and sustainability-linked lending. Banks use them to calibrate pricing on sustainability-linked loans. Asset managers combine them with Morningstar's Economic Moat Rating and other fundamental metrics in integrated research strategies.
The methodology does not try to answer whether a company is doing enough for the environment or for society in absolute terms. It answers a narrower question about financial exposure to ESG factors that could affect valuation. The ratings are designed for financial risk analysis, so they may not match broader ethical questions investors also care about. The ratings are most useful when combined with other measures. Relying on them alone may lead to unexpected conclusions.
Subscribe to our newsletter for more insights, case studies, and ESG intelligence.
Keep abreast of the top ESG Events on OneStop ESG Events.
OneStop ESG Educate: Your go-to source for top ESG courses and training programs tailored to your needs.
Stay informed with the latest insights on OneStop ESG News.
Discover meaningful career opportunities on OneStop ESG Jobs.
.png%3Falt%3Dmedia%26token%3D910a4ea1-9886-4e46-a5c9-0b48aa7b96bf&w=1920&q=90)
.png%3Falt%3Dmedia%26token%3D3075f666-bce1-4367-9ee7-6782087e9f3e&w=1920&q=90)
.png%3Falt%3Dmedia%26token%3Ddf6c179e-0af8-476e-a02b-488a202395ea&w=1920&q=90)
