21st April 2026

ESG Strategy: A Practical Guide for Enterprise Leaders

Most organizations have a corporate ESG strategy. The majority of their ESG exposure sits somewhere that strategy has not yet reached.

Scope 3 emissions account for approximately three-quarters of a company’s total greenhouse-gas footprint. The human rights risks, forced labor liabilities, and ethics violations that regulators are actively legislating against are concentrated in the same place, across supplier relationships, geographies, and categories that most corporate ESG frameworks have never meaningfully governed.

This article sets out what a defensible, investor-grade ESG strategy requires in 2026, and the procurement infrastructure that makes it possible.

What is an ESG strategy?

An ESG strategy is an organization’s structured approach to identifying, measuring, and managing its environmental, social, and governance risks and impacts.

It is an operating model with explicit choices about:

  1. what the organization will measure,
  2. how it will make sourcing and supplier decisions based on ESG performance, 
  3. and how it will enforce and improve performance across suppliers and categories. 

ISO 20400 frames this as integrating sustainability into procurement (across policy, strategy, and processes) rather than treating it as a parallel initiative.

Supply chain emissions are typically the hardest to influence because data and levers sit outside the organization’s four walls. Programs must therefore be built around supplier engagement and capability building. 

According to the 2026 EcoVadis and Accenture Sustainable Procurement Barometer, only 15% of procurement teams consider themselves advanced in integrating sustainability into procurement processes, while 41% describe their efforts as still developing. 

ESG risk and operational risk are converging in the same place, i.e., the supply chain. The practical implication for a CPO-led ESG strategy is that supplier ESG becomes a decisioning variable.

An ESG strategy that exists at the corporate level but lacks execution infrastructure at the supplier level is, by the standards regulators and investors now apply, incomplete.

Why most ESG strategies fail at the supply chain level 

Regulators and investors are no longer evaluating whether an organization has an ESG strategy. They are evaluating whether that strategy has reached the supply chain and whether the evidence to prove it exists.

For most organizations, the answer to both questions exposes the same set of structural gaps:

  • Strategy exists at the corporate level; execution gaps emerge at the supplier level: The sustainability team sets commitments. Procurement inherits the obligation to deliver them without the data infrastructure, supplier leverage, or workflow integration to do so.
  • Policies without outcomes: Most organizations have supplier codes of conduct. Few have documented evidence that those codes produced remediation, closure, or improvement. Regulators are now testing precisely that gap.
  • Coverage concentrated in tier one: Exposure sits in tier two, three, and beyond. Most supplier ESG programs stop at tier one, where risk is most visible but often least severe.
  • Point-in-time audits instead of continuous management systems: A supplier that passes an audit in January can fail in June. Due diligence frameworks now require ongoing monitoring, not periodic snapshots.

The pillars of a robust ESG strategy 

For procurement-led ESG, “strategy” is most usefully defined by five procurement-native elements, each of which can be observed and audited:

[Figure: Procurement-Led ESG Strategy Roadmap]

Materiality begins with supplier segmentation

Materiality, in procurement terms, means translating corporate ESG priorities into the specific categories, geographies, and supplier segments that drive the majority of risk and impact. The exercise determines where assessment resources are concentrated, which suppliers face enhanced due diligence, and which categories carry regulatory exposure that procurement must actively manage.

A procurement-grade materiality assessment combines spend and revenue impact, inherent ESG risk by country and sector, and regulatory exposure by commodity and geography. Organizations that rely on headcount coverage, assessing the largest number of suppliers rather than the highest-risk spend, find that programs look strong by volume and remain structurally exposed by value.

Due diligence is a management system

Due diligence frameworks (OECD, CSDDD, LkSG) describe due diligence as a continuous cycle: identify, assess, act, track, communicate. Operationalizing that cycle requires contractual rights to request evidence at any point, defined escalation paths, and documented remediation expectations for severe findings.

Regulators are now testing for this distinction explicitly. CSDDD requires companies to identify and address adverse impacts. Evidence of action, closure, and improvement is what separates a due diligence program from a due diligence record.

Supply chain emissions account for approximately three-quarters of a company’s total greenhouse-gas footprint. That is where the material exposure lives.

Supplier improvement is where procurement ESG value is created

Screening suppliers at onboarding establishes a baseline. The procurement value and the regulatory expectation are in what happens after. That requires a performance improvement infrastructure, which includes supplier scorecards, corrective action tracking, closure metrics, and engagement programs that build supplier capability over time.

Improvement trajectories are more defensible than point-in-time scores. Procurement’s ESG value comes from shifting suppliers over time. Disengagement is sometimes necessary. Improvement at scale is the objective.

Assurance-ready data governance is a procurement obligation

Sustainability reporting under CSRD and ISSB-aligned frameworks is moving toward external assurance. Supplier data collected for internal management purposes will increasingly need to meet the standards of an external audit.

Most procurement functions are not structured for this. Supplier data is decentralized, inconsistently captured, and built for category management rather than external scrutiny. Organizations that build assurance-ready data governance ahead of that requirement will be better positioned when investors, regulators, and auditors ask for it simultaneously.

Metrics that turn ESG strategy into procurement execution

A procurement-grade ESG strategy is measurable through a small number of metrics that link directly to procurement levers. The benchmarks below reflect where standards, climate guidance, and procurement research converge.

Coverage and segmentation

Coverage is the first leading indicator of program credibility. Organizations increasingly scale coverage through standardized supplier assessments rather than bespoke questionnaires, a model reflected in how enterprise procurement programs operate at scale across thousands of suppliers.

The metrics that matter:

  • Percentage of addressable spend assessed and rated
  • Percentage of high-risk suppliers assessed by geography and category
  • Supply chain mapping depth to tier two, three, and four
  • Percentage of tenders embedding ESG criteria
  • Percentage of suppliers meeting minimum ESG requirements at onboarding
  • Percentage of contracts with ESG clauses and audit rights

ISO 20400 explicitly positions procurement policy and process integration, not parallel sustainability workflows, as the objective.

Coverage by headcount is the least meaningful measure. A program that has assessed 80 percent of suppliers by count but 30 percent by spend, concentrated in low-risk categories, will not satisfy the risk-based logic embedded in CSDDD and ISSB-aligned reporting frameworks.

Supplier improvement and corrective action

Risk identification without remediation is a liability register. The metrics that demonstrate an active management system:

  • Corrective action closure rate
  • Cycle time by severity
  • Recurrence rate of key findings
  • Ratio of corrective actions opened to closed within defined timeframes

Continuous due diligence requires not just identification but mitigation and follow-up. Improvement trajectories across assessment cycles are equally material. A supplier showing measurable progress between a first and second assessment represents a more defensible program outcome than one that passed a one-off screen and has not been revisited.

Scope 3 and climate activation

McKinsey notes that differentiating emissions data by supplier matters. Upstream Scope 3 can often be reduced by choosing lower-carbon materials and suppliers, including cases where equivalent supplies carry materially lower emissions intensity. The procurement-specific climate metrics:

  • Percentage of Scope 3 Category 1 emissions covered by primary supplier-reported data
  • Percentage of strategic suppliers committed to science-based targets
  • Supplier participation rate in emissions reporting programs
  • Percentage of suppliers providing product-level carbon footprint data

SBTi guidance makes engagement measurable and time-bound. Suppliers are expected to set aligned Scope 1 and 2 targets, include Scope 3 targets where Scope 3 exceeds 40 percent of total emissions, and report progress annually. McKinsey describes dual-mission sourcing, procurement decisions that optimize cost and carbon simultaneously, as an emerging standard in some value chains.

Estimated Scope 3 figures are acceptable as a starting point. They are increasingly unacceptable as disclosed figures in investor-facing reports or assurance processes.

Assurance readiness

Due diligence is ongoing (unlike periodic audits) and includes mapping supply chains, assessing risk, implementing preventative measures, monitoring, and providing remedies. The metrics that risk and compliance functions require:

  • Percentage of suppliers completing required disclosures within defined timeframes
  • Time-to-complete and response quality on due diligence requests
  • Escalation rates and incident detection response times
  • Supplier status changes following adverse findings

Process-level indicators complete the picture:

  • Evidence traceability and documented decision logs
  • Consistent supplier data capture across reporting cycles
  • Stable methodologies period-over-period
  • Controls documentation suitable for external assurance

Regulation and standards are reshaping supplier data expectations

Procurement ESG programs are being shaped by two linked forces: 

  1. Sustainability reporting that demands value-chain data
  2. Due diligence rules that demand risk-based processes and remediation.

The center of gravity for many multinationals is Europe, because EU rules propagate through supply chains even when suppliers are outside the EU.

Even when regulatory timelines shift, large customers still require suppliers to provide data and evidence. Procurement programs must be scalable, risk-based, and auditable.

EU sustainability reporting and due diligence

The European Commission states that the Corporate Sustainability Due Diligence Directive (Directive 2024/1760) entered into force on 25 July 2024 and aims to ensure that in-scope companies identify and address adverse human-rights and environmental impacts in their operations and across global value chains.

The EU’s corporate sustainability reporting pages indicate that the first companies subject to CSRD must apply the new rules for the 2024 financial year (for reports published in 2025).

A key “procurement takeaway” is that these regimes pull procurement into:

  1. supplier mapping
  2. supplier data collection
  3. monitoring
  4. documented follow‑up. 

Simplification and timeline uncertainty in Europe

Since 2025, the EU has also been pursuing simplification and timing adjustments. A European Commission proposal describes an “Omnibus” approach to amending CSRD/CSDDD dates, including postponing key CSRD reporting waves by two years.

As of late February 2026, reporting indicates that EU countries have approved further changes to narrow the scope and delay certain sustainability requirements (including raising thresholds for due diligence to the largest firms and extending deadlines), though some steps, such as formal entry into law and implementation mechanisms, depend on EU processes and publication. 

Even when timing shifts, large customers still require suppliers to provide data and evidence, so procurement teams should design programs that are scalable, risk-based, and auditable rather than built as one-off compliance “projects.”

Other due diligence regimes that matter to procurement programs

Several non‑EU regimes reinforce similar requirements around supply‑chain due diligence and supplier transparency:

  • Germany’s Supply Chain Act (LkSG) applies due diligence obligations along the supply chain; it initially applied to enterprises with at least 3,000 employees (since 2023) and expanded to those with at least 1,000 employees in Germany from 2024.
  • France’s 2017 duty of vigilance law requires large French companies (thresholds include 5,000 employees in France or 10,000 worldwide, directly or through subsidiaries) to develop, implement, and publish a vigilance plan designed to identify risks and prevent severe impacts related to human rights, health/safety, and the environment, including in supply chains.
  • Norway’s Transparency Act came into force in July 2022 and is intended to address human rights and decent working conditions linked to the production of goods/services in Norway and supply chains globally (with due diligence expectations linked to OECD approaches).
  • In the US, supply-chain emissions disclosure pressure is also rising at the state level. Analysis of California SB 253/SB 261 litigation in early 2026 indicates SB 261 enforcement has been stayed pending appeal, while SB 253 remains in effect, shaping expectations for Scope 1–3 emissions disclosure readiness and supplier data collection.
  • Separately, the EU Deforestation Regulation’s implementation timeline now points to application from 30 December 2026 for large/medium operators and 30 June 2027 for micro/small operators, reinforcing traceability and due diligence requirements for specific commodities in procurement and trade compliance.

[Figure: The Regulatory Landscape Shaping Supplier Data Expectations]

How technology enables ESG strategy at scale

Strategy without infrastructure is a policy document. Thousands of suppliers across multiple geographies, risk categories, and regulatory regimes cannot be managed through bespoke questionnaires and periodic audits. 

Building continuous intelligence into how procurement operates day to day is what separates programs that identify risk from programs that manage it.

EcoVadis makes that possible at scale. Real-time risk mapping, structured supplier assessments, continuous external monitoring, and corrective action management are built into a single platform. It covers a network of more than 150,000 rated companies in 185 countries, organized around the same due diligence cycle that regulators now expect companies to evidence.
