Demystifying ESG Ratings: Understanding Factors, Calculation, and Providers

An ESG rating is a measure of a company's performance and impact in key areas related to sustainability and ethical business practices. It evaluates how well a company manages its environmental impact, interacts with society, and governs itself.

The Environmental aspect assesses a company's efforts and performance in areas such as carbon emissions, energy efficiency, waste management, and resource usage. This includes evaluating initiatives to mitigate climate change, reduce pollution, and promote sustainable practices throughout the supply chain.

The Social dimension focuses on how a company interacts with various stakeholders, including employees, customers, communities, and suppliers. It examines factors such as data privacy, labor practices, diversity and inclusion, human rights, product safety, community engagement, and philanthropy. Companies with strong social performance have excellent data governance programs, prioritize fair labor practices, maintain safe working conditions, support diversity and equality, and actively engage with their communities.

The Governance component evaluates the quality of a company's leadership, management structures, and internal controls. It assesses aspects such as board diversity, executive compensation, shareholder rights, transparency in financial reporting, and adherence to ethical standards and legal requirements. A strong governance framework ensures accountability, integrity, and effective oversight, which are essential for sustainable long-term performance and investor confidence.

How Are ESG Scores Calculated?

An environmental, social, and governance (ESG) rating works much like a credit score. It’s typically a percentage (out of 100), with a rating of less than 50% considered weak and over 70% considered strong.

ESG scores are derived through a multifaceted process that involves analyzing a wide range of quantitative and qualitative data points related to environmental, social, and governance performance. Quantitative data might include metrics such as greenhouse gas emissions, diversity ratios, board composition, and regulatory compliance records. These quantitative metrics provide a basis for objective comparison and benchmarking across companies.

Additionally, qualitative assessments play a crucial role in ESG score calculations. These assessments involve analyzing company policies, practices, and disclosures related to sustainability and ethical business conduct. This qualitative analysis may include evaluating the robustness of environmental management systems, the effectiveness of social impact initiatives, and the transparency of governance practices.

Furthermore, ESG scoring methodologies often take into account industry-specific considerations and emerging trends. For instance, companies operating in heavily regulated industries such as energy or finance may be evaluated based on sector-specific ESG criteria and regulatory compliance. Similarly, emerging issues such as climate change resilience, supply chain transparency, and data privacy may receive heightened attention in ESG assessments.

Overall, ESG scores are calculated using a rigorous and comprehensive approach that integrates both quantitative and qualitative data to provide investors and stakeholders with a holistic assessment of a company's sustainability and ethical performance. These scores serve as valuable tools for decision-making, enabling investors to allocate capital to companies that align with their ESG objectives and promoting transparency and accountability in corporate practices.

Who Determines an ESG Score? (Who calculates and provides ESG scores?)

These scores are generated by ESG rating companies that businesses can apply to, with some of the top ESG rating providers being Bloomberg ESG, Sustainalytics, and FTSE Russell. Analysts will evaluate a business, conduct management interviews, and assess publicly available information in order to generate a rating of the business’s performance on environmental, social, and governance issues.

However, it’s important to note that ESG rating methodology isn’t standardized for the time being. There are over 600 ESG rating providers worldwide and the score awarded to a business will be different from agency to agency, with Deloitte reseach in the image below showing the different approaches taken by some of the biggest players. Investors usually also refer to multiple sources before making a decision, meaning that companies can make their ESG rating more reliable as a way to attract investment by building their score with several providers.

Data protection and privacy compliance can nevertheless be powerful influences on a company's ESG rating. The wider public is acutely aware of the dangers posed by the misuse, malpractice, and mismanagement of data. As such, data leaks and theft will create bad capital news and negative stock price growth, while the opposite can drive up value.

However, it’s important to note that this rating will be a reflection of how well a business is meeting broader legal obligations. Data protection and privacy compliance are already codified into a global framework of national and regional legislation designed to protect consumer data rights, with ePrivacy and GDPR the most famous examples. And by adhering to these internal data protection requirements, businesses are better able to mitigate internal and external risks to data.

ESG assessors will want to see evidence that the business is meeting these standards. They’ll assess whether the organization understands its data governance practices, safeguards financial and consumer data, and works to foster transparency with internal and external stakeholders. 

In practice, meeting ESG criteria hinges on the implementation of a data governance program that outlines the policies and processes around the management and security of any personal information held by the company. This program requires a data map, and also needs to detail the systems and processes that ensure that data management is transparent, information is accessible by data subjects, and that it is secured from risk.

Data Mapping.

The first stage in developing a data governance program involves creating a data inventory, which collects information on the types of information collected by a business, storage locations, and how this data is used. A data inventory is also known as data mapping, since it also involves identifying every data point of entry, and mapping out how this information flows through the organization and who has access to it.

This process encompasses the entire data lifecycle, including data collection, storage, usage, sharing, and disposal. Moreover, data mapping plays a critical role in conducting risk assessments to identify potential vulnerabilities or exposures related to data handling, thus assisting in mitigating risks associated with data security, privacy, and compliance.

Additionally, data mapping facilitates the assessment and improvement of data quality by identifying redundancies, inconsistencies, or inaccuracies in data sources and processes. By involving various stakeholders, such as IT teams, business units, legal and compliance teams, and data owners, the data mapping process ensures a comprehensive understanding of data assets and requirements.

Furthermore, documenting the data mapping process and its outcomes establishes a foundation for ongoing data governance efforts, serving as a reference for implementing data policies, procedures, and controls aligned with regulatory requirements and organizational objectives. This documentation is essential for maintaining data integrity, compliance, and accountability throughout the organization's data management practices.

Data Transparency.

Any business with a digital presence will hold consumer data, and privacy compliance means having transparent data management policies. Most jurisdictions also mandate the provision of a clear and easily-accessible privacy notice in plain English, which works to underline the business’s commitment to keeping internet users informed about the collection, storage, usage, and retention of their personal information.

Moreover, transparency in the event of a data breach is essential. Regulations such as GDPR require businesses to promptly notify affected individuals and relevant authorities about breaches that may impact their personal data. This transparency demonstrates accountability and helps affected individuals take necessary actions to mitigate risks. 

Additionally, businesses should regularly review and update their privacy policies to reflect changes in data handling practices, regulatory requirements, and evolving consumer expectations. Transparent communication about policy updates ensures that consumers are informed about any changes that may affect their privacy rights.

Data Access.

Businesses need to honor the consumer data access rights that are enshrined in data privacy regulations. This includes having processes in place to promptly handle customer requests for accessing, amending, or deleting personal data. It also ensures compliance with regulatory requirements, such as GDPR's stipulation that organizations respond to  data subject access requests within a specified timeframe.

Robust verification procedures are also essential to authenticate the identity of individuals making data access requests. Verifying the identity of requestors helps prevent unauthorized access to personal data and safeguards against potential fraudulent activities. 

Furthermore, clear communication and transparency throughout the data access process are paramount. Businesses should provide individuals with clear guidance on how to submit data access requests, what information is required, and what they can expect in terms of response times and outcomes. Transparent communication builds trust and enhances the overall customer experience.

Lastly, maintaining proper documentation of data access requests and responses is critical. Keeping records of data access activities helps demonstrate compliance with regulatory requirements and provides a trail of accountability in case of audits or investigations. By ensuring adherence to these practices, businesses not only fulfill their legal obligations but also reinforce their commitment to protecting consumer data rights and promoting trust and transparency in their operations.

Data Security.

Businesses also need to showcase their dedication to consumer data security, which involves having systems in place to identify and minimize risk (and enhance their ESG risk score). This includes internal issues, as well as any data sharing with third parties and how businesses evaluate the security of these vendors. 

Moreover, it's imperative for businesses to implement robust data encryption and protection measures to safeguard sensitive consumer information. Encryption technologies help prevent unauthorized access to data by encrypting it during transmission and storage, thereby reducing the risk of data breaches and unauthorized disclosures.

In addition to encryption and protection measures, businesses must establish access control mechanisms and continuous monitoring systems to restrict access to sensitive data only to authorized personnel and detect any unauthorized access attempts or suspicious activities promptly. Access control helps mitigate the risk of insider threats and unauthorized data access. 

Furthermore, having comprehensive incident response and recovery plans in place is essential for effectively responding to and mitigating the impact of data security incidents or breaches. Predefined procedures for incident detection, containment, investigation, and recovery minimize disruption to business operations and mitigate potential damages to consumers and the organization's reputation.

Lastly, robust vendor risk management processes are crucial for evaluating the security practices of third-party vendors and service providers with whom businesses share data. Assessing vendors' security controls, contractual obligations, and compliance with relevant regulations ensures the protection of consumer data throughout the data lifecycle. By adhering to these practices, businesses not only fulfill their legal obligations but also reinforce their commitment to protecting consumer data rights and promoting trust and transparency in their operations.

Website analytics tools are essential for digital success, providing businesses with the guidance they need to optimize their online presence and drive success. However, most options complicate data protection, management, and privacy compliance processes, making it harder for organizations to meet ESG standards and qualify for investment.

By contrast, TWIPLA is a privacy-first website intelligence platform and these characteristics enable businesses to monitor website performance metrics, analyze visitor behavior, and track digital channel traffic delivery without burdening themselves with additional data management responsibilities.

All-in-One Website Intelligence.

TWIPLA is a website intelligence solution with a comprehensive toolkit of web analytics features:

• Complete website statistics: these enable businesses to track every performance KPI metric, to compare data historically, and to monitor website performance in real time.
• Behavior analytics tools: heatmaps, session recordings, conversion funnels, and event tracking simplify complex data and allow users to intuitive understand how visitors are interacting with their website.
• Visitor communication features: in-page polls and dedicated URL surveys enable businesses to directly communicate with their audience, to confirm insights pulled from other tools, and to collect the community feedback that is vital for effective growth.

Crucially for ESG qualification, this wide range of features removes the need to adopt multiple website integrations simultaneously. This streamlines data inventories by limiting the number of third-party integrations that have access to data, while also removing data silos and enabling businesses to get more insights out of their data.

Privacy-Compliant Analytics.

TWIPLA uses cookieless tracking technology to collect visitor data, something that enhances the reliability of our toolkit in a world where cookie-based technology is becoming increasingly ineffective. And while the platform has four data privacy modes, businesses interested in ESG investment should use our default Maximum Privacy Mode.

This enables them to leverage web analytics in compliance with all global data standards, including EU ePrivacy and GDPR - laws that form the strictest data privacy framework in the world. It’s an ethical approach to the analytics needed to enhance digital strategies, and means that our users fulfil a key driver of ESG ratings.

Crucially for ESG applicants, TWIPLA's adherence to international data privacy requirements in this mode also means that businesses don’t need a consent banner to legitimately leverage insights. This has the additional advantage of removing an ugly distraction from site design and UX, but this privacy compliance also simplifies privacy policies and wider data management processes considerably.

Data Minimization.

Cookie consent is now declined by the vast majority of site visitors, and most browsers block them by default. And since our platform does not rely on these tracking files, TWIPLA collects five times more data than alternative analytics platforms that do, with obvious implications for the accuracy of insights that businesses base website development on.

However, it still respects the data minimization that streamlines data governance and facilitates ESG qualification. While TWIPLA is able to collect data on the 80% of internet users that are invisible to standard analytics tools, it collects considerably less data from individual website visitors than alternatives.

In Maximum Privacy Mode, TWIPLA doesn’t use fingerprinting, collect IP addresses, or record page histories. Only visitor locations are tracked, and the platform takes an approximate approach to tracking returning visitors and screen resolutions. This means that the platform doesn’t collect any personal data that will need to be managed closely to meet ESG standards.

And by aggregating what data is collected, the platform is able to identify trends and patterns from collective visitor behavior. This means that businesses can collect the insights they need to guide online strategies, while keeping website visitors secure and showcasing their dedication to sustainability and corporate responsibility.

Robust Data Security.

As privacy advocates, we’ve developed our infrastructure to give users complete control over their data. We don’t sell data or transfer it to third parties out of principle, and this security further cements the ESG credentials of our website intelligence solution. 

We also chose our data storage partner Hetzner because they share these values. Their server centers hold an ISO 27001 certification, recognition that they hold the highest data security level possible. They’re fully GDPR-compliant with cutting-edge encryption protocols and robust firewalls, and this provides our clients and their own customers with real protection from breaches and other security risks.

These servers run on hydropower - another factor in ESG ratings - and we use their data centers in Germany, a country with some of the most unyielding data security requirements in the world. This also means that data doesn’t leave the EU, distancing businesses from any potential legal issues that arise when transferring information outside of this trading bloc.