
ESG due diligence checklist for investors and acquirers

Kieran Simpson. Updated 30 May 2026
ESG (environmental, social and governance) due diligence is no longer a soft reputation exercise. For investors and acquirers, it can reveal regulatory risk, weak controls, climate exposure, supply-chain problems, greenwashing risk and hidden costs. This checklist explains what to review before signing.

What ESG due diligence is trying to prove

ESG due diligence asks whether a company understands and manages material environmental, social and governance risks. It should not be a marketing review. It should test evidence, accountability and control quality.

A good process answers three questions: what are the material ESG risks, what evidence supports management's claims, and what could create value erosion after investment or acquisition?

1. Governance and accountability

Start with ownership. Who is responsible for ESG, climate, compliance, health and safety, workforce issues and supplier oversight? Is responsibility board-level, executive-level, operational, or scattered across departments?

Look for meeting minutes, policy approvals, risk registers, internal controls and evidence that issues are escalated. A company with polished ESG language but no owner, no review cycle and no board visibility is a risk.

2. Climate and carbon data

Review the company's carbon footprint, boundary, base year, emissions factors and Scope 3 approach. If the company has made climate claims, check whether the data supports them.

Important questions include: are Scope 1 and 2 emissions measured? Are material Scope 3 categories estimated? Are energy and fuel records available? Is the methodology consistent with the GHG (greenhouse gas) Protocol? Are reduction targets based on real operational changes?

3. Regulatory exposure

Check whether the company is exposed to CSRD (Corporate Sustainability Reporting Directive), UK sustainability disclosure, product regulation, modern slavery rules, environmental permits, packaging regulation, waste obligations, carbon pricing or sector-specific requirements.

The legal answer matters, but so does commercial exposure. A company may not be directly regulated yet still face customer data requests or contractual ESG requirements.

4. Supply chain and human rights

Supply-chain diligence should cover supplier concentration, high-risk geographies, labour standards, audit history, grievance mechanisms and whether the company has supplier codes or contract clauses.

Do not accept a supplier code as proof of control. Ask whether suppliers have signed it, whether audits happen, and what happens when problems are found.

5. Environmental claims and greenwashing risk

Review website claims, sales decks, product labels, carbon neutral statements, offset claims, recycled-content claims and sustainability reports. Claims should be specific, substantiated and not misleading.

In the UK, the Competition and Markets Authority's Green Claims Code is a useful reference. For regulated financial firms, the FCA (Financial Conduct Authority) anti-greenwashing rule is also relevant.

6. Workforce and safety

Review health and safety records, staff turnover, complaints, pay practices, diversity data, training, whistleblowing channels and workforce policies. Social risk is often where hidden operational issues appear first.

7. Data quality

Data quality can make or break ESG diligence. Look for source documents, owners, timestamps, version control and evidence that numbers have been checked. If the data exists only in a slide deck, treat it cautiously.

Red flags

  • No named owner for ESG data.
  • Climate claims without a carbon footprint.
  • Supplier policies with no evidence of implementation.
  • Old or inconsistent health and safety records.
  • Carbon neutral claims based only on unspecified offsets.
  • Major customer ESG requests handled manually each time.
  • Unclear regulatory ownership.

What a strong ESG data room contains

A strong data room includes policies, carbon calculations, energy data, supplier documents, workforce metrics, board papers, audit reports, permits, incident logs, claims evidence and a one-page index showing owner, date and status for each item.

For a deeper operational guide, read "ESG data room checklist: what evidence should you keep?"

Bottom line

ESG due diligence should test evidence, not slogans. The strongest targets have clear owners, reliable data, controlled policies, honest claims and a data room that proves how ESG risks are managed.

ESG due diligence FAQ

What is the first diligence request to make?

Ask for the ESG data room index, risk register, carbon footprint methodology and claims evidence. Those documents quickly show whether the company has a controlled process.

Is ESG diligence only for large acquisitions?

No. It is also useful for growth investment, lending, procurement, partnerships and supplier onboarding where climate, labour, governance or claims risk could affect value.

What is a major warning sign?

A major warning sign is a public ESG claim with no owner, no methodology and no supporting evidence. That can create legal, reputational and commercial risk.