# ESG Due Diligence: Framework and Checklist

- url: https://www.tryplox.com/blog/esg-due-diligence
- date: 2026-07-01
- tags: Due Diligence, Data Rooms
- excerpt: ESG due diligence is the process of assessing a target company's environmental, social, and governance practices before an investment, acquisition, or financing closes. It sits alongside the financial

ESG due diligence is the process of assessing a target company's environmental, social, and governance practices before an investment, acquisition, or financing closes. It sits alongside the financial, legal, and commercial workstreams in a deal, but it answers a different question: not just "is this business sound today?" but "will its non-financial risks blow up the value of this deal in two, five, or ten years?" Carbon liabilities, labor practices, board independence, supply-chain exposure, data privacy, and corruption controls all live here. I have run this workstream from both sides of the table, and the pattern is always the same. The deals that go badly on ESG are rarely the ones where the issue was hidden. They are the ones where nobody looked.

This guide covers what ESG due diligence actually involves, who runs it and when, a step-by-step process you can follow, a checklist you can copy, the red flags that should slow a deal down, and how a well-organized [data room](/data-rooms) takes the friction out of it. If you want the broader picture first, start with our [due diligence](/blog/due-diligence-guide) overview and come back here for the ESG-specific layer.

## What ESG due diligence actually means

The three letters cover a lot of ground, so it helps to be concrete about what each one looks for.

**Environmental** is about the company's physical and regulatory footprint: emissions and energy use, water and waste, contaminated sites, permits, exposure to climate transition risk (carbon pricing, stranded assets), and physical risk (flood, drought, heat). For asset-heavy businesses this overlaps heavily with classic [environmental due diligence](/blog/environmental-due-diligence), which goes deep on site contamination and remediation liability.

**Social** covers how the company treats people: labor standards and working conditions, health and safety records, diversity and pay equity, treatment of customers, product safety, data protection, and the conditions inside its supply chain. Modern slavery and forced-labor exposure deep in a supplier network is one of the fastest-growing items here, and it connects directly to [supply chain due diligence](/blog/supply-chain-due-diligence).

**Governance** is about how decisions get made and controlled: board composition and independence, executive pay alignment, ownership structure, anti-bribery and anti-corruption controls, whistleblower processes, conflicts of interest, and the quality of internal reporting. Weak governance is often the leading indicator. If the controls are loose, the environmental and social problems tend to follow.

ESG due diligence is not the same as an ESG rating. A rating agency scores a company from the outside using public data. Diligence is an inside-out review where you get the actual permits, the actual incident logs, and the actual supplier list. The two can disagree sharply, and when they do, the diligence wins.

## Who runs it, and when

On the buy side, ESG diligence is usually owned by the deal team with support from specialists. Private equity funds with a formal responsible-investment policy often have a dedicated ESG lead; in M&A it may sit with the corporate development team and outside advisers. Either way it should run in parallel with the other workstreams, not bolted on at the end. Investors increasingly fold ESG into the standard package because their own limited partners and lenders demand it. If you are raising or selling, expect this scrutiny to be part of [private equity due diligence](/blog/private-equity-due-diligence) and most institutional [M&A due diligence](/blog/ma-due-diligence) from day one.

Timing matters. The honest answer is that ESG diligence works best when it starts early, ideally before exclusivity, because some findings (a contaminated site, a regulatory investigation, a pending forced-labor claim) can change the price or kill the deal entirely. Leaving it until the confirmatory stage means you discover deal-breakers after you have spent months and legal fees you cannot get back. I have watched a deal reprice in the final fortnight because an environmental liability surfaced late, and the buyer felt, fairly or not, that something had been hidden. Surface it early and you negotiate calmly. Surface it late and you negotiate under duress.

Founders on the sell side should run their own ESG review before they open the room. The point is not to hide problems. It is to know what a buyer will find before they find it, and to have the remediation plan or the explanation ready.

## A step-by-step ESG due diligence process

Here is the sequence I use. Adapt the depth to deal size, but keep the order.

1. **Scope and materiality.** Decide what actually matters for this target. A logistics company and a SaaS company have completely different ESG profiles. Use a recognized framework as a starting map (the SASB/ISSB industry standards and the GRI standards are the common references) but tailor it. Trying to assess everything equally wastes time on items that carry no real risk.

2. **Request and collect.** Send a tailored information request and collect the evidence into a structured data room. This is policies, permits, certifications, incident logs, audit reports, supplier lists, and any prior ESG assessments. A clean [due diligence data room checklist](/blog/due-diligence-data-room-checklist) keeps this from turning into an email scramble.

3. **Baseline review.** Read what you were given and benchmark it against the relevant standards and regulations. At this stage you are looking for completeness as much as content. A missing health-and-safety log is itself a finding.

4. **Deep-dive on material risks.** For the handful of items that genuinely move the needle, go further: site visits, specialist environmental surveys, supply-chain mapping, management interviews, and third-party background checks on key people.

5. **Quantify and rate.** Translate findings into something a deal model can use. Estimate remediation costs, potential fines, capital expenditure to meet incoming regulation, and the probability and severity of each risk. "Concerning" is not a number a deal committee can act on.

6. **Report and integrate.** Write it up so it feeds the deal. The output should flag deal-breakers, items for price adjustment, conditions to closing, and a post-close action list. The strongest ESG findings end up shaping the [post-merger integration checklist](/blog/post-merger-integration-checklist), not just the price.

The discipline that makes all of this work is the same discipline behind any good [virtual data room due diligence](/blog/virtual-data-room-due-diligence) process: one organized place for evidence, clear ownership of each request, and a written trail of what was asked and answered.

## The ESG due diligence checklist

Use this as a starting request list and trim it to what is material for the target. Not every line applies to every business.

| Pillar | Item | What to ask for |
|---|---|---|
| Environmental | Emissions and energy | GHG inventory (Scope 1, 2, and 3 where available), energy bills, reduction targets |
| Environmental | Permits and compliance | Current environmental permits, breach notices, regulator correspondence |
| Environmental | Contamination | Site assessments, remediation records, historical land use |
| Environmental | Climate risk | Physical risk exposure by site, transition risk and carbon-cost modeling |
| Environmental | Waste and water | Waste handling records, discharge permits, water usage data |
| Social | Labor and rights | Employment policies, union agreements, collective bargaining status |
| Social | Health and safety | Incident logs, lost-time injury rates, OSHA or equivalent records |
| Social | Diversity and pay | Workforce demographics, pay-equity analysis, grievance records |
| Social | Supply chain | Supplier list, code of conduct, audits, modern-slavery statements |
| Social | Data and privacy | Privacy policies, breach history, GDPR or local compliance evidence |
| Governance | Board and ownership | Board composition, independence, cap table, related-party deals |
| Governance | Anti-corruption | Anti-bribery policy, training records, third-party screening |
| Governance | Controls and reporting | Internal audit findings, whistleblower channel, prior ESG reports |
| Governance | Litigation | Pending or past ESG-related claims, fines, investigations |

The reason a table beats a wall of prose here is that the deal team can assign each row an owner and a status, which is exactly how you keep an ESG workstream from quietly stalling.

## Common red flags

Some findings are routine and priceable. Others should make you stop and reconsider. The ones I treat as serious:

- **Missing records that should exist.** A manufacturer with no health-and-safety incident log is either unusually lucky or not recording. Both are problems.
- **A gap between policy and practice.** Glossy ESG policies with no audit evidence, no training records, and no incidents ever reported usually mean the policy is decoration.
- **Active investigations or recent fines.** Regulatory action, especially environmental or anti-corruption, signals systemic issues rather than a one-off.
- **Concentrated, opaque supply chains.** Heavy reliance on suppliers in high-risk jurisdictions with no audits is a forced-labor and reputational exposure waiting to surface.
- **Governance that centers on one person.** No independent board, no whistleblower channel, and decisions running through a single founder make every other control unreliable.
- **Defensiveness in the room.** When management slow-walks ESG requests or treats them as box-ticking, the substance is usually worse than the documents suggest.

A red flag is not automatically a deal-breaker. It is a signal to dig, to quantify, and to decide whether the right response is a price adjustment, an indemnity, a condition to closing, or walking away.

## How a data room streamlines ESG due diligence

ESG diligence generates an unusual amount of document traffic from an unusual number of sources: HR, operations, legal, facilities, procurement, and external auditors all contribute. That is exactly the situation a virtual data room is built for, and it is where the workstream either flows or falls apart.

A well-structured room helps in three concrete ways. First, **organization**: a folder tree that mirrors the checklist above means an investor can find the modern-slavery statement or the emissions inventory without a single follow-up email. Second, **control**: granular permissions let you share sensitive items (incident logs, supplier contracts) only with the people who need them, which matters when the data is reputationally sensitive. Third, **audit trail**: every view, download, and question is logged, so when the deal closes there is a clean record of exactly what was disclosed and when. That record is what protects everyone if an ESG issue surfaces later.

This is the part I care about most as a builder. I set up Plox so that founders can stand up a properly organized ESG section in minutes, set per-document and per-user access, and watch the analytics on who actually opened the sensitive files. Dedicated platforms like Datasite and Ansarada do this too, and for very large, multi-party deals they remain a strong choice. Plox is built for founders and lean deal teams who want that same control without an enterprise contract or a quote-based sales process. If you are weighing options, our notes on the [best data room for due diligence](/blog/best-data-room-for-due-diligence) and on [virtual data room cost](/blog/virtual-data-room-cost) lay out the trade-offs honestly, and you can see Plox's own plans on the [pricing](/pricing) page.

The tool matters less than the habit. Whatever room you use, the goal is the same: every ESG request has one home, one owner, and one logged answer.

## Frequently asked questions

### What is the difference between ESG due diligence and an ESG rating?

A rating is an external score built from public data by an agency that never sees inside the company. ESG due diligence is an internal review where you get the actual permits, incident logs, supplier lists, and board records. Ratings are useful for screening; diligence is what you rely on before you commit capital. When the two disagree, trust the diligence.

### How long does ESG due diligence take?

It depends on the size and complexity of the target. For a small, asset-light company it can run alongside the rest of diligence in two to three weeks. For an industrial business with multiple sites, deep supply chains, and contamination history, the environmental and supply-chain deep-dives alone can take a couple of months because they often require site visits and specialist surveys. Starting early is the single biggest factor in keeping it short.

### Is ESG due diligence legally required?

It is increasingly required, though the answer varies by jurisdiction and deal. The EU's Corporate Sustainability Due Diligence Directive and various national supply-chain laws are pushing mandatory checks onto larger companies and their partners. Even where it is not strictly mandated, most institutional investors and lenders now require it as a condition of their own compliance. We do not offer legal advice, so confirm your specific obligations with qualified counsel before relying on any general rule.

### Who pays for ESG due diligence?

On the buy side, the acquirer or investor bears the cost as part of overall deal expenses, including any specialist surveys and advisers. On the sell side, founders and sellers sometimes commission their own ESG review (often called vendor diligence) before going to market, which they pay for but which can speed the process and support the valuation.

### Can a small company run ESG due diligence without specialist consultants?

Yes, for the baseline. A founder can scope materiality, gather documents, and run the checklist using a structured data room. Bring in specialists only for the material deep-dives, such as a contaminated-site survey or a supply-chain audit, where independent expertise actually changes the answer. Spending consulting fees on low-materiality items is the most common way small teams overpay for diligence.

### How is ESG diligence different from financial or technical diligence?

[Financial due diligence](/blog/financial-due-diligence) verifies the numbers, and [technical due diligence](/blog/technical-due-diligence) verifies the product or technology. ESG diligence verifies the non-financial risks that can damage value over a longer horizon: environmental liabilities, social and labor exposure, and governance weakness. They share a method (request, review, verify, quantify, report) but answer different questions, which is why a serious deal runs all of them in parallel rather than treating ESG as an afterthought.
