HomeServicesRisk AdvisoryESG Risk Assessment & Strategy

Risk Advisory · ESG & Sustainability Assurance

ESG Risk Assessment & Strategy

ESG is no longer a voluntary disclosure exercise for India's larger companies — it is a regulatory obligation under SEBI's Business Responsibility and Sustainability Reporting (BRSR) framework, a lending condition for banks applying green and sustainability-linked criteria, and increasingly a commercial gatekeeping requirement from multinational customers who demand supply-chain ESG data before they will sign a purchase order.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

ESG is no longer a voluntary disclosure exercise for India's larger companies — it is a regulatory obligation under SEBI's Business Responsibility and Sustainability Reporting (BRSR) framework, a lending condition for banks applying green and sustainability-linked criteria, and increasingly a commercial gatekeeping requirement from multinational customers who demand supply-chain ESG data before they will sign a purchase order. At PNPC Global, we have advised businesses across India and the UAE since 1986 — we bring the same rigour we apply to statutory audit and tax compliance to ESG risk assessment: materiality that is defensible under scrutiny, data that reconciles to your actual financial and operational records, and a sustainability strategy that is realistic for your business rather than a glossy document assembled to satisfy a checklist. We do not outsource this to a marketing consultancy. It is delivered by the same CA practice that already understands your books, your governance structure, and your regulatory exposure.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What ESG Risk Assessment & Strategy is

ESG Risk Assessment & Strategy is a structured advisory engagement that identifies, measures, and prioritises the Environmental, Social, and Governance risks and opportunities that are material to a specific business, and translates that assessment into a sustainability strategy with measurable targets, an implementation roadmap, and a disclosure framework. In India, the primary regulatory anchor is SEBI's Business Responsibility and Sustainability Reporting (BRSR) framework, mandatory for the top 1,000 listed companies by market capitalisation, with BRSR Core assurance requirements being phased in for the top listed entities by market capitalisation on a glide path, and voluntary adoption increasingly expected of their large unlisted suppliers and subsidiaries as part of value-chain reporting requests. Beyond BRSR, Indian companies increasingly respond to ESG risk pressure from multiple directions simultaneously: RBI and SEBI guidance nudging banks and asset managers toward green and sustainability-linked lending criteria, international buyers and multinational parent companies requiring supplier ESG disclosures (often mapped to GRI Standards, SASB, or the buyer's own scorecard), the EU's Carbon Border Adjustment Mechanism (CBAM) creating direct carbon-reporting obligations for exporters of covered goods (iron, steel, aluminium, cement, fertiliser, electricity, hydrogen) into the EU, and increasingly, employee and investor expectations around governance transparency and social conduct.

A proper ESG risk assessment begins with materiality — identifying which environmental, social, and governance topics are actually financially or operationally significant to a specific business, rather than adopting a generic template of forty ESG indicators regardless of relevance. For a manufacturing company, materiality typically centres on energy intensity, water usage, waste management, and occupational health and safety. For a services or technology company, materiality more often centres on data privacy, employee wellbeing and diversity, governance and board independence, and supply-chain labour practices further downstream. A materiality assessment done properly involves structured stakeholder engagement — internal management, employees, customers, investors, and where relevant regulators and community stakeholders — mapped against the magnitude of financial and reputational impact. This is analytically similar to a financial materiality assessment in an audit, and PNPC applies the same rigour: assumptions are documented, the basis for prioritisation is defensible, and the resulting materiality matrix can withstand scrutiny from a lender, an investor's diligence team, or a BRSR assurance provider.

Once material topics are identified, the engagement moves to risk quantification and strategy — setting baseline metrics (energy consumption, GHG emissions calculated per the GHG Protocol across Scope 1, Scope 2, and where relevant Scope 3, water withdrawal, waste generated and diverted from landfill, workforce diversity ratios, safety incident rates, board independence ratios, related-party transaction governance), benchmarking against sector peers where data is available, and translating gaps into a prioritised action plan with realistic timelines and ownership. The strategy layer typically also addresses governance architecture — whether an ESG or CSR Committee exists at Board level, whether ESG risk is integrated into the existing Enterprise Risk Management framework, and whether internal data-collection processes are robust enough to support external assurance if and when that becomes mandatory for the company.

ESG risk assessment is deliberately distinct from ESG reporting or BRSR filing itself, though the two are connected. The risk assessment and strategy engagement produces the underlying analysis, target-setting, and governance recommendations; BRSR reporting (or GRI/SASB-aligned voluntary reporting) is the disclosure output that communicates performance against that strategy to regulators, lenders, and stakeholders. PNPC delivers both as an integrated engagement for clients who need end-to-end support, and delivers the risk assessment and strategy layer as a standalone advisory engagement for clients who already have an internal or external reporting process and need the underlying analytical rigour strengthened.

When an ESG risk assessment is the right engagement

Your company is approaching, or already within, SEBI's BRSR-applicable universe (top 1,000 listed companies by market capitalisation) and needs a defensible materiality assessment and data framework before the next reporting cycle

A bank or NBFC has indicated that continued or expanded credit facilities will reference sustainability-linked loan (SLL) covenants or green lending criteria, and you need baseline ESG metrics to negotiate or comply with those terms

A multinational customer or parent company has issued a supplier ESG questionnaire, scorecard, or code-of-conduct requirement (commonly mapped to GRI, SASB, EcoVadis, or a buyer-specific framework) and non-response risks losing the account or contract renewal

Your company exports iron, steel, aluminium, cement, fertiliser, hydrogen, or electricity to the EU and needs to understand and prepare for Carbon Border Adjustment Mechanism (CBAM) reporting obligations

You are preparing for a private equity or venture capital fundraise where the investor's ESG or impact due diligence checklist has become a standard part of the term sheet process

Your Board or promoters want ESG risk formally integrated into the existing Enterprise Risk Management (ERM) framework rather than treated as a disconnected compliance exercise handled by a junior team member

You operate in a sector with inherent environmental or social risk exposure (manufacturing, textiles, chemicals, construction, mining-adjacent, agriculture-processing) where regulatory, community, or reputational ESG risk is already material to business continuity regardless of BRSR applicability

You want a genuine sustainability strategy with measurable targets — not a one-time report assembled to satisfy a single request — because ESG scrutiny from lenders, customers, and regulators is a structural trend, not a passing requirement

When a lighter-touch or different engagement may fit better

A very early-stage business with no institutional lenders, no BRSR applicability, no multinational customer ESG demands, and no near-term fundraise — a full materiality assessment and strategy engagement is premature; a lighter ESG-readiness conversation may be more appropriate until a specific trigger emerges

You need only a one-time supplier ESG questionnaire completed for a single customer relationship, with no interest in an ongoing sustainability strategy — a scoped questionnaire-response engagement rather than the full assessment may be more cost-effective

Your primary requirement is statutory BRSR filing preparation for a company that has already completed its own materiality assessment and target-setting internally — you may need BRSR reporting support specifically rather than the upstream risk assessment

You are seeking third-party assurance or verification of an existing BRSR report (a distinct assurance engagement under SEBI's BRSR Core assurance requirements) rather than the underlying risk assessment and strategy work

Your primary concern is carbon accounting and GHG inventory measurement in isolation — a focused GHG Protocol inventory engagement may be the right first step before a full ESG risk and strategy exercise

You are looking for ESG-linked marketing or brand positioning content rather than a substantive risk and governance exercise — that is a marketing/communications engagement, not a risk advisory one, and PNPC will say so rather than deliver a document that will not withstand scrutiny

Structure Comparison

ESG Risk Assessment & Strategy vs related PNPC risk advisory engagements

FeatureESG Risk Assessment & StrategyEnterprise Risk Management (ERM)Internal Financial Controls (IFC) ReviewRegulatory Risk AdvisoryInternal Control Review
Primary focusEnvironmental, Social, Governance risk and sustainability strategyEnterprise-wide strategic, operational, financial riskDesign and operating effectiveness of financial controlsRegulatory change tracking and compliance riskProcess-level control gaps
Primary regulatory anchorSEBI BRSR / BRSR Core; CBAM for exporters; lender SLL covenantsCOSO ERM Framework / ISO 31000 (voluntary best practice)Section 143(3)(i) Companies Act 2013; Section 134(5)(e)Sector-specific — RBI, SEBI, DGFT, FEMA, GST as applicableNo single statute — internal governance practice
Mandatory for whomTop 1,000 listed cos by market cap (BRSR); value-chain suppliers increasingly by requestNot statutorily mandatory — expected practice for listed and large companiesAll companies under statutory audit — auditor comments on IFC adequacyNot a standalone mandate — arises from sector-specific regulatory exposureNot statutorily mandatory — internal governance choice
OutputMateriality matrix, ESG risk register, target-setting roadmap, BRSR-ready data frameworkRisk register, risk appetite statement, heat maps, mitigation plansControls matrix, gap analysis, remediation plan, IFC opinion supportRegulatory risk register, change-impact briefings, compliance calendarControl gap report, SOP recommendations, process risk ratings
Typical triggerBRSR applicability, lender ESG covenant, buyer ESG questionnaire, PE/VC diligenceBoard mandate, post-incident review, investor governance expectationStatutory audit requirement, IPO preparation, investor diligenceNew regulation, licence renewal, cross-border expansionFraud incident, audit finding, process redesign, expansion
Assurance layerBRSR Core assurance (phased, for applicable top listed cos); voluntary third-party ESG assuranceNot separately assured — reviewed as part of governance reportingAuditor's report under Section 143(3)(i)Not separately assured — advisory in natureNot separately assured — advisory in nature
Overlap with this engagementESG risk is increasingly integrated as a category within ERMGovernance controls overlap with ESG's 'G' pillarCBAM, BRSR, and sector ESG mandates are themselves regulatory risksData-collection controls for ESG metrics are an internal control matter

These engagements are complementary, not mutually exclusive. Most PNPC clients with meaningful ESG exposure eventually integrate ESG risk as a formal category within their broader Enterprise Risk Management framework, with internal controls strengthened to support reliable ESG data collection. We scope each engagement to the client's actual stage and need rather than selling a bundled package by default.

How it works
#Stage & What PNPC DoesWhat Generic ESG Consultants SkipTimeline
1Scoping & Applicability Assessment — Understanding why ESG matters for this specific businessWe start by asking the question that determines everything downstream: is this driven by BRSR applicability, a lender covenant, a customer questionnaire, a fundraise, or genuine risk exposure? A CBAM-exporter's ESG priorities are entirely different from a BRSR-bound listed company's. Generic consultants often run the same forty-indicator template regardless of the actual trigger.Week 1
2Stakeholder Engagement & Materiality Assessment — Identifying what is genuinely material to your businessStructured interviews and surveys with management, employees, key customers, and (where relevant) investors and community stakeholders — scored against financial and reputational significance to build a defensible materiality matrix. We document the basis for every materiality call, because a materiality assessment that cannot be explained will not survive a lender's or assurance provider's scrutiny.Week 2–3
3Baseline Data Collection — Energy, emissions, water, waste, workforce, governance metricsWe reconcile ESG data to your actual financial and operational records — energy bills, HR records, safety logs, Board minutes — rather than accepting estimated figures at face value. GHG emissions are calculated per the GHG Protocol (Scope 1 direct, Scope 2 purchased energy, and Scope 3 value-chain emissions where in scope) using activity data, not generic industry averages, wherever primary data is available.Week 3–5
4Gap Analysis & Benchmarking — Where you stand against regulatory expectation and sector peersWe compare your baseline against BRSR Core's prescribed KPIs (where applicable), sector-relevant GRI/SASB disclosures, and — where credible public data exists — comparable peer companies. We are explicit about data limitations rather than presenting benchmarks with false precision.Week 5–6
5ESG Risk Register & Prioritisation — Turning gaps into a ranked risk and opportunity listEach material topic is assessed for likelihood and impact, consistent with how we build risk registers in our Enterprise Risk Management engagements — so that ESG risk can be integrated into your existing ERM framework rather than living in a separate silo that the Board never actually sees.Week 6–7
6Governance Architecture Review — Board oversight, committee structure, policy frameworkWe review whether ESG oversight sits with the Board, a CSR Committee, or is undefined; whether policies exist for the material topics identified (environmental policy, POSH policy, code of conduct, whistleblower mechanism, related-party transaction governance); and recommend the governance structure appropriate to your size and listing status — not a generic 'form an ESG Committee' recommendation regardless of fit.Week 6–7 (parallel)
7Target-Setting & Roadmap Design — Measurable, realistic, time-bound targetsTargets are set with input from the operational teams who will actually be accountable for them — not aspirational numbers set by a consultant with no ownership of delivery. We stress-test each target against your existing capital expenditure plans and operational capacity before it goes into the final strategy document.Week 7–9
8Data Systems & Reporting Framework Design — Making next year's data collection easier than this year'sA one-time ESG report with no underlying data system just recreates the same manual, error-prone exercise every year. We design (or recommend) a data-collection process — spreadsheet-based for smaller clients, integrated into existing ERP/MIS for larger ones — so that BRSR or GRI reporting in future cycles is materially faster and more reliable.Week 8–10
9BRSR / GRI / SASB Disclosure Drafting — Where reporting is in scope of the engagementFor clients where BRSR filing or voluntary GRI/SASB reporting is part of the engagement, we draft disclosures directly from the verified baseline data and risk register — ensuring narrative disclosures are consistent with the quantitative data, a consistency gap that is one of the most common findings when BRSR reports are later assured or scrutinised by investors.Week 9–12 (if in scope)
10CBAM Readiness — For exporters of covered goods into the EUWhere relevant, we map export product lines against CBAM's covered goods list (iron, steel, aluminium, cement, fertiliser, hydrogen, electricity), assess embedded emissions reporting obligations, and advise on the interaction between CBAM declarant obligations (typically resting with the EU importer) and the exporter's own data-provision responsibilities.As applicable — assessed at scoping stage
11Board & Management Presentation — Findings presented in governance-ready formWe present the materiality matrix, risk register, and roadmap directly to the Board or CSR Committee in the format expected by a governance body — not a marketing deck. Where the client wants it, PNPC personnel attend the Board presentation to answer technical questions directly.Week 11–13
12Implementation Support & Annual Refresh PlanningA materiality assessment and strategy is not a one-time deliverable — material topics shift as regulation, sector benchmarks, and the business itself evolve. We build the annual refresh cycle into the engagement plan from Day 1, so ESG risk assessment becomes a recurring discipline rather than a one-off project shelved after delivery.Ongoing — annual or biennial refresh recommended
13Lender / Investor / Customer Liaison SupportWhere a bank, PE investor, or multinational customer requests direct clarification on the ESG data or methodology, PNPC is available to support that conversation directly — because a document that cannot be defended in a follow-up call has limited value to the client.As needed — PNPC on call

Realistic end-to-end timeline for a full ESG risk assessment and strategy engagement: 10–14 weeks from scoping to Board presentation, depending on company size, data readiness, and whether BRSR/GRI disclosure drafting is included in scope. A narrower ESG-readiness assessment for a smaller company can be delivered faster. Annual refresh cycles are materially shorter once the baseline data framework is established.

Document Checklist
Corporate & Governance Documents

Certificate of Incorporation, MoA & AoA — to confirm entity structure, sector, and objects relevant to ESG risk scoping

Board composition details — independence ratios, committee structure, CSR Committee constitution (if applicable under Section 135 of the Companies Act)

Existing policies — environmental policy, POSH (Prevention of Sexual Harassment) policy, whistleblower/vigil mechanism policy, code of conduct, related-party transaction policy, CSR policy

Board meeting minutes for the last 2–3 years — to assess existing governance discussion of risk and sustainability topics

Existing Enterprise Risk Management framework or risk register, if one exists — to enable integration rather than duplication

Environmental Data

Electricity bills / energy consumption records for all facilities for the last 2–3 years (or longest available period)

Fuel consumption records — diesel, petrol, LPG, or other fuels used in owned or controlled operations and vehicle fleet

Water withdrawal and consumption data — municipal supply bills, borewell records, or metering data by facility

Waste generation and disposal records — hazardous and non-hazardous waste manifests, recycling/diversion records where tracked

Environmental clearances, Consent to Establish / Consent to Operate (CTE/CTO) from State Pollution Control Boards, and any regulatory notices or show-cause correspondence

Any existing carbon footprint, GHG inventory, or energy audit reports

Social & Workforce Data

Employee headcount by category — gender, seniority level, employment type (permanent/contractual), for at least the most recent reporting period

Attrition and retention data, and average training hours per employee if tracked

Occupational health and safety records — incident logs, Lost Time Injury Frequency Rate (LTIFR) if calculated, safety training records

Wage and benefits data sufficient to assess minimum wage compliance and gender pay parity where relevant

Supplier and contractor labour practice information, particularly for manufacturing and construction clients with significant contract labour

CSR spend and activity records under Section 135 of the Companies Act, where applicable

Governance & Compliance Records

Statutory compliance tracker or compliance calendar, if maintained, covering labour law, environmental law, and corporate law obligations

Related-party transaction disclosures and Board approvals for the relevant period

Details of any regulatory penalties, litigation, or show-cause notices in the last 3–5 years relevant to environmental, labour, or governance matters

Data privacy and cybersecurity policy documentation, where the business handles significant customer or employee data

Anti-bribery / anti-corruption policy and any grievance redressal mechanism records

Commercial & Stakeholder Context

Any ESG questionnaire, scorecard, or code of conduct already received from a customer, lender, or investor — this is often the single most useful document for scoping, since it tells us exactly what standard the counterparty is measuring against

Existing sustainability-linked loan (SLL) term sheet or covenant documentation, if applicable

Export product and destination data, for CBAM applicability screening (iron, steel, aluminium, cement, fertiliser, hydrogen, electricity exports to the EU)

Investor presentation or fundraise materials, if the engagement is being driven by a PE/VC diligence process, to align the ESG narrative with the broader fundraise story

Prior ESG / Sustainability Reporting (If Any)

Any previous BRSR, BRR (Business Responsibility Report — the pre-BRSR framework), GRI, or SASB-aligned report filed or prepared

Any third-party ESG rating or score received (EcoVadis, CDP, MSCI ESG, Sustainalytics, or similar) along with the underlying submission

Prior year's materiality assessment, if one was conducted, including stakeholder engagement records

Any internal or external assurance opinion previously issued on ESG or sustainability data

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Initial Assessment (Month 1–3)BRSR applicability threshold approached, lender covenant, customer questionnaire, or PE diligenceScoping, materiality assessment, baseline data collection, ESG risk register, governance review, and target-setting roadmap delivered as a coherent package — not a checklist exercise.A generic, indefensible materiality assessment that fails scrutiny from a lender, investor, or assurance provider — requiring the exercise to be redone at additional cost and reputational friction.
First Disclosure CycleFirst BRSR filing due, or first voluntary GRI/SASB report requestedDisclosures drafted directly from the verified baseline data so narrative and quantitative sections are internally consistent — the single most common weakness found when BRSR reports are later reviewed or assured.Inconsistent or unsupportable disclosures create restatement risk in future cycles and credibility damage with investors and lenders who cross-check disclosures year on year.
BRSR Core Assurance ReadinessCompany enters the phased BRSR Core assurance requirement as a top listed entity by market capitalisationPre-assurance readiness review — testing whether underlying data, evidence trails, and calculation methodologies would withstand an external assurance provider's procedures before the formal assurance engagement begins.Assurance qualifications or a modified assurance opinion on first attempt, which is far more reputationally damaging than proactive readiness work — and can trigger investor and regulatory follow-up questions.
Annual Refresh (Every Year)New financial year, updated data, evolving regulatory expectationsMateriality is re-tested (not assumed static), baseline metrics updated, targets tracked against actuals, and the risk register refreshed for new or emerging ESG risks — CBAM rule changes, new SEBI circulars, evolving buyer scorecards.A stale materiality assessment and static targets that no longer reflect the business or regulatory environment — a common finding when the exercise was treated as one-off rather than a discipline.
CBAM Reporting Cycle (Exporters)Ongoing exports of covered goods to the EUEmbedded emissions data tracked and reconciled per shipment/consignment in the format EU importers require from declarants; coordination with the EU-side importer on data-provision timing and format.Inability to supply compliant emissions data to EU buyers creates a commercial risk — buyers may shift sourcing to suppliers who can provide CBAM-compliant data, independent of the exporter's own regulatory exposure.
Lender / Sustainability-Linked Loan Covenant CycleSLL facility drawn or renewed with ESG-linked pricing termsKPI tracking against the specific covenant metrics agreed with the lender (which may differ from BRSR KPIs), with periodic reporting support so covenant compliance is demonstrable and margin-ratchet terms are met rather than triggering a pricing step-up.Missed covenant reporting or KPI underperformance can trigger loan margin increases or, in severe cases, technical default under the facility agreement — an entirely avoidable cost with proactive tracking.
Fundraise / M&A ESG DiligencePE/VC term sheet, strategic acquirer diligence, or IPO preparationESG data room preparation, responses to investor ESG due diligence questionnaires, and alignment of the ESG narrative with the broader equity story — coordinated with PNPC's business setup and fund-raising advisory where the same engagement covers both.Weak or inconsistent ESG diligence responses can become a valuation or deal-timeline drag, particularly with international or impact-oriented investors who apply structured ESG scoring as part of investment committee approval.
Governance Escalation (Incident-Driven)Environmental incident, safety incident, governance lapse, or regulatory show-cause noticeRoot-cause review integrated with the existing ESG risk register and ERM framework, corrective action plan, and — where relevant — support in framing the regulatory or stakeholder response consistent with prior disclosures.An incident that contradicts prior ESG disclosures (for example, a safety incident following a report claiming strong safety performance) creates a credibility and potential regulatory-scrutiny problem beyond the incident itself.
Frequently asked
What exactly is an ESG Risk Assessment, in plain terms?

It is a structured exercise that identifies which environmental, social, and governance issues actually matter to your specific business — financially, operationally, or reputationally — measures where you currently stand on those issues, and sets out a realistic plan to manage the risks and capture the opportunities. It is not a marketing document about sustainability commitments; it is a risk and governance exercise, built with the same evidentiary rigour PNPC applies to a statutory audit.

Practitioner noteThe single most common mistake we see is a company treating ESG as a communications exercise rather than a risk exercise. A report with no underlying data discipline will not survive a lender's or investor's follow-up questions.
Is ESG reporting mandatory for my company in India?

SEBI's Business Responsibility and Sustainability Reporting (BRSR) is mandatory for the top 1,000 listed companies by market capitalisation, with BRSR Core assurance requirements being phased in for the largest listed entities on a defined glide path. If your company is not within that listed universe, BRSR itself is not a direct statutory obligation — but ESG expectations frequently apply indirectly, through lender sustainability-linked loan covenants, multinational customer supplier questionnaires, or investor due diligence, regardless of listing status.

Practitioner noteWe regularly see unlisted companies with genuine ESG risk exposure — from a customer scorecard, a bank covenant, or a fundraise — well before BRSR applicability would ever reach them. Applicability by regulation and exposure by commercial reality are two different questions, and we assess both at scoping.
What is BRSR Core, and how is it different from full BRSR?

Full BRSR covers a broad set of qualitative and quantitative disclosures across nine principles drawn from the National Guidelines on Responsible Business Conduct. BRSR Core is a defined subset of key performance indicators within that framework — covering areas like GHG emissions intensity, water and waste management, employee wellbeing, and workforce representation — that SEBI has prioritised for third-party assurance on a phased basis for the largest listed entities, extending progressively to value-chain partners.

Practitioner noteEven where BRSR Core assurance is not yet mandatory for a client, we design the data-collection framework to BRSR Core's standard from the outset — it is materially easier to build the discipline once than to retrofit it under time pressure when assurance becomes mandatory.
My company is not listed. Why would I need an ESG risk assessment?

The most common triggers for unlisted companies are: a bank offering better pricing on a sustainability-linked loan in exchange for ESG covenant reporting; a multinational customer requiring supplier ESG data as a condition of the contract or renewal; a private equity or venture capital investor applying ESG diligence as part of the investment process; or being a subsidiary/supplier of a listed parent that must report value-chain ESG data under its own BRSR obligations and is now pushing that requirement down to you.

Practitioner noteWe increasingly see mid-size manufacturers and exporters approach us not because of BRSR directly, but because a large listed customer's procurement team sent them an ESG questionnaire with a submission deadline. That is a commercial risk, not a regulatory one — and it needs to be treated with the same seriousness.
What is materiality assessment, and why does PNPC spend so much time on it?

Materiality assessment is the process of identifying which ESG topics are genuinely significant to your business — financially, operationally, or in terms of stakeholder impact — rather than reporting against a generic list of forty indicators regardless of relevance. A defensible materiality assessment involves structured engagement with internal and external stakeholders, scored against impact magnitude, with the reasoning documented. A materiality assessment that cannot explain why a topic was included or excluded will not withstand scrutiny from an assurance provider, a lender's credit team, or an investor's diligence team.

Practitioner noteWe have reviewed materiality matrices prepared by generalist consultants that list identical 'material topics' for a software company and a cement manufacturer. That is not materiality — it is a template. We build the matrix from your actual stakeholder input and risk profile.
How is GHG emissions data actually calculated, and what are Scope 1, 2, and 3?

Emissions are calculated per the internationally recognised GHG Protocol. Scope 1 covers direct emissions from sources owned or controlled by the company — company vehicles, on-site fuel combustion, owned generators. Scope 2 covers indirect emissions from purchased electricity, steam, heating, or cooling. Scope 3 covers all other indirect emissions across the value chain — purchased goods and services, business travel, employee commuting, use of sold products, and more — and is typically the largest and hardest category to measure accurately. PNPC calculates emissions from your actual activity data (fuel bills, electricity consumption, travel records) rather than applying generic industry-average estimates wherever primary data is available.

Practitioner noteScope 3 is where most first-time ESG exercises lose credibility — either it is omitted entirely, or it is estimated so loosely that the number is not defensible. We scope Scope 3 categories realistically based on materiality and data availability rather than promising comprehensive coverage that cannot be delivered.
What is CBAM and does it apply to my business?

The Carbon Border Adjustment Mechanism (CBAM) is an EU regulation that requires importers of certain carbon-intensive goods — iron and steel, aluminium, cement, fertiliser, hydrogen, and electricity — into the EU to report, and now, under the mechanism's definitive regime, to purchase CBAM certificates corresponding to the embedded carbon emissions in those goods. While the compliance and certificate-purchase obligation formally rests with the EU importer (the 'declarant'), Indian exporters of covered goods are commercially required to supply verified embedded-emissions data to their EU customers, or risk losing that business to competitors who can.

Practitioner noteWe assess CBAM exposure at the very first scoping conversation for any client with EU-facing exports in the covered sectors. This is a live commercial risk today, not a future consideration — EU buyers are already asking their Indian suppliers for this data.
What is a sustainability-linked loan (SLL) and how does ESG risk assessment connect to it?

A sustainability-linked loan is a credit facility where the interest rate or other terms are tied to the borrower's performance against agreed sustainability KPIs — for example, a reduction in energy intensity or an improvement in workforce diversity ratios. Missing the agreed KPI typically triggers a margin step-up (a higher interest rate); meeting or exceeding it can trigger a margin discount. An ESG risk assessment establishes the credible baseline data needed to negotiate realistic KPI targets with the lender, and the ongoing tracking framework needed to demonstrate compliance through the life of the facility.

Practitioner noteWe have seen companies agree to SLL targets set by the bank's own template without pushing back — and then struggle to meet them because the targets were not calibrated to the company's actual operational baseline. Negotiate the KPIs from your own verified data, not the lender's assumption.
How long does a full ESG risk assessment and strategy engagement take?

A realistic timeline for a full engagement — scoping, materiality assessment, baseline data collection, gap analysis, risk register, governance review, target-setting, and Board presentation — is 10 to 14 weeks, depending on company size, number of facilities, and how readily available the underlying data already is. Where BRSR or GRI disclosure drafting is included in scope, add further time for the disclosure drafting and internal review cycle. A narrower ESG-readiness assessment for a smaller company can be delivered faster.

Practitioner noteThe variable that most affects timeline is not our process — it is how quickly a client can retrieve historical utility bills, HR data, and Board minutes. We provide a clear data request list at Day 1 to minimise this bottleneck.
Do you provide BRSR assurance, or only the underlying risk assessment?

PNPC's ESG Risk Assessment & Strategy engagement covers the materiality assessment, data baseline, risk register, governance review, and strategy roadmap — and, where in scope, disclosure drafting. Formal BRSR Core assurance is a distinct assurance engagement under SEBI's framework, generally requiring independence from the preparer of the underlying report consistent with assurance standards. Where PNPC has prepared the underlying ESG data and disclosures for a client, we coordinate with an appropriately independent assurance provider for the formal assurance opinion, maintaining the same independence discipline we apply to statutory audit engagements.

Practitioner noteWe are explicit about this distinction upfront. A firm that both prepares your ESG data and signs the assurance opinion on it raises the same independence concern as a firm that prepares your accounts and audits them itself — sophisticated investors and assurance standards both flag this.
What does an ESG risk register actually contain?

An ESG risk register lists each material environmental, social, and governance risk identified during the materiality assessment, along with a likelihood and impact rating, the current mitigating controls in place, the residual risk level, an owner accountable for managing it, and a target timeline for improvement. It is structured consistently with how PNPC builds risk registers in our Enterprise Risk Management engagements, so ESG risk can sit within the company's broader risk framework rather than as an isolated document nobody revisits after the initial report is delivered.

Practitioner noteA risk register that nobody owns is just a document. We insist on named owners and a review cadence before we consider the engagement complete — otherwise the register goes into a drawer and the next year's assessment starts from zero.
Our company already has a CSR programme under Section 135. Is that the same as ESG?

No. Corporate Social Responsibility (CSR) under Section 135 of the Companies Act 2013 is a specific statutory spending obligation — companies meeting prescribed net worth, turnover, or net profit thresholds must spend at least 2% of average net profits on prescribed CSR activities. ESG is a much broader risk and governance framework covering environmental performance, social conduct including but not limited to CSR spend, and governance quality — materiality, disclosure, target-setting, and risk management across all three pillars. CSR spend and activity are typically one data point within the 'S' pillar of a broader ESG assessment, not a substitute for it.

Practitioner noteWe regularly meet promoters who believe meeting their CSR obligation satisfies ESG expectations. It addresses a small fraction of the 'S' pillar and none of 'E' or 'G'. The two obligations are related but not interchangeable.
What governance structure does SEBI or good practice expect for ESG oversight?

There is no single mandated structure for unlisted companies. For BRSR-applicable listed companies, oversight commonly sits with the Board itself, a dedicated ESG or Sustainability Committee, or is folded into the existing CSR Committee's mandate (where the company already has one under Section 135). What matters more than the specific committee label is that ESG risk is genuinely discussed at Board level with documented minutes, that a senior executive is accountable for delivery, and that the structure is proportionate to the company's size rather than an elaborate committee structure for a company too small to resource it.

Practitioner noteWe advise against creating a new committee purely for form's sake. For many mid-size clients, folding ESG oversight into an existing Risk or Audit Committee's agenda, with proper minuting, is more effective than a standalone committee that meets once a year and produces no real oversight.
How does ESG risk assessment interact with our existing internal audit and ERM function?

Where a company already has an Enterprise Risk Management framework or internal audit function, the ESG risk register should be integrated as a formal risk category within that framework — assessed with the same likelihood/impact methodology, reviewed at the same governance cadence, and subject to the same internal audit testing over time as other enterprise risks. Treating ESG risk as a standalone, disconnected exercise run by a different team with a different methodology is one of the most common reasons ESG initiatives lose Board attention after the first year.

Practitioner noteFor clients where PNPC also runs the ERM or internal audit engagement, we build the ESG risk register directly into that existing framework from Day 1 — one risk taxonomy, one Board reporting format, one governance calendar.
What are the costs involved in an ESG risk assessment and strategy engagement?

Cost depends on company size, number of facilities, sector complexity, data readiness, and whether BRSR/GRI disclosure drafting is included in scope. PNPC provides a written scope and fixed-fee proposal after the initial scoping conversation — we do not quote a fee before understanding the actual size and complexity of the engagement. As a general principle, the cost of a properly scoped, defensible ESG risk assessment is materially lower than the cost of redoing a rejected BRSR filing, losing a customer contract over an unanswered ESG questionnaire, or facing an SLL margin step-up from a missed covenant.

Practitioner noteWe do not price ESG work as a volume, template-driven service. A materiality assessment for a 40-person services company and a 2,000-person manufacturing group with three facilities are genuinely different pieces of work, and the fee reflects that.
Can PNPC help with ESG disclosures for a UAE-based company, or does this only apply to India?

Yes. The UAE has its own evolving sustainability disclosure landscape — including sustainability reporting expectations tied to the UAE's Net Zero 2050 strategy, ADX and DFM listing-related ESG disclosure guidance for listed companies, and sector-specific requirements in industries like oil and gas and real estate. PNPC's Dubai office advises UAE-registered entities on ESG risk assessment aligned to the applicable UAE framework, and for clients with both an Indian and a UAE entity, we coordinate a consistent ESG narrative and data methodology across both jurisdictions rather than treating them as unconnected exercises.

Practitioner noteFor groups with operations in both India and the UAE, inconsistent ESG data or claims between the two entities' disclosures is a diligence red flag that investors do notice. We align methodology across both jurisdictions from the outset.
What happens if our BRSR disclosures are later found to be inconsistent or unsupportable?

Inconsistent or unsupportable BRSR disclosures create several risks: reputational damage if the inconsistency becomes public or is flagged by an investor or media; qualified or adverse findings if the company later undergoes BRSR Core assurance; SEBI scrutiny in the case of listed companies, given BRSR is filed as part of the Annual Report; and credibility damage with lenders and institutional investors who increasingly cross-reference ESG disclosures year on year and flag unexplained restatements.

Practitioner noteWe build every disclosure directly from the underlying verified data, not from a narrative drafted separately and reconciled afterward. This is slower upfront but eliminates the restatement risk that comes from disclosures and data being prepared by disconnected teams.
Is a materiality assessment a one-time exercise, or does it need to be repeated?

Materiality should be reassessed periodically — typically annually or at minimum biennially — because what is material to a business shifts as the company grows, as regulation evolves (a new SEBI circular, a new CBAM phase, a new customer requirement), and as stakeholder expectations change. A materiality assessment frozen at a single point in time and never revisited becomes a liability rather than an asset, because disclosures built on stale materiality no longer reflect the business's actual risk profile.

Practitioner noteWe build the annual or biennial refresh into the engagement plan from the outset, with a lighter-touch review process than the initial full assessment — refreshing rather than restarting from zero each cycle.
How does ESG risk assessment support a fundraise or M&A process?

Private equity, venture capital, and increasingly strategic acquirers apply structured ESG due diligence as part of their investment or acquisition process — ranging from a basic questionnaire to a full third-party ESG audit for larger transactions. A company that walks into diligence with an existing materiality assessment, risk register, and credible baseline data moves through this workstream faster and with fewer valuation-affecting findings than one that is building ESG documentation reactively under deal-timeline pressure.

Practitioner noteWe coordinate ESG diligence preparation with PNPC's fund-raising and investor-readiness advisory for clients running both processes simultaneously — the ESG data room and the financial data room should tell one consistent story to the same investor.
What is the difference between ESG risk assessment and an ESG rating (like EcoVadis or MSCI ESG)?

An ESG rating is a third-party score assigned by a ratings agency, based on a submitted questionnaire and, in some cases, publicly available information — it is a summary output consumed by investors, customers, or index providers. An ESG risk assessment is the underlying analytical exercise a company undertakes internally to actually understand and manage its ESG risk. A strong internal risk assessment materially improves the inputs available for an external rating submission, but the two are not the same thing, and a good internal assessment does not automatically guarantee a strong external rating, which also reflects the rating agency's own methodology and peer benchmarking.

Practitioner noteWe are sometimes asked to 'get a good EcoVadis score' as the objective. We reframe this: build a genuinely strong internal ESG risk position, and the external rating follows from accurate, complete disclosure of that position — not the reverse.
Does ESG risk assessment cover data privacy and cybersecurity?

Data privacy and cybersecurity governance typically sit within the 'Governance' or, in some frameworks, the 'Social' pillar of an ESG assessment, particularly for services, technology, and financial businesses where data handling is a core operational risk. We assess existing data protection policies, incident response readiness, and — where relevant — alignment with India's Digital Personal Data Protection Act, 2023 as part of the governance review, though a full technical cybersecurity audit is typically a separate, specialised engagement beyond the ESG risk assessment's scope.

Practitioner noteFor technology and financial services clients, we flag early in scoping whether a dedicated data privacy/DPDP Act compliance review should run alongside the ESG engagement rather than being folded superficially into it.
What is the role of the Board in ESG risk oversight, and what is PNPC's role versus the Board's?

Ultimate accountability for ESG risk oversight rests with the Board — it cannot be delegated entirely to an external advisor or even to management alone. PNPC's role is to provide the independent, rigorous analysis, data verification, and strategic recommendations the Board needs to exercise that oversight meaningfully — presenting findings directly to the Board or relevant committee, flagging risks candidly even where the findings are uncomfortable, and ensuring the Board has a defensible basis for the decisions and disclosures it approves.

Practitioner noteWe do not write reports designed to make a Board feel comfortable. If the materiality assessment surfaces an uncomfortable gap — inadequate safety data, a governance lapse, an unaddressed environmental compliance issue — we say so directly and recommend the corrective path, because that is what a genuine risk advisory engagement is for.
Can a smaller, unlisted family-owned business genuinely benefit from ESG risk assessment, or is this only for large companies?

Yes, where a genuine trigger exists — a lender relationship moving toward sustainability-linked terms, a key customer's ESG questionnaire, succession planning where governance clarity matters for the next generation, or simply operating in a sector (manufacturing, chemicals, textiles) with inherent environmental and safety risk that is material to the business regardless of any external reporting mandate. The scope and depth of the engagement should be proportionate to the company's size and actual risk exposure — a family-owned manufacturer does not need a BRSR-grade nine-principle disclosure exercise, but does benefit from a properly scoped, lighter materiality and risk assessment.

Practitioner noteWe actively scope down for smaller clients rather than selling the full listed-company-grade engagement regardless of fit. A right-sized assessment that gets used is worth more than an over-engineered one that sits unread.
What is 'greenwashing' and how does PNPC guard against it in the strategy we produce?

Greenwashing refers to making ESG or sustainability claims that are exaggerated, unsubstantiated, or not supported by underlying evidence — a growing area of regulatory and investor scrutiny globally, including increasing attention from SEBI and market regulators on the accuracy of sustainability disclosures. PNPC's approach is to build every claim in the strategy and any resulting disclosure directly from verified data — energy bills, HR records, incident logs — rather than aspirational language. Where data does not yet support a claim the client would like to make, we say so and recommend building the evidence base first rather than making the claim prematurely.

Practitioner noteWe would rather deliver a modest, fully defensible ESG position than an impressive-sounding one that cannot survive a follow-up question from a lender's credit team or an investor's diligence analyst. That discipline is the entire value of using a CA firm for this work rather than a marketing consultancy.
How does PNPC ensure the ESG data collected is actually accurate, rather than just accepting client estimates?

We apply the same evidentiary standard to ESG data that we apply to financial statement audit evidence — reconciling reported figures back to source documents (utility bills, HR system exports, safety incident logs, Board minutes) wherever those records exist, flagging estimates explicitly where primary data is genuinely unavailable, and documenting the basis for every calculation so the methodology is transparent and repeatable in future reporting cycles.

Practitioner noteThis reconciliation discipline is precisely what separates a CA-led ESG engagement from a template-driven consultancy exercise. Numbers that cannot be traced to source will not survive assurance or investor scrutiny, and we build the process to withstand that scrutiny from the start.
We received a supplier ESG questionnaire from a multinational customer with a tight deadline. Can PNPC turn this around quickly?

Yes — a single-questionnaire response is a narrower, faster engagement than a full materiality assessment and strategy build, and PNPC scopes and prices it accordingly. We collect the specific data points the questionnaire requests, verify them against source records where time permits, and draft accurate, defensible responses within the customer's deadline. We also flag, separately, whether the questionnaire signals a broader ongoing ESG expectation from that customer relationship that warrants a fuller engagement afterward.

Practitioner noteRushed questionnaire responses prepared without any verification are a common source of later embarrassment when the same customer follows up a year later with more detailed questions. We build in a light verification step even under time pressure.
What KPIs are typically tracked in an SLL or ESG-linked banking facility for an Indian mid-size company?

Common KPIs include energy intensity per unit of production or revenue, GHG emissions intensity, renewable energy share of total consumption, water intensity, waste diverted from landfill, workforce diversity ratios (particularly gender representation), and safety performance metrics like Lost Time Injury Frequency Rate. The specific KPIs and their targets are negotiated between borrower and lender and vary by facility and lender — there is no single standard set mandated across all Indian SLLs.

Practitioner noteWe push clients to negotiate KPIs based on their own verified baseline and realistic improvement trajectory rather than accepting a lender's template targets, which are sometimes calibrated to a different sector or company size.
Does PNPC provide ongoing retainer support after the initial ESG risk assessment is delivered, or is it a one-time engagement?

Both models are available. Some clients engage PNPC for a defined, one-time materiality assessment and strategy build, particularly where a single trigger (a fundraise, a questionnaire, an initial BRSR cycle) is driving the need. Most clients with ongoing BRSR applicability, an active SLL covenant, or continuing customer ESG relationships move to an annual retainer that covers the yearly refresh, disclosure drafting, and ad hoc lender/investor/customer liaison support.

Practitioner noteWe recommend the retainer model wherever there is a recurring trigger, because the annual refresh done on a maintained data framework is materially cheaper and faster than restarting the exercise from scratch each year on an ad hoc basis.
How does ESG risk assessment interact with our Corporate Governance requirements under the Companies Act and SEBI LODR?

For listed companies, the SEBI Listing Obligations and Disclosure Requirements (LODR) Regulations already prescribe substantial governance disclosures — Board composition, related-party transactions, committee structures — that overlap directly with the 'Governance' pillar of ESG. Rather than treating LODR compliance and ESG governance assessment as separate exercises, PNPC reviews them together, so the governance data used in BRSR disclosures is consistent with what is already reported under LODR and the Annual Report, avoiding contradictory disclosures across different regulatory filings.

Practitioner noteWe have seen governance data in a BRSR report not match the same company's own Annual Report governance disclosures prepared by a different team. That inconsistency is an easy, avoidable finding for anyone reviewing both documents side by side.
What sectors does PNPC have the most ESG risk assessment experience in?

PNPC's ESG risk assessment practice draws on our broader base of manufacturing, textiles, chemicals, agri-processing, real estate/construction, IT and technology services, and financial services clients across India and the UAE — sectors where we already conduct statutory audit, internal audit, and tax compliance work, giving us direct operational and financial familiarity with the client before the ESG engagement even begins.

Practitioner noteFor clients where PNPC is also the statutory auditor or internal auditor, ESG data reconciliation is faster because we already understand the underlying financial and operational records — we are not starting from zero on the business itself.
Why should we engage a CA firm for ESG risk assessment rather than a dedicated sustainability consultancy?

A dedicated sustainability consultancy may bring deeper subject-matter specialisation in areas like renewable energy engineering or biodiversity impact assessment for specific sectors. What a practising CA firm brings that a pure-play sustainability consultancy typically does not is the audit-grade evidentiary discipline needed to make ESG data defensible under lender, investor, and regulatory scrutiny; direct integration with the company's existing financial, governance, and internal audit data; and continuity — the same firm that assesses your ESG risk this year is available for the follow-up assurance conversation, the covenant renewal, and the next fundraise, rather than handing off to a different provider at each stage.

Practitioner noteWe are candid that for highly technical environmental engineering questions — detailed emissions abatement technology selection, for instance — a specialist environmental engineering firm may be the right complement to our work, and we say so rather than overclaiming expertise we do not have.
What does the PNPC ESG Risk Assessment & Strategy package actually include, in full?

Scoping and applicability assessment; structured stakeholder engagement and materiality assessment; baseline ESG data collection reconciled to source records; GHG emissions calculation per the GHG Protocol (Scope 1, 2, and Scope 3 where in scope); gap analysis and peer benchmarking where credible data exists; a prioritised ESG risk register integrated with existing ERM methodology where applicable; governance architecture review and policy gap assessment; measurable target-setting and implementation roadmap; data-systems recommendation for future reporting cycles; Board or committee presentation of findings; and, where included in scope, BRSR/GRI/SASB disclosure drafting and CBAM readiness assessment for qualifying exporters.

Practitioner noteEvery engagement begins with a written scope letter confirming exactly which of these components are included, so there is no ambiguity about deliverables before work begins.
How much of this engagement can be done remotely versus requiring site visits?

Stakeholder interviews, data review, and strategy design can largely be conducted remotely or via video call. For manufacturing and multi-facility clients, we generally recommend at least one site visit per major facility as part of the environmental and safety data verification process — reviewing utility meters, waste storage areas, and safety records in person materially improves the reliability of the baseline data compared to relying solely on submitted documents.

Practitioner noteFor UAE-India groups, we coordinate site visits through whichever PNPC office — Chennai, Bangalore, Hyderabad, or Dubai — is closest to the relevant facility, rather than requiring one team to travel across both jurisdictions for every visit.
What is the very first step if we want to start an ESG risk assessment engagement with PNPC?

The first step is a scoping conversation — typically 45 to 60 minutes — where we understand what is actually driving the need (BRSR applicability, a lender covenant, a customer questionnaire, a fundraise, or general risk-management interest), your company's size, sector, and facility footprint, and any existing ESG or sustainability work already done. From that conversation, PNPC provides a written scope and fixed-fee proposal before any billable work begins.

Practitioner noteWe do not begin a materiality assessment without this scoping step, even for clients under time pressure from a deadline — a rushed, unscoped assessment produces exactly the kind of indefensible, template-driven output we are trying to avoid.
Why PNPC Global
FeatureMarketing / Branding ConsultancyGeneric Sustainability ConsultantPNPC Global
Data verification disciplineRarely applied — narrative-first approachVariable — depends on firmAudit-grade reconciliation to source records — energy bills, HR data, Board minutes
Materiality assessmentOften generic or assumedTemplate-driven, sometimes sector-adjustedStructured stakeholder engagement, documented basis, defensible under scrutiny
Integration with existing governance & risk frameworkNot offered — standalone deliverableRarely integrated with client's ERM/internal auditBuilt into existing ERM/internal audit methodology where the client has one
Regulatory grounding (BRSR, CBAM, Companies Act, SEBI LODR)Limited — marketing framing over compliance substanceVariable depthGrounded in the same statutory and regulatory practice PNPC applies to audit, tax, and corporate law engagements
Assurance-readinessNot consideredSometimes consideredData and methodology built to withstand BRSR Core assurance or investor diligence from the outset
Continuity across cyclesProject-based, no ongoing relationshipMay offer annual retainerSame CA team available for annual refresh, covenant renewal, fundraise diligence, and BRSR filing support
Independence discipline for assuranceNot applicable — does not offer assuranceSometimes both prepares and 'assures' — an independence gapExplicit separation maintained — an independent assurance provider is coordinated where PNPC has prepared the underlying data
India-UAE coordinationRarely offeredRarely offeredChennai, Bangalore, Hyderabad, and Dubai offices — one consistent methodology across both jurisdictions

What the PNPC package includes

  1. 01

    Scoping and applicability assessment — understanding the actual trigger (BRSR, lender covenant, customer questionnaire, fundraise) before any data work begins

  2. 02

    Structured stakeholder engagement and materiality assessment — documented, defensible, and specific to your sector and business model

  3. 03

    Baseline ESG data collection reconciled to source records — energy bills, HR data, safety logs, Board minutes, not estimated figures

  4. 04

    GHG emissions calculation per the GHG Protocol — Scope 1, Scope 2, and Scope 3 where genuinely in scope and data-supportable

  5. 05

    Gap analysis and peer benchmarking against BRSR Core KPIs and relevant GRI/SASB disclosures where credible data exists

  6. 06

    ESG risk register built consistent with PNPC's Enterprise Risk Management methodology — ready for integration into your existing ERM framework

  7. 07

    Governance architecture review — Board/committee oversight structure, policy gap assessment, recommendations proportionate to your size

  8. 08

    Measurable target-setting and implementation roadmap, stress-tested against your actual operational and capital expenditure capacity

  9. 09

    Data-systems recommendation so future reporting cycles are materially faster than the first

  10. 10

    Board or committee presentation of findings, with PNPC personnel available to answer technical questions directly

  11. 11

    CBAM readiness assessment for qualifying exporters of iron, steel, aluminium, cement, fertiliser, hydrogen, or electricity into the EU

  12. 12

    Coordination with an independent assurance provider where formal BRSR Core or third-party assurance is required

  13. 13

    Direct contact with your engagement CA for lender, investor, or customer ESG follow-up questions — not a support queue

Speak directly with a PNPC Chartered Accountant about your ESG risk exposure. Not a sustainability salesperson, not a template generator — a practising CA who applies the same evidentiary discipline to your ESG data that we apply to your statutory audit, and who will still be your advisor at your next BRSR cycle, your next covenant renewal, and your next fundraise.

← Back to Risk Advisory
Talk to a CA