Management Control at the Intersection of Risk and Sustainability: an analysis of European Energy companies.
SCARAMUZZA, GIORGIA
2024/2025
Abstract
This thesis investigates the integration of risk management and management control to address increasingly complex sustainability-related risks. While environmental, social, and governance (ESG) factors are frequently recognised as critical, traditional corporate practices often relegate sustainability to a disclosure requirement rather than a core driver of internal decision-making. Existing frameworks, such as the Sustainable Enterprise Risk Management (SERM), highlight the conceptual need for integration, yet limited research explains how ESG risk information is operationalised within planning, budgeting, and performance management processes. The thesis first delineates the divergence between traditional and sustainability-oriented risk management approaches, showing how sustainability risks differ in their multidimensional, systemic, and long-term nature. It then explores the behavioural and cultural conditions that enable effective ESG risk integration, including risk culture, managerial risk perception, and informal control mechanisms. A central contribution concerns the mechanisms through which management controllers translate ESG risk information into actionable managerial processes, supported by tools such as KPIs, scenario analysis, and incentive mechanisms. To complement the theoretical analysis, the thesis examines three major European energy companies - Enel (Italy), Iberdrola (Spain), and Ørsted (Denmark) - to study how sustainability considerations are embedded within their Enterprise Risk Management (ERM) and control systems. These firms are particularly significant due to their contribution to the energy sector and the industry’s central role in the European Union’s net-zero transition. 
The findings reveal that while all three companies have formally embedded sustainability into their ERM frameworks, driven largely by compulsory European regulatory requirements and SBTi validation for a 1.5°C pathway, their internal execution varies significantly in terms of the level of strategic integration and the compliance orientation. Consistent with a contingency theory perspective, the analysis highlights that while regulation standardises reporting outputs, internal control mechanisms remain highly contingent on firm-specific operational contexts.

| File | Size | Format |
|---|---|---|
| Tesi_Giorgia_Scaramuzza.pdf (open access) | 2.1 MB | Adobe PDF |
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14247/27522