1. Governance and culture for ESG-related risks
ESG at the management level
The board is ultimately responsible and accountable for the organization’s long-term success, with the CEO
entrusted with decision-making and management activities. The CEO delegates to company executives who
themselves delegate down the chain of command to management, which performs the operational activities of
risk management. An example of some of the different roles in the organization throughout the ERM process
can be found in Appendix V.
Questions for risk management and sustainability practitioners to consider:
• Is oversight of the ERM process clearly defined and implemented?
• Do risk and sustainability have operationally and strategically integrated processes?
• Are continual process improvements jointly developed and monitored?
• Does the ERM process connect ESG to risk management?
• Is there agreement on which stakeholder interests are critical to the long-term success of the entity?
• Is ERM embedded in key business processes, reporting and metrics?
• What are competitors and peers doing to identify, manage and disclose their ESG-related risks?
• Have ERM practitioners been trained in ESG and vice versa?
The ERM structures, process and continual improvement
Organizations should not approach ERM solely as a compliance process, a once-a-year activity or a checklist of
activities to be performed on an annual cycle. ERM is intended to be ongoing and iterative, embedded
in everyday business processes so that the entity stays aware of, and ahead of, emerging threats
and opportunities.
Nonetheless, it is common for organizations to have a structured timeline for ERM activities. This is partly
dictated by reporting obligations and other strategic and regulatory milestones, such as the budgeting
cycle, strategic planning process and annual general meetings. Sustainability practitioners should obtain an
understanding of the end-to-end risk management process and strategic planning cycle to allow relevant ESG
subject-matter experts to be included in annual surveys or workshops and ESG-related risk to be included in
strategic planning and operational discussions. An example strategic planning and operational cycle and how
ERM may support this is illustrated in Figure 1.1.
Figure 1.1: Strategic planning and operational cycle (timeline: one year)
Strategy: defines near-, mid- and long-term goals and plans. ERM support: provides risk insights and participates in strategic planning.
Finance: creates financial plans and capital allocation. ERM support: provides supporting information to enable effective risk-adjusted financial planning.
Operations: creates operational plans to support strategies within financial constraints. ERM support: provides process support for development of operational risk management planning and measurement.
Operations: implements risk management plans. ERM support: provides ongoing leadership and management decision support.
Across the whole cycle: continual improvement and ongoing identification, assessment, management and reporting of risk.
Risk management and sustainability practitioners should map their organization's operating structures, reporting
lines and processes to identify areas that could strengthen ESG-ERM oversight and collaboration. In some cases,
ESG-related risks may materialize unexpectedly, and the appropriate risk owners and subject-matter experts will
need to be located quickly to develop an appropriate response. Figure 1.2 sets out an example governance
structure and some of the key roles for risk management and sustainability.
Guidance: Map the operating structures, risk owners for ESG-related risks, reporting lines and end-to-end ERM and
strategic planning process to identify areas for improved oversight and collaboration.
Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018 19