Page 588 - COSO Guidance

3. Performance for ESG-related risks

This sub-chapter outlines the following actions to help risk management and sustainability practitioners identify and define new and existing ESG-related risks:

• Examine the entity’s risk inventory to determine which ESG-related risks have or have not been identified
• Involve ESG risk owners and sustainability practitioners in the risk identification process to leverage subject-matter expertise
• Convene meetings with both risk management and sustainability practitioners to understand ESG-related risks
• Identify the ESG-related risks that may impact the organization’s strategic and operational plans
• Define the impact of ESG-related risks on the organization precisely
• Use root cause analysis to understand drivers of the risk

               Using a risk inventory

According to the COSO ERM Framework, the objective of risk identification is to determine the risks that could interrupt operations, affect the reasonable expectation of achieving the entity’s strategy and business objectives or materially impact the entity’s license to operate (including reputational issues).² Identifying opportunities should be a key part of the risk identification process. COSO defines opportunities as the actions or potential actions that create or alter goals or approaches for creating, preserving and realizing value.³

Many entities maintain a risk inventory or register to list the risks that they face. This inventory provides common categories and standard definitions through which risks can be described and discussed. A risk inventory may also include a description of the impact of each risk, mitigation actions and a risk owner.⁴

When ESG-related risks meet the entity’s risk criteria, these risks should be included in the risk inventory, so they can be managed and monitored. See Table 3a.1 for an example risk inventory.

Table 3a.1: Example risk inventory

Strategic
• Vision and core values
• Corporate governance
• Organizational structure
• Strategic planning
• Mergers and acquisitions valuation and pricing
• Investor relations
• Competition
• Changing customer preferences or lifestyles
• Growing middle class
• Urbanization/growing population
• Emerging markets

Operational
• Research and development
• New products
• Marketing
• Budgeting and forecasting
• Raw material availability
• Suppliers
• Production management
• Product stewardship
• Inventory management
• Employee engagement
• Labor relations
• Human rights
• IT investment
• Cybersecurity
• Business continuity
• Pandemic
• Physical impacts of climate change

Financial
• Interest rate volatility
• Foreign currency volatility
• Cash management
• Credit risk
• Accounting policies
• Accounting estimates
• Internal control
• Tax strategy and planning

Compliance
• Fraud
• Bribery
• Conflicts of interest
• Country/state/local regulation
• Tax regulation
• Trade regulation
• IP management and protection
• Greenhouse gas emissions
• Water treatment
• Health and safety


Typical categories of risk include strategic, operational, financial and compliance. Some organizations may include a separate category for “sustainability” or “reputational” risks. However, these risks can usually be grouped in other risk categories (for example, climate-related risks are often operational or financial in nature). Further, reputational implications are often an impact of another type of risk, rather than a risk in and of itself (for example, reputational damage resulting from an environmental incident or pollution). In addition, many ESG-related risks are not entirely new but rather represent an additional source of an existing risk, or compound that risk’s impact or likelihood of materializing. For example, climate change impacts often increase the risk of raw materials cost fluctuations, which is an existing risk for many entities (see Table 3a.2).

Guidance: Examine the entity’s risk inventory to determine which ESG-related risks have or have not been identified.






               Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks  •  October 2018  41