Page 592 - COSO Guidance
3. Performance for ESG-related risks
Some aspects to consider when identifying and defining ESG-related risks include:
• What is the nature of the risk?
• What is the source of the risk?
• What is the root cause of the risk?
• Why is the issue relevant to the business?
• What is the business case for addressing the risk?
• Which business decisions may be impacted by the risk?
• What will be improved or enhanced by addressing the risk?
Not all ESG issues identified by an entity’s ESG materiality assessment or megatrend analysis should be
included in the risk inventory. For some issues, it may be appropriate for sustainability practitioners to perform
ongoing monitoring and evaluation as to whether these risks should be elevated to an enterprise level and
included in the risk inventory in the future. Regardless of whether the risk is included in the enterprise risk
inventory, once a risk has been identified, risk management and sustainability practitioners can deploy ERM
processes outlined in this guidance to assess, prioritize and respond to the risk.
Risks should be identified at any level of business in which there is a strategy, including entity, business
unit, product and market/regional levels.
Describing risks with precision
Guidance: Define the impact of ESG-related risks on the organization precisely
When identifying risks, practitioners should aim to precisely describe each risk. The risk description should
focus on the risk itself, rather than calling out a general ESG issue (e.g., climate change), the root cause of
the risk, the potential impacts of the risk or the effect of the risk response being poorly implemented. In
accordance with COSO, precise risk identification enables the organization to:
• More effectively manage the risk inventory and understand its relationship to the business strategy,
objectives and performance
• More accurately assess the severity of a risk in the context of business objectives
• Identify root causes and impacts and therefore select the most appropriate risk responses
• Understand interdependencies between risks and across business objectives
• Reduce the “framing bias” that can occur when a risk is framed to focus on either the potential upside
or downside
• Aggregate risks to produce the portfolio view
COSO advises the following sentence structures for precisely articulating the risk:
• “The possibility of [describe potential occurrence or circumstance] and the associated impacts on [describe
specific business objectives set by the organization]”
• “The risk to [describe the category set by the organization] relating to [describe the possible occurrence or
circumstance] and [describe the related impact]” 9
For guidance for assessing and articulating the impact of the risk on the entity, see sub-chapter 3b. Table 3a.4
provides examples of precise risk definitions for ESG issues, including the root cause and impact on strategy,
objectives and performance.
Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018 45