Page 593 - COSO Guidance
3. Performance for ESG-related risks
Table 3a.4: Examples of precise ESG-related risk definitions

| Precise risk definition | ESG issue or megatrend | Root cause | Impact on strategy, objectives and performance |
| --- | --- | --- | --- |
| The possibility that drought will impact crop yields and revenue during April and May. | Water scarcity | The organization has invested primarily in water-intensive crops and therefore will be impacted by water scarcity | Water scarcity may impact the ability to produce enough crops at the right price to meet the organization’s revenue goals. |
| The possibility that a declining customer base will impact sales | Demographic shifts | The entity’s customer base in Europe is declining because of negative population growth, an aging population and restrictive immigration laws. | The declining number of domestic customers in Europe could decrease revenue and profitability. |
| The possibility that participating in corrupt activities will impact the entity’s operations | Anti-corruption | The entity operates in markets where corruption is commonplace and does not have processes in place to assess due diligence risks. | Bribery violates the US Foreign Corrupt Practices Act, UK anti-bribery legislation and the entity’s core values and would preclude operations in those countries. |
Analyzing root cause
Guidance: Use root cause analysis to understand drivers of the risk
Each risk in the inventory is driven by an underlying cause. Root cause
analysis is a useful approach to understanding these drivers of business risk.
It helps isolate the required changes so that entities can address a problem
at its source rather than its symptoms.
Collaborating to determine root cause increases the breadth of knowledge,
understanding and experience, which can make the analysis more robust.
Organizations should consider involving senior management and daily
operations personnel to support this analysis.
Tools for understanding root causes include the five whys, cause-and-effect diagrams, hypothesis testing
and comparative analysis. The example below illustrates how an organization may perform root cause analysis
in practice.
The five whys
Asking “why” is key to effective root cause analysis. The “five whys” tool, starting with the issue or
observation, guides managers to continue to ask “why” until they arrive at the root cause. For example:
Issue: The safety performance at one of the facilities is significantly worse than organizational averages,
presenting an increased risk to the entity and inhibiting the ability to achieve the goal of zero
incidents.
Why? There is a higher level of Occupational Safety and Health Administration (OSHA) violations at the
facility than at other facilities.
Why? Workers at the facility are not using appropriate personal protective equipment (PPE) at all times.
Why? Workers at the facility are not being provided with appropriate PPE and training.
Why? There is no specific environmental health and safety (EH&S) action plan for improvement at
this facility.
Why? This facility was recently acquired by another entity, and its due diligence processes did not
adequately assess the EH&S gaps existing in that entity.
46 Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018