Page 595 - COSO Guidance
3. Performance for ESG-related risks
Assess and prioritize risks
An effective risk assessment examines the extent to which identified risks impact the entity’s strategy and
business objectives. As summarized in Table 3b.1, organizations achieve this by:
• Identifying the impacts or effects that the risk may have on the entity
• Selecting the most appropriate approach, data and assumptions for the assessment (analytical choices)
Taken together, these support an effective dialogue for prioritization that considers the severity of a risk relative
to corresponding business objectives and the entity’s risk appetite.
These considerations are not necessarily sequential and may require an iterative process. The appropriate
metrics for severity are not the same for all types of risk, and they are subject to data or information
availability. Further, the assessment approach selected depends on the risk prioritization criteria of
the organization. Each of these considerations is discussed in more detail below (see Table 3b.1 for
corresponding section references).
Table 3b.1: Overview of considerations for assessing risk severity

Assess risk severity
Perform assessments to express risks relative to the organization’s ability to achieve its strategy and objectives.

1. Impacts and effects
How does a risk impact the organization’s ability to achieve its strategy and business objectives?

1.1 Understand risk prioritization approach
What criteria does the organization use to prioritize risks? Does the organization use judgmental evaluations or quantitative scoring methods?

1.2 Understand metrics for severity
Which metrics are used to express impact on the business strategy and objectives (e.g., earnings, costs, revenues, assets and capital allocation/investments)? Which metrics are used to measure the likelihood, rate of onset, frequency? Are metrics qualitative or quantitative?

2. Analytical choices
What is the appropriate method to assess risk severity?

2.1 Assessment approach
Which assessment approach is appropriate for measuring the severity of ESG-related risks (e.g., expert input, forecasting and valuation, scenario analysis or ESG-specific tools)? What additional tools are available to support the assessment?

2.2 Data, parameters and assumptions
What are the data requirements? What data is available? Which parameters and assumptions should be applied (e.g., time, period, scope)?

3. Prioritize risks
Prioritize risks based on severity, importance of the corresponding business objective and the organization’s risk appetite.

Adapted from the Task Force on Climate-Related Financial Disclosures (2017, June). Technical supplement: The use of scenario analysis in disclosure of climate-related risks and opportunities.
1. Impact and effects
A risk is relevant if it could impact the achievement of an entity’s strategy or business objectives.^a Once a risk is identified, understanding the potential business impacts and effects allows management to prioritize risks and allocate resources to respond and monitor the risk over time. To achieve this, risks should be translated into a common language that captures risk severity.
The following case study demonstrates how the impact of an ESG-related risk can be connected to the financial impact on an organization’s strategy and business objectives. These results can be used in prioritization and resource allocation.

Guidance
Understand the required output of the risk assessment (e.g., the impact in terms of the strategy and business objectives).

Pro Paper & Packaging
See Appendix VIII for an illustrative example describing the impacts and effects of a risk.
a Note that there are exceptions to this, such as human rights impacts, which are discussed in detail later in this sub-chapter.
48 Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018