
3. Performance for ESG-related risks




Table 3b.3 provides some examples of criteria used to assess the likelihood of a risk occurring.

Table 3b.3: Example of likelihood prioritization criteria

Risk rating   Definition (frequency)             Definition (probability)
Very high     Once a year or more frequently     More than [ ]% chance of occurring
High          Occurs once every 1-3 years        [ ]% chance of occurring
Medium        Occurs once every 3-5 years        [ ]% chance of occurring
Low           Occurs once every 5-10 years       Less than [ ]% chance of occurring

As shown in the example below, risks are commonly presented in a risk matrix or heat map depicting the impact and likelihood of individual risks.


Eskom: using a heat map to prioritize risks

Eskom, a utility company based in the Republic of South Africa, uses a heat map to depict the prioritization of its most critical risks according to their likelihood and consequences (impact). The company's high-priority risks fall in the top right corner, depicting the inherent risk rating. The company assesses each risk against its target risk rating, that is, the target residual risk that management aims to retain once risk responses are deployed.[7]

[Figure: Enterprise risks at 31 March 2016. Vertical axis: Consequences, rated 1 (lowest) to 6 (highest). Horizontal axis: Likelihood, bands A to E (<1%, >1%, >20%, >50%, 99%). Legend: Risk rating; Target risk rating.]


The COSO ERM Framework states that, as part of the risk assessment, management considers inherent risk, target residual risk and actual residual risk.[8] These considerations support management in prioritizing risks and, even more so, in understanding the effectiveness of risk responses. For example, management may identify redundant risk responses that do not result in a measurable change to the severity of the risk.

Although impact and likelihood are common criteria for risk prioritization, in some cases relying on these attributes alone can lead to a less accurate assessment or prioritization. In Resilience: A journal of strategy and risk, PwC[9] outlines some of the characteristics of ESG-related risks that render them different from traditional risks and cause these challenges in assessment:
            • ESG-related risks can be more unpredictable and manifest over a longer and often uncertain time frame.
• Assessment of risk is often based on historical data. For ESG-related risks, particularly those that are new or
 emerging, it can be difficult to find historical precedents from which to estimate the risk impact.
            • ESG-related risks are macro, multi-faceted and interconnected and can affect the business on many dimensions.
             This can make assessing an ESG-related risk more complex.
            • Risks may be outside an entity’s control. Responding to a risk may rely on the actions of other parties or may
             require coordinated efforts.
ESG-related risks also tend to be affected by organizational biases that exist when assessing and prioritizing risks. Specifically, organizational bias can lead to a failure to identify the full range of outcomes that may stem from a risk, or to overconfidence in the accuracy of risk assessments and of the mitigations in place. There is also a tendency for individuals to anchor risk assessment estimates on readily available evidence, despite the known limitations of extrapolating recent historical data to an uncertain and variable future. This bias is often compounded by confirmation bias, which drives individuals to favor information that supports a certain position and suppress information that contradicts it.[10] Confirmation bias can be particularly common among those who hold strong positions about the science of climate change (either affirming or questioning the causes and expected impacts). See Table 3b.13 for more information.
To overcome these challenges, it can be helpful to consider additional criteria (beyond impact and likelihood) that provide a more complete understanding of the nature and extent of an entity's exposure. Table 3b.4 details a list of example criteria provided by COSO[11] that can be used for assessing and prioritizing risks, and their relevance for ESG-related risks.





        50                             Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks  •  October 2018