Page 603 - COSO Guidance
3. Performance for ESG-related risks
Table 3b.7: Examples of measurement approaches for risk assessment
| Measure | Considerations | Measurement approaches |
| --- | --- | --- |
| Quantitative (monetary) | • Useful when prioritization requires consistency with other risk severity assessments (e.g., financial value at risk and potential business impacts such as revenues, sales, margin, cost) • Supports decision-making for trade-offs • Assumptions and calculations can be complex • Example monetary impact: salaries paid (employment) | • Includes probabilistic and non-probabilistic models, decision trees, Monte Carlo simulations, value at risk (VaR), stress tests, severity, frequency and duration |
| Quantitative (non-monetary) | • Useful when time, resources or data are not available for monetization • Helpful for measuring progress over time • Disparate risks that cannot be compared (e.g., volumes of water versus loss of revenue) • Example non-monetary impact: number of jobs (employment) | |
| Qualitative | • Do not require significant amounts of data • Less precise, greater possibility of bias • Useful when there are many different perspectives or impacts • Helpful for risks that have a strong moral or ethical dimension • Example qualitative impact: expressed in categories of high, medium or low (employment) | • Environmental scanning, interviews, workshops, surveys, benchmarking, SWOT analysis, geopolitical assessments, root cause analysis and multimedia monitoring |
The type of risk should also be considered when selecting the appropriate tool. Table 3b.8 demonstrates how
the type of risk can guide the selection of the appropriate risk assessment tool.
Table 3b.8: Selecting the appropriate risk assessment approach [e]
| Effect on performance | Risk description | Possible causes (risks) | Assessment approaches |
| --- | --- | --- | --- |
| Strategic | Failure to anticipate or adapt policy direction and business model in a rapidly changing environment | • Products/services • Geopolitical • Urbanization/growing population • Environmental • Social or stakeholder | • Environmental scanning • Peer benchmarking • Competitor analysis • Geopolitical assessments • Stakeholder assessments |
| Reputational | Unacceptable differences between how an organization wants and needs to be perceived and how it is actually perceived | • Reputation • A consequence of failure to manage other risks | • Media monitoring • Stakeholder engagement/surveys |
| Operational | Unacceptable differences between actual and expected operational performance (e.g., product quality, morale, training, ethics) | • Employee management • Human rights • Raw material availability | • Root cause analysis • Expert input • ESG-specific tools such as InVest (Integrated Valuation of Ecosystem Services and Trade-offs) |
| Business continuity | Inability to prevent, detect or correct business outages within established limits | • Natural disasters (e.g., hurricane, flood) • Supplier failure • Terrorism | • Maximum allowable outages • Probabilistic analysis • Forecasting and valuation (e.g., Monte Carlo simulation) • Scenario analysis |
The appropriate tool may also depend on whether the risk is likely to have an immediate impact on the entity
(e.g., worker fatalities) or a long-term indirect impact on the company (e.g., CO2 emissions).
Limitation of assessment approaches
All risk assessment tools have different strengths and weaknesses. Conventionally, impact and likelihood have
been used to assess all risks, regardless of the type. Global reinsurer Swiss Re states, “Predictions about
the likelihood of multi-causal losses actually depend on either sound understanding of cause-and-effect
relationships or on a detailed loss history and the risks of the future have neither of the two.”[29] Subjective
probabilistic analyses are inevitably biased and may result in the over- or underestimation of opportunity or
exposure. See also Table 3b.7.
[e] Contributed by Funston Advisory Services LLC
56 Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018