Page 609 - COSO Guidance
3. Performance for ESG-related risks
Data sets
Management relies on the availability and quality of data as an input into its risk severity assessments.
Finding quality data sets for ESG-related assessments can be a challenge, especially for organizations
quantifying an ESG-related risk for the first time. Unlike financial information, which is subject to internal
controls, ESG-related information does not always receive the same level of scrutiny. Table 3b.12 provides a
starting point for management to identify the primary and secondary data available for a risk assessment.
Table 3b.12: Example data sources for ESG-related risk assessments

| Category | Data sources | Examples |
| --- | --- | --- |
| Primary | Internal organization data | Supplier spend, sales performance, water usage, greenhouse gas emissions |
| Primary | Survey results | Employee, supplier or customer surveys |
| Primary | Interviews or focus groups | In-depth conversations for at-risk groups, such as employees, NGOs or communities |
| Secondary | Big data and big indicators | Highly detailed, continuously produced global indicators that track change in the health of the Earth’s most important systems in real time |
| Secondary | Academic research | Credible research into the nature and extent of an ESG problem, such as plastic waste or e-waste |
| Secondary | Interviews with third parties or subject-matter experts | Interviews may include the Delphi outputs (refer to Monte Carlo example above); NGOs can provide insight into communities that may be otherwise inaccessible to the organization |
| Secondary | Government or think tank data | Open data, household budget surveys, demographic health surveys or other collection databases |
| Secondary | Industry or peer organization data or reports | Sector-specific data such as energy, compliance or cost data or assumptions that can be derived from publicly available information (see Appendix VI) |
| Secondary | Existing analysis | Internal or external analysis completed for other purposes, such as supply chain interruptions or costs associated with food safety issues |
| Secondary | Output from tools referenced in the Natural Capital Protocol Toolkit and Social & Human Capital Protocol Toolkit | Information or results from using the tools (e.g., biodiversity footprint) that can be used as inputs into monetary risk assessment |
| Secondary | Social Value International (SVI) Global Value Exchange | An open source database of values, outcomes, indicators and stakeholders focused on social and environmental data |

Each data source or selection has underlying assumptions. When preparing forecasts or valuations,
practitioners will need to understand the assumptions embedded into the data selected and any subsequent
limitations. For example:
• Emissions factors may be selected based on the energy source and country, which may not be as accurate
for calculating greenhouse gas emissions for operations within a specific city.
• Water scarcity risk may be based on rainfall and watershed measurements that are not current.
• Population growth for Europe may be based on current birth rates but may not take into account migration.
• Proxy data for calculating well-being may be based on a particular region, demographic group or
socioeconomic class.
Understanding the assumptions embedded in the data also helps inform when risk assessments need to
be updated. For example, many greenhouse gas emissions factors are updated annually, which can lead
to an update in the risk severity calculation. See Chapter 4 for more guidance on reviewing and revising
risk assessments.
62 Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018