Page 610 - COSO Guidance
3. Performance for ESG-related risks
Data quality and reliability
When determining which ESG data to use, it is important to consider its quality and reliability – particularly
for data that relates to new or emerging issues or risks. Care should be taken when using “off the shelf”
data or models. In assessing data quality, management should ask the following questions to select
high-quality data sources:
• Is the data of high enough quality to produce reliable results?
• Are controls in place for internally collected data?
• Is the data collected in accordance with a time-tested or industry standard?
• Is secondary data open-sourced or available for challenge?
• Is metadata available to perform analysis prior to using the data?
• What are the key assumptions in the model or data?
• Is expert judgment used in the model or method?
When management has concerns about the quality of data, it may be appropriate to validate the data.
Validation methods include testing the data based on metadata (e.g., summary statistics), implementing
internal controls, validating a subset of the data or performing analyses to assess reasonableness.
Timing
The COSO ERM Framework suggests that the time horizon used to assess risks should be the same as
that used for the related strategy and business objectives. However, environmental and social risks often
manifest over a longer time horizon than the one-, three- or five-year time frames typically used for strategy
setting. Managing these risks requires making investment decisions today for longer-term capacity building, or
developing adaptive strategies which may be at odds with the short-term results that companies feel pressure
to deliver.
Further, by considering only the most urgent risks, entities may neglect the long-term value they can deliver
as well as the possible benefits of responding to risks before they fully emerge. Climate change impacts, for
example, may emerge any time over the next 50 years. By assessing the impact of transitional or physical
risks now, an organization can plan to respond to the risk more gradually, whether that includes pursuing
opportunities for low-carbon products or services, or building resilience against severe weather impacts into its
operations.
Scope
Scope defines the organizational boundaries (e.g., divisions, functions, operating units) and value chain
boundaries (e.g., inputs, operations, markets) being measured for each risk. These boundaries affect the relative
importance of each risk. For example, risks assessed as important at the operating unit level may be less
important at a division or entity level. At higher levels of the entity, risks are likely to have a greater impact on
reputation, brand and trustworthiness.
Discount rate
When assessing financial risks, practitioners often apply discount rates based on the weighted average cost
of capital to arrive at the present value of the potential risk impact. Discount rates imply a level of accuracy
based on the timing of predicted cash flows. Therefore, estimates need to be established with enough
subject-matter expertise or historical evidence to apply a discount rate. Because of the uncertainty of
ESG-related risks, applying a discount rate may not be appropriate given the lack of precision in the
predicted cash flows.
Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018 63