Page 611 - COSO Guidance

3. Performance for ESG-related risks

3. Prioritize the risk

An organization prioritizes risks to determine:
• The urgency required in the management response
• The types of action necessary
• The level of investment in the risk response

Guidance: Leverage subject-matter expertise to prioritize ESG-related risks.

Section 1.1 of this sub-chapter explores the prioritization criteria companies use to compare risks across the enterprise. As discussed, impact and likelihood are often used to prioritize risks into categories, based on the preferred risk severity measures. Typically, financial metrics are the preferred denominator; however, companies may also include additional considerations, such as vulnerability, velocity or resilience. The example below illustrates risk prioritization using a tiered approach.



Solvay S.A — using a tiered approach to classify risks

Solvay uses two ratings to prioritize the company’s risks: impact and level of control. In its external report, it disclosed a range of criticality that is applied to its top eight risks and linked to corresponding ESG materiality aspects. For each risk, an owner is assigned to respond to and monitor the risk. The risk owner maintains the risk description and tracks associated prevention and mitigation measures for executive management.
Many companies use the Delphi approach to support the prioritization process (see the expert input section above). Convening a group of executives with representation across the business enables risks to be debated, compared and voted on. It is often in this session where additional assessment criteria (such as resilience, velocity and adaptability) are captured and discussed.

The cross-functional nature of these panels means that, in many cases, executives involved in these discussions are less familiar with ESG-related risks. As a result, the importance of these risks may be discounted during the voting process. Risk owners, risk management and sustainability practitioners can address this by providing the executive team with context on ESG-related risks, such as the impact of the risk on the organization’s strategy, key performance indicators (KPIs), peer or industry practices or public commitments. The example below demonstrates how an organization’s human rights expert can provide insight to the executive team on an ESG-related risk.

64 | Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018