Page 615 - COSO Guidance
3. Performance for ESG-related risks
This sub-chapter sets out the following actions to help risk management and sustainability practitioners develop
and deploy responses to ESG-related risks:
Select an appropriate risk response based on entity-specific factors (e.g., costs, benefits and risk appetite)
Develop the business case for the response and obtain buy-in
Implement the risk response to manage the entity’s risk
Evaluate risk responses at the entity level to understand the overall impacts to the entity risk profile
Internal control framework
Risk management practitioners should work in tandem with an entity’s internal control structure. Internal
controls encompass the entity’s control environment, risk assessment, control activities, information and
communication and monitoring. Embedding strong internal controls can support the effectiveness of ERM[3]
– although ERM is broader in scope. Refer to the 2013 COSO Internal Control – Integrated Framework[4] for
further information.
Choosing risk responses
For all risks identified, management selects and implements a risk response. According to the COSO ERM
Framework, risk responses fall within the categories of accept, avoid, pursue, reduce and share.[5] Each of these
is detailed below:
Accept: Take no action to change the severity of the risk
This response is appropriate when risks to the strategy and business objectives are within the risk appetite and
not likely to become more severe. For example, a manufacturer may accept potential for human rights-related
risk in the supply chain if the entity has no high-risk suppliers and has not received any public pressure on the
issue. The risk may be seen as too low to justify the cost of a program beyond requesting supplier compliance
statements.
Accepting a risk often leads to a need for close monitoring of the assumptions that led the organization to
accept the risk. If these assumptions change, a different response may need to be deployed (see Chapter 4 for
further detail on monitoring risks).
Avoid: Remove the risk
Organizations may have zero tolerance for certain ESG-related risks, which leads them to avoid the risk entirely
or at least reduce the likelihood that it will occur. For example, in 2018 Swiss Re announced that it would not
provide reinsurance to businesses with more than 30% exposure to thermal coal across all lines of business.[6]
Similarly, an entity that supplies services to a government may cease doing business in the highest risk
countries to avoid any possible links to corrupt business activities.
Pursue: Convert risks into opportunities
Risk responses often focus on preserving value, but in many cases responding to ESG-related risks can
unlock value for entities. The Business and Sustainable Development Commission reported in 2017[7] that the
United Nations Sustainable Development Goals (SDGs) could unlock more than USD$12 trillion in business
opportunities by 2030. Some examples are outlined in Table 3c.1.
a. The estimate in reported benefits was determined using the following study on advancing women’s equality from McKinsey Global Institute: Woetzel, J., Madgavkar, A., Ellingrud, K., Labaye, E., Devillard, S., Kutcher, E., Manyika, J., Dobbs, R., and Krishnan, M., 2015. The Power of Parity: How advancing women’s equality can add USD$12 trillion to global growth. McKinsey Global Institute.
68 Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018