Page 619 - COSO Guidance

3. Performance for ESG-related risks

In rare cases, the risk or set of risks may be so significant that management may consider pursuing an alternative business strategy as a response (either at the next strategy-setting milestone or, rarely, in the immediate term). This is discussed in Chapter 2.

Choosing risk responses

Guidance: Select an appropriate risk response based on entity-specific factors (e.g., costs and benefits and risk appetite).

According to the COSO ERM Framework, the appropriate risk response is based on consideration of a number of factors, such as:

• Business context: Risk responses are selected or tailored to the business context, which includes the industry, geographic footprint, regulatory environment and operating structure. For ESG-related risks, questions may include:
  - How will the risk response minimize or exacerbate the ESG-related impacts and dependencies of the entity?
  - Which controls and business processes are in place to address this risk?
  - How will the risk response make it easier or more difficult to meet organization objectives?
• Costs and benefits: Capturing the anticipated costs and benefits to an entity is particularly important for ESG-related risks to demonstrate the business case and obtain buy-in. The costs and benefits to society may also be considered when assessing potential response options.
• Obligations and expectations: Responses should align with generally accepted industry standards, stakeholder expectations on ESG-related issues and performance (particularly NGOs, customers, employees) and the entity's mission, vision and core values.
• Prioritization of risk: Organizations use the prioritization of risk (sub-chapter 3b) to inform the allocation of resources. For ESG-related risks, speed of onset and vulnerability may be important considerations when determining the appropriate response. For catastrophic and high risks, responses typically require action plans that consist of new investments in activities to reduce or pursue a risk. For medium and low risks, an organization may accept the risk and monitor it for significant changes.
• Risk appetite: Risk responses should consider the risk appetite of the organization, so that action plans reduce residual risk severity to within that appetite. If risk severity is already within the risk appetite, management may choose to accept the risk.
• Risk severity: Responses should reflect the size, scope and nature of the risk and its impact on the entity.

Pro Paper & Packaging: See Appendix VIII for an illustrative example of risk responses.

Some risk responses may require a focused approach, such as basic compliance risks (responding to regulation to report annual greenhouse gas emissions), supply chain risks (establishing expectations and ongoing assessment processes to monitor human rights-related supplier information risk) or health and safety risks (establishing a management system with policies, procedures and systems). For other risks, management may find it appropriate to combine multiple types of risk responses to address a particular risk. For example, when addressing climate-related risks and anticipated increases in severe weather, an organization may reinforce buildings that are susceptible to hurricanes (reduce) while at the same time purchasing insurance policies on those buildings (share).

Building risk resilience

The nature and complexity of ESG-related risks mean that an organization may not always be able to identify all possible risks, may not be able to mitigate all the potential impacts of a risk or may not be able to pursue all available opportunities stemming from a risk. Even with the best assessment tools, an organization may learn that while severe weather events are likely, the timing or location of a hurricane cannot be predicted. Similarly, an organization may develop a robust social compliance program and stakeholder engagement process yet still come under intense criticism from NGOs or customers due to erroneous claims, misinformation or shifting stakeholder expectations.ʰ
ʰ For example, consider the impacts of a 2010 Greenpeace campaign against Nestlé. Greenpeace released a video parody of the company's KitKat "Give me a break" candy bar ads. The video implied that Nestlé was killing orangutans by buying rainforest for palm oil. The activist organization launched a boycott of Nestlé, even though the company bought palm oil in the commodity market, not from a specific plantation (Sheffi, Y. (2015). The Power of Resilience: How the Best Companies Manage the Unexpected. The MIT Press).
72 | Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018