Page 620 - COSO Guidance
3. Performance for ESG-related risks
In these cases, organizations should focus on using a suite of risk responses aimed at enhancing their resilience
should the risk eventuate. For example, mitigating the possibility of a negative social media campaign
may not be possible. However, by designing a crisis management plan that establishes processes, pre-approved
responses and escalation paths, an entity can prepare for such a campaign, if and when it is launched.
Entities can also use business continuity planning to prepare for the short-term impacts from unexpected risks
and scenario planning to prepare for various scenarios that may arise from longer-term trends and associated
threats and opportunities. Transparently communicating the entity’s selected response to NGOs, customers,
investors or other stakeholders can also serve to reduce the severity or likelihood of negative campaigns
occurring in the first place. Organizations can also use these mechanisms to plan for a range of
scenarios of future ESG-related challenges or changes to customer expectations, so that they can innovate and create
or realize value from new products or services.
Collaborate cross-functionally
It is critical to involve the right stakeholders in developing and executing a risk response. Engaging subject-
matter experts can lead to innovation and more strategic solutions. For example, consider the risk that the
safety and environmental performance of a telephone product impacts the revenue of a technology company.
A tactical response may focus on compliance testing at the end of the manufacturing process. A strategic
approach may use cross-functional collaboration to identify opportunities along the value chain to intervene
to address the risk (see Table 3c.4).
Table 3c.4: Example of using collaboration to achieve a strategic risk response

Compliance or tactical response:
• Sample test the safety and environmental performance of a product at the end of the manufacturing process and conduct root cause analysis to identify major issues

Strategic response:
• Consult with the end-user to understand needs relating to safety and performance
• Consult with procurement and suppliers to find opportunities for enhanced safety or environmental improvement
• Consult with the customer service team to understand and monitor customer complaints relating to safety and environmental performance
• Collaborate with peers to develop cross-industry standards for product safety

Develop the business case and obtain buy-in
Guidance: Develop the business case for the response and obtain buy-in
Due to potential biases against allocating resources for ESG-related risks
versus other risks (e.g., financial risks), risk management and sustainability
practitioners may need to develop a business case for adopting a particular
risk response. As organizations pursue ESG strategies to address some of
the significant impacts, investors in particular will be looking to understand
why resources are being allocated to create value for the business in the
short, medium and long term.[37]
A business case may include an overview of the risk, root cause, response options, cost-benefit analysis, key
assumptions, roles and responsibilities, change management and implementation timeline. An important feature
is the cost-benefit analysis of different risk responses. This analysis considers costs and benefits to the business
but may also consider costs and benefits to the business and society that stem from either changes in access to
or availability of an element of natural or social capital on which the business depends or the capital impacts
resulting from the activities of the business (see Table 3c.5). As detailed in sub-chapter 3b, the Natural Capital
Protocol and Social & Human Capital Protocol can support this analysis.
Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018 73