Page 622 - COSO Guidance
3. Performance for ESG-related risks
Table 3c.6: Examples of activities for implementing ESG-related risk responses

Proposed activity: Assign a risk owner
• Assign a risk owner to be accountable for progress toward addressing each ESG-related risk.
• The risk owner should have a team to support risk management plan development, implementation and monitoring of progress.

Proposed activity: Assemble cross-functional team
• Determine who needs to be involved in the risk response and implementation of the action plan.
• While the risk owner should oversee the process, there should be management-level agreement on the functions that should contribute to the action plan and the required level of effort.
• A cross-functional oversight team, such as a sustainability council, could serve as an advisory board to help develop innovative, collaborative solutions to ESG-related risks.
• Sustainability practitioners may:
  - Assist in developing cross-functional action plans.
  - Act as a risk owner or nominate a risk owner with appropriate cross-functional oversight.
  - Bring ESG knowledge, skills and capabilities when designing and implementing the response.

Proposed activity: Obtain accurate and relevant information and inputs
• Discuss issues and potential solutions with employees involved in day-to-day operations.
• Research leading practices at other organizations and within the organization itself.
• Analyze data obtained during pilot tests or implementation.

Proposed activity: Design risk responses to embed in decision-making processes
• Integrate risk and management considerations into planning and operational decision-making processes.
• Incorporate risk responses into day-to-day decision-making.
• Risk responses made at the entity level should be distilled to the managers at an operational level to make a consistent, desired impact.

Proposed activity: Develop metrics to monitor the effectiveness of the risk response
• Consider the elements of the response that should be assessed periodically to ensure the risk is addressed in line with management’s risk response decisions.
• See Chapter 4 for additional guidance.

Proposed activity: Communicate the risk response internally and externally
• For many ESG-related risks, both internal (e.g., senior management or the board) and external (e.g., investors, NGOs) stakeholders expect communication from the entity on the risk response. Sometimes this is due to regulatory requirements (such as the requirement to disclose how an organization is addressing the supply chain risk of human trafficking), and sometimes it is a response to an NGO or activist request for transparency on a specific risk (such as climate risk).
• See Chapter 5 for additional guidance.
Develop a portfolio view

Risk responses are often developed at an individual risk level – even for a specific geography or business unit. However, risk and strategy managers need to take an entity-wide view of the risk profile in light of the risk responses. Management should consider how responses selected for an individual risk may have additive or offsetting impacts on the entity’s overall risk portfolio. Risk responses designed for individual risks may also leave gaps in the overall risk coverage for the entity. Taking a portfolio view helps managers identify where gaps may exist and supports timely adjustments prior to finalizing risk responses.
Risk management and sustainability practitioners need to understand the footprint of ESG-related risks within the entity’s risk portfolio. Consider asking the following questions:
• What is the contribution of ESG-related risks to the overall company exposure?
• Which ESG-related risks are included in each risk category (e.g., strategic, operational, financial, compliance)?
• Where do the impacts occur (e.g., business unit versus geography)?
• Of these risks, which are systemic in nature and which are unique to an operating area?
• What needs to be known to better manage these risks?
• What interdependencies exist among risks that increase or decrease the overall severity to the company?

Guidance: Evaluate risk responses at the entity level to understand the overall impacts to the entity risk profile.
This view can also help risk management and sustainability practitioners, as well as risk owners, distinguish
between local risks that are significant for one region versus those that will impact the entity as a whole.
Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018 75