Page 625 - COSO Guidance
4. Review and revision for ESG-related risks
Assess substantial change
Guidance: Identify and assess internal and external changes that may substantively affect the strategy or business objectives.
Compared to more traditional risks, ESG-related risks can change or evolve quickly due to changing demographics, emerging scientific data, new technology and innovation, growing stakeholder awareness and greater access to information and social media. In addition, the inherent nature of some ESG-related risks can make them more difficult to predict with accuracy – in particular the onset of climate-related risks. Due to these dynamic forces, organizations should continually monitor for substantial changes in the internal or external environment to determine if any of these shifts trigger a change in an entity’s risk profile and require a response or decision from management. Table 4.1 sets out examples of internal and external changes that may impact ESG-related risks.
Table 4.1: Examples of substantial changes to the business context

Internal environment
• Changes in strategy or objectives
• Rapid organizational growth
• Organizational changes including change to leadership
• Mergers and acquisitions
• Innovation
• Change in risk appetite

External environment
• New or pending regulations
• Emerging technology
• Changing stakeholder expectations
• More frequent or extreme weather
• Trends or strategies adopted by peer organizations
• Shifts in global megatrends
For managing ESG-related risks, monitoring external shifts in the regulatory landscape is particularly important. For example, in recent years, large global companies have been closely monitoring the legislative and enforcement efforts focused on eliminating coerced labor from the world’s supply chain of products[3] or changes in regulation in data privacy leading to the European Union’s General Data Protection Regulation (GDPR).[4] Similarly, discussions with external stakeholders (regulators, customers, investors or peers) can reveal shifting trends and industry practices, such as changing demographics and customer preferences.
Chapter 2 outlines a variety of approaches that can support organizations in understanding changes to
business context that may impact ESG-related risk performance.
Review ERM activities to respond to change
Guidance: Review ERM activities to identify revisions to ERM processes and capabilities.
When significant changes in the internal and external environment are identified, or if the entity’s performance is tracking outside of the acceptable level of variation, management may need to review or revise ERM processes or capabilities. Some examples of aspects of ERM that may require review are included below.
Review governance and culture
ESG-related risk may lead an entity to consider the level of ESG awareness of the board or management
structure and, if appropriate, introduce changes to the governance structure or processes. An entity may
consider establishing a board committee to focus on ESG-related risks and issues or adding new board
members with specific ESG-related knowledge (see Chapter 1 for guidance on approaches for enhancing
ESG board awareness).
An organization may wish to review its culture if the entity is not embracing the actions required to address an
ESG-related risk. For example, an organization that experienced a number of safety incidents or a catastrophic
incident may decide to implement a “safety-first” culture.
78 Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018