Page 626 - COSO Guidance
4. Review and revision for ESG-related risks
Review strategy or business objectives
On rare occasions, should the performance of the entity result in a substantial deviation from the expected
risk profile, the organization may choose to revise its strategy or change or abandon a business objective.
For example, in 2011, Asia Pulp and Paper’s (APP) reputation was severely damaged after an aggressive
Greenpeace campaign. The Indonesian business went from the world’s biggest pulp and paper company to
a brand better known for destroying pristine rainforest and driving species to the brink of extinction. Mattel,
Disney and Unilever were among the 130 major companies to sever ties with APP. Within two years, APP
developed a new strategy that included a Deforestation Policy, goals that committed to help preserve
high-carbon stock rainforests, and greater transparency to stakeholders.
See Chapter 2 for examples of organizations that have shifted strategy or objectives due to an ESG issue.
Review new or changing risks
Risk management and sustainability practitioners should stay alert to internal and external changes in the
business context to monitor whether new ESG-related risks have emerged or substantially changed. When
changes in the business context give rise to a new risk, or exacerbate or lessen the potential impact of an
existing risk, risk management and sustainability practitioners should consider if action is warranted – such
as a change to the risk inventory, a new risk assessment or investment in a risk response.
For example, as demonstrated recently in Cape Town, South Africa, water scarcity can have rapid and severe
impacts. Manufacturing companies may have been aware of their dependency on water for their South African
operations but had not identified water scarcity as a significant risk. As water scarcity worsens, entities may
upgrade the priority of the risk, developing water reduction programs and business continuity plans and
establishing indicators to monitor water use and reservoir levels.
Review assessment approach or assumptions
As discussed in sub-chapter 3b, a risk severity assessment comprises the selected assessment approach and
the data, parameters and assumptions underpinning the assessment. When new approaches or data become
available, risk management and sustainability practitioners should consider whether the selected assessment
approach is still the most appropriate.
For example, scenario analyses for climate-related risk incorporate a number of assumptions that may change
over time. Some entities are currently adopting a 2°C scenario, based on a recommendation from the TCFD,
as this provides a common reference point that is generally aligned with the objectives of the Paris Agreement
and supports the evaluation of the potential magnitude and timing of transition-related implications. However,
entities need to monitor trends and conditions to assess if there is a need to adjust this assumption over time.
The TCFD recommends companies monitor the International Energy Agency (IEA), Deep Decarbonization
Pathways Project (DDPP), International Renewable Energy Agency (IRENA) and Greenpeace scenarios to gauge
the emergence or change of different pathways and the implications for the company.
An organization may take the opportunity to either raise or lower the priority of identified risks to support
reallocating resources. The change reflects a revised assessment of the prioritization criteria previously applied.
Review effectiveness of risk responses
Management reviews risk responses to understand how effectively they are addressing ESG-related risks,
including whether the response brings the risk to within an acceptable level of performance. An organization
may select indicators to monitor risk performance for ESG-related risks and set thresholds as alerts when
risk tolerances are being exceeded and additional decision-making is required. The following example
demonstrates how a business can set indicators and thresholds for ongoing risk review and revision.
Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018 79