4. Review and revision for ESG-related risks
A selected risk response may also lead to unintended consequences by introducing new risks or risk
consequences that have not been previously considered. For example, a beverage company may mitigate
water scarcity risk by switching from reusable glass bottles to single-use plastic bottles reducing water use in
production (required for initial cleaning of the glass bottles) and reducing reliance on scarce water resources.
However, this may lead to an unintended, additional risk to the entity due to an increased focus on plastic waste
from customers and NGOs.
Selecting indicators to monitor risk
To determine appropriate indicators to monitor a risk, risk management and sustainability practitioners
may leverage the entity’s key performance indicators (e.g., target employee retention, carbon intensity
reduction target) or existing ESG-related frameworks used for sustainability reporting, such as the GRI.
Although not designed to measure risks, the GRI indicators can provide example metrics for reviewing
the organization's response and performance. The table below shows how GRI's water standard could be
used for this purpose.
Example application of GRI to risk monitoring
Risk: Water scarcity impacts the entity's ability to operate.
Response: The entity is decreasing its water use, increasing its recycling and monitoring the water table to prevent further reductions.
Monitoring indicators:
• Total water withdrawal by source and allocable share of water availability
• Total water sources significantly affected by withdrawal
• Total volume of water recycled and reused
Review changes to communication and reporting
The increased investor focus on ESG-related information, changing regulatory requirements and increased
use of voluntary frameworks have led to changes in reporting and disclosure. Organizations may want to
monitor the sufficiency and relevance of the ESG-related risk information they are collecting and reporting
using approaches such as:
• Tracking ESG-related reporting requirements globally
• Monitoring new ESG-related reporting standards
• Benchmarking the organization's communication and reporting approach against peers or leading organizations
• Monitoring ESG-related shareholder resolutions or shareholder proposals, such as a proposal to set science-based emissions targets or appoint a human rights expert to the board
• Engaging stakeholders (internally and externally) on information needs
From these activities, an organization may determine if it needs to update its communications or reporting to
better meet the expectations of its stakeholders or comply with jurisdiction requirements.
Timing of review activities
The timing of review activities varies by entity. While management often assesses each risk on an annual
basis, significant changes may warrant interim action. Although some environmental risks, such as climate
change, are not expected to impact organizations in the short term, frequent reviews of the anticipated
physical and transitional impacts as well as assumptions and scenarios are warranted, as these are not
necessarily predictable. For example, a megatrend analysis may be performed every three years, supplier
risk assessments may be updated annually, while safety incidents or grievances would be monitored on
a continuous basis. In addition, the status and effectiveness of risk responses may need to be
evaluated and communicated quarterly or semi-annually.
Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018 81