Page 633 - COSO Guidance
5. Information, communication and reporting for ESG-related risks
This chapter sets out the following actions to help risk management and sustainability practitioners
communicate ESG-related risks internally and externally:
• Identify relevant information and communication channels for internal and external communication
and reporting
• Communicate and report relevant ESG-related risk information internally for decision-making
• Communicate and report relevant ESG-related risk information externally to meet regulatory obligations
and support stakeholder decision-making
• Continuously identify opportunities for improving the quality of ESG-related data reported internally
and externally
Information and channels for communication and reporting
For ESG-related risks that have been identified and prioritized, information relating to those risks may be
relevant to a range of internal stakeholders, including the board of directors, operational management and
employees, as well as external stakeholders such as shareholders, regulators, customers, civil society and
non-governmental organizations. For each stakeholder group, the organization may consider:
Guidance: Identify relevant information and communication channels for internal and external
communication and reporting
• What ESG-related risk information is required for decision-making?
• Which ESG-related indicators and metrics are appropriate to provide decision-useful information?
• How frequently is the information required?
• Which channel and medium should be used to communicate the information?
• What are the appropriate escalation paths for a given risk?
• What controls or processes are in place to ensure data quality (e.g., controls over internal data,
external assurance)?
• What is the most effective way to communicate the risk? Where possible, organizations should try to
communicate risks in terms of how the risk impacts the entity’s strategy and objectives (see sub-chapters 3a
and 3b for additional guidance).
The risk owner is the central owner of risk information and communication. Risk owners can work with
sustainability practitioners or other stakeholders to understand ESG-related information requirements and
channels for communication. Sustainability practitioners are particularly involved in external communication of
ESG-related risks, such as sustainability reports or climate-related disclosures.
Leverage information systems
While most global organizations use financial and operational data systems daily (e.g., accounting systems,
enterprise resource planning (ERP) systems), information systems for capturing and reporting ESG-related
information are less common. Nonetheless, organizations that use information systems to collect and
aggregate ESG-related data across the entity may see improvements in the following:
• Monitoring and communication
• Decision-making
• Data quality
• Timeliness
• Visibility of risk across the entity
• Collaboration and cross-functional teaming
For example, an entity using an environmental health and safety (EH&S) software platform can compile data
on health and safety incidents from multiple operating facilities shortly after they occur. Root cause can be
determined and recorded in the system at the time of the incident. This information can then be compiled
by the organization for trend analysis to understand the facilities with more significant or frequent safety
issues. The facilities with similar safety issues can work with facilities that demonstrate leading practices
to develop and implement practical solutions. Further, when the software platforms housing EH&S data are
integrated with, or exchange data with, the existing software infrastructure, this information can be analyzed
alongside the other information management uses for decision-making.
86 Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018