Globally regulators have been seeking companies to disclose on risk and now with more than ever ESG risks are impacting business, ESG risk disclosures are becoming a requirement. Following the trend, Section A, Item 24, for Business Responsibility and Sustainability Reporting (BRSR), requirement by Securities and Exchange Board of India (SEBI), stipulates that organisations present the risk from the material environmental and social issues. BRSR also requires company to report on the financial implications of the risk and how the organization plan to manage the risk.
Risk assessment and materiality assessment have been traditionally having different objectives. Materiality assessment is usually done in context of sustainability/ESG reporting and is not a risk assessment. In this article I am explaining that if done is sequence, an organization can integrate ESG to the risk assessment process.
Global Reporting Initiative (GRI) Standards, which is one of the most popular standards used in ESG reporting worldwide, uses a two-dimensional approach to identifying material topics. The first dimension is the organization’s significance for the economy, environment or society, as per the definition of ‘impact’ – and the second dimension will be their substantive influence on the assessments and decisions of stakeholders. ‘Impact’ refers to the effect an organization has on the economy, the environment, and/or society, which in turn can indicate its contribution (positive or negative) to sustainable development. A topic can be material if it ranks highly for only one dimension of the Materiality principle.
As per the COSO Enterprise Risk Management (ERM) framework, risk assessment is done to bring out the inherent and residual risks of an organization and it considers the risk likelihood and impact inside a defined time interval. But now as more and more ESG risks are precipitating to impact business, the universe of material ESG issues need to be part of the risk assessment.
The materiality assessment methodology brings in a responsibility and stakeholder-oriented approach in identifying the material topics, they need to be evaluated to understand the risk for the organization. This sequential approach of identifying ESG /Sustainability material topics followed with a risk assessment will for the appropriate methodology in integrating ESG to ERM.
Using the principles of GRI, once material issues are identified, it is important to identify the risk against each one of them. For this process, going by the COSO ERM framework, the risk need to be identified as impacting the performance of strategy and business objectives. Once identified as risk, we next need to identify the impact on the organization and also understand the drivers of the risk. Categorization of this risk as strategic, operational, financial or compliance will also help towards later steps. Risk needs to be articulated in a precise manner, and one of the potential ways can be to state as “The risk to [describe the category of risk] relating to [describe the possible occurrence or circumstance] and [describe the related impact]”. An example for a coal based thermal energy producing company can be illustratively stated as “The strategic risk relating to changing energy mix of the country to more than __% in this decade resulting in a __% reduction in the uptake of the thermal energy produced by our company over the same period”.
The next step will be to prioritize the risk. This will require valuation of risk as the product of the probability of occurrence and the impact that will result. Apart from valuation of the risk, the other considerations can be the vulnerability, velocity and also the resilience of the organization. It is important to involve the right competent people and diverse set of inputs to avoid any bias in the prioritization process.
Once the risks are prioritized, the risk responses need to be planned. According to the COSO ERM Framework, risk responses fall within the categories of accept, avoid, pursue, reduce and share. The risk categorization will also come handy at this stage to design the right risk response. It is possible that the response will be a combination of the various categories of response to improve the risk resilience in the organization. The time frame in which the risk is evaluated also need to be considered to design the appropriate response.
This article will end by the standard disclaimer that this process needs to be dynamic as we are in a world where changes are the only constant. The organization needs to have a risk radar which is constantly monitoring the environment against any potential hazards.
The materiality map in a sustainability report gives only potential material ESG topics, and does not showcase the risk for the company, which is what the disclosure as per BRSR is seeking. Every organization which is seeking to report as per BRSR should establish an appropriate ESG risk assessment system and that requires expanding beyond the conventional.
Dear Santhosh,
Appreciate your way of articulating and merging the concept of ESG and Risk Management. A nice thought provoking concept. While I agree to the fact that Materiality assessment is usually done in context of sustainability/ESG reporting and is not a risk assessment, but it seems both these concepts are getting intertwined within the new definition of “Risk” as per COSO/ ISO 31000 framework – “Effect of uncertainty on organization strategic and business objectives”. To me, the Materiality (ESG) issue(s), might be considered, as a strategic & business objective(s) of an organization and thereafter “What may go wrong in not achieving the desired objective(s)” i.e. the Uncertainty and thereafter the Risk Management process could take its own course. Thanks once again for this nice article.
Thank you for your thoughts.
Thanks Santhosh