Identifying internal and external risks to the company, assessing them, and determining how to address them is a critical element of the strategy-setting process. Managing risk is fundamental for an organization to successfully achieve its strategy, remain profitable, and create value for all stakeholders.
- Risk assessment involves analyzing the likelihood and magnitude of inherent and residual risks (those that cannot be avoided) as a basis for determining how the company should manage and mitigate them;
- Risk response is the course of action a company takes when a risk event occurs, such as accept, avoid, limit or mitigate, and transfer. Risk responses should align with the company’s risk appetite and tolerance levels.
Sustainability-related risks. Sustainability issues can be major risks for companies and should be an integral aspect of risk analysis, monitoring, and management.
For guidance on managing sustainability risks and opportunities, see Management of Material Sustainability Issues.
Sustainability-related opportunities. The IFRS Sustainability Disclosure Standards recommend that companies disclose sustainability-related financial risks and opportunities that can affect the company’s business model, strategy, cash flows, and access to finance in the short, medium, and long terms. The European Sustainability Reporting Standards focus on both financial and impact materiality (double materiality) and recommend disclosing risks, opportunities, and impacts of how the company affects the environment and how the environment affects the company’s operations and resilience.
Risk management versus risk governance. Company management should undertake risk analysis and responses, but the board should oversee risk management systems and receive regular reports on their effectiveness. The audit committee, or another specialized committee with risk expertise and composed of a majority of independent directors, is usually responsible for reporting.
Good management requires an ongoing process for identifying and assessing the likelihood of risks and the magnitude of their impact (including sustainability and climate risks), along with a risk response strategy and continuous monitoring. Disclosure on risk management helps investors assess companies’ risk-return profiles and can lower the risk premium in markets with information asymmetry and high perceived risks, including emerging markets.
Your annual report should describe the approach and result of the risk assessment, including the following:
- Risk events: significant risk factors that have the potential to affect the company and its operations significantly and what might trigger them;
- Risk analysis: the likelihood and magnitude of the impact of significant risk events on operational and financial performance.
Risk Response and Mitigation
Address how your company responds to significant risks, including risk mitigation for each significant risk, and disaster recovery and business continuity plans.
Sustainability issues can be major risks for companies and should be an integral aspect of risk analysis, monitoring, and management. Companies should disclose their process to identify, assess, and manage sustainability-related risks and opportunities in the short, medium, and long term. ISSB IFRS S1 General Requirements for Disclosure of Sustainability-Related Financial Information includes disclosure on risk management as one of the four pillars for sustainability disclosure (governance, strategy, risk management, and metrics and targets).
ISSB IFRS S1 General Requirements for Disclosure of Sustainability-Related Financial Information (Excerpt)
43. The objective of sustainability-related financial disclosures on risk management is to enable users of general purpose financial reports:
(a) to understand an entity’s processes to identify, assess, prioritise and monitor sustainability-related risks and opportunities, including whether and how those processes are integrated into and inform the entity’s overall risk management process; and
(b) to assess the entity’s overall risk profile and its overall risk management process.
44. To achieve this objective, an entity shall disclose information about:
(a) the processes and related policies the entity uses to identify, assess, prioritise and monitor sustainability-related risks, including information about:
(i) the inputs and parameters the entity uses (for example, information about data sources and the scope of operations covered in the processes);
(ii) whether and how the entity uses scenario analysis to inform its identification of sustainability-related risks;
(iii) how the entity assesses the nature, likelihood and magnitude of the effects of those risks (for example, whether the entity considers qualitative factors, quantitative thresholds or other criteria);
(iv) whether and how the entity prioritises sustainability-related risks relative to other types of risk;
(v) how the entity monitors sustainability-related risks; and
(vi) whether and how the entity has changed the processes it uses compared with the previous reporting period;
(b) the processes the entity uses to identify, assess, prioritise and monitor sustainability-related opportunities; and
(c) the extent to which, and how, the processes for identifying, assessing, prioritising and monitoring sustainability-related risks and opportunities are integrated into and inform the entity’s overall risk management process.
Source: ISSB IFRS S1 General Requirements for Disclosure of Sustainability-Related Financial Information
European Sustainability Reporting Standards: ESRS 2 General Disclosures (Excerpt)
4. Impact, risk and opportunity management
4.1 Disclosures on the materiality assessment process
50. This chapter sets disclosure requirements that enable an understanding of:
(a) the process to identify material impacts, risks and opportunities; and
(b) the information that, as a result of its materiality assessment, the undertaking has included in its sustainability statement.
Source: ESRS 2 General Disclosures.
Report on emerging and ongoing risks and disclose how the likelihood of risk occurrence is changing over time. Risks are constantly evolving, just as the company’s strategy and external environment evolve.
To learn more, see IFC’s FIRST (Financial Institutions: Resource, Solutions, and Tools) for guidance on understanding and managing environmental and social risks and on exploring opportunities. The site includes guidance on how to implement an Environmental and Social Management System.