WBCSD_Risk_Publication_2016 on Sustainability and ERM.pdf
business solutions for a sustainable world
Sustainability and enterprise risk management:
The first step towards integration
Contents
Executive summary
I. Introduction
II. The evidence base
III. Factors driving the breakdown in sustainability risk management
  1. Limited knowledge of sustainability risks
  2. Omission of opportunities or strategic risks
  3. Difficulty quantifying sustainability risks
  4. Limited cross-functional collaboration
  5. Longer time horizons for sustainability risks
  6. Differing language used for ERM versus
  7. Differing purposes for sustainability versus risk disclosures
  8. Limited guidance for implementing risk management framework
IV. Expert opinions on risk management
V. The way forward
  1. Enhance use of risk management frameworks to address these issues
  2. Develop supplementary guidance for the management of sustainability risks
  3. Leverage capacity building and educational workstreams
  4. Understand and address the disclosure gap
VI. Conclusions and next steps
VII. Appendices
  Appendix A: Bibliography
  Appendix B: Methodology
  Appendix C: Glossary of terms
  Appendix D: Acronyms
Risk management – if executed properly – can
be an essential management tool in driving
innovation and value creation.
As the former CEO of TNT, a multinational logistics company, I fully understand
the need for robust risk management. A sound risk management plan is critical
to ensuring compliance with governance and disclosure requirements. It is also
necessary to identify and plan for unforeseen events that can cause disruptions
in even the most resilient operations.
In 2016, the Financial Stability Board’s Taskforce on Climate-related Financial
Disclosure highlighted the importance of effective risk disclosure for businesses
as they transition to the low-carbon economy. At WBCSD, we fully support the
notion that accurate disclosure and reporting will pave the way to a society that
evaluates businesses according to their true cost, true profits and true value.
I am therefore very pleased that WBCSD, with the support of the Gordon and
Betty Moore Foundation, is working to align enterprise risk management and
the environmental conservation and sustainable development agenda.
The world’s most pressing problems have significant impacts. This, coupled
with evidence that many of these problems are occurring more frequently,
is a clear signal that businesses need to understand how these risks (and
opportunities) affect their businesses so that they can disclose those that are
material to the financial markets.
This study clearly shows a disconnect between enterprise risk management
and sustainability practices in most of the businesses studied. It provides a
critical starting point for WBCSD and COSO to work together over the coming
years to help businesses navigate and prioritize sustainability risks.
The result will be new ways for businesses to protect against emerging
challenges and new methods to capitalize on opportunities that create value
and drive performance. We look forward to what comes next.
President and CEO
An organization’s enterprise risk management
function plays a critical role in monitoring and
managing the risks and opportunities that stem
from the internal and external forces that can
impact a company’s profitability, success or
Risk management experts across academic and consulting institutions alike
perceive that the impact of economic and legal risks on a business and
society are steadily giving way to a raft of existing and emerging social and
environmental risks. And yet there is evidence that the effectiveness with which
organizations are identifying, managing and disclosing these risks is limited:
I. Comparing WBCSD member company sustainability and risk disclosures
reveals that, on average, only 29% of the areas deemed to be “material” in
a sustainability report were disclosed in a company’s legal disclosure of risks.
Notably, 35% of member companies did not disclose any of the sustainability
risks identified in their sustainability reports in their legal filings.
II. Discussions and surveys with risk management and sustainability
practitioners show that most practitioners (89%) agree that sustainability
risks could lead to a significant impact on business, while more than
70% find that “risk management practices are not adequately addressing
III. The number of real-world incidences of companies failing to adapt to,
respond to or mitigate social and environmental risks is increasing, from
environmental disasters and oil spills to natural disasters, conflict minerals,
human trafficking and cyber security.
The WBCSD believes that understanding the
causes of this breakdown is the first step to
addressing this situation. Although more work is
to be done, initial investigations point to a range of
internal organizational forces and innate features of
sustainability risks impacting the effective management
of sustainability risks:
– Some companies have limited knowledge of
sustainability, which inhibits the capture of emerging
– Sustainability assessments will often reveal
sustainability opportunities as well as risks; these
opportunities are not always being identified and
captured in enterprise risk management.
– Sustainability risks are often more challenging to
quantify than traditional risks.
– There is often a lack of collaboration between
sustainability and enterprise risk management
– The sustainability risk outlook timeline is longer than
that of traditional risks.
– Legal filings use different language than
– Sustainability reports and mainstream corporate risk
disclosures have different audiences and purposes.
– Existing risk management frameworks may not
provide enough guidance to companies to manage
These organizational challenges are exacerbated
further by a fast-changing global environment,
outdated institutional and capital market norms, and
a gap or absence in regulation around sustainability
The WBCSD believes that advancing a framework and
building capacity to foster sustainability-conscious
enterprise risk management is a critical step toward
building the long-term prosperity of companies and
the societies on which they depend. The first steps in
achieving this include:
– Enhancing the application of existing risk
management frameworks, such as COSO, to
better identify and manage emerging or strategic
– Developing interpretive risk management guidance
for sustainability risks.
– Leveraging WBCSD capacity building and education
workstreams in order to enhance sustainability in
– Understanding and addressing the disclosure gap.
No business is managed without access
to reliable, accurate and timely information.
However, studies by the WBCSD and others
confirm that even forward-looking businesses
typically capture data on social and natural
capital priorities and risks only once or, at best,
twice a year, and in some cases not at all.
At the same time, companies experience
continued pressure to review and transform
their business strategies to remain competitive.
New types of risks are constantly emerging,
including those inherent in the increased
importance of environmental and social
sustainability in business.[1]
WBCSD’s Redefining Value program was
created in 2014. One of its aims is to make
material sustainability impacts and
dependences part of day-to-day business
management. Various Redefining Value
workstreams support businesses in scaling
up their sustainability initiatives with accurate,
timely, reliable and comparable management
Enterprise risk management basics
The ERM function of a business is critical to monitoring
and managing the risks and opportunities that stem
from internal and external forces – whether social,
environmental, legal, political, technological and/
or economic. An enterprise-wide focus allows the
company to filter out the risks that would have the most
significant impact on the entire company and aggregate
those which might be present across multiple
ERM processes are critical to dealing with business
uncertainty, mitigating hazards and complying with
regulations. Within an organization, enterprise risk
management drives companies to identify and measure
risks and balance the company’s exposure to risk
against reward in the context of the company’s risk
profile, long-term business objectives and stakeholder
expectations. Also critical is a process to communicate
to shareholders the most significant risks and
opportunities and how the company is responding.
Risk or opportunity?
Risk perception is the subjective judgment that
people make about the characteristics and severity
of risk. Its study bridges many disciplines – cognitive
psychology, neuroscience, behavioral economics,
sociology and anthropology, etc. – but all seek to
understand how people process information and
act based on that information. Humans receive and
process risk-related information constantly and make
decisions accordingly. Humans know instinctively
when something is dangerous and mostly try to avoid
it. They know through experience that other signals
may require protective reactions. Humans know
through education, cultural norms and upbringing what
constitutes right and wrong and again mostly react
accordingly. However, humans all acknowledge risk
and react to it in varying ways. The same can be said
for a company’s relationships with risk.
Risk and its sibling opportunity are also central to
business and investment strategies – many successful
businesses and investments are the result of risk taking.
With the separation of ownership and management
in large businesses, the role of corporate governance
has expanded to include risk disclosure. Around the
globe, regulations have been enacted that require the
disclosure of risks in mainstream corporate reports
and filings; many jurisdictions, such as European Union
member states, require risk disclosures.
The primary objective of such disclosures is to inform
the report users of the possible material issues that
could impact the organization in order to inform investor
decision-making. Management understanding of
the risk profile and the taking of corrective action are
fundamental to robust and effective enterprise risk
[1] Schroeder, 2014.
[2] Enterprise risk management is the “culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.” COSO, 2016.
There are a variety of ways to categorize organizational risks. One way is based on the nature of the risk and how management responds to or manages that risk, as defined in an article published by the Harvard Business Review (summarized in Figure 1).[3]
Figure 1: Categories of risk that impact a company (after Kaplan and Mikes, 2012)

Preventable risks
Internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Preventable risks are best managed through active operational processes and guiding people’s behaviors and decisions toward …
Examples: risks from employees’ and … incorrect or inappropriate actions; risks from breakdowns in routine …

Strategic risks
Strategic risks are different from preventable risks because they are not … Strategic risks cannot be managed through a rules-based control model. Instead, a risk management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur …
Examples: may include the risk of not capturing potential organizational gains – such as the tension between the decision to invest in … and innovation versus the decision not to make this investment, which may impact market share.

External risks
Some risks arise from events outside the company and are beyond its influence or control. As companies cannot prevent such events from occurring, their management must focus on their identification (they tend to be obvious in hindsight) and the mitigation of …
Examples: sources of these risks include natural and political disasters and major …
Most enterprise risk management frameworks include
a centralized function that performs, at a minimum,
– Risk identification: Processes to scan their
environments for new and emerging risks and
opportunities and to maintain an understanding
of existing risks.
– Risk assessment: Processes to evaluate, quantify
and prioritize enterprise risks.
– Risk response: Processes to determine and
implement an appropriate response to identified risks
based on the company’s appetite for risk.
– Communication and disclosure: Disclosure of the
company’s “material” risks to investors and to meet
To support these activities, the ERM function will
typically engage with the other business functions,
including finance, supply chain, human resources,
legal and sustainability.
[3] Kaplan and Mikes, 2012.
Film company captures and responds
to a strategic risk
When the managers of a camera film company
considered potential risks likely to affect its sustainable
revenue growth business objective, they determined
that technology was shifting and consumers were
looking toward the possibility of digital photos.
This change indicated an uncertainty: a likely decline
in future demand for the company’s current products.
In response, management identified ways to develop
new products and improve existing ones, which
allowed the company to maintain revenue from existing
customers (preserving value) and to create additional
revenue by appealing to a broader consumer base
What is a sustainability risk?
A sustainability risk is an uncertain social or
environmental event or condition that, if it occurs, can
cause a significant negative impact on the company.
It includes the opportunities that may be available
to an organization because of changing social or
Role of ERM
The literature shows the importance of enterprise risk
management to organizational success. A study by EY
found that companies with mature risk management
practices outperformed their competitors financially,
with companies ranked in the top 20% in terms of risk
maturity reporting earnings three times higher than that
of companies in the bottom 20%.[4]
In recent years, it has also been identified that ERM
practices are pivotal to adapting to the changing
complexity of risk, enhancing alignment among
strategy, performance and ERM, recognizing the
globalization of markets and operations, and expanding
reporting to address expectations for greater
“98% of respondents reported an increased emphasis on and more strategic role for risk management in their organizations compared with two years earlier.” – Accenture Global Risk Management Study[6]
Figure 2: Role of enterprise risk management in an organization. The ERM function collaborates with other business functions to identify and respond to external forces that may impact the business. Risks are disclosed to investors and other interested stakeholders in a company’s legal risk filings, annual report and sustainability reports. (Diagram labels include “Forces creating risk and …” and “Legal risk filing”.)
[4] EY, 2013.
[5] COSO, 2016, p. iv.
[6] Accenture, 2013.
Companies in many jurisdictions are required
to describe their risk management process and
governance as part of their legal filing or annual report.
Many companies describe their practices as aligned
to or in compliance with one or more of the generally
accepted ERM frameworks.
There are two dominant risk management frameworks
used globally: the COSO Enterprise Risk Management
Framework (2002) (Committee of the Sponsoring
Organizations of the Treadway Commission)[7] and the
International Organization for Standardization (ISO)
31000 Risk Management Standard.
As shown in Figure 3, more than half (53%) of member
companies specified in their annual report that they
use one of the standard ERM frameworks. The most
commonly adopted is the COSO framework (34%)
followed by the ISO framework (9%). While some
companies did not disclose the adoption of any of
the standard frameworks, interviews revealed that
many have developed their own, adjusting an existing
framework to fit company culture and geography.
Figure 3: Member company disclosure on use of ERM framework (bar chart on a 0–50% scale; one bar is labelled “e.g. AMF, Turnbull”)
Art vs. science
Irrespective of whether or not a framework is used and
regardless of the framework adopted, risk management
invariably requires a balance of “art and science” inputs
to capture and mitigate risk. As explained by one risk
management specialist: “you can rely on a scientific
approach to a point, but then you need to apply some
Art vs. science in risk management
A 2013 survey conducted by the Ponemon Institute[8] asked business practitioners whether, in their opinion, the management of “information security risk” is an “art” or “science”.[9] The survey found that:
– In the US, 49% of respondents said “art” and 51% said “science”.
– In the UK, 58% of respondents said “science” and 42% said “art”.
The “science” will typically include a multitude of tools
to support the quantification and monetization of risks,
such as decision trees, scenario analysis and financial
modeling. The “art” is the analysis and decision-making
based on intuition, expertise and a holistic view of
[7] Issued in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Enterprise Risk Management – Integrated Framework is one of the most widely recognized and applied enterprise risk management frameworks in the world. It provides a principles-based approach to help organizations design and implement enterprise-wide approaches to risk management. This framework is currently under review with an exposure draft entitled Enterprise Risk Management – Aligning Risk with Strategy and Performance with a proposed publication date of 2017.
Figure 4: Art and science – general consensus says that both must be leveraged in enterprise risk management
Art: Understanding the risks and their likely impacts on the business requires an astute and often intuitive understanding of risk, strategy and human behavior.
Science: Formal tools and techniques are important in order to systematically identify, evaluate and monitor business risks and the impacts of any risk management strategies or initiatives (e.g. Value at Risk (VaR)).
Over-reliance on the tools and techniques on the
science side of the equation can result in some
important risks being overlooked or understated.
In particular, there is growing evidence that many
business risks arise from factors that cannot be directly
observed or easily quantified.[10]
In sections II and III, this paper explores the extent to
which sustainability risks are being captured by the
ERM frameworks at a selection of organizations, as
well as the manner in which companies are adopting
both “art” and “science” inputs to identify and prioritize
the risk appropriately.
[8] The survey respondents included 749 US and 571 UK-based professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit, and enterprise risk management. Survey respondents had an average of 10.7 years of experience and represented a wide variety of organization sizes and industries, including financial services, healthcare and pharmaceuticals, technology and communications, retail, and the public sector. Ponemon Institute, 2013.
[9] For the purposes of the survey, “art” is defined as analysis and decision-making based on intuition, expertise and a holistic view of the organization. “Science” refers to risk analysis and decision-making based on objective, quantitative measures.
[10] Schroeder, 2014, pp. 28-30.
II. The evidence base
The research found an evidence base to suggest that sustainability risks are not being managed or disclosed effectively:
1. Sustainability risks disclosed in company sustainability reports and legal filings are not aligned.
2. A survey of sustainability practitioners and risk management professionals revealed challenges in integrating sustainability into mainstream risk management.
3. There are historical examples of consequences from companies failing to integrate sustainability risks.
Yet in spite of this, capital markets, regulators and shareholders are showing greater interest in understanding how companies are managing and responding to sustainability risks.
Figure 5: Company sustainability-risk disclosure alignment
35% of companies reviewed had no alignment. A company in this category typically disclosed 5-20 material sustainability risks, which had no overlap or alignment to the risks detailed in the risk filing.
Items shown (sustainability report / risk filing): Health and wellness; Product and food safety; Advocacy and reputation; Climate change and …; Sustainable and circular …; Global financial and …; Raw material prices.
57% of companies were found to have some alignment. In these instances, although different risk headings are used, both filings discussed the risk of climate change and …
Items shown (sustainability report / risk filing): Preservation of biodiversity; Human and labor rights; Pollution and accidents; Changes in global …; Commodity market risks; Foreign currency risk; Stock price risk; Interest rate risk.
1. Sustainability risks disclosed in company sustainability reports and legal filings are not aligned
A comparison between the material sustainability[11] disclosures of 170 WBCSD member company sustainability reports and their risk factors[12] in mainstream corporate reporting revealed that, on average, only 29% of material issues disclosed in sustainability reporting are also reported as risks in mainstream reporting (“Alignment”). Put another way, 71% of sustainability issues that businesses deemed to be material were not disclosed to investors as …
Notably, 35% of companies had no sustainability-risk …
Less than one in three issues identified in sustainability materiality assessments are disclosed as risk factors in legal filings for investors.
[11] Includes issues or risks that are defined as “material” in a … listed in the upper right quadrant of a materiality matrix or defined as the …
[12] Includes the risks disclosed in the “risk factors” section of a SEC 10-K or an equivalent …
Figure 5 (continued): 8% of companies were found to have full alignment. In these instances, all the material issues identified in their sustainability report were also captured in the risk filing.
Items shown (sustainability report / risk filing): Health and safety; … and air pollution; Impact on suppliers; Raw materials risk; Supply continuity risk; Human resource risk.
Some sectors demonstrated greater alignment than others. Analysis of alignment by sector shows that the strongest performers tended to be in sectors for which sustainability information was more often sought by investors.[13]
Figure 6: Alignment between legal filings and voluntary disclosures by sector
Sectors with the greatest alignment:
– Forest and paper products
– Oil and gas
– Utilities and power
– Mining and metals
Middle of the pack:
– Food and beverage
– Water services
– Consumer goods
Sectors with the least alignment:
– Trading
– IT and telecoms
– Banks and insurance
Note: Categories above based on percent of alignment between member company sustainability report and legal filing. Strongest: >40% alignment; middle of the pack: 20-40% alignment; weakest performers: <20% alignment.
[13] EY, 2015, p. 18.
2. A survey of sustainability practitioners revealed challenges in integrating sustainability into mainstream risk management
In developing this report, a series of interviews,
workshops and surveys were conducted with a
selection of WBCSD member companies to build an
understanding of the current state of ERM, including the
perceptions and challenges of managing sustainability
risk from the perspective of risk management and
A group of sustainability professionals participated in
a survey during the 2016 USBCSD/WBCSD Pathways
to Impact Conference (held in partnership with the
Center for Business and the Environment at Yale)
aimed at understanding to what extent participants
felt risk leaders and risk processes appropriately
accommodated sustainability risks.
While most sustainability practitioners (89%) agreed
that sustainability risks could lead to a significant
impact on a company’s financial performance and
therefore sustainability risks should be supported in the
mainstream enterprise risk management function, most
organizations encountered challenges doing so (see
Figure 7 and further discussion in the next section).
Figure 7: Perceptions on current state of sustainability risk management (survey of USBCSD/WBCSD members). Survey statements shown in the figure:
– “… practices are not …”
– “Failure to manage sustainability risk could lead to significant impacts on a company’s …”
– “In general, companies are not adequately … risks to shareholders”
– “… to view sustainability risks as less likely and less impactful on a … than financial risk”
3. There are historical examples of consequences from companies failing to integrate sustainability risks
At the same time, capital markets, regulators
and shareholders are showing greater interest in
sustainability risks. Investors are increasingly expecting
companies to voluntarily report on sustainability
practices and disclose potential climate change impacts
A 2015 survey of institutional investors conducted
Requirements Weekly Assignment
Students must submit three true-false questions prior to each class based on the assigned reading for the week.
· You must include answers and supporting rationale
· Each question must come from a different part of the assigned reading
· For the template of a true-false question, please check the following examples, which have two parts and almost 100 words per question; therefore three true-false questions will be almost 300 words in total.
True false question examples here (Two parts in each question)
Part 1. True or False:
Disclosure requirements are a regulatory response to the information asymmetry issue between financial product providers and consumers.
True. Required disclosures help consumers understand the nature of the products they are considering and therefore make better informed decisions based on the price and risk of services provided.
Part 2. True-False Questions for Responses (supporting rationale)
1. Capital adequacy requirements are an example of competition regulation.
2. Shadow banking systems tend to occur in financial systems that have minimal regulations.
3. Limiting bank deposits per person that are protected by the Federal Deposit Insurance Corporation to a relatively modest amount (e.g. $250,000) serves to reduce the moral hazard of the program.