Addressing Sustainability-related Risks in Your ERM Process


Many organisations are considering how to incorporate sustainability risks in their enterprise risk management (ERM) process to gain a more comprehensive view of their risk landscape. The question is how best to do so. In this blog, we explore how companies are approaching this task, identify key limitations of typical systems and processes, and ask whether businesses should be expanding their conversation about risk beyond risk appetite and risk tolerance to also consider risk imposition – the acceptable levels of risk that your business creates for others through its actions.

Understanding sustainability-related risk

In this blog, we use the term sustainability-related risk. Sustainability-related risks manifest in several ways: environmental, social, and governance issues can cause potential risk events (for instance, extreme weather, a community incident, or the lack of an effective grievance mechanism); a risk event can itself be sustainability-related (for instance, a chemical spill, a human rights violation, or a personal data leak); and realised risks can have sustainability-related consequences (consequences for workers, people, and/or the environment, such as injury, destruction of cultural heritage, or damage to the environment). At the same time, realised sustainability-related risks can also generate consequences for the business (reputational, legal, financial, operational).

Source: Embedding Project

How companies assess risk

Companies generally engage in a regular (often, annual) process that involves risk identification, individual risk assessment and scoring, risk response, and risk escalation, creating periodic snapshots of a constantly evolving risk landscape.

Risk Identification: Identifying risks is a continuous process. Your organisation needs to examine evolving internal and external conditions along with its business activities, decisions, relationships, processes, policies, and procedures to identify potential risks.

Risk Assessment and Scoring: Once risks are identified, they need to be assessed. A common approach involves ranking the likelihood and consequence to obtain a risk score and/or assign a risk level.

Any updates to risk events and their potential causes and consequences should be documented in your risk register. A risk register is a central, living document used to identify, assess, prioritise, and manage risks across an organisation. It documents risk descriptions, likelihood, impact, owners, controls, and mitigation strategies.

Colour coding or heatmapping can also support a visual depiction, with lower scores noted as green, moderate scores as yellow, high scores as orange, and critical scores as red.

Risk Response/Treatment: Once risks have been assessed, scored and documented and existing controls identified, your business needs to determine its response (avoid, mitigate, accept, or transfer) and specific risk treatment(s) (the active, often operational, execution of a chosen response strategy). Risk response options can include: risk avoidance (not going forward with a decision or an activity that may lead to a risk being realised); risk mitigation (working to limit the likelihood or impact of the risk materialising, through policies and processes); risk acceptance (choosing to accept the unmitigated portion of the risk or the residual risk); and risk transference (transferring the risk to a third party, such as through insurance).

Risk imposition: Why companies need to expand their conversations about risk

Sitting at the core of traditional ERM processes is a discussion about risk appetite – often defined as the types and amount of risk an organisation is willing to take on in pursuit of its strategic objectives. Risk appetite is about “taking risks” and defining the acceptable levels of risk to pursue. Risk appetites may vary for different risks, and they may change over time.

Risk tolerance, at a more granular level, is about controlling individual risks. It is about defining the allowable variance for each risk the organisation is willing to face. Risk tolerance is normally described in terms of acceptable thresholds and framed as specific, measurable boundaries of acceptable variation in performance or outcomes that an organisation is willing to endure while pursuing its objectives.

But there is one more concept that we believe that companies need to add to their conversations about risk and that’s risk imposition.

Risk imposition involves subjecting others to the probability of harm or of a setback of interests. For instance, through its business activities (its operations, value chain activities, and decision-making), your company may knowingly or unknowingly impose risks on workers, communities, and/or the environment. Sometimes, risk imposition occurs as a result of risk redistribution, that is, shifting the potential for negative outcomes (losses or hazards) onto other parties. For instance, a company may undertake actions to reduce its greenhouse gas emissions but, in doing so, may increase water risk for neighbouring communities.

Surely understanding risk imposition should be part of a company’s overall risk conversation?

The limitations of conventional ERM systems

To be able to incorporate risk imposition, you first need a risk lens that extends beyond risk to your business.

Traditional enterprise risk management systems (such as the frequently referenced, compliance-focused COSO Enterprise Risk Framework) have been designed to evaluate risks to the enterprise. Conventional ERM processes focus on risks to earnings, reputation, operations, and shareholder value, prioritise what most threatens a company’s performance and resilience, and aim to help companies protect and create value.

Given the potentially significant impact of social, environmental, and governance issues on an organisation’s performance, companies have been advised to also consider these issues in their risk assessment processes.

Conventional wisdom is that integrating sustainability-related risks into the company’s risk register is best accomplished by leveraging language and processes already familiar to your organisation’s risk management function and leadership, including the organisation's standard risk assessment criteria. The idea is that incorporating sustainability-related risks into existing risk registers should elevate their visibility and importance in discussions among senior management and the board.

We have identified three key challenges with this approach:

Companies tend to over-prioritise risk to the business

We find that conventional ERM systems do not meaningfully evaluate and prioritise risks with consequences for workers, communities, and the environment unless those risks also present a risk to the business. Aside from some businesses with more mature risk assessment processes, most still focus on risk events that, if not properly managed and mitigated, are likely to have negative consequences for the business.

More recently, some businesses have started to explicitly assess consequences for workers, communities, and/or the environment. However, many still use these assessments primarily to identify and understand potential risks to the business itself. Even when companies do take a more robust lens of understanding the consequences for people or the environment, risk events with high consequence to others but low consequence to the business often still get deprioritised.

Furthermore, within these processes, when risk events with high consequences to others are deemed to have low or moderate risk to the business, the response is often to monitor instead of investing in the risk treatment(s) identified during the risk assessment process.

Evaluating complex, systemic issues is difficult

Sustainability-related risks often stem from complex systemic processes that bridge siloed functions in the business. These risks may also materialise over longer time horizons. These factors can make sustainability-related risks more challenging to identify, assess, and prioritise using conventional ERM processes.

Too often, sustainability-related risks are underestimated due to limited knowledge of the underlying risks and how the business’s activities and relationships can affect them. This underestimation of risk can apply both to your understanding of risks to the business and to the risk to workers, communities, and/or the environment.

This is why your company’s understanding of sustainability-related risks needs to be underpinned by the input of credible experts (internal or external) working cross-functionally to assess and oversee them.

Likelihood and uncertainties can be used to downplay risks

Typical ERM processes also tend to prioritise near-term and higher likelihood risks to the business. In particular, using likelihood as a multiplier can draw attention away from sustainability-related risks that are still important to manage.

Under most current risk processes, sustainability-related risks that are estimated to have low likelihood and/or lower potential consequences for the business are ranked low even though they may still impose significant consequences on workers, communities, and/or the environment. Additionally, during risk prioritisation companies often underestimate risk events for which the likelihood and/or the nature of the consequences is uncertain. This uncertainty can stem from a lack of on-the-ground knowledge or experience, proper consultation, and/or scientific understanding. In some cases, the underestimation of likelihood or consequences may be a deliberate choice to avoid elevating certain risks.

Thus, taking into account risk imposition often requires re-thinking the role of likelihood and the implications of uncertainty. When considering risks to the environment, the health and safety of workers and/or social risks to communities, the precautionary principle encourages taking preventative action against serious or irreversible threats, regardless of the likelihood or the certainty of outcomes. In other words, when probability is low but consequence is high, the precautionary principle mandates treating the risk as certain. This differentiates the likelihood assessment of sustainability-related risks from the approaches that traditional ERM processes typically employ to explore financial, reputational, legal, regulatory, and other consequences to the business.

Furthermore, when it comes to evaluating human rights risk, salience needs to drive the assessment. Salient human rights issues are “the human rights at risk of the most severe negative impact through the company’s activities and business relationships.” Thus, assessing salience relies less on likelihood than typical ERM processes focused on business risk, instead emphasising the severity of potential impacts (based on scale, scope, and irremediability). Salience is intended to help companies to prioritise which human rights issues to address first but is not intended to create a threshold below which a company would not take action to address them.

Being explicit about risk imposition in your risk process

If the aim is to promote a more holistic conversation about overall risk governance, then your organisation may wish to surface risk imposition more explicitly, including by ensuring that all risks are evaluated through multiple consequence lenses.

For instance, within your consequences table, this may involve creating specific sustainability-related risk categories (environmental, health and safety, social, human rights) and using criteria to assess and evaluate the risks and consequences that align with the unique characteristics of these sustainability risks. This means developing definitions for consequences to workers, communities, the environment, and human rights alongside your existing definitions for financial, operational, legal, and reputational consequences to the business.

We also suggest clearly labelling these definitions as consequences of the business (in contrast to consequences to the business) to help to foster a conversation about acceptable risk imposition. The key here is that the descriptions and ranking of these risks to the environment, people, and their rights need to remain focused on the recipients of those risks.
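To make concrete how the scoring mechanics discussed above (likelihood × consequence with colour bands, the precautionary rule for low-probability but high-consequence harm, severity-based salience for human rights, and a separate consequences-of-the-business lens) change a register's rankings, here is a small Python example. It is added for this post and is not the Embedding Project's tool or any company's register; the 1–5 scales, the heat-map cut-offs, the "serious" threshold, the use of the maximum of scale, scope and irremediability as a severity score, and the three sample risks are all constructed assumptions.

```python
"""Toy risk register scored through two lenses: risk to the business and
risk imposed by the business on workers, communities, the environment and
human rights.  All scales, cut-offs and sample risks are constructed
assumptions for this example, not values taken from the post."""
from dataclasses import dataclass, field

CERTAIN = 5   # top of the 1..5 likelihood scale (assumed)
SERIOUS = 4   # consequence-to-others level at which the precautionary rule applies (assumed)


@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    to_business: int         # worst financial/operational/legal/reputational consequence, 1..5
    # lens -> consequence 1..5, e.g. workers, communities, environment, human_rights
    of_business: dict = field(default_factory=dict)


def heat(score: int) -> str:
    """Map a 1..25 score to the colour bands used in heat maps (cut-offs assumed)."""
    if score <= 4:
        return "green"
    if score <= 9:
        return "yellow"
    if score <= 15:
        return "orange"
    return "red"


def severity(scale: int, scope: int, irremediability: int) -> int:
    """Salience-style severity for a human rights issue: the worst of the
    three dimensions dominates (assumption: max rather than sum or product)."""
    return max(scale, scope, irremediability)


def conventional_score(r: Risk) -> int:
    """Classic ERM scoring: likelihood used as a multiplier on business consequence."""
    return r.likelihood * r.to_business


def imposition_score(r: Risk) -> int:
    """Consequences-of-the-business lens with the precautionary rule: once the
    worst consequence to others is serious, the risk is scored as if certain,
    so a low likelihood can no longer pull it down the ranking."""
    worst = max(r.of_business.values(), default=0)
    if worst == 0:
        return 0
    likelihood = CERTAIN if worst >= SERIOUS else r.likelihood
    return likelihood * worst


def assess(r: Risk) -> dict:
    """Score one register entry under both lenses; the overall rating is the worse of the two."""
    conv = conventional_score(r)
    imp = imposition_score(r)
    return {
        "name": r.name,
        "to_business": (conv, heat(conv)),
        "of_business": (imp, heat(imp)),
        "rating": heat(max(conv, imp)),
    }


# Constructed sample register (not real company data).
REGISTER = [
    # The post's own illustration: an emissions-reduction project that raises water risk for neighbours.
    Risk("Increased water withdrawal for new low-carbon cooling", likelihood=2,
         to_business=2, of_business={"communities": 4, "environment": 3}),
    # A conventional operational risk with little consequence for others.
    Risk("Core IT outage", likelihood=4, to_business=3, of_business={"workers": 1}),
    # A human rights issue scored by salience (scale, scope, irremediability).
    Risk("No effective grievance mechanism at supplier sites", likelihood=3, to_business=1,
         of_business={"human_rights": severity(scale=2, scope=3, irremediability=5)}),
]


def assess_register(register=REGISTER) -> list:
    return [assess(r) for r in register]


if __name__ == "__main__":
    for row in assess_register():
        print(f"{row['name'][:50]:50} to-business={row['to_business']}  "
              f"of-business={row['of_business']}  rating={row['rating']}")
```

Run as a script, the water-withdrawal and grievance-mechanism entries score green under the conventional lens alone and red once the consequences-of-the-business lens is applied, while the IT outage keeps its orange rating from the business lens. That is the point of the post's third challenge: with likelihood as a multiplier and only business consequences in the table, the first and third risks would have been filed for monitoring rather than treatment.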

These ‘non-business’ consequences need to also drive investments in appropriate risk response and treatments. This may mean adapting your company’s risk treatment action guidance to ensure that organisational prioritisation processes do not inadvertently exclude key sustainability-related risks from meaningful risk treatment. Of course, no company has unlimited funds for risk treatment measures and actions, but budget allocation should not depend exclusively on whether the consequences predominantly affect the business versus people and the planet.

By actively and explicitly considering both the risk consequences to the business and the risk consequences of the business in your risk process, you open up a more holistic conversation about risk that addresses not just risk to the enterprise, but also enables a conversation about what risks your organisation is imposing on people and the planet and prompts discussion of its obligations to address those risks.

Share your experience on embedding sustainability into your enterprise risk process

The practice of integrating sustainability-related risks into corporate risk processes is evolving rapidly. Please reach out to share your own experiences with trying to address sustainability-related risks, particularly if you are making an effort to assess risk imposition as part of your processes. Either way, we would love to hear from you!