How well are organizations disclosing their sustainability risks?

Some organizations are struggling to identify and manage emerging risks by their ERM function and systems to take a strategic view.

Organizations today are challenged with managing a rapidly changing risk landscape, including market volatility, geopolitical crises, widespread economic changes, natural resource constraints, regulatory reforms, threats to their license to operate and immediate social media accountability. Helping an organization identify and understand all of its sustainability risks is more important than ever, yet most do not have strong processes in place to integrate, measure, value, monitor, manage and report these risks.

Changing nature of risks

The shifting landscape of risk in the global business environment is perhaps best reflected in the longitudinal shift of top risks identified by the World Economic Forum (WEF) each year (as shown in figure 1). In 2007, just 20% of the risks were environmental or societal related, in 2012 this figure was 30% and by 2017 it jumped to 70%.

The report shows environmental and societal risks constitute 70% of the top 2017 risks

As these risks materialize, businesses may be impacted in significant ways. In 2009, the H1N1 Influenza A virus sliced more than US$10 billion off company productivity in the United States alone. Between 2013 and 2015, several high profile cyberattacks hit, leading to compromised personal data for trusted companies in retail, banking and health insurance industries. The drought in California, the largest state agricultural producer in the US, led to a US$480 billion revenue decline from 2013 to 2014. These are only a few examples of how failing to adapt to incidents or external forces can lead to an erosion of a company’s reputation and shareholder value.

Risk identification and management

For most companies (57%), some but certainly not all of their sustainability risks are captured through their enterprise risk management (ERM) process. Because emerging environmental or societal risks are less familiar, companies are generally less proficient in identifying and managing these risks. For this reason, some of the most significant risks are being left off the risk discussion (e.g., water scarcity or heavy metal contamination).

It is also clear that qualitative and quantitative measurement tools are typically not sufficiently leveraged to accurately assess the likelihood and magnitude of these risks — as compared with some of the more traditional, economic risks that companies face. For example, the oil and gas industry response to pricing shocks compared to climate change reporting requirements.

Failing to take an enterprise-wide, strategic view

And yet enterprise-wide collaboration is often critical for managing sustainability risk, to ensure the risks receive the “strategic” attention most of them require. At the heart of a strong risk management framework is the prioritization of the relevant risks and their mitigation. Assuming the organization can appropriately prioritize the risks stemming from various divisions and functions of the business on an enterprise-wide basis, the next step typically will be to determine an appropriate response. For certain process risks, a control can be easily identified and implemented. For example, a company may add a policy in which all employees in the manufacturing facility are required to wear steel-toed boots.

However, to address most sustainability risks, a more systemic, strategic approach will likely be required to leverage not only the company processes but also strategy, culture, product and customer proposition. For example, consider a clothing manufacturing company with factories in 20 locations, including Bangladesh and Thailand. Although the company may have enough water to produce their goods in Bangladesh, it may have to consider the impact of arsenic contamination. In Thailand, the challenge of water may be political, and the company may need to assess the amount of water it uses with respect to the local watershed and permit requirements. According to the Greenbiz survey of sustainability practitioners, while most organizations (70%) identify sustainability risks through their ERM framework, 61% say they need to do this better.

Short-termism

Exacerbating issues stemming from taking a short-term view is the fact that many of the 2017 risks may take a long time to develop. The impacts of failure of climate change mitigation and adaption may impact companies from the next year and well into 10 to 50 years. However, most companies and their directors are incentivized to think about the risks that will impact their business in the next year, or at best the next three to five years to increase the return to their shareholders.

Disclosure of sustainability risks

EY has been observing the increasing demand from stakeholders and investors for greater transparency. Internal management and external stakeholders increasingly consider nonfinancial information in their decision-making. In EY’s Tomorrow’s investment rules report from 2017, involving more than 320 institutional investors around the world, nearly 86% of respondents consider CSR or sustainability reports as essential or useful when making investment decisions.

As demand for nonfinancial disclosures rapidly increases, a number of global organizations and regulators have established reporting frameworks aimed at shifting the focus on alignment to the financial and regulatory disclosure markets. While these frameworks continue to be voluntary, companies may see strategic and operational benefits from choosing to use a framework to disclose nonfinancial information.

In 2015, the Sustainability Accounting Standards Board (SASB), a nonprofit organization that develops standards for the disclosure of material sustainability-related information in SEC filings, issued provisional sustainability accounting standards for 79 industries in 10 sectors. The goal of these standards is to assist public corporations in complying with existing requirements when disclosing information material to investors in SEC filings.

In December 2015, the Financial Stability Board (FSB) established the Task Force on Climate-related Financial Disclosures (TCFD). The TCFD is globally diverse and includes private providers of capital, major issuers, accounting firms and ratings agencies, thereby presenting a unique opportunity to form a collaborative partnership between the users and preparers of financial reports. The TCFD was tasked with assessing what constitutes efficient and effective disclosure and to design a set of recommendations for voluntary company financial disclosure of climate-related risks. In June 2017, the TCFD presented its recommendations, which covered governance, strategy, risk management and metrics, and targets disclosures related to climate change.

The International Integrated Reporting Council (IIRC) has developed the Integrated Reporting Framework, which provides guidance for public companies on how to integrate sustainability into their annual financial reports. In addition, governments and stock exchanges are increasingly requesting that companies report on their nonfinancial information. Governments and stock exchanges in more than 40 countries now require or encourage some level of sustainability reporting, according to one estimate.

And yet, as the WBCSD report suggested, current state of disclosures suggests a discrepancy between what companies are reporting in their sustainability reports and their legal filings.

A way forward

There are no silver bullets to address this issue, but a well-designed ERM function is a powerful way to weave the management of sustainability risk into the fabric of an organization.

The ERM function plays a critical role in monitoring and managing the risks and opportunities that can impact a company’s profitability, success or even survival. The ERM function is often tasked with canvasing the internal and external opportunities and threats to the business and challenging these in the business strategy, sometimes leveraging an ERM framework such as COSO or International Standard of Organization (ISO), to support this.

Some of the critical elements in place at leading organizations include:

• Starting with establishing a risk management culture of consistent sustainability factors and their risk management. Encourage everyone in the company to use the same language and share risk definitions across the organization.
• Leveraging the risk management function to better map and identify emerging sustainability risks, as well as support the identification, quantification and prioritization of sustainability risks. Specific tools can be used to help quantify sustainability issues — such as the social or natural capital protocol.
• Leveraging the risk management function to support links into the business strategy and support better decision-making.
• Adopting an enterprise-wide view to prioritize and aggregate issues by likelihood and severity, along with adaptability, complexity, persistence, velocity and recovery.
• Improving collaboration between sustainability and ERM.
• Considering how to align reporting of sustainability and risk.