How well are organizations disclosing their sustainability risks?

By Mathew Nelson

EY Oceania Chief Sustainability Officer

Leading a purpose-driven team that shares a common passion for creating positive impact. Workplace diversity and equality advocate. Engineer. Father of two boys. Australian Football League fan.

8 minute read | 8 Mar 2017

Some organizations are struggling to identify and manage emerging risks through their ERM function and systems, and to take a strategic view of those risks.

Organizations today are challenged with managing a rapidly changing risk landscape, including market volatility, geopolitical crises, widespread economic changes, natural resource constraints, regulatory reforms, threats to their license to operate and immediate social media accountability. Helping an organization identify and understand all of its sustainability risks is more important than ever, yet most do not have strong processes in place to integrate, measure, value, monitor, manage and report these risks.

Changing nature of risks

The shifting landscape of risk in the global business environment is perhaps best reflected in the longitudinal shift of top risks identified by the World Economic Forum (WEF) each year (as shown in figure 1). In 2007, just 20% of the risks were environmental or societal related, in 2012 this figure was 30% and by 2017 it jumped to 70%.

Figure 1: The changing nature of risk. The WEF report shows that environmental and societal risks constitute 70% of the top risks for 2017.

As these risks materialize, businesses may be impacted in significant ways. In 2009, the H1N1 Influenza A virus sliced more than US$10 billion off company productivity in the United States alone. Between 2013 and 2015, several high profile cyberattacks hit, leading to compromised personal data for trusted companies in retail, banking and health insurance industries. The drought in California, the largest state agricultural producer in the US, led to a US$480 billion revenue decline from 2013 to 2014. These are only a few examples of how failing to adapt to incidents or external forces can lead to an erosion of a company’s reputation and shareholder value.

Risk identification and management

For most companies (57%), some but certainly not all of their sustainability risks are captured through their enterprise risk management (ERM) process. Because emerging environmental or societal risks are less familiar, companies are generally less proficient in identifying and managing these risks. For this reason, some of the most significant risks are being left off the risk discussion (e.g., water scarcity or heavy metal contamination).

It is also clear that qualitative and quantitative measurement tools are typically not sufficiently leveraged to accurately assess the likelihood and magnitude of these risks, as compared with some of the more traditional, economic risks that companies face. Compare, for example, the oil and gas industry's response to pricing shocks with the typical company response to climate change reporting requirements.

Oil and gas response to pricing shocks

  • The oil and gas sector experienced major shocks due to political, economic and social events over the past 150 years.
  • A major oil and gas company was one of the first companies to initiate scenario planning in the 1960s.
  • Scenario planning provided a tangible and quantifiable way to convince executives of emerging trends, which were supported with quantitative financial evidence.
  • To respond to pricing risks, oil and gas companies enter into hedging agreements as protection against severe price decreases.

Typical company response to climate change reporting requirements

  • Although they quantify and report emissions, many companies fail to quantify the business impact of climate change.
  • A 2013 study conducted by Ceres indicates that only 59% of S&P 500 companies included climate disclosures in their 10-K filings, while 68% reported in CDP’s Investor Questionnaire.
  • When companies do disclose climate risks, it is often using boilerplate language rather than a clear understanding of the likelihood and impact of the risk.

Various surveys indicate that quantification tools are used to support risk management, but that very few organizations are using quantification methods for their sustainability risks. Many respondents believe their company prioritizes the issues that are already known to it. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) also recognizes the prevalence of bias due to competing business objectives, which can distort risk prioritization.

A siloed view

In January 2017, the WBCSD published a report comparing WBCSD-member company sustainability reports and risk disclosures and found that, on average, only 29% of the areas deemed to be “material” in a sustainability report were also disclosed in the risk factor section of the legal filing. Although this is only a proxy for what might be going on within the organization, for a staggering 35% of member companies none of the material risks named in their sustainability reports, such as product and food safety, water security and climate change, were disclosed in the company’s legal filings.

The report suggests that one of the reasons for this was due to limited collaboration between the sustainability function and the risk management team. The WBCSD’s survey found half of companies have a “distinct” structure defined by “no interaction or collaboration,” meaning that sustainability and ERM functions did not interact.

While a sustainability report is prepared with a broader definition of “materiality” and a broader perspective of stakeholder interests, it is clear that certain issues or risks that are being identified or understood by sustainability practitioners within the business are not finding their way onto the company risk registers or into public mainstream disclosures.

Figure: Collaboration between sustainability and ERM

Failing to take an enterprise-wide, strategic view

And yet enterprise-wide collaboration is often critical for managing sustainability risk, to ensure the risks receive the “strategic” attention most of them require. At the heart of a strong risk management framework is the prioritization of the relevant risks and their mitigation. Assuming the organization can appropriately prioritize the risks stemming from various divisions and functions of the business on an enterprise-wide basis, the next step typically will be to determine an appropriate response. For certain process risks, a control can be easily identified and implemented. For example, a company may add a policy in which all employees in the manufacturing facility are required to wear steel-toed boots.

However, to address most sustainability risks, a more systemic, strategic approach will likely be required to leverage not only the company processes but also strategy, culture, product and customer proposition. For example, consider a clothing manufacturing company with factories in 20 locations, including Bangladesh and Thailand. Although the company may have enough water to produce their goods in Bangladesh, it may have to consider the impact of arsenic contamination. In Thailand, the challenge of water may be political, and the company may need to assess the amount of water it uses with respect to the local watershed and permit requirements. According to the Greenbiz survey of sustainability practitioners, while most organizations (70%) identify sustainability risks through their ERM framework, 61% say they need to do this better.

Figure: ERM frameworks

Exacerbating the issues stemming from taking a short-term view is the fact that many of the 2017 risks may take a long time to develop. The impacts of a failure of climate change mitigation and adaptation may affect companies from next year and well into the next 10 to 50 years. However, most companies and their directors are incentivized to think about the risks that will impact their business in the next year, or at best the next three to five years, in order to increase the return to their shareholders.

Figure: Time horizon for considering risk

Disclosure of sustainability risks

EY has been observing the increasing demand from stakeholders and investors for greater transparency. Internal management and external stakeholders increasingly consider nonfinancial information in their decision-making. In EY’s Tomorrow’s investment rules report from 2017, involving more than 320 institutional investors around the world, nearly 86% of respondents consider CSR or sustainability reports as essential or useful when making investment decisions.

As demand for nonfinancial disclosures rapidly increases, a number of global organizations and regulators have established reporting frameworks aimed at aligning nonfinancial disclosure with financial and regulatory disclosure. While these frameworks continue to be voluntary, companies may see strategic and operational benefits from choosing to use a framework to disclose nonfinancial information.

In 2015, the Sustainability Accounting Standards Board (SASB), a nonprofit organization that develops standards for the disclosure of material sustainability-related information in SEC filings, issued provisional sustainability accounting standards for 79 industries in 10 sectors. The goal of these standards is to assist public corporations in complying with existing requirements when disclosing information material to investors in SEC filings.

In December 2015, the Financial Stability Board (FSB) established the Task Force on Climate-related Financial Disclosures (TCFD). The TCFD is globally diverse and includes private providers of capital, major issuers, accounting firms and ratings agencies, thereby presenting a unique opportunity to form a collaborative partnership between the users and preparers of financial reports. The TCFD was tasked with assessing what constitutes efficient and effective disclosure and with designing a set of recommendations for voluntary company financial disclosure of climate-related risks. In June 2017, the TCFD presented its recommendations, which covered climate-related disclosures across governance, strategy, risk management, and metrics and targets.

The International Integrated Reporting Council (IIRC) has developed the Integrated Reporting Framework, which provides guidance for public companies on how to integrate sustainability into their annual financial reports. In addition, governments and stock exchanges are increasingly requesting that companies report on their nonfinancial information. Governments and stock exchanges in more than 40 countries now require or encourage some level of sustainability reporting, according to one estimate.

And yet, as the WBCSD report suggested, the current state of disclosures shows a discrepancy between what companies are reporting in their sustainability reports and what they report in their legal filings.

A way forward

There are no silver bullets to address this issue, but a well-designed ERM function is a powerful way to weave the management of sustainability risk into the fabric of an organization.

The ERM function plays a critical role in monitoring and managing the risks and opportunities that can impact a company’s profitability, success or even survival. The ERM function is often tasked with canvassing the internal and external opportunities and threats to the business and challenging these against the business strategy, sometimes leveraging an ERM framework such as COSO or one from the International Organization for Standardization (ISO) to support this.

Some of the critical elements in place at leading organizations include:

  • Establishing a risk management culture with a consistent understanding of sustainability factors and how their risks are managed. Encourage everyone in the company to use the same language and share risk definitions across the organization.
  • Leveraging the risk management function to better map and identify emerging sustainability risks, as well as support the identification, quantification and prioritization of sustainability risks. Specific tools can be used to help quantify sustainability issues — such as the social or natural capital protocol.
  • Leveraging the risk management function to support links into the business strategy and support better decision-making.
  • Adopting an enterprise-wide view to prioritize and aggregate issues by likelihood and severity, along with adaptability, complexity, persistence, velocity and recovery.
  • Improving collaboration between sustainability and ERM.
  • Considering how to align reporting of sustainability and risk.

References

  1. The Global Risks Report 2017, 12th Edition, World Economic Forum, 2017.
  2. Walgreen 2011 Flu Impact Report, Walgreen, 2011. According to the study from September 2011, influenza was responsible for 100 million lost workdays during the 2010-2011 flu season. That’s $7 billion in lost wages; two-thirds of the missed workdays were employer-paid sick time. The flu sliced more than $10 billion off company productivity.
  3. 9 Recent Cyber Attacks against Big Business, New York Times, 2015.
  4. Impacts of California’s Ongoing Drought: Agriculture, Pacific Institute, 2015.
  5. Sustainability and enterprise risk management: the first step towards integration, WBCSD, 2017.
  6. Living in the Futures, Harvard Business Review, 2013.
  7. Cool Response: The SEC and Corporate Climate Change Reporting, CERES, 2014.
  8. Aligning Risk with Strategy and Performance, COSO Enterprise Risk Management, June 2016 edition.
  9. Sustainability and enterprise risk management: the first step towards integration, WBCSD, 2017.
  10. Ibid.
  11. Unlock Growth By Integrating Sustainability: How To Overcome The Barriers, a comprehensive study produced by Marsh & McLennan Companies — Global Risk Center, Association for Financial Professionals and GreenBiz Group.
  12. Ibid.
  13. Ibid.
  14. Is your nonfinancial performance revealing the true value of your business to investors? EY, 2017.
  15. Global CSR Disclosure, the Initiative for Responsible Investment at the Hauser Institute for Civil Society and Harvard Kennedy School, accessed November 2016.
  16. Turning risk into results: how leading companies use risk management to fuel better performance, EY, 2013.
