

This guidance is designed to apply to COSO's enterprise risk management (ERM) framework, Enterprise Risk Management—Integrating with Strategy and Performance. It addresses an increasing need for companies to integrate environmental, social and governance-related risks (ESG) into their ERM processes.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• Paul J. Sobel, COSO Chair
• Douglas F. Prawitt, American Accounting Association
• Charles E. Landes, American Institute of Certified Public Accountants
• Daniel C. Murdock, Financial Executives International
• Jeffrey C. Thomson, Institute of Management Accountants
• Richard F. Chambers, The Institute of Internal Auditors

World Business Council for Sustainable Development (WBCSD)
• Peter Bakker, President and CEO
• Peter White, Vice President and Chief Operating Officer
• Rodney Irwin, Managing Director, Redefining Value

This project is funded by the Gordon and Betty Moore Foundation.

©2018, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and World Business Council for Sustainable Development (WBCSD). All Rights Reserved. Information may be freely shared but may not be used for commercial use without written permission.

Table of Contents

Introduction 1
1. Governance and culture for ESG-related risks 13
2. Strategy and objective-setting for ESG-related risks 23
3. Performance for ESG-related risks 39
3a. Identifies risk 40
3b. Assesses and prioritizes risks 47
3c. Implements risk responses 67
4. Review and revision for ESG-related risks 77
5. Information, communication and reporting for ESG-related risks 85
Glossary 93
Acknowledgements 96
Appendices 98
References 107

Introduction

Entities, including businesses, governments and non-profits, face an evolving landscape of environmental, social and governance (ESG)-related risks that can impact their profitability, success and even survival. Given the unique impacts and dependencies of ESG-related risks, COSO and WBCSD have partnered to develop guidance to help entities better understand the full spectrum of these risks and to manage and disclose them effectively. This guidance is designed to help risk management and sustainability practitioners apply enterprise risk management (ERM) concepts and processes to ESG-related risks.

What are ESG-related risks?

ESG-related risks are the environmental, social and governance-related risks and/or opportunities that may impact an entity. There is no universal or agreed-upon definition of ESG-related risks, which may also be referred to as sustainability, non-financial or extra-financial risks.[a] Each entity will have its own definition based on its unique business model; internal and external environment; product or services mix; mission, vision and core values and more. The resulting definition may be broad (for example, may include all aspects of the International Integrated Reporting Council's (IIRC) six capitals, discussed in Chapter 2) or narrow (for example, may include only a selection of priority environmental and social issues) and may evolve over time. For the purposes of this guidance, the term ESG-related risks encompasses the issues that are prominent on investors' and other stakeholders' agendas, such as those described by MSCI [1] and Robeco [2] in Table 1.

The term related risks has been adopted to account for non-ESG risks that may have ESG-related causes or impacts. For example, the risk of raw material price fluctuations may be exacerbated by an environmental cause, such as flooding or droughts that were not previously considered by the organization.

Table 1: Definitions of ESG

Environmental
  MSCI definition: Climate change, natural resources, pollution and waste and environmental opportunities
  Robeco definition: The contribution an entity makes to climate change through greenhouse gas emissions, along with waste management and energy efficiency. Given renewed efforts to combat global warming, cutting emissions and decarbonizing have become more important.

Social
  MSCI definition: Human capital, product liability, stakeholder opposition and social opportunities
  Robeco definition: Human rights, labor standards in the supply chain, any exposure to illegal child labor and more routine issues such as adherence to workplace health and safety. A social score also rises if a company is well integrated with its local community and therefore has a "social license" to operate with consent.

Governance
  MSCI definition: Corporate governance and corporate behavior
  Robeco definition: A set of rules or principles defining rights, responsibilities and expectations between different stakeholders in the governance of corporations. A well-defined corporate governance system can be used to balance or align interests between stakeholders and can work as a tool to support a company's long-term strategy.

Organizations such as the Sustainability Accounting Standards Board (SASB)[b] and the Global Reporting Initiative (GRI), among others, also provide lists of the potential issues that may be captured in the definition of ESG.

COSO's Enterprise Risk Management—Integrating with Strategy and Performance (COSO ERM Framework) defines risk as "the possibility that events will occur and affect the achievement of strategy and business objectives."[3] This includes both negative effects (such as a reduction in revenue targets or damage to reputation) as well as positive impacts (that is, opportunities – such as an emerging market for new products or cost savings initiatives).

[a] Although these terms are used interchangeably, this guidance has adopted the term ESG, as it is currently the term commonly used by the investor community and captures the range of criteria to generate long-term competitive financial returns and positive social impact.
[b] SASB's sustainability topics are organized under five broad sustainability dimensions: environment, social capital, human capital, business model and innovation, and leadership and governance.

Example: Unilever's purpose, vision and ESG issues

Unilever's identified ESG issues stem from its purpose "to make sustainable living commonplace" and its vision "to grow [its] business while decoupling [its] environmental footprint from [its] growth and increasing [its] positive social impact."[4] The table below highlights Unilever's identified ESG topics that may affect achievement of this purpose or vision.[5] The topics are grouped under five headings: Improving health and well-being; Reducing environmental impact; Enhancing livelihoods; Responsible business practices; and Wider sustainability topics.
• Nutrition and diets
• Sanitation and hygiene
• Agricultural sourcing
• Climate action
• Deforestation
• Packaging and waste
• Water
• Non-agricultural sourcing
• Human rights
• Women's rights and opportunities
• Economic inclusion
• Employee well-being
• Fair compensation
• Ethics, values and culture
• Data security and privacy
• Governance and accountability
• Responsible marketing and advertising
• Tax and economic contribution
• Responsible use of innovation and technology
• Trusted products and ingredients
• Animal testing and welfare
• Consumers and sustainability
• Talent
• Communicable diseases

Why do environmental, social and governance-related risks matter for organizations?

ESG-related risks are not necessarily new. In particular, corporations, organizations, governments and investors have been considering governance risks for many years, focusing on aspects such as financial accounting and reporting practices, the role of board leadership and composition, anti-bribery and corruption, business ethics, and executive compensation. However, over the last several decades – and particularly the last 10 years – the prevalence of ESG-related risks has accelerated rapidly. In addition to a clear rise in the number of environmental and social issues that entities now need to consider, the internal oversight, governance and culture for managing these risks also require greater focus.

The evolving global risk landscape

Each year, the World Economic Forum's Global Risks Report [6] surveys business, government, civil society and thought leaders to understand the highest rated risks in terms of impact and likelihood. Over the last decade, these risks have shifted significantly. In 2008, only one societal risk, pandemics, was reported in the top five risks in terms of impact. In 2018, four of the top five risks were environmental or societal, including extreme weather events, water crises, natural disasters, and failure of climate change mitigation and adaptation. The World Economic Forum also highlights the increasing interconnectedness among ESG risks themselves, as well as with risks in other categories – particularly the complex relationship between environmental risks or water crises and social issues such as involuntary migration.

In the business world, this evolving landscape means ESG-related risks that were once considered "black swans"[c] are now far more common – and can manifest more quickly and significantly. A report by the Society for Corporate Governance [7] in the United States found that these issues often, although not always:
• Derive from a risk or impact inherent in the core operations or products
• Have the potential to meaningfully damage a company's intangible value, reputation or ability to operate
• Are accompanied by persistent media interest, organized stakeholders and associated public policy debates that could magnify the impact of a company's existing position or practice and increase the reputational risk (or opportunity) created by a change in company policy or practice

[c] The black swan theory was developed by Nassim Nicholas Taleb, who describes it as "first, it is an outlier, as it lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility. Second, it carries an extreme impact. Third, in spite of its outlier status, human nature makes us concoct explanations for its occurrence after the fact, making it explainable and predictable." For more information, refer to the 2007 New York Times article "The Black Swan: The Impact of the Highly Improbable."

These proxy voting results are not surprising given the growing attention by large institutional investors to responsible investing and how companies are addressing social and environmental challenges to achieve long-term, sustained growth.[e] Once limited to a small set of investors, the focus on ESG investing has expanded to mutual funds, exchange-traded funds and private equity. The largest passive investors globally, including BlackRock, which has USD$6.3 trillion in assets under management, State Street Global Advisors (USD$2.8 trillion) and the Government Pension Fund of Japan (USD$1.4 trillion), have embraced purpose and ESG considerations in their investing, engagement, risk management practices and marketing practices.[11]

"A company's ability to manage environmental, social and governance matters demonstrates the leadership and good governance that is so essential to sustainable growth, which is why we are increasingly integrating these issues into our investment process. Companies must ask themselves: What role do we play in the community? How are we managing our impact on the environment? Are we working to create a diverse workforce? Are we adapting to technological change? Are we providing the retraining and opportunities that our employees and our business will need to adjust to an increasingly automated world? Are we using behavioral finance and other tools to prepare workers for retirement, so that they invest in a way that will help them achieve their goals?"[12]
– Larry Fink, CEO BlackRock, 2018

ESG disclosures and regulation

Sustainability reporting has become a norm for many public and private companies. Non-profits and public entities have also started to disclose ESG information to their stakeholders.[f] Most entities face some level of investor, customer and/or supplier demand for more transparency about ESG issues, particularly those related to questions around supply chain integrity, board diversity or climate change adaptation. In 2018, 85% of all S&P 500 companies produced some type of ESG disclosure.[13] There has also been growth in ESG-related regulation and disclosure requirements – totaling 1,052 requirements (80% of which are mandatory) in 63 countries.[g] From 2017, the European Union Directive on Non-Financial Reporting requires that companies that operate in EU member states and meet certain criteria prepare a statement containing information relating to environmental protection, social responsibility and treatment of employees, respect for human rights, anti-corruption and bribery, and diversity on boards.

Regulatory bodies and stock exchanges are also responding to growing investor demands for uniform ESG information linked to financial performance. In 2017, Singapore introduced a listing rule for listed issuers to prepare an annual sustainability report, identifying material ESG factors, policies, practices, performance, targets and a board statement.[14] NASDAQ's Nordic and Baltic exchanges issued voluntary guidance in March 2017.[15] The Recommendations of the Task Force for Climate-related Financial Disclosures (TCFD)[16] are a significant step to support preparedness in the transition to a low-carbon economy and against anticipated increases in the frequency or intensity of extreme climate events. Drawing on numerous guidance documents, initiatives, reporting and risk management mechanisms, the TCFD has issued recommendations on climate-related risks that can be applied to corporations and other entities.

[e] An EY survey revealed that more than 80% of institutional investors surveyed agreed that for too long, companies have failed to consider environmental and social risks and opportunities as core to their business. They believe that ESG issues have "real and quantifiable impacts" over the long term and that generating sustainable returns over time requires a sharper focus on ESG factors. For more information, refer to the 2017 EY report "Is your nonfinancial performance revealing the true value of your business to investors?"
[f] Some examples include the DMCC (Free Zone and Government of Dubai Authority on commodities trade and enterprise), Eskom, NASA, NASDAQ, Oxfam and WWF.
[g] These countries include Argentina, Australia, Austria, Bangladesh, Belgium, Bolivia, Brazil, Canada, Chile, China, Colombia, Costa Rica, Croatia, Czech Republic, Denmark, Ecuador, El Salvador, Finland, France, Germany, Greece, Guatemala, Honduras, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Kazakhstan, Luxembourg, Malaysia, Mexico, Myanmar, Netherlands, New Zealand, Nigeria, Norway, Panama, Paraguay, Peru, Philippines, Poland, Portugal, Romania, Russia, Singapore, Slovakia, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, Turkey, Ukraine, United Kingdom, United States, Uruguay and Vietnam. For more information, refer to the Reporting Exchange at reportingexchange.com/

How can ERM help risk management and sustainability practitioners navigate ESG-related risks?

There is a case to be made for entities taking a more active role in understanding and addressing ESG-related risks – whether that means reducing or removing risk, adapting and preparing for risk or being more transparent about how the organization is addressing risk. The COSO ERM Framework defines ERM as "the culture, capabilities and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving and realizing value."[18]

Many entities have ERM structures and processes in place to identify, assess, manage, monitor and communicate risks. Even in the absence of a formalized ERM function, roles and responsibilities for risk management activities across the business are often defined and executed.[h] These processes provide a path for boards and management to optimize outcomes with the goal of enhancing capabilities to create, preserve and ultimately realize value.[19] While there are many choices in how management will apply ERM practices and no one approach is universally better than another, research has shown that mature risk management can lead to higher financial performance.[i] Leveraging these structures and processes can also support organizations to identify, assess and respond to ESG-related risks. Given that ESG-related risks can be complex or unfamiliar to organizations, COSO and WBCSD have developed guidance to support entities to better understand and manage the full spectrum of ESG-related risks.

Comparing ESG disclosures to risk disclosures

Despite an increase in ESG disclosures, evidence shows that the issues reported in sustainability reports or ESG disclosures do not always align to the risks reported in an organization's risk disclosures. WBCSD member companies point to a range of reasons for this, including:
• The challenge of quantifying ESG-related risks in monetary terms. Not doing so makes prioritization and appropriate allocation of resources much more difficult, particularly when the risk is long term with uncertain impacts emerging over an unknown time period.
• Lack of knowledge of ESG-related risks across the entity and limited cross-functional collaboration between risk management and sustainability practitioners.
• ESG-related risks are managed and disclosed by a team of sustainability specialists and viewed as separate or less significant than conventional strategic, operational or financial risks – leading to a range of biases against ESG-related risks.

Refer to Sustainability and ERM: The first step towards integration [17] for more information or Appendix I for a summary of this research.

[h] A 2017 report by the AICPA that surveyed 432 executives across large organizations, public companies, financial services and not-for-profit organizations found that 28% of organizations have a "complete formal enterprise-wide risk management process in place" while 37% have a "partial enterprise-wide risk management process in place (i.e., some, but not all, risk areas addressed)." (Beasley, M., Branson, B., & Hancock, B. (2017, March). "The state of enterprise risk oversight: an overview of risk management practices 8th edition.")
[i] For example, a 2013 study by EY found that companies with mature risk management practices outperformed their competitors financially. Companies that ranked in the top 20% in terms of risk management maturity reported earnings three times higher than companies in the bottom 20%. (EY (2013). "Turning risk into results: how leading companies use risk management to fuel better performance." p. 3) A 2014 study found that "firms with advanced levels of ERM implementation present higher performance, both as financial performance and market evaluation." (Florio, C. and Leoni, G. (2017). "Enterprise risk management and firm performance: The Italian case." British Accounting Review 49. p. 56-74)

Application of this guidance to small and medium-sized enterprises (SMEs)[j]

ESG-related risks are as relevant for small and medium-sized entities as they are for large corporations or government bodies. However, resources in SMEs are often limited, making it challenging for these entities to establish robust governance or to adequately identify, assess and respond to all ESG-related risks. SMEs should take a common sense approach that uses available resources efficiently. This may include focusing on strategy and objective-setting and performance (Chapters 2 and 3) while being aware of the importance of continual monitoring and improvement (Chapter 4).

About this guidance – audience

This guidance is designed to be used by any entity facing ESG-related risks – including startups, non-profits, for-profits, large corporations or government entities. The intended audience includes any decision-makers as well as risk management and sustainability practitioners who are looking for guidance on managing ESG-related risks. The audience may include those positioned in an ERM or sustainability function or with oversight responsibilities of those functions, but may also include any risk owner or operations manager whose roles are impacted by ESG-related risks – whether a procurement manager, an analyst in investor relations or a marketing director. The intended audience and their application of this guidance may be described as follows:
• Decision-makers: The guidance generates awareness that ESG is a mainstream topic encompassing a wide range of issues that require effective oversight and decision-making.
• Risk management practitioners: Risk management practitioners primarily include those with a direct role in the ERM process; however, the guidance is applicable to anyone with responsibilities to manage risk (including operational management, risk owners and line management). The guidance aims to help these practitioners understand the types of ESG-related risks that may impact the entity along with tools, resources and frameworks that can support further understanding.
• Sustainability practitioners: Sustainability practitioners primarily include those with a direct role in a sustainability function; however, the guidance is applicable to anyone impacted by ESG-related considerations. The guidance aims to help these practitioners integrate their knowledge and awareness of ESG-related trends, issues, impacts and dependencies with ERM tools and processes to better support identifying, defining, assessing, responding to and disclosing ESG-related risks.

In some cases, practitioners may hold more than one of these roles. Everyone has the responsibility to manage risk. While many ESG risks will be owned by the ESG or sustainability team, as Larry Fink has stated, "We want ESG risk management to be a tool that every manager is looking at."

About this guidance – purpose and scope

Purpose

The purpose of the guidance is to help organizations apply ERM principles and practices to ESG-related risks. To this extent, the guidance applies COSO's ERM Framework Enterprise Risk Management—Integrating with Strategy and Performance.[20]

[j] This is defined by the European Union as companies with less than 250 employees.

While the guidance is aligned to COSO's five components and 20 principles shown in Figure 2, it also offers a practical approach to entities using other risk management frameworks, such as ISO 31000 or entity-specific risk management frameworks. Wherever possible, this document leverages existing frameworks, guidance, practices and tools from both the risk management and sustainability fields.[k] It is not intended to be used as ERM guidance in isolation and should be used in conjunction with an established ERM framework. The purpose of this guidance is to help an entity achieve:
• Enhanced resilience: An entity's medium- and long-term viability and resilience will depend on the ability to anticipate and respond to a complex and interconnected array of risks that threaten the strategy and objectives.
• A common language for articulating ESG-related risks: ERM identifies and assesses risks for potential impact to the strategy and business objectives. Articulating ESG-related risks in these terms brings ESG issues into mainstream processes and evaluations.
• Improved resource deployment: Obtaining robust information on ESG-related risks enables management to assess overall resource needs and helps optimize resource allocation.
• Enhanced pursuit of ESG-related opportunities: By considering both positive and negative aspects of ESG-related risks, management can identify ESG trends that lead to new opportunities.
• Realized efficiencies of scale: Managing ESG-related risks centrally and alongside other entity-level risks helps to eliminate redundancies and better allocate resources to address the entity's top risks.
• Improved disclosure: Improving management's understanding of ESG-related risks can provide the transparency and disclosure investors expect and achieve compliance with jurisdictional reporting requirements.

[k] Examples include the COSO Internal Control Integrated Framework, Global Reporting Initiative (GRI) Standards, the Greenhouse Gas Protocol, International Integrated Reporting Council's (IIRC) Integrated Reporting Framework, Natural Capital Protocol, Social & Human Capital Protocol, Sustainability Accounting Standards Board (SASB) Standards, Recommendations of the Task Force on Climate-related Financial Disclosures (TCFD).

Figure 2: COSO's Enterprise Risk Management Framework. © 2017 COSO. Used by permission. All rights reserved.
