Assessing risks and opportunities
How do you prepare your organisation for uncertainties and an unknown future? The task can feel depressing and discouraging. Fortunately, help is available.
About the risk and opportunity assessment process
The risk and opportunity assessment process is a systematic, structured approach to identifying, analysing and treating risks and opportunities. It can be applied to an organisation of any size, and every organisation is advised to assess the risks and opportunities it is exposed to in order to make better decisions.
The process requires careful preparation, research and communication. The scope and purpose should be well defined before you start the assessment, and participants need to agree on definitions and criteria. Documenting the assessment context makes it possible to carry out assessments in a similar manner over time. Additionally, establishing commonly agreed definitions and criteria makes it possible to compare results and their development in the long run.
Assessment methodologies
The two best-known enterprise risk management (ERM) frameworks are ISO 31000:2018 by the International Organization for Standardization (ISO) and “2017 Enterprise Risk Management – Integrated Framework” by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), both of which provide their own assessment methodologies. Fortunately, they follow the same path and principles, even though some terms and steps are named differently.
In addition, because of the importance of recognizing sustainability in risk management, several organisations have published their own methodologies for assessing, for example, ESG, nature-related and biodiversity-related risks and opportunities. These methodologies follow basic steps similar to those of the two ERM frameworks above, adding a sustainability aspect to the steps. Furthermore, sustainability reporting has introduced the need for materiality assessment. However, the same basic steps can be modified for materiality assessment, and both assessments should work together to avoid extra work.
Assessment process steps
The steps below are based on the ERM frameworks mentioned above. Additionally, documents from The Taskforce for Nature-related Financial Disclosures (TNFD), The University of Cambridge Institute for Sustainability Leadership, The World Business Council for Sustainable Development (WBCSD), The World Resources Institute, and The Task Force on Climate-related Financial Disclosures (TCFD) were researched to add ESG, nature and ecosystem perspectives.
The general risk and opportunity assessment steps are:
Prepare - Organisation, responsibilities, schedule, tools, techniques
Communicate - Internal and external stakeholders, experts
Scope - Scope, purpose, context, boundaries, objectives
Research - History, documents, environment, trends, conditions, drivers, data, events
Assess - Terms, definitions, criteria, risk universe, tools, techniques
Identify - Risk universe incl. ESG, climate change, nature, ecosystem services
Analyse - Impact vs likelihood and vulnerability, severity, velocity, controls
Prioritize - Risk register and matrix, interactions, dependencies
Treat and respond - Existing controls and residual risk, treatment options: avoid/do nothing/accept/reduce/control/transfer/share/pursue
Monitor and review - Risk action plans, owners, yearly schedule, feedback
Report - Risk management and sustainability reporting
Risk and opportunity assessment techniques
There are dozens of assessment techniques and tools available, and choosing the right ones can be overwhelming. The ISO 31010 standard contains almost fifty assessment techniques, each with a short introduction, along with comparison tables. The standard can be purchased on ISO's website.
………..
Disclaimer: I do not work in any of the organisations mentioned in this article. I have organized and implemented risk assessment workshops and am therefore interested in sharing best practices and sources.
………..
Sources:
Guidance for Applying Enterprise Risk Management (ERM) to Environmental, Social and Governance (ESG)-related Risks [Online], WBCSD and COSO. Available at https://www.coso.org/news/Pages/new-guidance-addresses-resiliency-against-esg-risks.aspx (Accessed 22 May 2022)
ISO 31000:2018 Risk management — Guidelines [Online], Switzerland, ISO. Available at https://www.iso.org/standard/65694.html (Accessed 22 May 2022)
ISO 31010:2019 Risk management — Risk assessment techniques [Online], Switzerland, ISO. Available at https://www.iso.org/standard/72140.html (Accessed 22 May 2022)
2017 Enterprise Risk Management – Integrated Framework. [Online], COSO. Available at https://www.coso.org/sitepages/guidance-on-enterprise-risk-management.aspx?web=1 (Accessed 22 May 2022)
Recommendations of the Task Force on Climate-related Financial Disclosures, The Task Force on Climate-related Financial Disclosures (TCFD), (2017) [Online]. Available at https://www.fsb-tcfd.org/recommendations/ (Accessed 22 May 2022)
The TNFD Nature-Related Risk & Opportunity Management and Disclosure Framework Beta v0.1, Taskforce for Nature-related Financial Disclosures (TNFD) [Online]. Available at https://tnfd.global/tnfd-framework/ (Accessed 22 May 2022)
University of Cambridge Institute for Sustainability Leadership (CISL). (2022). Climate Tango: Principles for integrating physical and transition climate-risk assessment with sectoral examples. Cambridge, UK: University of Cambridge Institute for Sustainability Leadership. Available at https://www.unepfi.org/publications/climate-tango-principles-for-integrating-physical-and-transition-climate-risk-assessment-with-sectoral-examples/ (Accessed 22 May 2022)
The Corporate Ecosystem Services Review: Guidelines for Identifying Business Risks and Opportunities Arising from Ecosystem Change, 2012 [Online], World Resources Institute. Available at https://www.wri.org/research/corporate-ecosystem-services-review (Accessed 22 May 2022)