Sustainability involves complex issues that can be both good and bad for an organization. These issues often clash with each other and bring both opportunities and challenges. Because of this, strong risk management is essential. It helps organizations achieve and handle sustainability goals. Sustainability can stir strong feelings—some people think climate change isn’t real, while others see it as the biggest problem we face today. A skilled risk manager can unite people with different opinions and help them agree on a plan. Risk management also sets clear tasks, goals, and responsibilities. That’s why sustainability rules and guidelines, like the Task Force on Climate-related Financial Disclosures (TCFD), mention risk management so often. In the end, sustainability risks should be treated like any other risks in a company. It’s easier for organizations to see sustainability as just one of many risks they need to manage.

Risk management helps make sustainability possible by checking each UN Sustainable Development Goal (SDG) to figure out if it’s good or bad for the organization and the area around it. Some SDGs can bring benefits, like having leaders from different backgrounds, making nature better when building new places, or knowing all companies must follow the same rules. Other SDGs can cause problems, such as polluting water through company actions or getting into legal and reputation trouble if unfairness happens. Often, one SDG can be both a chance to gain and a risk to avoid, and the risk manager has to handle both sides carefully. When thinking about sustainability, companies might decide to do things that don’t seem worth it just for profit but still make sense overall. How a company works on these SDGs depends on whether it sees them as risks or possibilities—for risks, it tries to stop bad things from happening; for possibilities, it tries to make good things happen. Also, different people connected to the company might see its role in reaching these goals in different ways.
Social materiality
In sustainability, the word “materiality” is used a lot, but it can mean different things depending on the context. Risk managers need to understand these differences to effectively work with various people and viewpoints when deciding which risks or issues matter most. To determine what’s important, two main questions need to be answered: How do we decide what counts as important, and who is it important to?
1. Deciding What Is Important (Materiality Criteria)
When figuring out what’s important, we often look at how big or serious a risk could be. This is similar to how risks are sorted in a chart that compares their impact (how much harm they could do) and likelihood (how likely they are to happen). In this approach, the most “material” risks are usually those with the biggest potential impact or those that are both very likely and very serious. For sustainability, though, it’s not enough to just think about money or reputation. The criteria should also cover the environment, people (social factors), and how the organization is managed (governance).
2. Who It Is Important To (Dynamic Double Materiality)
The second question is about who cares about these risks or issues. In finance and law, something is “material” if knowing about it would change a typical person’s decision. In finance, that person is usually a shareholder; in law, it’s more like an everyday person you might meet. In sustainability, it’s more complicated because many different people—called stakeholders—might be affected and have different concerns. So, we use “double materiality” to think about two things: how an issue affects the organization’s goals and how the organization’s actions affect other people’s goals. This matters because if we impact others, it could eventually affect us too, depending on how they respond. It’s called “dynamic” double materiality because the situation keeps changing, and what’s important to people can shift over time.
Focusing on Social Materiality
Now, let’s look at “social materiality,” which is about what matters to people. A common way to figure this out is by asking different groups what they think about a set list of topics—like risks or issues that the organization cares about. Two groups are usually involved: one representing the organization itself and another representing people who might be affected by what the organization does. Each group rates the topics from “not important” to “very important.” Then, their ratings are compared to see which topics stand out as most important to both sides. This helps prioritize what really matters socially. Materiality in sustainability is about understanding what’s important, how to measure it, and who it affects. By considering a wide range of factors and perspectives—and knowing these can change—risk managers can better handle sustainability challenges.

In measuring social materiality, the social materiality matrix can be taken a step further by considering how well perceptions of what is important to stakeholders align with what is important to the business or organization. While the material topics are those positioned in the top right-hand corner of the matrix, it is often more useful to consider those in the top left and bottom right corners of the matrix,

[Figure: A typical social materiality matrix]

Understanding what matters to different people in a changing world makes up the first two steps of the four-step risk management process. We can use tools to figure out the situation we’re in, what different groups want to achieve, and what risks or opportunities they think are important. These tools also help decide which risks or opportunities need action. Risk managers should lead or team up with others to make sure this information is complete and fits into the risk management system. Sustainability often looks at what’s important in different ways. As risk managers, we need to help different groups understand a few key points:
- Different fields have their own trusted ways to figure out what’s important, but they might not know other fields do it differently.
- Materiality means understanding what matters and, when needed, sharing and acting on that information.
- Different groups will care about different things for their own reasons, and all those views should be respected. What’s important varies between groups, but we should combine all these perspectives so everyone is heard.

Emerging sustainability risks
The idea of emerging risks helps people think beyond their usual ways of looking at risks or how far ahead they plan. Many organizations see sustainability risks as emerging because they are:
- New: The organization hasn’t thought of them as threats or possibilities before.
- Complicated: It’s hard to figure out what the real danger is.
- Uncertain: No one knows how big the impact might be, now or later.
Some organizations don’t deal with a risk until it’s fully clear and official. This works for some risks, but sustainability risks are so tricky that we might never know everything about them. If we wait for all the details, it could be too late to take control and fix things. Take climate change as an example. Experts say global temperatures might rise 4-6 degrees above old levels by the 2040s. By then, seas could rise a lot, some areas might lose farmland to deserts, and parts of the world might get too hot to live in without special technology. If we wait until these things happen, we can’t stop them anymore. To avoid this, most countries have agreed to cut emissions close to zero by 2050. This plan slowly stops the planet from heating up too fast by thinning out the layer of greenhouse gases built up since the industrial age. Lower emissions mean slower warming, which slows down ocean heating, ice melting, and changes to plants worldwide. Reducing emissions—by making less and removing some carbon—will take years to work. If we wait to see if the science is right and the planet is warming because of human actions, it’ll be too late to act by the time we’re sure. So, we need to manage climate change risks now, even if we’re not 100% certain. Doing nothing until the proof is clear could leave the world much worse for people in the future. Even though climate change is still an emerging risk, that doesn’t mean we should ignore it. Many sustainability risks are emerging, but the key question is when to start managing them. Sometimes, we have to act even if we don’t fully understand the risks yet.
Just Transition
Working toward all 17 Sustainable Development Goals (SDGs) at once is challenging because pushing hard on one goal can sometimes harm others. For instance, if we focus only on SDG 13 (Climate Action) and forget about the other 16 goals, we might accidentally make things worse for SDG 1 (No Poverty). That’s why we need to find a fair balance. Climate change is a pressing issue that’s rushing us toward sustainability, but we have to tackle it without breaking the other goals. This careful way of handling climate change—especially how we produce energy—is called the “Just Transition.” The name “Just Transition” comes from “just,” meaning fair and rooted in justice. People see it in different ways, though. For some, it’s about helping workers in industries like oil, gas, or coal switch to new jobs as energy changes. But for most, it’s a bigger idea: using this shift to create opportunities, like spreading wealth more evenly, boosting education, and fighting diseases. To make the Just Transition happen, we have to spot where goals clash and figure out how to balance them. Good risk management plays a big role here, helping us weigh the ups and downs of our choices so we can keep everything in harmony. A just transition isn’t just about achieving sustainability—it’s about people too. By prioritizing fairness and inclusion, it ensures that the journey to a sustainable future benefits everyone, not just a select few.
A just transition refers to the process of shifting to a more sustainable economy in a way that is fair and inclusive, ensuring that no one—particularly workers and communities affected by changes in industries like energy or manufacturing—is left behind. It’s a concept rooted in sustainability and climate change efforts, aiming to address environmental challenges while preventing economic and social disruption. Essentially, it balances the need to protect the planet with the need to support people, ensuring that the move toward a greener future is equitable.
To make a just transition successful, several key steps are necessary:
- Stakeholder Engagement: Involve everyone who might be impacted—workers, unions, businesses, and local communities—in the decision-making process. Their input helps identify concerns and tailor solutions to their needs, ensuring the transition feels fair and collaborative.
- Planning and Support: Governments and companies should proactively plan for changes in the workforce. This includes offering retraining programs, financial assistance, or other support for workers whose jobs may disappear or evolve due to the shift to sustainable industries.
- Investment in Sustainable Opportunities: Create new jobs and industries to replace those that are phased out. For example, investing in renewable energy, green technology, or sustainable manufacturing can provide employment opportunities that align with environmental goals.
- Protection for Vulnerable Groups: Safeguard communities that might be disproportionately affected, such as low-income populations or indigenous groups. Special measures, like targeted funding or tailored programs, can ensure they aren’t unfairly burdened by the transition.
- Monitoring and Adaptation: Continuously evaluate how the transition is unfolding. By tracking its impacts and adjusting policies as needed, we can address any unintended consequences and keep the process equitable and effective.
- Individual thinking: Risk management can be used to help individuals think more broadly than might otherwise be the case. Tools such as horizon scanning, scenario analysis, and emerging risk reviews can be used to aid this thinking. Sustainability affords every organization the opportunity to re-think its potential threats, opportunities, and strategy. Risk management is key to supporting this “re-think.”
Accountability
Many companies and initiatives face accusations of “greenwashing,” where they present themselves as environmentally and socially responsible while doing little to genuinely support sustainability—instead using these claims primarily for financial gain. Terms like sustainability, ESG (Environmental, Social, and Governance), and CSR (Corporate Social Responsibility) are often criticized as part of such greenwashing, undermining their potential benefits. To be meaningful, sustainability efforts must focus on real action and measurable impact in addressing sustainability-related risks and opportunities. From a risk management standpoint, this means prioritizing actual controls over mere data collection and guidelines. Additionally, performance measurement should be transparent and verifiable. Currently, most sustainability reporting relies on self-assessment surveys, which often emphasize checkbox-style compliance—such as having policies or tracking emissions—rather than tangible progress. However, there is a positive shift toward assessing real-world impact, supported by independent, verifiable data sources like satellite-based emissions monitoring. These third-party datasets enhance credibility, offering stakeholders (such as investors) reliable information to evaluate sustainability performance. Investors increasingly incorporate ESG ratings into their decision-making, alongside traditional financial, legal, and technical due diligence. Post-investment, sustainability KPIs and KRIs (Key Performance and Risk Indicators) may be monitored regularly, reflecting growing expectations for investor stewardship. Accountability for genuine sustainability impact extends beyond companies to investors, insurers, suppliers, and customers—all share responsibility in ensuring organizations deliver real benefits rather than just greenwashing. Several ESG rating agencies have emerged, using proprietary methods to assess and rank companies. 
While their methodologies have strengths and weaknesses, they provide investors with material insights that can influence investment decisions. A notable example of ESG criticism came from Elon Musk, who in 2022 called ESG a “scam” and accused it of being misused by “phony social justice warriors.” His frustration followed Tesla’s removal from the S&P 500 ESG Index, despite its role in electric vehicle production. The exclusion was based on factors like Tesla’s lack of a clear low-carbon strategy, workplace discrimination allegations, and safety concerns related to its autonomous driving systems. This highlights that ESG evaluates not just a company’s products (e.g., electric cars) but also its operational practices. While creating sustainability plans and standards is important, real impact comes from their execution—aligning with the principle that true controls modify risk (whether threats or opportunities). Given the evolving state of corporate sustainability, ESG’s full impact is still emerging. Reporting should emphasize actual progress rather than future promises. Risk management plays a key role in holding organizations accountable, ensuring ESG targets are realistic and properly supported.
Sustainability and resilience
In the past, “sustainability” and “resilience” were often used to mean the same thing. Some organizations still use them interchangeably to suggest long-term survival. However, these terms now have distinct meanings, causing confusion.
Defining Resilience: ISO 22316, the international standard on resilience, defines it as an organization’s ability to adapt to change, recover from disruptions, and continue achieving its goals.
Sustainability vs. Resilience
A sustainable organization improves the planet and society for future generations.
A resilient organization survives shocks and adapts to change.
While a sustainable organization is likely resilient, a resilient one isn’t necessarily sustainable.
Key Differences
- Resilience focuses on survival—how an organization handles internal or external shocks.
- Sustainability looks beyond survival to positive impact—how the organization affects society and the environment.
Materiality Perspective
- Resilience = Single materiality (How risks affect the organization).
- Sustainability = Double materiality (How the organization affects the world, and vice versa).
Climate change
The management of climate-related risks encompasses diverse approaches, with this discussion concentrating specifically on the transformative financial disclosure requirements introduced through the mandatory adoption of the Task Force on Climate-related Financial Disclosures (TCFD) framework, as established during COP26 in Glasgow (2021).
The financial sector is undergoing significant transformation. Entities seeking capital investment are now expected to demonstrate their consideration and management of climate-related factors. In the United Kingdom, this requirement is fulfilled through TCFD compliance reporting. Numerous other jurisdictions – including the European Union, Canada, and the United States – are developing comparable regulatory frameworks, with all indications suggesting these will maintain substantial alignment with TCFD standards. While multiple climate reporting mechanisms exist, the TCFD framework currently represents the focal point for substantial reforms in financial risk disclosure practices.
Historical Development of TCFD:
- 2015-2016: The G20 Finance Ministers commissioned the Financial Stability Board to evaluate climate change as a systemic risk to global financial stability
- 2017: TCFD released its inaugural recommendations, enabling financial institutions to systematically identify and incorporate climate risk assessment into core financial operations
- Subsequent implementation required banking institutions, insurance providers, and investment firms to evaluate potential climate-related financial impacts across their portfolios
- 2020: The Network for Greening the Financial System (NGFS), a consortium of central banks, issued comprehensive guidance for long-term (30-year horizon) climate scenario analysis
- November 2021: The UK government mandated TCFD reporting for all large corporate entities
TCFD Reporting Framework Components:
- Governance – Climate risk oversight structures
- Strategy – Climate impact integration into business planning
- Risk Management – Identification and mitigation processes
- Metrics & Targets – Performance measurement and objective setting
Strategy and risk management
The TCFD governance mandate necessitates structured board-level engagement with climate change matters, including rigorous discussion and challenge processes. In organizations lacking dedicated sustainability committees, this responsibility typically resides with the risk (and audit) committee, as these forums facilitate the most comprehensive integration of climate considerations with broader enterprise risks. It is critical to recognize that governance structures must be tailored to each organization’s specific operational context. Effective governance must align with and support organizational strategy. Climate-related considerations should be formally embedded within the core business strategy rather than treated as a separate initiative. This integration typically occurs through a structured process involving:
- Comprehensive materiality and risk assessments
- Control evaluation and action planning
- Continuous performance monitoring and strategy refinement
This cyclical approach enables progressive optimization of climate strategy implementation. TCFD specifically recommends scenario analysis as the primary methodology for evaluating potential climate risks and informing strategic responses. The framework provides particularly valuable guidance on categorizing climate-related risks:
Physical Risks:
- Sea level rise
- Drought conditions
- Extreme weather phenomena
- Wildfire incidents
Transition Risks:
- Carbon pricing mechanisms
- Insurance availability and affordability
- Regulatory compliance requirements
While TCFD terminology distinguishes risks (exclusively negative) from opportunities, organizations may concurrently assess both elements using conventional enterprise risk management methodologies. This dual perspective allows for comprehensive threat mitigation while capitalizing on emerging prospects in the transition to a low-carbon economy.
Scenario analysis
The Task Force on Climate-related Financial Disclosures (TCFD) asks companies to do a scenario analysis. This means looking at risks (and opportunities—TCFD uses both terms) for the medium term (about the next 7 years) and the long term (about the next 25 years). TCFD doesn’t say exactly how to do it, so it’s usually up to the risk manager to pick the best way. Scenario analysis is a tool used when figuring out risks is too tricky or costs too much. Climate change is complicated and uncertain, so it fits this approach. A scenario is like a story that shows how things might turn out—it’s not a guess about what will happen or just the most likely result. Instead, it helps companies imagine different possible futures. The Network for Greening the Financial System (NGFS) has created some trusted scenarios with solid data behind them. They update these regularly. Most companies start with these scenarios because they’re reliable and match what others are doing. Doing the scenario analysis is useful, but the real benefit comes from what happens next: the actions it sparks, the changes to plans, and the goals and measures set to track progress.
Climate change – metrics and targets
Organizations track many different things related to climate change—like water use or how diverse their leaders are—but right now, most focus on emissions.
Types of Emissions
Emissions are split into three groups, called scopes:
- Scope 1: Direct emissions from things the company owns, like its buildings or cars.
- Scope 2: Indirect emissions from energy the company buys, like electricity or heating for its own use.
- Scope 3: Other indirect emissions, split into:
  - Upstream: Things like goods and services the company buys, fuel use, shipping, waste, business trips, employee commutes, and leased items.
  - Downstream: Things like shipping sold products, how products are used, or what happens to them when they’re thrown away, plus investments or franchises.
For example, an investment bank might have tiny Scope 1 and 2 emissions but a huge Scope 3 footprint because of the emissions from the companies it invests in. Ideally, every organization should measure and report all three scopes. Emissions include all key greenhouse gases, not just carbon dioxide. The big aim is for all organizations to hit net zero emissions—and keep it that way—before 2050. They’ll do this with a transition plan that tracks their progress. The term “net zero” can be tricky and changes over time. Right now, it means cutting emissions as much as possible and using offsetting (like buying carbon credits) when cutting more isn’t an option. This balances things out so the organization adds no extra emissions to the air. Buying carbon credits to offset emissions is a growing market. By 2030, experts think a ton of carbon in the U.S. might cost between $100 and $200. The rules, markets, and prices are still unclear, which makes this tricky. With so much uncertainty about rules, costs, and markets, risk management is key. It helps organizations handle the risks and possibilities tied to climate change over the coming decades.

