Issue 1

Unlocking Climate Change Resilience

Keeping people safe and organizations running. Faster.

SRM Leaders Must Plan Immediately for Climate Change Risk or Become Outmoded

Climate change is an operational risk. Investors and stakeholders are driving organizations to strategize and manage material risks arising from climate change. Security and risk management leaders must be involved or accept that they will not have the resources to manage this operational risk.

Overview
Impacts

  • Climate change will introduce new risks and exacerbate existing risks, affecting organizations worldwide.
  • Organizations are under increasing pressure to update their risk assessments and business impact analysis in the face of climate change, particularly with respect to material risks.
  • Climate-related risks introduce new considerations to existing strategic and operational plans.

Recommendations

Security and risk management leaders should:

  • Work with enterprise risk and sustainability leaders to ensure that new climate-change-related risks and changes to existing risks are identified.
  • Work with community leaders, scientists and emergency management organizations to understand and ensure that the assessments related to operational risks are accurate.
  • Validate that response, recovery and restoration plans accurately reflect the impact and likelihood of climate-related risks and other risks that can be triggered by climate-related events.
  • Adapt staffing and talent recruitment plans to account for climate risk impacts on operations, starting with prioritizing highest-risk business regions.
  • Maintain and test operational response plans regularly, and in detail, to ensure their viability in relation to climate-related risks.

Introduction

Climate change is an acknowledged enterprise risk that organizations must address. The financial impacts are significant and growing: According to reinsurer Munich Re, natural disasters — which are made more frequent and severe by climate change — produced $210 billion of known losses in 2020 ($89 billion of which were insured), up 26.5% compared to 2019.

Regulators across the globe require evidence that risks related to climate change are incorporated into enterprise risk management plans. Societal demand has become more intense, and this is reflected in various efforts from shareholder and consumer groups (see Standardizing Climate Risk Management). Climate-related risks accounted for five of the top 10 risks in the World Economic Forum’s (WEF’s) 2021 Global Risk Report (see Figure 1). Significantly, “climate action failure” comes in as the second-highest risk for both impact and likelihood.

Figure 1. World Economic Forum Global Risk Report 2021


Organizations must evaluate ways of building resilience while accounting for the welfare of their workforce in response to climate change. For example, in 2021 alone:

  • Extreme rain globally and floods specifically in China, Germany and India have resulted in casualties and displacement of significant numbers of people.
  • Global average temperatures have increased above the preindustrial baseline. Rising temperatures affect the load on power grids, which then struggle to meet demand. An organization may suffer from untenable brownouts or blackouts that negatively impact the continuity of operations and introduce security failures.

Conversations about these risks will broaden as competition for real estate and resources increases. Geopolitical risks will cascade as situations develop. Inaction in building agility into business will lead to greater impacts than would otherwise occur.

SRM leaders struggle to understand and reflect these risks in their own practices and operations. Climate-related disasters can seem a long way off, vague and unrelated to the day-to-day concerns of operational risk management. However, the early effects of climate change are with us now and can no longer be ignored. These effects can and will touch almost all functions of almost all organizations, including risk management, resilience and business continuity.

Therefore, SRM leaders must now bring a pragmatic approach and work with sustainability and enterprise risk leaders to ensure that the short- and long-term implications are understood, articulated and managed (see Table 1).

Table 1: Impacts and Top Recommendations for Security and Risk Management Leaders

Impact: Climate change will introduce new risks and exacerbate existing risks, affecting organizations worldwide.
Top recommendation: Work with enterprise risk and sustainability leaders to ensure that new climate-change-related risks and changes to existing risks are identified.

Impact: Organizations are under increasing pressure to update their risk assessments and business impact analysis in the face of climate change, particularly with respect to material risks.
Top recommendations:
  • SRM leaders must be prepared to work with community leaders, scientists and emergency management organizations to understand and ensure that the assessments related to these operational risks are accurate — e.g., to understand floodplain changes, the effect of temperature rise on water availability, etc.
  • Validate that response, recovery and restoration plans accurately reflect the impact and likelihood of climate-related risks and other risks that can be triggered by climate-related events.
  • Adapt staffing and talent recruitment plans to account for climate risk impacts on operations, starting with prioritizing highest-risk business regions.

Impact: Climate-related risks introduce new considerations to existing strategic and operational plans.
Top recommendation: Maintain and test operational response plans regularly, and in detail, to ensure their viability in relation to climate-related risks.

Source: Gartner (September 2021)

Impacts and Recommendations

Climate Change Will Introduce New Risks and Exacerbate Existing Risks, Affecting Organizations Worldwide

The challenge with climate risk is that it may seem vague and complicated. SRM leaders must be part of climate risk adaptation efforts by contributing perspective to the overall organizational view.

Identify New Risks and Impact on Existing Risks

SRM leaders should work with line of business (LOB) leaders to ensure that the risks attributable to climate change are accurately recorded in the risk register. Gartner recommends following an impact-based approach to critical activities and the systems and processes that support service delivery. Identify how these can be affected by crises regardless of the specifics of a risk event (see Toolkit: Document Your Cyber and IT Risks in a Risk Register). Forming a cross-functional team of internal audit, compliance, legal and other stakeholders to identify gaps in climate-related risk management activities will establish a diverse risk-aware community across all LOBs.

For example, issue-motivated hackers, or “hacktivists,” are targeting enterprises with large carbon footprints. This is a new risk for enterprises in that they become a larger target for nefarious attacks by simply doing business as usual.

Another example is that, in today’s hybrid work models, a weather event could prevent employees from being able to work because they are working from home and not within an office with business continuity capabilities.

SRM leaders must also maintain open lines of communication with environmental, sustainability and governance (ESG)-related business areas, such as increasingly popular sustainability functions or investor relations. Sourcing and verifying risk information from these business areas can ensure that the climate risk profile captures high-velocity emerging risks related to climate change. Further, this collaboration facilitates more effective identification of climate risk interdependencies.

This is an opportunity for SRM leaders to support ESG materiality assessments, which will greatly reduce the misalignment of risk management and ESG priorities. A materiality assessment is a tool to help executive leaders gather the different stakeholder perspectives on issues and their relative importance to help focus the enterprise’s sustainability programs and ESG risk management strategies on the critical issues. Materiality assessment is an organizationwide exercise, as it involves stakeholders from cross-functional teams.

This is a critical process in identifying material issues that are important to an organization’s sustainability strategy (see Ignition Guide to Conducting a Materiality Assessment).

Organizations Must Disclose Climate Risk

SRM leaders need to understand the climate risk standardization frameworks. The Task Force on Climate-Related Financial Disclosures (TCFD) has developed recommendations for these disclosures. These recommendations are structured around four themes:

  • Governance — Disclose how the organization identifies, assesses and manages climate-related risks.
  • Strategy — Describe the organization’s processes for identifying and assessing climate-related risks.
  • Risk management — Describe the organization’s processes for managing climate-related risks.
  • Metrics and targets — Describe how processes for identifying, assessing and managing climate-related risks are integrated into the organization’s overall risk management.

For years, the complexity and fragmentation of climate and sustainability disclosure frameworks have made it challenging for organizations to implement comprehensive reporting solutions. However, 2020 saw the most widely implemented standards organizations commit to collaborating to integrate and further standardize disclosure frameworks (see Standardizing Climate Risk Disclosures).

Leaders must prepare for climate-related disclosures and listen to stakeholder expectations (i.e., public, investor, regulator) for climate areas of concern and disclosure requirements. This identifies which climate-related financial risks and opportunities affect the organization, so that the risks addressed can be prioritized. Expectations around the world are evolving on climate action. Consumers, employees and regulators increasingly expect enterprises to mitigate their climate impacts. Failure to act on this growing instability will lead to failure in developing strategic plans or adjusting operational plans in due course.

This is leading to new calls for climate transparency and continues to drive interest in climate reporting standardization. In March 2021, the U.S. Securities and Exchange Commission (SEC) created a new climate and ESG task force in the Division of Enforcement. The task force’s focus is on proactively identifying climate- and ESG-related misconduct in financial disclosures. Climate change action, including climate risk disclosure, is no longer a bold act of environmental leadership; it is the key to maintaining a competitive edge. See Note 1 for a table illustrating how the standards organizations plan to combine frameworks, standards and technology platforms for the “risk management” pillar of the TCFD.

An example of the impact of climate-related disclosure is occurring in many organizations, where employees and prospective employees decide whether they want to stay with or work for the company based on the organization’s disclosure of its green initiatives, as many employees feel this is an important social responsibility. Recruiting and retaining talent is often a mission-critical priority for executives; CISOs often struggle to find needed talent in today’s workforce. Hiring challenges will be further exacerbated.

Recommendation:

Work with enterprise risk and sustainability leaders to ensure that new climate-change-related risks and changes to existing risks are identified.

Update Risk Assessments and Business Impact Analysis, Particularly With Respect to Material Risks

Work with enterprise risk and sustainability leaders and others to ensure that risk assessments are accurate, particularly with respect to material risks. SRM leaders cannot drive this change on their own; this will need to be a joint effort between multiple internal stakeholders. Emerging legal (e.g., regulator requirement, class action) and financial (e.g., insurance coverage) considerations compel organizations to ensure effectiveness and accuracy of their risk assessments and business impact assessments. These compelling reasons will only grow in stature (see Headline Statements from the Summary for Policymakers, IPCC).

Organizational climate change adaptation strategy should be based on the objective of long-term sustainability through business continuity management planning. Organizations should integrate climate risk as a new impact category in the business impact analysis (BIA) to determine short- and long-term consequences, from which strategies for continuity of operations can be developed. Also, by understanding the impacts, changes to operating decisions can be made early so that investments aren’t wasted, and losses can be minimized. SRM leaders should work with sustainability and line-of-business leaders to ensure that the risks attributable to climate change are accurately recorded and reflected in the risk assessment and BIA.

Risks should be recorded in a risk register. This will establish a diverse risk-aware community across all LOBs (see The Business Impact Analysis: A Digital Business Essential). Consider how climate change alters the impact and likelihood of material risks; these impacts must be recorded in the risk register for prioritization (see Toolkit: Document Your Cyber and IT Risks in a Risk Register). If these risks are not recorded for prioritization, there is a good chance that a critical business process will be left out of continuity planning. For example, if climate change impacts availability of water supply to a company location that requires it, then that risk needs to be identified and plans created to address it, such as moving the site — a business continuity challenge. In the absence of impact-driven decision making, negotiations and the business cases for necessary resources to maintain the viability of operations are more likely to fail.

Recommendations:

  • SRM leaders must be prepared to work with community leaders, scientists and emergency management organizations to understand and ensure that the assessments related to operational risks are accurate — for example, to understand floodplain changes, the effect of temperature rise on water availability, and so on.
  • Validate that response, recovery and restoration plans accurately reflect the impact and likelihood of climate-related risks and other risks that can be triggered by climate-related events.
  • Adapt staffing and talent recruitment plans to account for climate risk impacts on operations, starting with prioritizing highest-risk business regions.

Climate-Related Risks Introduce New Considerations to Existing Strategic and Operational Plans

Reflect the changes in the risk profile most effectively by developing strong causal chains, which enable you to accurately identify relationships between risks and business impact. SRM leaders must take on the role of facilitators to develop these causal chains, which depict the cause-and-effect relationship that results in a business-outcome-driven decision-making process. This will help tie key risk indicators (KRIs) to key performance indicators (KPIs) and their impact on the enterprise’s performance.

SRM leaders can map the relationship between climate change and business risk by developing causal chains from risk to business outcome. An example of a causal chain is represented in Figure 2. For instance, extreme weather could lead to outages that negatively impact data centers, threatening the high availability of systems, which in turn could negatively impact business outcomes such as profitability. (See Developing Key Risk Indicators: The Relationship Between KRIs, KPIs and Business Outcomes for a detailed discussion on causal chains.)

Figure 2 shows that critical IT availability and business continuity management (BCM) readiness must be evaluated in terms of various scenarios. For example, situations like extreme weather impacts or cybercriminals attacking water supply infrastructure during extreme drought conditions in an area could both lead to devastating impacts on life and property.

Figure 2. Example of a Causal Chain


The causal chain aids SRM leaders when working with risk owners to identify whether climate change acts as a risk amplifier. This will help leaders prioritize risks that will require immediate response. It is likely that executives will yield to one common thought trap while going through this process — they could assume that this exercise will call for expensive efforts to respond to a risk. It is imperative at this stage for SRM leaders to emphasize that the goal is to act on the low-cost, high-value mitigation strategies.

Traditional risk management sometimes focuses only on minimizing threats using controls. If your threats exceed predictability or control, then measuring them has minimal value. Climate risk will impact all aspects of the business — people, process and technology. From the perspective of an SRM leader, climate events could impact confidentiality or integrity; however, they most definitely have an adverse effect on the availability of systems.

Based on the inherent risks identified through risk assessments and BIAs, executive leadership can decide what risks can be accepted and which ones they are willing to remedy. If an organization has identified certain risks that could pose an existential threat to the organization, then it is necessary to ensure that decisions made across the organization adequately take these risks into consideration.

For example, an organization that runs its business primarily through bricks and mortar identifies that all of its stores are in regions that have faced record-high temperatures, and that this has impacted sales. The risk should be recorded in the risk register, and leadership should be informed about the changes needed. The mitigation strategy in this case might be to digitize the shopping experience, which could in turn increase security concerns.

This explains how a risk affecting the overall business strategy suddenly becomes an SRM leader’s issue as well — senior executives typically have a very low appetite for such risks for fear of catastrophic consequences of having to implement high-cost mitigation strategies. By this stage, the business case for any required remedies will have been established through the BIA; in this case, can organizations digitize their business?

LOB leaders, working with SRM leaders, are responsible for articulating the impact of risks; however, SRM leaders should work with sustainability leaders and other stakeholders to decide how likelihood will change. This will require LOB leaders to engage with community leaders to understand community emergency plans and capabilities.

Business leaders and SRM leaders should make sure these plans are exercised regularly, and refine their various incident response plans on an ongoing basis. For example, have you validated the performance and efficiency of your infrastructure in a wide range of temperature fluctuations? Or in the absence of a key staff member, do you have a succession plan?

Recommendation:

Maintain and test operational response plans regularly, and in detail, to ensure their viability in relation to climate-related risks.

Note 1: Framework Combination for TCFD Risk Management Pillar

Table 2: Framework Combination for TCFD Risk Management Pillar

Risk Management: Disclose how the organization identifies, assesses and manages climate-related risks.

Recommended disclosure (a): Describe the organization’s processes for identifying and assessing climate-related risks.
Mapped disclosures:
  • GRI Standards: GRI 102, 103 w/201 and 305
  • CDSB Framework: REQ-01, REQ-02, REQ-03
  • SASB Standards: Application Guidance Section 5.0, Disclosure Topics
  • <IR> Framework: 4.22

Recommended disclosure (b): Describe the organization’s processes for managing climate-related risks.
Mapped disclosures:
  • GRI Standards: GRI 102, 103 w/201 and 305
  • CDSB Framework: REQ-01, REQ-02, REQ-03
  • SASB Standards: Application Guidance Section 5.0, Disclosure Topics, Accounting Metrics
  • <IR> Framework: 4.23

Recommended disclosure (c): Describe how processes for identifying, assessing and managing climate-related risks are integrated into the organization’s overall risk management.
Mapped disclosures:
  • GRI Standards: GRI 102, 103 w/201 and 305
  • CDSB Framework: REQ-01, REQ-02, REQ-03, REQ-06
  • SASB Standards: Application Guidance Section 5.0, Disclosure Topics
  • <IR> Framework: 3B, 2.26, 4.26, 4.56

Metrics and Targets: Disclose the metrics and targets used to assess and manage relevant climate-related risks and opportunities where such information is material.

Recommended disclosure (a): Disclose the metrics used by the organization to assess climate-related risks and opportunities in line with its strategy and risk management process.
Mapped disclosures:
  • GRI Standards: GRI 102, 103 w/201, 302, 303, 305, 306
  • CDSB Framework: REQ-02, REQ-04, REQ-05 and REQ-06
  • SASB Standards: Disclosure Topics, Accounting Metrics, Use of the Standards
  • <IR> Framework*
  • CDP Questionnaire: C1.3a, C4.2, C4.5a, C9.1, C11.3a, F4.4a, F6.2a, W1.2, W4.1a, W-FB6.4a/W-CH6.4a/W-EU6.4a/W-OG6.4a/W-MM6.4a, W7.4, W8.1a

Recommended disclosure (b): Disclose Scope 1, Scope 2, and, if appropriate, Scope 3 GHG emissions and the related risks.
Mapped disclosures:
  • GRI Standards: GRI 103 w/201 and 305
  • CDSB Framework: REQ-04, REQ-05
  • SASB Standards: Disclosure Topics, Accounting Metrics, Use of the Standards
  • <IR> Framework*
  • CDP Questionnaire: C2.3a, C5.1, C6.1, C6.2, C6.3, C6.5, C6.10, C7.1, C7.1a, C-CO7.1b/C-EU7.1b/C-OG7.1b

Recommended disclosure (c): Describe the targets used by the organization to manage climate-related risks and opportunities and performance against targets.
Mapped disclosures:
  • GRI Standards: GRI 102, 103 w/201, 302, 303, 305, 306
  • CDSB Framework: REQ-02
  • SASB Standards: Disclosure Topics, Accounting Metrics
  • <IR> Framework*
  • CDP Questionnaire: C4.1, C4.1a, C4.1b, C4.2, F6.2a, W8.1a

* “Various elements of guidance, but no requirements.”

Source: Impact Management Project, World Economic Forum and Deloitte

Source: Gartner Research G00751880, By Deepti Gopal, Simon Mingay, David Gregory, 8 September 2021