A practical sustainability risk taxonomy with common scenarios and treatments

Sustainability risks are commonly defined as those impacting on the long-term viability of organizations. They affect wide environmental, social, and governance objectives. Several compliance requirements for non-financial and climate change reporting increased the need to adjust and standardise the risk criteria for multiple and fragmented decision-making processes.

The following guide provides non-industry-specific risk scenarios and treatments grouped by a suggested taxonomy to benchmark reporting practices.

X) Taxonomy domain

1. Risk scenario > frequent risk treatments

A) Risks of poor sustainability governance

1. Erroneous decisions due to incorrect indicators > audit data inputs and formulas, assign owners to non-financial data, validate data inputs

2. Failure to communicate material sustainability risks > reconcile risk assessments against asset inventories, follow top-down and bottom-up approaches, compare losses and incidents causes against identified risks

3. Ineffective contingency plans and crisis protocols > test crisis protocols for multiple scenarios, update procedures

4. Breach of obligations towards stakeholders > reconcile risk assessments against the stakeholder matrix, maintain a list of obligations

B) Risks of climate change

1. Variability of water supply > build reservoirs, diversify water sources, reduce water footprints

2. Variations in crop productivity > contract options, build artificial irrigation systems

3. Fluctuations in price and availability of raw materials > contract hedging options, identify alternative suppliers and raw materials, increase under-delivery penalties in supply contracts

4. Emerging infectious diseases > make operations more flexible for remote work, and high absenteeism, prepare communication with employees, suppliers and clients

5. Deforestation and loss of biodiversity > identify and protect species and habitat affected by operations, perform environmental impact assessment, stabilize soils, control invasive species, regenerate native species

6. Failure of low carbon economy projects > test project assumptions with pilots

C) Risks of environmental hazards

1. Hazardous spills and emissions > develop and test contingency plans, design building layouts for disaster resistance, contract insurance

2. Inefficiencies in energy use > audit energy consumption, reduce electricity and gasoline consumption, maintain machinery, avoid business trips, prioritize local purchases, use LEDs for lighting

3. Waste management inefficiencies > waste reuse, recover waste into energy, implement zero-waste initiatives

4. Floods, fires, hurricanes, earthquakes and natural disasters > assess vulnerabilities on impacted assets, improve maintenance, test emergency, response and contingency plans

D) Risks of social hazards

1. Failure to meet customer expectations > monitor and survey customer behaviors and preferences, approve sponsorships, assess the impact of new products, attract and train talent

2. Non-compliance with human rights commitments > audit working conditions especially for contractors and third and fourth parties, implement volunteering programs

3. Strikes and poor working conditions > audit working hours and wages for internal and third-party employees, inspect working and safety conditions, communicate labor rights, promote internal associations

4. Suboptimal talent management > identify critical talent segments and capability gaps with future operations, identify talent pools for target actions, collaborate with universities and recruiting events

5. Occupational accidents > raise awareness on workplace safety, report and analyze near-misses and accidents, inspect factors such as lack of protective equipment, ineffective maintenance, poor driving, and drug abuse, limit operations under unsafe conditions such as bad weather or night, communicate emergency plans and practices in safety meetings

6. Exposing clients to fraud and privacy threats > analyze the external impact of potential data breaches, encrypt personal information, quarterly revalidate users, install data loss prevention software, compile a data inventory data with owners and custodians, prevent the use of removable memories, monitor and prevent external attacks, train on phishing and data hyena

E) Risks of bankruptcy

1. Low profitability or high volatility > assess the volatility of assumptions used for business models and key projects, assess insurance policies, diversify clients and products, implement cost-cutting initiatives, sell non-essential assets

2. Increased competition > protect patents, innovate with products and segments

3. Loss of funding > improve investor relations, seek access to new funding sources, stress test on the covenants and liquidity

4. Tax disputes > approve and audit tax calculations, reconcile tax filings against calendars

F) Risks of non-compliances

1. Loss of licenses, permits and certifications > compile an obligation register, implement controls on obligations, document procedures, perform compliance audits

2. Lack of accountability > assess the alignment of objectives with responsibilities and accountabilities, implement management reviews

3. Accounting and operational fraud > perform due diligence on employees and managers, document and implement internal controls, validate high-risk operations, implement a complaint line, report and approve conflicts of interest, perform anti-fraud audits

4. Non-compliance with regulations and laws > document policies, perform compliance audits, retain documentation on decision-making, train on regulations with disciplinary and criminal implications, monitor high risk activities by employee types, third-parties, transactions and countries

G) Risks of technological threats

1. Loss of confidentiality of IT assets > have an inventory of IT assets, certify user rights, address security vulnerabilities, update firewall rules, protect network perimeters, encrypt data, implement data loss prevention solutions

2. Loss of integrity of IT assets > test and monitor interfaces, implement and audit data quality rules, create audit trails, implement data error solutions

3. Loss of availability of IT assets > simulate emergency response workflows, set and approve target recovery times, update anti-virus and patches

4. Lack of innovation > implement a continuous improvement program

H) Risks of supply chain operations

1. Lack of control over suppliers and contractors > Expand due diligence and ongoing due diligence, implement a sustainability and supplier policy and controls for contractors, approve subcontractors, request guarantees, references and certifications, add contractual clauses for internal policies compliances, inspect the supplier activities

2. Shortages and logistical delays > increase contractual penalties, request suppliers to communicate performance risks

Professor Hernan Huwyler is head of Vendor Due Diligence and Third Party Risk at Danske Bank