
Climate Controlled

Subhasis Sen, CIA, CPA, GAICD | Aug 08, 2022

Climate change is not just a concern for the future. It’s already disrupting business. For proof, turn to The World Economic Forum Global Risk Report 2022, which ranks climate action failure as the most concerning global risk over the next 10 years, followed by extreme weather and biodiversity loss. According to the survey’s 1,000 global experts and leaders, climate change is impacting the world now and is likely to continue to escalate.

As climate change receives global attention, investors and other stakeholders are challenging organizations to demonstrate a well-founded, integrated, and strategic approach to identifying and managing climate-change risks and opportunities. Internal auditors need to become aware of these risks and opportunities and work on developing their climate competence. 

Where climate change is a material and foreseeable risk, board directors have the obligation to address it as part of their risk oversight role. Because boards are realizing they must effectively manage climate risks to stay relevant, internal auditors are increasingly expected to help leaders accomplish this mission. Internal auditors may be asked to:

  • Provide assurance on the effectiveness of climate change risk management.
  • Review the integrity of climate-related data and information disclosures.
  • Assess climate-related compliance and disclosure obligations.
  • Advise on climate-related processes, such as reviewing carbon use, climate impact within the supply chain, or executive incentives that are aligned to climate and sustainability targets.

Two Types of Risk

It is important to view climate risks from two different perspectives: risks that arise out of uncontrollable environmental factors, and risks that arise out of failure to take effective action to reduce the impacts of such environmental factors. Broadly, climate risks can be categorized as physical and transition-related risks.

Physical risks stem from severe weather-related events, such as floods, cyclones, fires, or other natural disasters. They have a large impact on infrastructure and disrupt supply chains and service delivery. Fast-moving events are considered acute risks.

Slow-moving events can also create physical risks, such as sea level rise and coastal changes that impact infrastructure, transportation, communication, agriculture, etc. These gradual events are considered chronic risks and have a more incremental but longer-term effect on operations.

Both acute and chronic physical risks can have a variety of impacts. Some examples are damage to infrastructure, stranded assets, cost increases from higher insurance premiums, and attitudinal and expectation shifts (for instance, informed customers may refuse to engage with organizations that do not mitigate climate damage caused by their processes). 

Transition-related risks include adaptation and mitigation risks. These climate risks result from transitioning to a low-carbon and more climate-resilient economy.

Adaptation risks also can be wide-ranging. Organizations might experience strategic uncertainty from difficulty predicting long-term impacts on future investments, or impaired valuation arising from the deteriorating effects on stranded assets. Or they may be faced with reputational damage from failure to adapt to threats posed by climate change and a transition to net zero, or from inappropriate disclosure of climate-related information (e.g., greenwashing). Mitigation risks can emerge from policy and regulatory shifts that require additional due diligence, enhanced disclosures in financial statements, additional spending to comply with new regulations, and increased litigation due to breached climate regulations.

Climate-change Opportunities

Efforts to mitigate and adapt to climate change can also produce opportunities for organizations. These positive gains, in the form of resource efficiency or cost savings, can result from the transition to carbon-efficient operations or decarbonization. For instance, electric cars require advances in battery technology, which promotes innovation. Similarly, warmer winters may present opportunities for vineyards to increase their production areas or for the health-care industry and governments to reduce cold-related mortality. Warmer weather can offer opportunities to the maritime transport industry and English ports to reap the benefits of opening an Arctic trade route. Moreover, advances in energy-efficient building design may create opportunities for organizations to reduce electricity and water usage.

Transition and physical risks and opportunities will have substantial effects on strategic planning and risk management, with potentially significant financial impacts on the income statements, balance sheets and cash flow statements of organizations. As a result, climate governance is entering the audit universe and audit plans of internal audit teams across organizations. Internal auditors must consider principles for effective climate governance.

Assess the Role of Governance and Leadership

Climate risk management must be an essential part of an organization’s governance. It should be fundamental to how the organization is directed, managed, and controlled at all levels. Internal auditors need to review whether the board is adequately considering the risks and opportunities presented by climate change and whether there is a clear understanding of it among those charged with governance. Auditors can review and assess whether climate risks and opportunities are factored into the organization’s strategy. This involves assessing the climate risk appetite established by the board.

As part of this assessment, internal auditors can look at board briefings on climate change matters, such as results of climate risk deep dives. They can determine the relevance and integrity of data used by management to assess climate-related decisions. Roles and responsibilities should be documented, clearly defining the accountabilities for climate risk. Internal audit can assess whether there are gaps in climate competence and determine whether the board supports objective decision-making on climate issues.

Promote a Climate-risk Culture

To ensure the organization makes informed decisions and achieves its objectives, climate risk management should be integrated in all relevant organizational activities. Internal audit can assess whether the risk culture promoted by the board supports the discussion and understanding of emerging climate risks at all levels. Such climate risk conversation and action need to be integrated across all three lines. Many organizations are including climate-based performance metrics in their remuneration policies.

Climate risks cannot be considered in isolation. Organizations should consider value-for-money alongside risks associated with policy and legislative changes and managing strategic uncertainty. Internal auditors should examine processes in place to embed climate-related risks throughout the organization.



Top 5 Climate Challenges That Are Already Impacting Companies

1. Operational impact of climate-related disasters

2. Regulatory/political uncertainty 

3. Pressure from civil society

4. Need to modify industrial processes

5. Cost of climate change mitigation


Source: 2022 Global CxO Sustainability Survey Report, Deloitte



One way to do this is to assess whether the strategic objectives, budgets, and delivery plans reflect climate change risks and opportunities. For example, a city council in Australia recycles crushed glass from its waste stations as a substitute for sand and aggregate in road materials. Meanwhile, Queensland Transport and Main Roads department in Australia estimates that it uses up to 10% of recycled glass in asphalt bases and up to 20% in gravel bases in road construction.

Internal auditors can examine how climate risks and opportunities are embedded in policy development, if policy development supports such opportunities, and whether there are adequate processes to track the realization of these benefits.

Identify and Assess Climate Risk

Climate risk management processes must be structured to include risk identification and assessments. These processes should then be used to prioritize how risks should be managed. Organizations must be rigorous about identifying climate-related risks and opportunities. This is particularly true for adaptation and mitigation risks. Because many climate risks are long-term in nature, internal auditors should be skeptical about management prematurely labeling climate risks as not material.

Risk assessments should be robust enough to weigh the impact of all the climate risks identified. Once again, internal auditors should consider the integrity of the data used to measure the impact. Furthermore, internal audit can examine whether management has stress tested climate risks and opportunities across sufficiently robust scenarios that are relevant to the organization’s future strategy. This is important because climate risks and opportunities are often uncertain in nature. 

Another area of assessment is the materiality analysis of the risks. A good way for internal audit to assess the risk analysis process is to benchmark it against similar organizations in the relevant sector.

Respond to Climate Risk

The key challenge in climate risk management is the inherent uncertainty and the need for these risks and opportunities to be considered in strategic decision-making. Internal auditors can assess whether the organization has sufficiently considered such unpredictability and whether the risk responses are flexible enough. Auditors also need to examine the interconnectedness of climate risks and opportunities with other principal risks.

Internal auditors should ask if climate-related risk responses are aligned with the organization’s risk appetite and whether there are any indications that the risk appetite needs reassessment, especially in the context of the climate risk unpredictability. 

One good practice to recommend to senior management is developing a climate adaptation strategy and integrating the climate risk responses to that. For example, the New Zealand Department of Conservation’s climate adaptation plan articulates how it will adapt risk management and project management tools to integrate with climate adaptation strategy and action plans, and how it will evaluate, monitor, and report climate actions.

Monitor Climate Risk Performance

Climate risk management processes must include integrated and informative risk monitoring. Internal auditors should review whether management has embedded climate-related risk monitoring into its wider performance metrics to fully integrate climate risks and opportunities into the strategic objectives and key performance indicators. Internal audit should examine whether management understands how the organization’s overall risk profile is likely to change because of climate change risks.

The review should include whether management has defined core performance metrics, including key risk and control indicators for climate risks. The risk appetite and tolerance need to be factored in, as well. One useful line of inquiry would be to assess how these metrics influence strategic decision-making, investment plans, and budget considerations. A case in point is the recent decision by BHP to exit the oil and gas sector arising from its assessment that ongoing involvement in these activities would exceed its climate risk appetite.


97% of executives report their companies have already been negatively impacted by climate change. Half the respondents say these impacts are increasingly disrupting business models and supply networks worldwide.

79% of executives say the world is at a tipping point for responding to climate change, versus 59% eight months prior.

88% of executives say, with immediate action, humans can limit the worst impacts of climate change.

Source: 2022 Global CxO Sustainability Survey Report, Deloitte



Internal auditors can review how often management reassesses the impact of existing climate risks. If the organization is impacted by legislative or regulatory changes, management needs to track these, too. Additionally, internal auditors should examine how climate risks within the organization’s third-party vendors and partners are monitored. Climate risks must be appropriately escalated and aggregated effectively.

Monitoring results must be shared effectively across the organization. Therefore, internal auditors should review the effectiveness of the feedback loop among the results of monitoring, the assessment of residual risks, the effectiveness of risk management activities, and decision making.

Subhasis Sen, CIA, CPA, GAICD

Senior Advisor of Assurance and Compliance, Cross River Rail Delivery Authority, Brisbane, Queensland, Australia
