Climate Controlled

Two Types of Risk

It is important to view climate risks from two different perspectives risks that arise out of uncontrollable environmental factors and risks that arise out of failure to take effective action to reduce the impacts of such environmental factors. Broadly, climate risks can be categorized as physical and transition-related risks. 

Physical risks stem from severe weather-related events, such as floods, cyclones, fires, or other natural disasters. They have a large impact on infrastructure and disrupt supply chains and service delivery. Fast-moving events are considered acute risks.

Slow-moving events can also create physical risks, such as sea level rise and coastal changes that impact infrastructure, transportation, communication, agriculture, etc. These gradual events are considered chronic risks and have a more incremental but longer-term effect on operations.

Both acute and chronic physical risks can have a variety of impacts. Some examples are damage to infrastructure, stranded assets, cost increases from higher insurance premiums, and attitudinal and expectation shifts (for instance, informed customers may refuse to engage with organizations that do not mitigate climate damage caused by their processes). 

Transition-related risks include adaptation and mitigation risks. These climate risks result from transitioning to a low-carbon and more climate-resilient economy.

Adaptation risks also can be wide-ranging. Organizations might experience strategic uncertainty from difficulty predicting long-term impacts on future investments, or impaired valuation arising from the deteriorating effects on stranded assets. Or they may be faced with reputational damage from failure to adapt to threats posed by climate change and a transition to net zero, or from inappropriate disclosure of climate-related information (e.g., greenwashing). Mitigation risks can emerge from policy and regulatory shifts that require additional due diligence, enhanced disclosures in financial statements, additional spending to comply with new regulations, and increased litigation due to breached climate regulations.

Climate-change Opportunities

Efforts to mitigate and adapt to climate change can also produce opportunities for organizations. These positive gains, in the form of resource efficiency or cost savings, can result from the transition to carbon-efficient operations or decarbonization. For instance, electric cars require advances in battery technology, which promotes innovation. Similarly, warmer winters may present opportunities for vineyards to increase their production areas or for the health-care industry and governments to reduce cold-related mortality. Warmer weather can offer opportunities to the maritime transport industry and English ports to reap the benefits of opening an Arctic trade route. Moreover, advances in energy-efficient building design may create opportunities for organizations to reduce electricity and water usage.

Transition and physical risks and opportunities will have substantial effects on strategic planning and risk management, with potentially significant financial impacts on the income statements, balance sheets and cash flow statements of organizations. As a result, climate governance is entering the audit universe and audit plans of internal audit teams across organizations. Internal auditors must consider principles for effective climate governance.

Assess the Role of Governance and Leadership

Climate risk management must be an essential part of an organization’s governance. It should be fundamental to how the organization is directed, managed, and controlled at all levels. Internal auditors need to review whether the board is adequately considering the risks and opportunities presented by climate change and whether there is a clear understanding of it among those charged with governance. Auditors can review and assess whether climate risks and opportunities are factored into the organization’s strategy. This involves assessing the climate risk appetite established by the board.

As part of this assessment, internal auditors can look at board briefings on climate change matters, such as results of climate risk deep dives. They can determine the relevance and integrity of data used by management to assess climate-related decisions. Roles and responsibilities should be documented, clearly defining the accountabilities for climate risk. Internal audit can assess whether there are gaps in climate competence and determine whether the board supports objective decision-making on climate issues.

One way to do this is to assess whether the strategic objectives, budgets, and delivery plans reflect climate change risks and opportunities. For example, a city council in Australia recycles crushed glass from its waste stations as a substitute for sand and aggregate in road materials. Meanwhile, Queensland Transport and Main Roads department in Australia estimates that it uses up to 10% of recycled glass in asphalt bases and up to 20% in gravel bases in road construction.

Internal auditors can examine how climate risks and opportunities are embedded in policy development, if policy development supports such opportunities, and whether there are adequate processes to track the realization of these benefits.

Identify and Assess Climate Risk

Climate risk management processes must be structured to include risk identification and assessments. These processes should then be used to prioritize how risks should be managed. Organizations must be rigorous about identifying climate-related risks and opportunities. This is particularly true for adaptation and mitigation risks. Because many climate risks are long-term in nature, internal auditors should be skeptical about management prematurely labeling climate risks as not material.

Risk assessments should be robust enough to weigh the impact of all the climate risks identified. Once again, internal auditors should consider the integrity of the data used to measure the impact. Furthermore, internal audit can examine whether management has stress tested climate risks and opportunities across sufficiently robust scenarios that are relevant to the organization’s future strategy. This is important because climate risks and opportunities are often uncertain in nature. 

Another area of assessment is the materiality analysis of the risks. A good way for internal audit to assess the risk analysis process is to benchmark it against similar organizations in the relevant sector.

Respond to Climate Risk

The key challenge in climate risk management is the inherent uncertainty and the need for these risks and opportunities to be considered in strategic decision-making. Internal auditors can assess whether the organization has sufficiently considered such unpredictability and whether the risk responses are flexible enough. Auditors also need to examine the interconnectedness of climate risks and opportunities with other principal risks.

Internal auditors should ask if climate-related risk responses are aligned with the organization’s risk appetite and whether there are any indications that the risk appetite needs reassessment, especially in the context of the climate risk unpredictability. 

One good practice to recommend to senior management is developing a climate adaptation strategy and integrating the climate risk responses to that. For example, the New Zealand Department of Conservation’s climate adaptation plan articulates how it will adapt risk management and project management tools to integrate with climate adaptation strategy and action plans, and how it will evaluate, monitor, and report climate actions.

Internal auditors can review how often management reassesses the impact of existing climate risks. If the organization is impacted by legislative or regulatory changes, management needs to track these, too. Additionally, internal auditors should examine how climate risks within the organizations’ third-party vendors and partners are monitored. Climate risks must be appropriately escalated and aggregated effectively. 

Monitoring results must be shared effectively across the organization. Therefore, internal auditors should review the effectiveness of the feedback loop among the results of monitoring, the assessment of residual risks, the effectiveness of risk management activities, and decision making.