Mastering CDP Scoring

The IRO process CDP wants to see

Lesson 3.1

Key takeaway

The IRO module is where CDP asks how you actually identify, assess, and manage environmental dependencies, impacts, risks, and opportunities. It is the module where most companies lose points, not because their answers are wrong, but because the process they describe, though real, is informal, and CDP's rubric awards points for formality and frequency. This lesson explains what CDP wants to see in an IRO process and the moves that turn an informal practice into a Leadership-tier answer.

What "IRO" actually means

CDP uses four letters together: dependencies, impacts, risks, opportunities. It is worth defining each clearly before you answer.

| Term | What it means | Who studies this |
| --- | --- | --- |
| Dependency | How your business relies on natural systems (water for cooling, fertile soil for inputs, stable climate for crop yields) | Operations, procurement |
| Impact | How your business affects natural systems (emissions, water withdrawal, deforestation, plastic waste) | Sustainability, operations |
| Risk | How environmental change could hurt your business (drought disrupting supply, carbon price increasing costs, flooding damaging assets) | Risk function, finance, board |
| Opportunity | How environmental change could benefit your business (low-carbon products gaining share, green finance reducing capital costs) | Strategy, BD, finance |

The four are linked. Today's impact often becomes tomorrow's risk. A water-intensive operation in a dry region creates an impact (depletion) and a dependency (continued access). If the basin runs short, that becomes a risk. The quality of your IRO process is judged partly on whether you treat these as connected, not in silos.

What CDP wants to see

The IRO module asks you to describe your process across roughly five dimensions:

  • Coverage. Does your assessment cover all relevant operations, geographies, and value chain tiers?
  • Frequency. How often do you run the assessment? Annual is the floor for a Management-tier answer.
  • Methodology. What frameworks and tools do you use? TCFD-aligned scenario analysis, ENCORE for nature, WRI Aqueduct for water risk, CDP's own forest risk assessment, sector-specific climate scenario tools.
  • Integration. Is the IRO output integrated into other business processes? ERM, financial planning, board risk reviews, capital allocation?
  • Substantive thresholds. How do you decide what counts as "material" or "substantive"? CDP wants quantitative thresholds, not "we judge it on a case-by-case basis."

A Disclosure-tier answer says "yes we have a process." An Awareness-tier answer describes the process. A Management-tier answer shows that the process runs at the right frequency and feeds business decisions. A Leadership-tier answer adds quantitative substantive thresholds and external benchmarking against peer practice.

Analogy

Think of the IRO process like a regular medical check-up. A Disclosure-tier company says "yes, we go to the doctor." Awareness adds "we go annually and check blood pressure, cholesterol, and BMI." Management adds "the doctor also reviews family history and recommends specific tests." Leadership adds "we share the report with our cardiologist for a second opinion and benchmark our metrics against population norms."

The depth of process is what scores, not just having one.

How frequency drives the score

CDP's scoring rewards frequency.

  • Annual assessment is the floor for any Management-tier point.
  • More than annual (continuous monitoring, quarterly updates) earns Leadership consideration in some questions.
  • Less than annual (every two years, ad hoc) caps you at Awareness.
  • No fixed frequency typically scores at Disclosure only.

The reason is structural. Environmental conditions change. A risk assessment from three years ago does not reflect today's drought, today's policy, today's supply chain. CDP wants to see that your process keeps pace with the world it is assessing.

Worked example

InfraCorp India Ltd (synthetic example). A mid-sized infrastructure company that conducts a formal climate risk assessment every two years. They describe a thorough methodology using physical and transition scenarios. But the two-year gap caps their Management-tier eligibility.

Fix: They add an annual "lighter" review between full assessments, focusing on changes in policy and material physical events. The new process is not as deep as the biennial full assessment, but it satisfies CDP's frequency expectation. With the same content, they move from a B to a B-plus the next year.

Substantive thresholds, what CDP wants in numbers

Question 2.2 asks you to define your "substantive financial impact" threshold. This is the dollar (or rupee) amount above which a risk or impact is considered material enough to disclose.

Most first-time responders write something like "we assess based on materiality." That is not a threshold. CDP wants something like:

  • "Substantive impact is defined as anything that could affect EBITDA by more than 1 percent of group revenue, or a single asset by more than 5 percent of replacement value, in any given year."
  • "We use a materiality matrix with quantitative impact thresholds at 0.5 percent of revenue (low), 2 percent (medium), 5 percent (high)."

Numbers, not adjectives.

You can describe the same risk in two ways: "climate change is a material risk to our supply chain" or "climate change could increase input costs by USD 12 million annually under a 4 degree warming scenario, equivalent to 2.3 percent of revenue, which crosses our 1 percent substantive threshold." The second answer is identical in content but worth significantly more points. CDP's scoring methodology pays for quantification, not for sentiment. The threshold is the proof that you have a quantitative discipline.

Integration with other business processes

A serious IRO process is not a stand-alone sustainability report. It feeds ERM (enterprise risk management), capital planning, M&A diligence, and board risk reviews.

The Leadership-tier evidence the grader looks for:

  • ERM integration. Climate, water, biodiversity risks appear on your top-10 corporate risk register, with named owners, mitigation plans, and review schedules.
  • Capital allocation. Major projects (new plants, acquisitions, large capex) include environmental risk and opportunity analysis as a required diligence step.
  • Board cadence. The board (or a committee of it) reviews IRO output at least annually, with documented minutes and decisions.
  • External validation. You commission third-party reviews (TCFD readiness assessments, biodiversity baseline studies, water risk audits).

If you can show two or three of these, you are in Management-tier territory. If you can show all four with documentation, Leadership.

Worked example: from informal to Leadership-tier

Worked example

ConsumerGoodsCo, India (synthetic). First CDP response. Real practice on the ground:

  • They run an informal annual risk workshop with operations and procurement.
  • The CSO tracks weather-related supply chain disruptions in a personal spreadsheet.
  • The CFO has flagged climate-related capex risk in two recent board meetings.
  • No documented thresholds, no formal methodology, no external validation.

This is real environmental governance. But it scores at Disclosure-tier only, because the process is informal and undocumented.

The Leadership-tier upgrade. Same content, formalised:

  • The annual workshop becomes a structured assessment using CDP's recommended TCFD framework and WRI Aqueduct for water.
  • The CSO's spreadsheet becomes a formal risk register, integrated with the corporate ERM system.
  • The CFO's board flags become a quarterly climate risk standing item, minuted.
  • A consulting firm (any of the CDP Accredited Solutions Providers) does an annual external review.
  • Substantive thresholds defined at 1 percent of EBITDA per single risk, 0.25 percent per opportunity.

Same risks, same insights, same business reality. But now the process is documented, frequent, integrated, and externally validated. The score jumps from D to A minus on this module alone.

Practitioner takeaway. The work to upgrade from informal to Leadership is mostly documentation, not new content. Companies that recognise this often gain two letter grades in a single year.

Key Takeaways

  1. The IRO module covers dependencies, impacts, risks, and opportunities, treated as connected concepts rather than silos
  2. CDP rewards frequency: annual is the floor for Management tier, more frequent reviews unlock Leadership
  3. Substantive financial impact thresholds need to be quantitative numbers, not adjectives like 'significant' or 'material'
  4. Leadership-tier answers show integration with ERM, capital planning, board oversight, and external validation
  5. Most first-time responders already do real IRO work informally; the upgrade to Leadership tier is documentation and formalisation, not new substance

Knowledge Check

Test what you just learned


What does IRO stand for in CDP's terminology?

What frequency of IRO assessment is the floor for Management-tier scoring?

Which substantive threshold answer scores higher?

True or false: A company that runs a real but informal IRO process scores at Management tier.

Which integration evidence does Leadership-tier IRO disclosure show?

Select all that apply

Match each tool to its primary use in the IRO process.

Match each item to its pair

TCFD-aligned scenarios

ENCORE

WRI Aqueduct

TNFD LEAP
