Key takeaway
Module 3 is where you turn your IRO process output into specific, named risks. CDP wants each risk to have a type, a driver, a financial impact, a time horizon, a likelihood, and a mitigation strategy. Most companies disclose risks vaguely ("climate change is a risk to our supply chain") and lose most of the available points. The companies that score well disclose risks the way an investor or regulator would expect: specific, quantified, and tied to a balance-sheet item. This lesson explains the structure and the moves that score.
What CDP expects per disclosed risk
For each material risk you disclose, CDP wants a structured record. The required fields typically include:
| Field | What goes in |
|---|---|
| Risk type | Acute physical, chronic physical, transition (policy, technology, market, reputation), or systemic |
| Risk driver | The specific environmental change that causes the risk (e.g., carbon pricing, drought, deforestation policy, supply chain disruption) |
| Time horizon | Short, medium, or long, matching what you defined in Module 2 |
| Likelihood | Probability bucket (very unlikely to virtually certain), often expressed as a percentage range |
| Magnitude of impact | Qualitative (low, medium, high) plus quantitative (currency value or percentage of a financial metric) |
| Financial impact figure | A specific number with a methodology note explaining how you calculated it |
| Description | 2-4 sentences explaining the mechanism: how this risk would materialise and propagate |
| Mitigation | What you are doing or plan to do about it, with cost and timeline |
The pattern is consistent across all the climate, water, and forests risk questions. Master the structure once and you can answer them all.
Risk type, the first classification
CDP uses TCFD's classification: physical risks (the climate is changing) and transition risks (the world is responding to climate change), plus emerging classifications for nature, water, and forests.
| Type | Examples |
|---|---|
| Acute physical | Cyclone damaging coastal plant; flooding closing a logistics route; heat wave forcing operational shutdown |
| Chronic physical | Long-term drought reducing crop yields; sea-level rise eroding port assets; rising temperatures lowering productivity |
| Transition policy | Carbon tax increasing operating costs; ban on diesel vehicles affecting fleet; CBAM affecting EU exports |
| Transition technology | Battery cost decline making ICE products obsolete; alternative materials (plant-based protein, recycled content) shifting demand |
| Transition market | Investor preference for low-carbon assets raising cost of capital; corporate buyers requiring science-based targets from suppliers |
| Transition reputation | Activist campaign targeting deforestation in supply chain; consumer boycott over plastics |
The grader expects you to disclose risks of multiple types, not just one. A response that lists only physical risks misses the transition exposure (which is often more material in the medium term). A response that lists only transition risks ignores the physical reality.
Quantification, the dividing line between Awareness and Management
Most first-time responders write something like:
"Carbon pricing in our key markets is a transition risk that could affect operating costs."
This earns Disclosure points but not Awareness or Management. The Awareness-tier upgrade adds quantification:
"EU CBAM is expected to apply to our steel exports starting January 2026. Based on our current EU export volume of 250,000 tonnes annually and an estimated CBAM certificate cost of EUR 80 per tonne CO2e, we estimate an annual cost increase of EUR 14 million, equivalent to 1.8 percent of group EBITDA, in the short term. The figure could rise to EUR 22 million by 2030 as the free allocation phase-out continues."
Same risk, very different score. The differences:
- A specific policy mechanism (CBAM, with start date)
- An exposed product line (steel exports)
- An exposed volume (250,000 tonnes)
- A unit cost (EUR 80 per tonne)
- A total impact (EUR 14 million)
- A reference to a financial metric (1.8 percent of EBITDA)
- A trajectory (rising to EUR 22 million by 2030)
This level of detail signals to the grader that the risk is real and managed.
Analogy
The difference is like the difference between a doctor saying "you have heart disease" versus "you have moderate coronary artery disease with 50 percent stenosis in your left anterior descending artery; we recommend a statin and follow-up angiography in three months." Both are accurate. Only one is useful for decision-making. CDP scoring rewards the second style for the same reason.
The mitigation column, the often-skipped Management point
For each risk, you have to describe what you are doing or plan to do about it. This is where many companies leak Management-tier points by writing generic statements like "we monitor this risk through our risk management process."
A scoring-quality mitigation answer:
- Names the action (capex, policy, contract, target, diversification)
- States the cost (with currency and time period)
- States the expected outcome (the risk reduction in quantitative or qualitative terms)
- Names the responsible function or executive
Worked example
Risk: Drought in the Marathwada region of Maharashtra reducing tomato yields by 20-30 percent in the medium term, affecting our processing plant input costs by approximately INR 80 crore annually.
Mitigation, Disclosure-tier: "We monitor weather conditions and have alternative suppliers."
Mitigation, Management-tier: "We have shifted 40 percent of our tomato sourcing to drip-irrigated farms in the Nashik and Pune regions over 2024-25. Capital invested: INR 35 crore in farmer support programmes and irrigation infrastructure. Expected risk reduction: 12-15 percent of the original 80 crore exposure. Programme owner: Chief Procurement Officer; reviewed by the Sustainability Committee quarterly."
The Management-tier version names the action, the cost, the outcome, and the owner. This is what scores.
Where companies leave points on the table
Several patterns recur:
- Listing five generic risks instead of three specific ones. CDP rewards depth, not breadth. Three well-quantified risks score higher than ten vague ones.
- Forgetting opportunities (covered next lesson). The Q3.6 cluster is the sister set, and many responders run out of energy by then.
- Underdisclosing physical risk. Transition risks are easier to talk about because they involve policy and finance, which sustainability teams understand. Physical risks require operational and engineering input that often is not included in the response.
- Inconsistency with Module 2 horizons. A risk disclosed as short-term in Module 3 should be characterised the same way in Module 5 (strategy) and Module 7 (financial impact). Inconsistency across modules is heavily penalised.
- Missing the systemic risks. Some risks (like loss of social licence or systemic disruption to commodity supply) are not bound to a single risk type. The Leadership tier rewards companies that can describe these.
A worked example: BlueCove Apparel Ltd (synthetic)
Worked example
Company: BlueCove Apparel, Mumbai-headquartered, USD 800 million revenue, 80 percent cotton-based product, exports to EU and US.
Three disclosed risks:
Risk 1: Acute physical, water stress in cotton-growing regions.
- Driver: Increasing frequency of below-normal monsoon years in Punjab and Haryana cotton zones.
- Horizon: Short and medium term.
- Likelihood: 60 percent in any given year (based on rainfall pattern data 2010-2024).
- Magnitude: 12-18 percent reduction in cotton supply availability, leading to spot purchase premiums of 8-15 percent above contracted rates.
- Financial impact: USD 18-28 million annually in input cost variance, or 2.3-3.5 percent of group revenue.
- Mitigation: Diversifying sourcing to rainfed cotton regions in Maharashtra and Karnataka; multi-year contracts with cooperative aggregators; investing USD 4 million over 2025-2027 in farmer water-efficiency programmes. Owner: Chief Procurement Officer.
Risk 2: Transition policy, EU CBAM and CSDDD.
- Driver: EU import controls and corporate sustainability due diligence covering apparel from 2026.
- Horizon: Short term.
- Likelihood: Virtually certain (regulation already enacted).
- Magnitude: Compliance cost and risk of import delays in EU markets.
- Financial impact: USD 6 million in additional compliance and reporting costs in 2026, USD 8-12 million in potential supply chain re-routing if major suppliers fail diligence.
- Mitigation: Joining the SAC (Sustainable Apparel Coalition); supplier audit programme covering 100 percent of Tier 1 by end-2026; legal review with EU counsel completed Q4 2025. Owner: Chief Risk Officer.
Risk 3: Transition reputation, fast-fashion backlash.
- Driver: Consumer and investor pressure on textile waste, microfibres, and overproduction.
- Horizon: Medium term.
- Likelihood: Probable (50-65 percent based on peer experience).
- Magnitude: Brand value impairment, retailer delistings, ESG score downgrades.
- Financial impact: Estimated 1.5-3.0 percent revenue impact in affected geographies, USD 12-24 million annually.
- Mitigation: Circularity programme launched 2024; SBTi target submitted; transition plan published 2025 with 50 percent recycled content commitment by 2030. Owner: CEO.
This disclosure scores at Management tier. The fix to push to Leadership: add scenario analysis for each risk under 2 degrees and 4 degrees pathways, and add quantitative target metrics for the mitigation actions (e.g., "reduce water exposure by 50 percent by 2028, measured by sourcing from regions with WRI Aqueduct stress score below 3").
Key Takeaways
- Each disclosed risk needs eight fields: type, driver, horizon, likelihood, magnitude, financial impact, description, and mitigation
- Quantification (specific numbers, mechanisms, exposed volumes) is what moves a risk from Disclosure to Management tier
- Mitigation answers need named actions, costs, expected outcomes, and accountable owners; generic statements lose Management points
- Three well-quantified risks score higher than ten vague ones; depth beats breadth
- Inconsistency between Module 2 horizons and Module 3 risks is heavily penalised; lock the horizons first
Knowledge Check
Which is the dividing line between Awareness-tier and Management-tier risk disclosures?
How many risks should you disclose for the best score?
True or false: A mitigation answer that names the action, cost, expected outcome, and accountable owner is the Management-tier signal.
Which fields does CDP expect for each disclosed risk?
What is the most common mistake on physical risks?
Match each risk type to an example.
Acute physical
Chronic physical
Transition policy
Transition reputation
