Risk management disclosures explain the processes behind strategy disclosures. While the strategy section describes what risks and opportunities the entity faces, the risk management section describes how it finds them, evaluates them, and monitors them, giving investors insight into the reliability of the entity's risk identification.
The Objective of Risk Management Disclosures
Paragraph 24 of IFRS S2 sets the objective: risk management disclosures shall enable users to understand the processes and procedures an entity uses to identify, assess, prioritise, and monitor climate-related risks and opportunities, and whether those processes are integrated into the entity's overall risk management.
This objective has three distinct elements:
- Process transparency: How specifically does the entity identify and assess climate risks?
- Prioritisation: How does climate risk rank relative to other risks?
- Integration: Is climate risk management part of the main risk framework or separate?
Paragraph 25(a): Six Process Disclosures for Climate Risks
Paragraph 25(a) requires disclosure of six specific aspects of the entity's climate risk identification and assessment processes:
- 25(a)(i) Inputs and parameters: What data sources, tools, and scope of operations does the entity use? For example: does it use climate data from IPCC projections or external data providers? Does it cover all geographies or only certain regions? What asset classes are included?
- 25(a)(ii) Use of scenario analysis: Whether and how the entity uses scenario analysis as part of its risk identification and assessment process. This directly links the Risk Management section to the Climate Resilience section (Para 22), showing that scenario analysis serves a practical risk management function.
- 25(a)(iii) Assessment of nature, likelihood, and magnitude: How does the entity assess:
- Nature of the risk (physical or transition; acute or chronic)
- Likelihood of occurrence (qualitative categories or quantitative probabilities)
- Magnitude of impact (on financial position, performance, or operations)
- 25(a)(iv) Prioritisation relative to other risks: Does climate risk get the same priority treatment as financial, operational, or reputational risks? Is there a common risk scoring framework that includes climate risks alongside other enterprise risks?
- 25(a)(v) Monitoring processes: How does the entity track changes in its climate risk profile over time? How frequently is the risk register updated? What triggers a reassessment?
- 25(a)(vi) Changes from prior period: Whether and how the processes have changed from the previous reporting period. This creates accountability. If the entity improved its climate risk management practices, it should say so; if it weakened them, it must disclose that too.
| Requirement | What Good Practice Looks Like |
|---|---|
| (i) Inputs and parameters | Named data sources; defined scope (all operations, all geographies); specific asset types covered |
| (ii) Scenario analysis use | Explicit description of how scenario outcomes feed into risk register |
| (iii) Assessment of nature, likelihood, magnitude | Consistent scoring matrix; examples of how risks are scored |
| (iv) Prioritisation | Climate risks appear in enterprise risk register with consistent priority framework |
| (v) Monitoring | Defined review frequency; triggers for ad-hoc reassessment; named ownership |
| (vi) Changes from prior period | Specific description of process improvements or changes made during the year |
Risk management disclosures are like showing your work in a mathematics exam. The strategy section gives the answer ("we face significant transition risk from carbon pricing"). The risk management section shows the calculation ("we identified this risk using X data, assessed its likelihood as high based on Y methodology, scored its impact as Z, and it ranks as our third-highest priority risk because...").
Integration with Enterprise Risk Management
A key quality indicator in risk management disclosures is whether climate risk processes are integrated with, or separate from, the entity's broader enterprise risk management (ERM) framework. Paragraph 25(c) (covered in the next lesson) addresses this explicitly.
Integrated approaches are generally viewed more favourably because they:
- Ensure climate risks are evaluated on a consistent basis with other risks
- Prevent climate risk from being managed by a separate team with no connection to financial planning
- Support better escalation of material climate risks to governance bodies
Example: Risk assessment methodology disclosure
"We assess climate-related risks using a three-dimensional scoring matrix applied to all identified risks:
Likelihood: Scored 1 to 5 based on estimated probability of occurrence within our planning horizon. For transition risks, we use regulatory calendars and IEA policy scenario probabilities. For physical risks, we use IPCC regional hazard projections.
Financial impact: Scored 1 to 5 based on estimated impact on EBITDA, ranging from less than 1% (score 1) to greater than 10% (score 5).
Strategic impact: Scored 1 to 5 based on impact on competitive position, market share, and operational continuity.
Climate risks are mapped onto the same heat map as all other enterprise risks. Our carbon pricing transition risk currently scores likelihood 4, financial impact 4, strategic impact 3, making it our second-highest priority risk, behind cybersecurity."
Key Takeaways
- 1Six process disclosures are required: inputs and parameters, scenario analysis use, nature-likelihood-magnitude assessment, prioritisation relative to other risks, monitoring processes, and changes from the prior period
- 2Disclose specific data sources (e.g. IPCC projections, external data providers), scope of operations covered, and which asset classes are included in risk identification
- 3Show how scenario analysis feeds into the risk register - connecting risk management directly to the climate resilience assessment in the strategy section
- 4Prioritisation must show how climate risks rank alongside financial, operational, and reputational risks within the enterprise risk framework
- 5Year-on-year process change disclosure creates accountability for whether the entity is improving its climate risk management practices over time