While most businesses are usually good at defining and managing material risks – those that pose clear and present danger – the identification of new and emerging risks is still under-developed.
In September 2018, Facebook admitted that an attack on its computer network had exposed the personal data of more than 50 million users – one of the largest data security breaches in history. Just one year earlier, Facebook had been embroiled in another landmark data privacy scandal involving unauthorized access to user data and an attempt to influence voters in the 2016 US presidential election. Facebook has paid billions in connection with both cases and continues to suffer reputational damages from reduced stakeholder trust.
Meanwhile, 3M Co., a U.S.-based industrial conglomerate, faces an increasing number of legal suits related to its use of PFAS,1 toxic chemical substances widely considered harmful to human health. In February 2018, 3M settled with the state of Minnesota for US $850 million over PFAS-related pollution, and expected liabilities could reach over US $5 billion.
The severity of the financial and reputational damage suffered by Facebook and 3M casts a spotlight on weaknesses in the links of many companies’ risk management processes. The magnitude of the damages (not only to companies but also to society and the environment) led us to ponder how cases like these can arise and, more important, how they can be avoided.
While most businesses are usually good at defining and managing material risks – those that pose clear and present danger – the identification of new and emerging risks is still underdeveloped. Emerging risks are uncertain and difficult to quantify and so represent large unknowns to companies. Given these constraints, they have been omitted from traditional risk reporting and financial disclosures to investors. With sustainability-themed risks on the rise – often embedded in complex long-term developments and externalities – demand is growing from investors that companies identify emerging risks early on and transparently communicate about these topics as part of a more holistic risk management approach.
We posit that companies with a comprehensive risk management process in place that emphasizes the early identification of distant threats are better positioned to adapt and respond to changes in external risk when those risks develop into clear and present dangers.
Using data from the SAM Corporate Sustainability Assessment (CSA),2 we analyzed the risk reporting sequences of companies over the past five years (2015-2019) for two key risk areas – 1) climate change and 2) data security and privacy – to test whether companies that first identified emerging risks and then managed them as material issues were able to avoid or mitigate later controversies and damages.
1 PFAS, short for per- and polyfluoroalkyl substances, a group of chemicals that the U.S. Environmental Protection Agency has ruled adverse to human health.
2 A total of 2,974 companies within the CSA were assessed for this study.
3 Analyses of controversies are carried out through the CSA's Media and Stakeholder Analysis (MSA). An MSA case is created if a company has been involved in a specific negative event related to the company’s material sustainability factors. The MSA methodology can be found at https://www.spglobal.com/esg/csa/csa-resources/csa-methodology.
Risk definitions and descriptions
Emerging risks – Since 2015, the CSA has asked companies to indicate significant emerging risks. The CSA defines emerging risks as newly identified areas of potential risk whose impact is unlikely to be felt in the coming three to five years. Emerging risks often reflect uncertain outcomes of upcoming political decisions, legislation changes, or market dynamics that might shape the future competitive landscape for companies. Generally, these risks are not properly accounted for in companies’ current financial statements.
Material issues – Since 2012, the CSA has asked companies whether they have conducted a materiality analysis, whereby they identify their most important material issues that will impact their ability to generate long-term value. Material issues are defined as sustainability factors that can have a present or future impact on the company’s value drivers, competitive position, and long-term shareholder value creation.
Companies should manage material sustainability issues by defining a business case, implementing management strategies, setting targets, developing progress indicators, and linking targets to performance incentives (e.g., executive compensation). Moreover, as soon as a risk is defined as a material issue, it loses its “emerging risk” status.
Controversial issues – Controversial issues are realized risks that result in financial and reputational damage for companies. Our analysis of company controversies is carried out through a Media and Stakeholder Analysis (MSA).3 The MSA process is used to identify controversies and damages that are linked to poor corporate policies, structures, and practices on a variety of sustainability issues.
Figure 1: The reporting sequence within a comprehensive risk management process
Climate Strategy – A growing corporate concern
Over the past five years a significant number of companies have reported on climate-related issues and identified specific aspects of climate strategy as emerging risks.4 Uncertainty about changing environmental regulations, potential water shortages, and the negative impacts of plastic packaging have all been cited as potential risk factors that could influence companies and industries in the future.
Frequency of reporting as an emerging risk
Over the past five years, 33.15% of all correctly identified and reported emerging risks5 have been related to climate strategy. Over the same time period, companies from 51 out of 61 industries have reported at least one climate strategy-related topic as an emerging risk.
However, the number of companies reporting climate strategy as an emerging risk, in line with RobecoSAM requirements, decreased drastically over the past five years, with 231 companies reporting climate strategy topics in 2015, against 39 companies in 2019. This steep decline is in line with our expectations and represents a positive shift toward more transparent climate change disclosure.
As companies recognize the potential and severity of climate-related risks for future business, the topic has become more mainstream and accepted as a material risk. As a result, fewer companies are identifying it as an emerging risk on the distant horizon and are taking measures to address the risk now – even if the implications are longer-term (see insert "Climate strategy" for company case examples).
Climate strategy – emerging risk versus material issue
Below are examples reported in 2019 demonstrating how companies differ in their views of risks related to climate strategy. While it was already considered a material issue by the European arm of food and beverage producer Coca-Cola, it was still considered emerging by the cement manufacturer Heidelberg.
Climate change as an emerging risk – Heidelberg Cement AG
Cement is a basic raw material for the construction of houses, industrial facilities, and infrastructure. Because cement is energy- and CO2-intensive, research projects are being undertaken to develop alternative binders with a more favorable energy and climate footprint; however, we generally do not anticipate that the alternative binders currently being developed will replace traditional cement types on a large scale in the next few years. [As a result,] the risk is not included in our risk reporting.
Source: Extract from Heidelberg’s 2018 Annual Report
Climate change as a material risk – Coca-Cola European Partners
Due to concerns about the environmental impacts of litter, our packaging is under increasing scrutiny by regulators, consumers and customers. This exposes us to the risk of increased regulation or taxation and reputational impacts. As a result, we may have to change our packaging strategy and mix in a short timeframe. This could result in a reduction in demand for single use plastic packaging, and we may be liable for increased costs related to the design, collection, recycling and littering of our packaging. We may be unable to respond in a cost-effective manner and our reputation may be adversely impacted.
Source: Extract from Coca-Cola’s 2018 Integrated Report
4 “Climate strategy” alone is not considered an emerging risk due to its material impact on most companies. However, specific aspects of climate strategy are risks, depending on the industry and the region where a company's operations are located.
5 A number of companies have been incorrectly reporting current material risks as emerging risks. Such cases were excluded from consideration in this analysis.
Frequency of reporting as a material issue6
Climate strategy was the second most reported material issue over the past four years (2016-2019). As seen in Figure 2, climate strategy for many companies has evolved from an emerging risk to a material issue that must be strategically managed.
Furthermore, the overall proportion of risk events and controversies linked with climate strategy is falling as companies report it as a material issue.
Figure 2: A widening gap – as climate risks become material, the proportion of realized risk events falls
Frequency of realized risk events
In line with our risk identification and management hypothesis, as climate strategy moves from an emerging risk to a material issue on corporate risk assessments, we would expect a decreasing number of environmental MSA cases.
Despite an uptick in environmental MSA cases in 2018 (see Figure 2), the trend in MSA cases related to climate strategy and the environment over the past four years has followed a downward trajectory.8
6 Beginning with the 2016 CSA, RobecoSAM modified its material issues criteria for companies, making one-to-one comparisons with prior years difficult for the purposes of this study. As a result, the analysis of material issues for climate strategy considers only four years of data (2016-2019).
7 Ibid. See footnote 6.
8 MSA statistics as per Q3 2019.
Data Security And Privacy Risks – Companies are sensitized and aware
The World Economic Forum Global Risks Report 2019 ranks cybersecurity as one of the top five business risks, further noting that technology will be a major component in shaping the global risk landscape. Both companies and consumers are concerned by fraud, cyberattacks, and technological weaknesses that leave them vulnerable to rogue hackers, rogue governments, and even “rogue” companies.
In addition, the risks associated with fraud and loss of privacy are expected to increase. These topics, which historically have been insignificant in many industries, are taking center stage in terms of the damage they inflict, as our own experience with CSA data reveals. Cybersecurity and data privacy issues are appearing across a number of new industries as diverse as hotels and tourism and aluminum smelting and manufacturing.
Frequency of reporting as an emerging risk
Over the past five years, 46 out of 61 industries have reported data security and privacy at least once as an emerging risk. This underscores the fact that though for some companies data security is still nebulous in nature, the extent of possible damage is clear enough for them to flag it as an emerging risk and proceed with caution. An interesting example within the geopolitical context is the utilities sector.
Utility companies generally face the risk that cyberattacks may disrupt the energy supply as well as cause safety-related incidents at operational facilities. Furthermore, interruptions with political backing may intentionally target the economic prosperity of an entire region via cyberattacks on regional power supplies. This would have disastrous implications not only for utilities themselves but also for other companies and industries operating in the region (see insert "Data security and privacy as an emerging risk – Atos SE").
In the CSA, between 2015 and 2019, the number of companies reporting data security and privacy as an emerging risk decreased significantly (see Figure 3). This is to be expected as data security risks become more publicized and mainstream.
Data security and privacy as an emerging risk – Atos SE
By 2022, the cybersecurity landscape will be heavily influenced by the challenge of efficiently protecting the myriad of devices that we will engage with in daily life. Although this hyper-connected ecosystem will generate significant opportunities and benefits for individuals and society in general, it will also provide a tempting target for cyber criminals looking to exploit broadened attack surfaces and vulnerabilities that have wide-ranging and critical impacts. The increasing mobility, connectivity, flexibility and versatility of infrastructures and devices will also add layers of complexity to the management and control of autonomous systems, in making them compliant with regulatory and ethical standards throughout a dynamic life cycle.
Source: Atos Registration Document, p. 49-50, Journey 2022, p. 30
Frequency of reporting as a material issue9
Over the past four years, the number of companies reporting on data security and privacy as a material issue has been on an increasing trend, with 78% more companies reporting on the topic in 2019 than in 2016.
This is a clear signal that companies' awareness of the topic has increased not only in terms of the risks to be avoided but also the opportunities to be seized. Our dependence on software and digital solutions and data storage in cyberspace will continue to grow, so many companies are beginning to understand and effectively execute cybersecurity risk management and strategy processes now (see insert "Data security and privacy as an emerging risk – Engie S.A.").
9 Beginning with the 2016 CSA, RobecoSAM modified its material issues criteria for companies, making one-to-one comparisons with prior years difficult for the purposes of this study. As a result, the analysis of material issues for data security and privacy considers only four years of data (2016-2019).
10 In 2019, the Information Security / Cybersecurity Strategy and Governance criterion was expanded from 11 to 29 industries, explaining the limited industry exposure prior to 2019.
Data security and privacy as an emerging risk – Engie S.A.
[Engie S.A.] is continually exposed to new threats from the introduction of new technologies particularly the multiplication of connected objects, the development of industrial control systems, the spread of mobility tools, and the development of new uses (e.g. social networking). Cyber-attacks target both the company and its customers and partners. More generally, IT system failure could result in information losses or leaks, delays and/or extra costs that could be detrimental to the Group’s activities or its reputation. In response, the Group continually adjusts its prevention, detection and protection measures for all its information systems and critical data.
Source: Engie 2018 Registration Document
Frequency as a realized risk event
While companies in a majority of industries identified data security and privacy as an emerging risk and material issue, very few MSA cases were related to the topic over the period analyzed.10 In 2016, only two data security and privacy controversies were identified out of a total of 183 MSA cases. While still low, the number of controversies related to the topic is increasing.
The current or historical absence of controversies does not necessarily indicate lower risk. The low number of MSA cases can indicate either that companies are sufficiently managing the risks or that we are only at the beginning stages of an increasing trend where, despite company risk control efforts, controversies still arise.
A few high-profile cases are enough to demonstrate the potential extremes that can be reached by internal hacking and data breaches (see insert "Two breaches, millions of customers").
We also see that many breaches are only found many years after they occur, signaling the need for better early warning systems. This may result in delayed data being reported by companies, which results in historical figures being corrected in future years.
Two breaches, millions of customers
The Equifax data breach in September 2017 compromised the personal data of almost 1 million customers in the U.S. and the U.K. and cost Equifax US$700 million in the U.S. alone. Another notable case is illustrated in the flawed microprocessing chips manufactured by Advanced Micro Devices and Intel Corp., which supply chips to 90% of computers worldwide. These flaws potentially exposed computers to attacks from hackers who could harvest personal information such as passwords or credit card data.11
Despite the relatively low (and concentrated) number of documented controversies related to data security, we still observe a widening gap between material issues reporting and realized risk events later on for data security and privacy issues (see Figure 3).
12 Beginning with the 2016 CSA, RobecoSAM modified its material issues criteria for companies, making one-to-one comparisons with prior years difficult for the purposes of this study. As a result, the analysis of material issues for data security and privacy considers only four years of data (2016-2019).
Figure 3: A widening gap – as data security risks become material, the proportion of realized risk events falls
Encouraged by these initial findings, we analyzed in greater detail the climate risk and data risk reporting sequences of companies to see if there is a further link between risk reporting and reduced risk controversies.
Making The Case – Relationship between emerging risk identification, material risk reporting, and the development of controversial events
In this section, we attempt to demonstrate the working hypothesis that companies that identify emerging risks early, and subsequently continue managing, monitoring, and reporting on these topics as material issues, will experience fewer controversies.
Taking the working hypothesis a step further, we expect to find that even when companies experience adverse risk events, those that have reported and managed those risks will have minor controversies with minimal impact in terms of costs and reputational damages. This implies that companies that have taken measures to identify emerging risks early on and managed those risks they deem material will be in a better position to take appropriate measures to mitigate the impacts.
Hypothesis 1) Companies that have identified emerging risks early on and subsequently continued to manage, monitor, and report on these risks as material issues are subject to fewer controversies.
Hypothesis 2) The impact of risk controversies, when experienced by companies with comprehensive risk management frameworks in place, will be minimized in terms of costs and reputational damages.
In-depth analysis on corporate risk reporting
Knowing that not every company would follow a comprehensive risk reporting process sequence, we used forward- and backward-looking (retrospective) analyses to capture all possible risk reporting scenarios for each risk issue.
- Forward-looking analysis – Start with companies that identified the risk issue as an emerging risk, observe how many reported it later as a material issue, and compare with the frequency of controversial MSA cases (realized risk event).
- Retrospective analysis – Start with controversial MSA cases and, looking backwards, analyze whether those companies had targeted and managed the topic as a material issue as well as an emerging risk early on.
Forward-looking analysis results – climate strategy as a risk
Of the 292 companies that reported climate strategy as an emerging risk, 122 (42%) confirmed hypothesis 1 (H1).13 In these cases, climate strategy risk was first identified as an emerging risk and subsequently as a material issue. Furthermore, none of these companies was subject to any adverse risk events. Additional supportive evidence is shown from a further 21 companies (7%) that identified climate strategy early on as an emerging risk but failed to manage it as a material issue later, even as material risks were obviously present. As expected, these companies experienced controversial risk events later (see Figure 4).
This means a total of 49% (143 of 292 companies) evaluated for climate change risk confirm H1 – that companies that identified climate strategy risk early and managed it have fewer controversial events.
Only 2.7% of company cases assessed (eight of 292 companies) contradict H1. These companies, despite having identified climate strategy as an emerging risk as well as a material issue, were still subject to MSA cases.
Another 141 cases (48%) were classified as inconclusive, neither confirming nor contradicting H1. In these cases, companies identified climate strategy as an emerging risk but not as a material risk. Moreover, no MSA controversies materialized in these cases, so no hard conclusions can be drawn either way.
Further analysis of each MSA case was conducted in order to test hypothesis 2 (H2), that adverse risk events were mitigated when companies had early risk identification, reporting, and management mechanisms in place. We found that seven of these eight controversial risk events (88%) were considered minor MSA cases with minimal impact in terms of costs and reputational consequences. These results were strongly supportive of H2.
13 Forty-one other companies identified climate strategy as an emerging risk and had no MSA case, but their reporting flow was not consistent; they either reported climate strategy as a material issue every second year or reported it in a year before they reported it as an emerging risk.
Figure 4: Forward-looking analysis results – The risk reporting sequence of companies starting with those that initially identified climate strategy as an emerging risk
Retrospective analysis results – climate strategy as a risk
In the retrospective analysis, we started with companies that had experienced MSA controversies and worked backward (retrospectively) to test H1. We expected to find that companies that experienced MSA controversies had neither identified climate change as an emerging risk nor managed it as a material issue.
We assessed a total of 106 MSA cases for climate strategy risk using the retrospective approach. Of these, a total of 52 companies (49%) neither reported climate strategy as an emerging risk nor as a material issue, which confirms H1 (see Figure 5). A further 20 companies (19%) reported climate strategy as an emerging risk but not as a material risk, bringing the total confirming cases to 72 (68%).
Climate strategy was reported as a material issue and as an emerging risk by 15 companies (14%) before they experienced an MSA case, contradicting H1. In 19 cases (18%), the data results were inconclusive. Companies identified climate strategy only as a material issue but not as an emerging risk.
Furthermore, each MSA case was analyzed in detail to test H2 – whether the presence of a risk management process mitigated realized risk controversies. In more than two-thirds of cases (10 of 15 companies, or 67%), controversies were judged as minimal, thus confirming H2.
Figure 5: Retrospective analysis results – The risk reporting sequence of companies starting with adverse risk event related to climate strategy
Forward-looking analysis results – data security and privacy as a risk
A total of 185 companies were assessed for their risk reporting process on data security and privacy, using the same forward-looking and retrospective approaches described above. Of these, only 26 companies (14%) provided confirmation of H1. These companies identified data security and privacy early on as an emerging risk, later documented and managed it as a material issue, and never experienced a realized risk event over the period studied (see Figure 6). The rest of the data was far less conclusive.
Figure 6: Forward-looking analysis results – The risk reporting sequence of companies starting with those that initially identified Data Security & Privacy as an emerging risk
Of the remaining companies (159 of 185, or 86%) that identified data security and privacy as an emerging risk, none went on to identify it as a key material issue within their risk reporting process. This was a surprising result, given the attention that digital security and privacy have received in the past five years.
We would have expected more of these companies to have proceeded past the emerging risk stage and reported data security as a material risk issue. Moreover, there were no MSA cases linked to any of these companies.
In the absence of company data on material issue reporting and in the absence of MSA cases, we cannot draw any firm conclusions about the risk management processes of these firms. We must wait and see how their behaviors and actions play out in the future. Therefore, we rendered these cases inconclusive, neither confirming nor contradicting H1.
Retrospective analysis results – data security and privacy as a risk
Using controversial issues (MSA cases) as the starting point, we looked retrospectively to test H1 for data and security risks. Again, we expected to find that companies that experienced adverse risk events or controversial issues had neither reported data security and privacy as an emerging risk early on, nor subsequently as a material risk issue.
Only 11 company cases were assessed for retrospective analysis. These companies experienced MSA cases related to data security over the period of study but had gaps in their preceding risk reporting sequence. None of these companies reported data security as a material issue and as an emerging risk. Although the dataset is small (11 cases), it still confirms H1 (see Figure 7).
There were no cases in the retrospective approach that allowed us to test H2.
Figure 7: Retrospective analysis – Results on Data Security & Privacy risk management process
Even the most successful companies fail at correctly predicting where risks will arise and how fast they will escalate, as the recent cases of Facebook and 3M attest to. Further previously unknown or unanticipated risks have suddenly appeared in new industries and business operations, underscoring that risks are moving targets with possible long-term impacts that must be monitored early rather than later. This makes it all the more critical for companies to embrace a holistic risk management approach that not only focuses on dangers that are near and clear (i.e., material issues) but also on the uncertain and distant threats on the horizon (i.e., emerging risks).
Cases like those of Facebook and 3M motivated our desire to better understand the connection between early risk perception and identification and realized controversies in later years. The intuition that guided the construction of our two working hypotheses was that companies with a comprehensive risk identification and management process that included early identification of potential risks, together with targeted strategies for mitigating material and present risks, would be better equipped to either avoid controversial risk events altogether or at least minimize their adverse impact.
Using data from the Corporate Sustainability Assessment (CSA),14 we analyzed general risk reporting patterns of companies over the past five years (2015-2019) in the two key risk areas of climate strategy and data security and privacy.
Results of the high-level analysis were encouraging and supported our initial intuitions for both risk topics. First, the data demonstrated that over time, emerging risks fell as companies and industries recognized these as financially material issues that deserved more attention through robust risk management frameworks. More important, the data showed that as more companies accepted and managed material issues for climate strategy and data security and privacy, the overall proportion of controversial risk cases fell.
From these more general findings, we proceeded to look more closely at company reporting sequences across climate strategy and data security and privacy risks. Results varied based on the risk issue studied (climate strategy or data security) as well as by the direction of analysis (forward-looking or retrospective). For climate strategy risk, more cases confirmed the hypothesis than contradicted it (49% versus 2.7%, respectively).
For data security and privacy risk, all evaluated cases (100%) confirmed our primary hypothesis (H1) in the retrospective analysis; however, only 14% of cases in the forward-looking analysis did so. Moreover, the majority of cases (159 companies, or 86%) were inconclusive due to gaps in companies’ reporting processes.
Although we were surprised at the number of inconclusive cases, we were still able to demonstrate correlations that were generally supportive of our hypothesis that a comprehensive risk management and reporting structure that includes early identification and later targeted management of risks as material issues leads to the avoidance and attenuation of realized risk events later on.
Furthermore, results for our secondary hypothesis (H2) were stronger. In more than two-thirds of cases (67%) where a controversial event was experienced with respect to climate strategy, the ultimate impact was minimized when comprehensive risk management structures were in place and the appropriate risk reporting sequence had been followed. Results for H2 with respect to data security and privacy risk were inconclusive due to lack of available cases.
Climate strategy and data security and privacy risks are in different stages in their life cycles. While the urgency of climate-related topics has accelerated dramatically in recent years, the impact of data security and privacy issues remains largely unknown for many industries. Moreover, rapidly evolving dynamics and technological developments in the digital space make it a moving target for many companies. This could also help to explain the inconclusiveness of findings on data security and privacy, which correlates to the overall lack of transparency.
Moreover, identifying and reporting on data security breaches is complicated and overwhelming for many companies – more time is needed to allow what are now seen as emerging risks to mature into material issues. Only then can stronger inferences be made.
14 A total of 2,974 companies within the CSA were assessed for this study.