The Risk Management dimension in IFRS S1 and S2 Standards

CVM Resolution No. 244 has reframed the debate on sustainability and climate reporting in Brazil. By replacing mandatory reporting with the “Comply or Explain” approach, the standard has made the decision to report an explicit choice of positioning vis-à-vis the market. However, as we argued in a recent article, this maturity has not become optional — and it is in this context that the Risk Management dimension gains even greater relevance.

In the previous article, we discussed how the Strategy dimension focuses on incorporating sustainability and climate risks and opportunities into the business model, strategic planning, and financial decisions. The Risk Management dimension takes this discussion a step further by shifting the focus to processes: how do companies identify, assess, prioritize, and monitor these risks and opportunities? Do these processes operate in an integrated manner with the rest of corporate risk management?

The focus should be on the process and on integration

The purpose of risk disclosures is twofold: i) to enable users of financial reports to understand how risks and opportunities are identified, assessed, prioritized, and monitored — and, based on that, ii) to evaluate the organization’s overall risk profile and the robustness of the processes underlying this management.

Companies must demonstrate not only which exposures have been mapped, but also how this identification takes place — using what data and criteria — and how each risk is assessed in terms of nature, probability, and magnitude. The focus is on the process. For example, in the context of climate change, this means specifying which scenarios guided the identification — such as those from the IPCC or NGFS — and how they informed the distinction between physical and transition risks, how frequently these risks are reviewed, and whether the processes have evolved compared to the previous period.

In addition to risks, the standards require companies to describe the processes used to identify, assess, prioritize, and monitor opportunities related to sustainability and climate as well. This aspect is often overlooked in initial disclosures, when attention tends to focus on negative exposures, but it carries equivalent regulatory and strategic importance. Thus, this dimension seeks to assess the quality and maturity of risk and opportunity mapping.

Furthermore, the standards also address integration, asking whether — and how — these processes align with the entity’s corporate risk management framework. It is not enough to simply have processes; it is necessary to demonstrate that they operate in a systemic manner and are connected to corporate governance. In practice, this means that climate risks must be included in the same matrix that guides investment decisions and capital allocation — and not operate as an exercise separate from corporate ERM. The standards further emphasize that, when risk oversight is managed in an integrated manner, the company must provide integrated disclosures, avoiding duplicate sections for each identified risk or opportunity.

How Companies Are Structuring Risk Management

The first Brazilian disclosures aligned with CBPS 01 and CBPS 02 / IFRS S1 and S2 reveal distinct approaches to climate risk management, but with one common thread: a focus on demonstrating not only which risks have been identified, but also how this process works and how it connects to the corporate decision-making framework.

• Vale describes a climate risk management framework that is formally integrated into its corporate ERM process. Climate risks are prioritized within the same matrix used to assess other types of corporate risk, and opportunitie — such as the growing demand for metals for the energy transition — are evaluated through the same process.
• Renner structures its climate risk management based on a financial materiality assessment, describing how risks were prioritized relative to other types of corporate risk. The company also notes that, even when the estimated financial effects did not reach the established materiality threshold, it chose to disclose them to ensure transparency in the process.
• Irani describes a methodology integrated into its corporate Risk Management Policy, with identification and prioritization conducted by the Executive Board and submitted to the Board of Directors. The company highlights that climate-related opportunities outweigh the risks over the analyzed time horizon, emphasizing that the management required by the standards is not limited to negative exposures.

Recurring Challenges in Implementation

The experience of supporting companies across various sectors in preparing for reporting reveals two recurring challenges in structuring the risk management required by the standards:

The first is internal fragmentation: in many companies, climate analysis processes and corporate risk management processes operate in parallel, without systematic coordination. The result is climate risk assessments that are not incorporated into the corporate risk matrix and, therefore, do not influence capital allocation or executive decision-making.

The second challenge lies in the reliability and traceability of data: the use of climate models and generic assumptions — which are poorly calibrated to the company’s specific reality — undermines the validity of the analyses during assurance processes and their ability to support decision-making. The methodological robustness of risk analyses has become one of the key differentiators for companies that choose to remain committed to disclosure — and a factor increasingly evaluated by investors and rating agencies.

What Robust Risk Management Delivers Beyond Reporting

As companies advance in structuring their processes, it becomes evident that risk management extends beyond what is disclosed: it structures what is known. A robust process for identifying, assessing, prioritizing, and monitoring climate and sustainability risks generates tangible value regardless of mandatory reporting requirements.

Anticipating risks before they materialize into losses

The main benefit of a structured climate risk management process is the ability to identify exposures before they result in operational disruptions, damage to assets, or unexpected regulatory costs. Companies with such a mature process shift from a reactive stance — responding to an event after it has already occurred — to a forward-looking stance, which guides investment decisions, asset location, and supplier relationships based on anticipated scenarios.

Credibility with investors and access to capital

Institutional investors, rating agencies, and creditors use risk management disclosures as input to assess companies’ resilience to climate and transition shocks. The quality of the process described — not just the outcome of the risk mapping — is a sign of the maturity of corporate management.

Internal consistency across departments and improved decision-making

The requirement to integrate climate risks into the overall risk management process — when effectively implemented — promotes internal consistency that goes beyond reporting. When climate risks are incorporated into the same risk matrix that guides decisions on investment, expansion, and capital allocation, the sustainability, finance, operations, and strategy departments begin to operate from a common information base, reducing the risk of inconsistent decisions and increasing the company’s ability to respond in a coordinated manner to external shocks.

This is perhaps the most difficult effect to measure, but the most enduring: well-structured climate risk management does not merely produce a report; it creates an organization with a greater capacity to anticipate, adapt, and respond.

Anticipation as a Key Element of Implementation

The risk management dimension in the IFRS S1 and S2 / CBPS 01 and CBPS 02 standards represents much more than a list of information to be disclosed. It establishes a quality standard for companies’ internal processes: how they identify, assess, prioritize, and monitor their sustainability and climate risks and opportunities; what data and criteria they use; and how these processes integrate with the rest of corporate management.

The first Brazilian disclosures, such as the case studies presented by Vale, Lojas Renner, and Irani, reveal that this path is feasible and that there are different ways to structure this process according to each company’s size, sector, and stage of maturity. What all three have in common is precisely the central requirement of the standards: the integration of the climate risk management process with the corporate decision-making structure.

For companies in the early stages, the starting point is documenting existing processes and defining explicit criteria for assessing and prioritizing risks. For those with more advanced processes, the challenge lies in ensuring traceability, methodological robustness, and formal integration into the corporate ERM framework.

More than simply anticipating a regulatory requirement, moving forward with this agenda now is an opportunity to strengthen strategic decision-making, enhance business resilience, and improve dialogue with investors.

João Henrique Bueno

Sustainability Coordinator at WayCarbon |  + posts Bio

This author does not have any more posts.

Luiza Caldas

Senior Sustainability Analyst at WayCarbon |  + posts Bio

This author does not have any more posts.

Victor Vieira

Analista de Sustentabilidade at WayCarbon |  + posts Bio

This author does not have any more posts.