ARTICLE • 5 min

How to Conduct a Climate Risk Assessment: A Step-by-Step Overview

July 2, 2026

Climate risk assessment has moved from a voluntary best practice to a mandatory disclosure requirement across an increasing number of jurisdictions. For sustainability leaders charged with executing one, the challenge is not finding information about why it matters, it is figuring out how to actually do it — methodically, defensibly, and in a way that produces outputs useful for both disclosure and business decision-making.

This guide walks through the end-to-end process of conducting a climate risk assessment, from scoping and data gathering through to scenario analysis, financial impact quantification, and disclosure reporting.

It's also worth being precise about scope from the outset: every framework referenced in this guide, TCFD, IFRS S2, ASRS S2, and CSRD, requires assessment of climate-related opportunities alongside risks, not risk in isolation. A process that only ever asks "what could go wrong" will miss real, disclosable upside: cost savings from efficiency gains, new revenue from low-carbon products, or competitive advantage from supply chain resilience. The steps below are written around risk identification because that's where most of the analytical heavy lifting sits, but a complete assessment applies the same rigour to opportunities at each stage, and we flag where that applies as we go.

Why the Process Matters as Much as the Output

Before getting into the steps, it is worth addressing something that trips up many organisations: the common instinct to start with the disclosure document and work backward.

Regulators and auditors are increasingly sophisticated at identifying disclosures that look complete on the surface but are not supported by genuine underlying analysis. A climate risk report that names risks without demonstrating how they were identified, how materiality was assessed, and how scenario analysis was conducted will not withstand external assurance — and may not withstand legal scrutiny.

The process of conducting a credible climate risk assessment is therefore not just a compliance input. It is the source of the credibility that your disclosure derives its value from.

Step 1: Define Scope and Objectives

Before beginning any analysis, clarity on scope is essential. This involves answering four questions:

What is being assessed? Define the entities, assets, and value chain elements in scope. For a large company with multiple subsidiaries, sites, or operating regions, this is a significant decision. In principle, the scope should mirror your financial reporting boundary — but there may be materiality-based adjustments, particularly for supply chain elements.

What time horizons apply? Climate risk assessment typically covers three horizons: short-term (to 2030), medium-term (2030 to 2050), and long-term (post-2050). The appropriate horizon depends on the asset life and planning cycles of the business. A company with 40-year infrastructure assets needs long-horizon analysis; a retailer with a 5-year property lease cycle may focus more heavily on short to medium-term risks.

Which frameworks govern the disclosure? The disclosure frameworks your organisation is subject to — IFRS S2, ASRS S2, TCFD, CSRD ESRS E1, California SB261, or a combination — will shape methodological requirements. Identify these upfront and ensure your assessment process satisfies all relevant requirements.

Who owns the process? Climate risk assessment sits at the intersection of sustainability, finance, risk management, and strategy. Governance and accountability for the process should be clearly defined before work begins.

Step 2: Identify Physical and Transition Risks

The next step is to build a comprehensive inventory of the physical and transition risks relevant to your organisation. This is a structured discovery process, not a freeform brainstorm.

Physical Risk Identification

For physical risk, the analytical starting point is your asset and operational footprint. The core questions are: where are your material assets and operations located, and what climate hazards are relevant to those locations?

Physical hazards to assess typically include:

  • Acute events: flooding (coastal, riverine, and surface water), tropical cyclones and extreme wind, wildfire, extreme heat events, extreme cold events, drought, hailstorm
  • Chronic shifts: rising mean temperatures, sea level rise, changing precipitation patterns, water stress, heat stress accumulation over time

A systematic physical risk identification process maps each material location against this set of hazard categories, using climate data and geospatial analysis to determine current and projected exposure under different warming scenarios.

Transition Risk Identification

Transition risk identification requires a different approach — it is less about location data and more about understanding the business model, value chain, and regulatory environment.

Transition risks span four categories:

  • Policy and legal: carbon pricing, emissions regulations, disclosure mandates, litigation exposure
  • Technology: stranded assets, required capital expenditure for low-carbon transitions, cost of emerging technologies
  • Market: shifting demand, changing input costs, capital market repricing of climate risk
  • Reputational: stakeholder expectations, activism exposure, greenwashing risk

For each category, the task is to identify specific risk factors relevant to the organisation's industry, geography, and business model. A manufacturing company will have different transition risk exposures than a financial institution or a logistics business.

Unlike physical risk, transition risk doesn't lend itself to a standard checklist: the same policy shift or market change can affect two companies in the same sector very differently depending on their business model, value chain position, and geography. The quality of a transition risk assessment matters more than the quantity of risks identified. A long list of generic factors copied from a sector template is less useful, and less credible to auditors, than a shorter list of risks clearly and specifically traced to how the company actually generates revenue and where it sits in the value chain.

Identifying Climate-Related Opportunities

The same discovery process should also surface opportunities, which TCFD groups into five categories: resource efficiency (cost savings from reduced energy or material use), energy source (cost or resilience benefits from shifting to lower-carbon energy), products and services (new or adapted offerings aligned with a low-carbon economy), markets (access to new customers, regions, or public-sector incentives), and resilience (value created by supply chain or operational adaptation, including insurance and financing advantages).

In practice, opportunity identification often runs in parallel with transition risk identification, since they're frequently two sides of the same underlying driver. A carbon price that creates transition risk for a high-emissions competitor may be a market opportunity for a company with a lower-carbon product already in place. Treating risk and opportunity identification as a single combined exercise, rather than two separate processes, tends to produce a more complete and more strategically useful risk register.

Step 3: Select and Apply Climate Scenarios

Scenario analysis is the methodological core of a credible climate risk assessment. It is also the element most often done poorly — either skipped entirely, conducted using generic scenarios without organisational specificity, or treated as a presentation exercise rather than an analytical one.

Why Scenarios Matter

The future climate is uncertain. Depending on the trajectory of global emissions, policy responses, and technological change, the climate of 2050 could look very different under different pathways. Scenario analysis allows organisations to test the resilience of their strategy and assess the financial materiality of climate risks across a range of plausible futures, rather than betting on a single forecast.

Recognised Scenario Frameworks

TCFD recommended that companies test resilience against a scenario consistent with 2°C or below, though this was guidance rather than a hard requirement. IFRS S2 doesn't name a specific scenario or temperature threshold at all, instead requiring an approach commensurate with the company's circumstances and a reasonable, supportable basis for whatever scenario is chosen. In practice, however, both frameworks point toward the same outcome: testing at least one lower-warming and one higher-warming scenario is the only way to demonstrate genuine resilience testing rather than a single-point forecast. 

Choosing Which Scenarios to Use

Disclosure frameworks don't mandate a specific scenario; IFRS S2 and AASB S2 both require companies to use a scenario, or set of scenarios, for which they have "a reasonable and supportable basis," rather than naming one. In practice, the choice comes down to three questions: what you're trying to learn, who needs to be able to use the output, and how much analytical capability you have.

What are you trying to learn? If the question is primarily "how exposed are our physical assets to climate hazards under different warming outcomes," IPCC/SSP-based scenarios are the natural starting point, since they're built directly from physical climate models and are the standard input for asset-level hazard mapping tools. If the question is "how exposed is our business model or sector to the energy transition," IEA scenarios are usually more useful, since they model the actual pace and shape of energy system change (fossil fuel demand, renewables deployment, electrification) rather than just temperature outcomes. If the question is "how should we think about this in financial or credit terms," NGFS scenarios are purpose-built for exactly that, translating climate pathways into the kind of economic and financial variables a board or CFO can act on.

Who is the audience? Financial institutions and companies reporting primarily to investors and lenders often default to NGFS, since that's the language banks, insurers, and regulators (including the Bank of England, ECB, and APRA in Australia) already use in their own stress testing, making the company's disclosure directly comparable to what its capital providers are seeing elsewhere. Energy-intensive or carbon-exposed sectors often lean on IEA scenarios for the same reason: their investors and analysts are already fluent in NZE, STEPS, and APS. Companies whose primary concern is physical asset resilience, particularly in real estate, infrastructure, agriculture, or insurance, tend to anchor on IPCC/SSP scenarios because that's what their hazard data is built on.

What's your jurisdiction's regulatory posture, and what's your own capability? AASB S2's guidance gives a useful, generalisable principle here: a company operating mainly in a jurisdiction with active or likely-future carbon regulation has a reasonable basis to centre its analysis on an orderly transition scenario, since that's the world it's actually likely to operate in. A company with concentrated physical exposure (a coastal property portfolio, for example) has a reasonable basis to weight its analysis toward localised, higher-physical-risk scenarios instead. The same guidance also expects scenario sophistication to scale with company capability: a smaller or first-time reporter can start with a qualitative, narrative-based application of a published scenario, while a larger or more experienced reporter is expected to move toward quantitative modelling.

In practice, most credible disclosures don't pick one. The strongest approach, and the one the frameworks point toward, is pairing at least one lower-warming/orderly-transition scenario with at least one higher-warming/disorderly scenario (the bookend pairing used throughout this article: SSP1-2.6 against SSP5-8.5, or NGFS's Net Zero 2050 against its Current Policies or Hot House World pathways). This pairing is what actually demonstrates resilience testing, since a single scenario only shows what happens in one possible future, while the contrast between an orderly and a failed transition is what reveals where the company's greatest vulnerabilities sit.

Applying Scenarios to Your Risk Inventory

For each identified physical and transition risk, the scenario analysis should estimate:

  • The likelihood or severity of the risk under each scenario
  • The time horizon over which the risk is expected to materialise
  • The financial exposure associated with the risk

This is where generic risk identification translates into organisation-specific findings.

Step 4: Assess Materiality

Not all identified risks will be material to the organisation. The materiality assessment step filters the full risk inventory down to the risks that require disclosure and active management.

Materiality in climate risk has both a financial materiality dimension (is the risk likely to affect the organisation's financial position, performance, or cash flows?) and, under some frameworks like CSRD, a double materiality dimension (does the organisation's activity also have a significant impact on the climate, beyond how the climate affects the organisation?).

For TCFD, IFRS S2, and SB261, the primary lens is financial materiality. The questions to answer for each risk are:

  • What is the potential financial magnitude of this risk (as a range or order of magnitude)?
  • How likely is the risk to materialise, under which scenarios, and over what time horizon?
  • Is this risk material enough to warrant disclosure and active management?

The same financial materiality test applies to opportunities: a cost-saving or revenue-generating opportunity is material if its potential financial magnitude and likelihood are significant enough to warrant disclosure, using the same lens applied to risks above.

The outputs of this step should be a prioritised risk matrix that forms the spine of the disclosure.

Step 5: Quantify Financial Impacts

Moving from risk identification to financial quantification is the step where many organisations stall, but it is the direction that disclosure frameworks are clearly heading.

Financial impact quantification asks: if this risk materialises, what is the estimated financial effect on the organisation? This can be expressed in multiple ways:

  • Asset value at risk: what is the potential impairment of specific assets?
  • Revenue at risk: what portion of revenue could be disrupted under a given scenario?
  • Increased operating costs: what additional costs could arise (insurance, energy, adaptation capex)?
  • Transition expenditure: what capital investment is required to align operations with a low-carbon pathway?
  • Liability exposure: what potential legal or regulatory costs could materialise?
  • Opportunity value: what potential cost savings, new revenue, or margin improvement could a given opportunity generate, and over what time horizon?

Quantification should run in both directions. A disclosure that only ever expresses climate risk in negative financial terms, without giving any quantified sense of upside, presents an incomplete and arguably unbalanced picture of the organisation's actual climate exposure. 

Disclosure frameworks acknowledge that quantification methodologies are still maturing, and do not expect all companies to produce precise dollar-for-dollar impact figures for every risk. They expect evidence that organisations made a genuine effort to connect risk findings to financial context and transparency about the assumptions and limitations of that analysis.

Step 6: Assess Strategic Resilience

The scenario analysis findings should be fed back into a strategic assessment: given what we now know about our climate risk exposure across different scenarios, how resilient is our current strategy and business model?

This is the question that makes climate risk assessment strategically valuable rather than purely a compliance exercise. It surfaces decisions that need to be made about:

  • Capital allocation (investing in climate-resilient assets or infrastructure)
  • Asset management (divestment, adaptation, insurance strategy for high-risk assets)
  • Supply chain management (diversification, supplier resilience assessment)
  • Product and service strategy (transition risk-driven shifts in revenue mix)
  • Operational planning (climate adaptation measures at facilities)

This step should also surface climate-related opportunities, not just risks. TCFD's opportunity categories (resource efficiency, new energy sources, new products and markets, supply chain resilience) often emerge directly from the same scenario analysis used to identify risk, and the strategic response to an opportunity (where to invest, what to build, which markets to enter) belongs in the same conversation as the strategic response to risk, not a separate one. 

The disclosure frameworks require organisations to describe how climate scenario analysis has informed or is informing strategy — not just to present the analysis findings in isolation.

Step 7: Document Governance and Risk Management Processes

Alongside the analytical outputs, a complete climate risk disclosure requires documentation of the governance and risk management processes that underpin the assessment.

For governance, this means describing:

  • How the board oversees climate-related risks (board committee structure, frequency of climate risk reporting)
  • How senior management identifies and manages climate risks (roles, responsibilities, escalation processes)
  • How climate risk is integrated into executive incentives or performance frameworks (where relevant)

For risk management, this means describing:

  • The process used to identify climate risks (who is involved, what data and methodologies are used)
  • How climate risks are prioritised and assessed
  • How climate risk management is integrated into the organisation's enterprise risk management framework

These sections often require collaboration with the risk, legal, and governance teams, not just the sustainability function.

Step 8: Prepare and Publish the Disclosure

With the analytical work complete, the final step is preparing the public-facing disclosure. This requires translating technical findings into clear, accessible language that serves multiple audiences: investors, regulators, auditors, and other stakeholders.

A well-structured climate risk disclosure:

  • Is organised around the TCFD four pillars (Governance, Strategy, Risk Management, Metrics and Targets) for maximum cross-framework consistency
  • Connects risk findings to financial materiality, avoiding abstract risk descriptions
  • Is transparent about methodology, scenarios used, and the limitations of the analysis
  • Is consistent with other public disclosures (annual report, regulatory filings, investor presentations)
  • Includes specific metrics and, where applicable, quantitative targets

The disclosure should be published in a format accessible to the relevant regulatory body — for SB261, this means public availability accessible to CARB; for ASRS S2, it means inclusion in financial report filings.

Where Technology Fits In

A manual approach to climate risk assessment — drawing on consulting support, spreadsheet-based risk registers, and ad hoc data sources — is feasible for a first-time assessment but creates significant challenges over time:

  • It is expensive to repeat, particularly as biennial and annual disclosure cycles require updated analysis
  • It is difficult to audit, as methodological decisions are embedded in spreadsheets or consultants' proprietary models
  • It is inconsistent, as data sources and methods may vary between reporting periods
  • It is slow, leaving limited time between data collection and disclosure deadlines

Purpose-built climate risk platforms, like Socialsuite, address these challenges by automating the physical and transition risk assessment process, integrating established climate datasets and scenario frameworks, mapping risk to specific asset locations, modelling financial impacts, and generating disclosure-ready outputs — all within a consistent, auditable methodology that can be updated as conditions change.

For organisations subject to mandatory disclosure obligations, building this capability into a repeatable technology-supported workflow is increasingly the difference between a disclosure program that scales and one that becomes an annual crisis.

Summary: The Climate Risk Assessment Process at a Glance

The Bottom Line

A credible climate risk assessment is not a document, it is a process. One that, when done well, produces insights that are genuinely useful for business strategy, not just for compliance. The organisations that build that process properly will find that each subsequent disclosure cycle gets easier, more efficient, and more defensible.

The first step is often the hardest. But given the direction of mandatory disclosure requirements globally, the cost of not starting significantly exceeds the cost of starting now.

Socialsuite's Climate Risk Assessment and Scenario Analysis module automates the end-to-end climate risk assessment process — from physical hazard mapping and transition risk analysis through to multi-scenario modelling and disclosure-ready reporting. Built for ASRS S2, IFRS S2, TCFD, CSRD ESRS E1, and California SB261. Learn more at socialsuitehq.com.

Dr. Tim Siegenbeek van Heukelom
Chief Impact Officer
Article Contents
See all Articles

Recent articles

Ready to maximize your organization’s impact?

Whether it’s a public company, a private company, or a charity, Socialsuite has the right solution for you.