Disclosure LibraryPractitioner guidance for every reporting disclosure
Home Disclosure Library IFRS / ISSB IFRS-S1 s1-43
IFRS-S1: IFRS S1 - General Requirements for Disclosure of Sustainability-related Financial Information · 2024
Paragraph 43

Risk management disclosure objective

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official IFRS source.

Dr Ross Kurinko, Sustainability Reporting Trainer
Reviewed by Dr Ross Kurinko · Sustainability Reporting Trainer LRA educational guidance · Not issued or endorsed by IFRS
To prepare this disclosure
Disclosure focus

This disclosure asks an organisation to explain how it identifies, assesses and manages sustainability-related risks in practice. The focus is on the organisation’s actual risk management approach: what processes it uses, who is involved, how often risks are reviewed, and how sustainability-related risks are considered alongside other business risks.

In practical terms, the report should show whether this approach applies across the whole organisation or only to selected parts such as major sites, business units or flagship operations. Readers should be able to see the breadth of coverage, the level of integration into existing risk processes, and any important gaps or limitations in how risks are managed.

This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official IFRS source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation

Key datapoints to prepare

Datapoint What to capture Evidence hint Owner
Overall risk view A plain explanation of how the reported information lets a reader understand the organisation’s overall risk picture, including the main risk themes and how they fit together. Risk register, board or committee papers, and the published narrative that links the datapoint to the wider risk picture. Risk management
Risk management link A description of how this disclosure sits within the organisation’s wider risk management process, including where it is used, reviewed, and updated. ERM policy, risk governance documents, and meeting papers showing the disclosure is embedded in the normal risk process. Risk management
Method clarity A clear account of the steps, judgments, and assumptions used to produce the disclosure so a reader can see how the result was reached. Method note, calculation workbook, internal controls documentation, and review sign-off showing the process used. Reporting / Controls
+ Show s1-43 sub-elements (LRA working checklist)

How to prepare it

1Set the reporting boundary first. Decide which risks, controls and business areas are in scope so the disclosure covers the full risk picture users need to understand.
2Agree what counts as the relevant risk process. Map how your risk management sits alongside the wider enterprise risk framework, and make sure the description reflects that link clearly.
3Gather support for each point you plan to report. Pull together the papers, logs, approvals, meeting records or other records that show how the process works in practice.
4Prepare the final wording or figures from the evidence. Present the information in a way that lets a reader see the overall risk profile, the connection to the risk framework, and how the process operates.
5Record any exclusions, assumptions or changes in method. Explain what was left out, what changed from the prior period, and why the approach used this period is the right one.
6Check the draft against the official source before sign-off. Confirm the disclosure still matches the source requirement, the evidence supports it, and nothing important has been missed or overstated.
Request the data

Request the risk process evidence from ERM

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

How do we show that our risk process lets readers understand the group’s overall risk picture, how it links into the wider risk framework, and how the process itself works in practice?

Use your organisation’s own risk language first, then map it to the reporting request. For example, if you talk about risk registers, control reviews, issue logs, or board risk packs internally, use those terms in the request and only translate them later for reporting. Keep the ask practical and evidence-led; check the source disclosure before sign-off.

Weak request

Please provide the disclosure wording for risk management and confirm compliance with the objective.

Why it fails: This is too close to reporting language and does not tell the owner what evidence to pull. It asks for a statement rather than the underlying material, so it is harder to verify, harder to trace to source documents, and more likely to produce a generic narrative instead of usable evidence.

Better request

Please send the current risk register summary, board or committee risk paper, and any process note that shows how risks are reviewed, rolled up, and escalated for [period] and [scope]. Include the source file, owner, date, and any recent changes. I’ll translate your internal terms into the reporting draft after review.

Formal email template
Subject: Request for risk process evidence for [reporting period]

Hi [name],

I’m pulling together the reporting pack for [reporting period] and need your help with the risk process material for [business area / scope].

Please could you send over the current evidence that shows:
- how the main risk picture is presented so a reader can understand the overall exposure;
- how this sits within the wider risk framework and reporting route; and
- how the process works in practice, including any recent changes.

Please include the relevant source files or links, the period covered, the owner, and any committee or management papers that support the description.

If it helps, you can use your team’s own terms first and I’ll map them for the reporting draft. Please send by [date].

Thanks,
[preparer name]
Short Teams / Slack version
Hi [name] — could you share the latest risk pack / register / process note for [period] for [scope]? I need evidence on the overall risk picture, how it links into the wider risk setup, and how the process runs in practice. Please include the source file, date, owner, and any linked committee papers. Use your usual internal terms — I’ll map them for the report. Thanks.
Industry examples
Manufacturing

Context. A plant-led group uses operational risk reviews, incident logs, and monthly management packs rather than a formal ERM dashboard.

Adapted request. Please share the latest operational risk review pack for [period] covering [site / division]. I need the material that shows how the main risks are grouped, how they feed into the wider company risk process, and how the review cycle works. Include the pack, any escalation notes, and the owner.

Example response. Attached: monthly operations risk pack, site risk log extract, and the latest escalation memo. The pack shows the top risk themes, the review cadence, and the route into the group risk committee. Owner: Operations Director. Period covered: Apr–Jun 2026.

Financial services

Context. A regulated business uses a formal risk taxonomy, committee papers, and control monitoring reports.

Adapted request. Please provide the latest risk committee paper, risk taxonomy summary, and process note for [period] covering [entity / scope]. I need evidence showing how the risk view is assembled, how it connects to the wider risk framework, and how the review and escalation process operates.

Example response. Attached: risk committee paper, taxonomy summary, and process flow note. The paper sets out the current risk view by category, the link to the group framework, and the review and escalation steps. Owner: Enterprise Risk team. Period covered: Q2 2026.

Draft your disclosure

Notes that turn data into a disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

Explain the basis used to judge risk exposure, how the organisation defines its risk categories, and how the reporting process links those judgments to wider risk management arrangements.

Context note

Set out what the figures say about the organisation’s overall exposure, how closely risk work is connected to day-to-day management, and how open the process is to readers.

Fluctuation statement

If the numbers move, point to changes in the underlying risk picture, shifts in how risk is built into management routines, or differences in how fully the process is described.

Content index entry
s1-43 Risk management disclosure objective — [location / page] / [notes]
Download Centre

Preparation tools & forms

Professional preparation tools for s1-43 — free with an LRA Community membership. Register once (it's free) and every download unlocks, together with the Disclosure Library, templates and the LRA AI-assistant.

Free · Community members
Assurance readiness

For each claim, check the evidence

ClaimRiskEvidence to check
We prepared the coverage figure from the reporting boundary used in our internal risk papers, and we checked that the same boundary was applied consistently across the disclosed operations.The assurer may test whether the coverage basis is selective, inconsistently applied, or excludes parts of the business that should have been included.Boundary memo, consolidation or scope list, cross-reference to internal risk reporting, mapping of entities/sites included and excluded, and sign-off showing the same basis was used in the published figure.
We linked the disclosed risk process to our wider risk framework, so the reader can see where sustainability-related matters sit within the overall control and oversight set-up.The assurer may probe whether the link to the wider risk framework is real or only described at a high level, and whether the published wording overstates integration.Risk framework diagram, policy or procedure showing where sustainability-related risks are handled, committee terms of reference, workflow or process maps, and evidence of review by the relevant risk owners.
We set out the main steps we follow to spot, rank and track the relevant risks and opportunities, using the same internal process notes that support management review.The assurer may challenge whether the description is complete, whether the steps are presented in the right order, or whether monitoring is actually performed as described.Process narrative, risk register, scoring or prioritisation criteria, monitoring reports, meeting packs, and records showing how updates move through the process.
We used source data from the teams closest to the underlying activities, then reconciled it back to the central reporting pack before publication.The assurer may test whether the data trail is complete, whether source inputs were reliable, and whether any manual adjustments were made without support.Source extracts, data collection templates, reconciliation workings, version history, adjustment logs, and evidence of review by preparers and approvers.
Before release, we carried out a final check to make sure the narrative, figures and scope notes were aligned and that nothing material was left out of the explanation.The assurer may look for gaps between the narrative and the underlying records, omitted qualifiers, or inconsistencies between the published text and the supporting files.Pre-publication review checklist, proofing mark-ups, approval emails, board or committee papers, and a final tie-out between the disclosure, working papers and source evidence.

Evidence pack to prepare

Common reporting gaps

The information is presented without a date or as-at point.The scope or boundary of the statement is left undefined.Key terms are used inconsistently across the report.Material changes since the previous period are not disclosed.Assertions are made without supporting detail or a source record.Boilerplate is used that does not actually answer what is asked.
Common gaps

Mistakes to avoid when collecting the data

Wrong owner
The request goes to the wrong team, so the people who actually run risk reviews never see the data call and the answer comes back incomplete.
Framework language only
The data request is written in reporting jargon instead of the organisation’s own terms, so business teams cannot tell which process or record is being asked for.
No boundary set
The collector never defines which entities, functions, or risk activities are in scope, so different teams send data from different populations.
+ Show 5 more

Where judgement is often needed

Acquisition or disposal during the reporting period
Decide whether to describe the risk picture using the business mix at period end or the mix that existed for most of the year, and explain any change in scope so readers can still follow the overall exposure.
Different local risk labels for the same issue
Where country teams use different names or categories for similar risks, map them to one group in a way that lets readers compare the whole portfolio, and say how the mapping was done.
Borderline items near the reporting perimeter
For risks that sit just inside or just outside the chosen scope, set out the rule used to include or exclude them and note any material borderline cases that were left out.
+ Show 5 more
Examples

Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Illustrative (synthetic) example — Manufacturing

We explain how our risk view is built so readers can judge the main exposures facing the group, and we show how that view is linked into our wider risk process rather than sitting apart from it. - Our quarterly risk review covers 18 principal risk areas; 5 are rated high, 9 medium and 4 low, giving a simple picture of where pressure is concentrated. - The same risk map feeds the enterprise risk register, with 18 of 18 principal risks assigned an owner, control actions and review dates. - We describe the steps used to prepare the assessment: business-unit inputs, central challenge by risk specialists, and final sign-off by the executive risk forum.

This synthetic example shows a plain-language narrative that helps a reader understand the overall risk picture, how it connects to the wider risk system, and the steps used to produce it.

Illustrative (synthetic) example — Retail

We set out the main threats and uncertainties in a way that lets users see the group’s overall exposure, and we explain how those matters are folded into our company-wide risk process. - Our latest review identifies 12 key risk themes; 3 are judged high, 6 medium and 3 low, so the balance of concern is visible at a glance. - All 12 themes are carried into the central risk log, and 12 of 12 have an assigned control owner and a scheduled review point. - We outline the method used to reach the view: store and online teams submit evidence, risk leads test it, and the board risk committee receives the final summary for challenge.

This synthetic example uses a different sector and wording, but still shows the overall exposure picture, the link to the wider risk process, and enough process detail for a reader to follow how the disclosure was prepared.

Company reportsReal published reports
Compare side by side →Get it free

How companies report s1-43

Real reports where this topic is disclosed. These are report practice, not exact disclosure templates to copy.

SITC International Holdings Company Limited
Water Transportation · Hong Kong · 2025
Open report →
SITC International Holdings Company Limited’s 2025 Environmental, Social and Governance Report provides evidence that users can assess the entity’s overall risk profile and its overall risk management process (p.190). The report also includes information on the processes, controls, and procedures used to monitor, manage, and oversee climate-related risks and opportunities, indicating process transparency (p.192). However, the integration of climate-related risks and opportunities with the enterprise risk management system is mentioned in related context but not clearly disclosed (p.190).
Enel Chile S.A.
Electric Utilities / IPP / Energy Traders · Chile · 2025
Open report →
Enel Chile’s 2025 Integrated Annual Report provides some context on risk management, noting efforts to assess the suitability of the Internal Control and Risk Management System (ICMS) (p.168) and enabling senior management to have an integrated view of main risk exposures at a global level (p.139). The report also references ongoing processes to maintain effective internal control and execute risk control procedures daily (p.142). However, it is unclear how transparent these processes are (p.122), and there is no clear disclosure on integration with enterprise risk management overall.
✓ LRA AI Assistant · Human-in-the-loop
Dr Ross Kurinko
Ask Study Studio AI assistant about this disclosure
Get practical answers for your reporting context. Your first two answers are free — join LRA Community for free to continue without a limit.
TryHow do I prepare s1-43?What data do I need to collect?Where can I see a real-report example?What mistakes should I avoid?
2 free answers
Check your understanding

Scenarios to work through

A preparer is drafting the climate and wider sustainability risk section. The draft explains that the risk team scores issues, but it does not yet show how those scores help a reader understand the organisation’s overall exposure.

QShould the write-up make clear how the process helps users judge the organisation’s overall risk picture, rather than only listing the steps used?
Reveal model answer →

The risk register is maintained by the central risk function, while sustainability risks are also discussed in the same forum as other business risks. The draft mentions the sustainability team separately, but it does not say how this sits within the wider risk framework.

QShould the narrative show how sustainability-related risk work fits into the organisation’s broader risk management set-up?
Reveal model answer →

A company has a detailed internal workflow for identifying and reviewing risks, but the draft only says that risks are “managed through established controls.” It does not explain the main stages, who is involved, or how the process operates in practice.

QShould the disclosure give enough detail for a reader to understand how the process works, rather than leaving it at a high-level label?
Reveal model answer →

The draft says the board receives a quarterly risk summary, but it does not explain whether the same risk process is used for financial and sustainability matters, or whether the sustainability risks are handled separately. The preparer is unsure how much to say without overloading the note.

QShould the disclosure explain the relationship between sustainability risk handling and the organisation’s existing enterprise risk arrangements?
Reveal model answer →
Framework references

Related framework references

How this disclosure maps across the major reporting frameworks.

IFRS / ISSB
s1-43
within IFRS-S1: IFRS S1 - General Requirements for Disclosure of Sustainability-related Financial Information
Open official source →
Primary
Related & explore
FAQ

Questions this page answers

For s1-43, what should I actually gather before I start drafting the disclosure?+
How do I use the step-by-step 'how to prepare' section for s1-43 in practice?+
What does 'overall risk view' mean for the s1-43 workbook, and who should own it?+
What evidence do I need to keep for s1-43 so the disclosure is assurance-ready?+
What are the five assurance claims I need to check for s1-43?+
What are the common reporting gaps or mistakes on s1-43 that I should avoid?+
How can I turn the s1-43 page into a first draft quickly?+
How do I use the synthetic example disclosure on s1-43 without copying it into my report?+
Where do I find the workbook and printable card for s1-43, and what are they for?+
Can I reuse the same data for s1-43 and ESRS 2 General Disclosures?+
More questions this page can help with