Climate Change Risk Assessment for ISO Management Systems

Climate Risk in Brief

  • Physical risks - flood, heat, drought, storm
  • Transition risks - policy, technology, market, reputation
  • TCFD-aligned reporting for larger businesses in the UK

Climate change risk management

In February 2024, the International Organization for Standardization issued amendments to all major management system standards to make climate change considerations explicit. The amendments add wording to Clause 4.1 (Understanding the organisation and its context) and Clause 4.2 (Understanding the needs and expectations of interested parties) requiring organisations to determine whether climate change is a relevant issue and to consider relevant interested parties' climate-related requirements.

The amendments apply to ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22301, ISO 37001, ISO 22458, ISO 42001 and most other management system standards published under the harmonised structure. They are short additions but they have practical consequences: external auditors are now expected to check that climate change has been considered, and organisations need a documented record of that consideration.

This article covers what the amendments require, how to identify and assess climate-related risks and opportunities, and how the work fits into the wider risk management approach.

What the 2024 amendments require

The amendments are deliberately concise. The new wording in Clause 4.1 requires the organisation to determine whether climate change is a relevant issue when establishing its context. The new wording in Clause 4.2 notes that relevant interested parties may have requirements related to climate change.

What this means in practice:

  • The organisation has to actively consider climate change, not assume it is irrelevant
  • The conclusion can be that climate change is or is not a relevant issue, but the consideration must be documented
  • Where climate change is relevant, climate-related risks and opportunities flow into the strategic register the same way other context issues do
  • Interested parties who have climate-related expectations - customers, regulators, investors, communities - are part of the interested parties review

The amendments do not require the organisation to set climate targets, calculate a carbon footprint, or implement any particular response. They require the organisation to think through whether and how climate change matters to it, and to manage what comes out of that thinking the same way other risks and opportunities are managed.

For most organisations, climate change is a relevant issue. The exceptions are usually small organisations with limited operations and minimal external exposure, and even these tend to find that one or two climate-related considerations apply once they look properly.

Categories of climate-related risk

Climate-related risks fall into two broad categories that have become standard in financial and corporate disclosure frameworks and apply equally to ISO management systems.

Physical risks arise directly from changes in climate. They include:

  • Extreme weather events - storms, floods, heatwaves, drought - affecting operations, supply chains and people
  • Rising temperatures affecting worker health, equipment performance and product viability
  • Rising sea levels affecting coastal premises, infrastructure and supply routes
  • Changes in water availability affecting operations, manufacturing processes and communities
  • Changes in resource availability where raw materials are climate-sensitive

Physical risks split between acute (specific events like a storm or flood) and chronic (gradual changes like temperature rise or shifting rainfall patterns). Both matter and both should be considered.

Transition risks arise from the response to climate change rather than from climate change itself. They include:

  • Regulatory changes - new emissions limits, carbon pricing, mandatory disclosure, environmental taxes
  • Market shifts - changing customer preferences, declining demand for high-emission products, changing investor priorities
  • Technology changes - obsolescence of high-emission technology, pressure to adopt new methods
  • Reputational impact - consumer activism, media scrutiny, scrutiny from staff, partners and investors
  • Litigation - climate-related legal claims, including under directors' duties and disclosure obligations

Transition risks affect different sectors differently. A logistics business faces fuel pricing, vehicle emission rules and customer preference for low-carbon delivery. A financial services firm faces disclosure obligations and changing investment criteria. A construction business faces materials sourcing, embodied carbon expectations and energy efficiency standards. The risks are real for almost every sector but the specific shape varies.

Climate-related opportunities

The same amendments require consideration of opportunities, not just risks. Climate change creates opportunities in three main areas:

New markets and offerings. Demand for low-carbon products, energy-efficient services, sustainable materials, climate-resilient infrastructure and decarbonisation services has grown across most sectors. Organisations that can credibly meet that demand find new customer segments, new contracts and new revenue streams.

Operational savings. Energy efficiency, waste reduction, water conservation and supply chain rationalisation usually save money as well as reducing climate impact. The investments often pay back inside a few years and the residual benefit is permanent. This is one of the easiest opportunity types to identify and act on.

Reputational and recruitment advantage. Customers, staff, partners and investors increasingly favour organisations that take climate action seriously. Credible action - not greenwashing - opens doors that closed organisations cannot reach. Recruitment advantage in particular has become significant in many sectors as younger workers prioritise climate-aware employers.

The opportunity side is particularly important because climate-related risks often have no single solution and acceptance is sometimes the only practical answer. Capturing opportunities provides a positive narrative for the organisation's climate work that pure risk treatment does not.

Identifying climate-related risks and opportunities

The work follows the same approach as other risk identification, with sources adjusted for climate.

Operational review. Walk through the organisation's main activities and ask where climate change could affect each. Premises and infrastructure exposure to extreme weather and flooding. Supply chain exposure to climate-affected suppliers and routes. Workforce exposure to heat, cold and disrupted travel. Equipment exposure to changing operating conditions. Customer base exposure where customers are climate-sensitive.

Interested party review. Customers' climate expectations, including disclosure or carbon reporting requirements being passed down through supply chains. Regulator expectations, including pending legislation that may apply. Investor expectations where investors require climate disclosure. Community expectations where the organisation has visible local impact. Staff expectations regarding employer climate stance.

Regulatory horizon scan. Climate-related regulation is changing fast in most jurisdictions. UK requirements include the climate-related financial disclosures rules for large companies, the gradual extension of mandatory carbon reporting, energy and emissions reporting requirements, and the Streamlined Energy and Carbon Reporting framework. Organisations operating internationally face additional requirements - the EU Corporate Sustainability Reporting Directive, US SEC climate disclosure rules, and similar frameworks elsewhere.

External information. Trade associations, industry forums, government guidance and customer requests usually surface emerging climate concerns specific to a sector. Following these sources at least annually keeps the organisation informed without requiring it to track everything in detail.

For most organisations the result is a manageable number of climate-related entries on the strategic risks register - perhaps five to ten significant items - alongside a handful of opportunities. Organisations in particularly exposed sectors (energy, agriculture, transport, real estate) typically have more.

Assessing and treating climate risks

Climate-related risks and opportunities are assessed using the same methodology as other entries on the strategic register. Likelihood and consequence ratings apply, with two adjustments to bear in mind.

The first is timeframe. Climate-related risks often play out over longer timescales than other business risks - some over decades. The likelihood scale should accommodate this. A risk that might materialise within five to ten years is "Likely" in climate terms even if that feels distant compared to other entries.

The second is uncertainty. Climate science gives reliable directional information (temperatures are rising, weather is becoming more extreme, sea levels are rising) but specific consequences for a specific organisation involve uncertainty. The right response is to score on best available evidence, document the assumptions, and revisit as evidence develops.

Treatment uses the same options - avoid, reduce, transfer, accept. For physical risks, reduction (resilience measures, contingency planning, business continuity) and acceptance (with monitoring) are the most common responses. For transition risks, reduction (compliance preparation, decarbonisation work) and avoidance (exiting high-risk activities) are common. Transfer through insurance is increasingly difficult for some climate-related exposures as insurers withdraw cover.

Documenting the climate change consideration

The minimum documentation that satisfies the 2024 amendments is a record showing that climate change has been considered as part of context, with the conclusion stated. For organisations where climate change is relevant, that record is a structured climate change review covering the categories above and feeding into the strategic register.

The review does not need to be lengthy or technical. Most organisations can complete it as a structured document of one or two pages covering physical risks, transition risks, opportunities, and the actions or controls in place. The detail belongs on the strategic register and the issues and actions register; the climate review is the input that feeds them.

The review should be revisited at least annually as part of the management review and updated whenever significant climate-related developments occur - new legislation, a major weather event affecting the organisation, or a change in customer climate requirements.

Since the 2024 amendments came in I have been asked at every external audit to show evidence that climate change has been considered. The evidence of real consideration is specifics. A statement that climate change is relevant because the organisation operates in the UK is not consideration. A statement that the company has two coastal premises identified as flood risk under the 2050 projections, and that the strategic register has entries for both with controls in place, is consideration.

The amendments caught some clients off guard because they treat climate change as something separate from their management system - environmental side only, or something the sustainability team handles. The point of the amendments is that climate change is part of context, not a separate domain. It affects quality risk, operational risk, supply chain risk, people risk, information security risk - all of it.

The clients who handle this well are the ones who run a single climate review and let its outputs flow into whichever registers they apply to. Those who run separate reviews for each standard end up duplicating work and missing the cross-cutting issues.

Climate change is happening. The standards now require you to think about it. You do not need to become climate experts. You need to look honestly at how climate change could affect your business and what opportunities it creates, write it down, and act on what matters.

Practical Compliance Guidance

IMS1 Section 1.6 covers risk-based thinking, including climate change as part of context. The dedicated climate change review is a structured input feeding both the strategic register and the environmental aspects register.

The alphaZ documents below cover the climate change consideration end-to-end - the dedicated review, the registers where outputs land, and the management review where effectiveness is evaluated.

alphaZ document | How to use it
ISO 9001/14001/45001 IMS Toolkit | Integrated toolkit including IMS1, F-IMS38, F-IMS23 and F-IMS60 - covering climate review, strategic risks and environmental aspects across the three standards.
ISO 9001 Management System Toolkit | Quality-only toolkit including F-IMS38 and F-IMS23. Suitable where ISO 9001 is the only standard in scope and climate change needs to be addressed for context.
F-IMS38 Climate Change Review | Structured review covering nine climate change impact areas - extreme weather, temperature, sea levels, water, materials, energy, emissions, regulations, demand. Output feeds the strategic register.
F-IMS23 Opportunities and Risks Register | The strategic register where climate-related risks and opportunities flowing from the climate review are recorded with rating, controls and residual position.
F-IMS60 Environmental Aspects and Impacts Register | Environmental aspects register where the organisation's emissions and other climate-relevant aspects are assessed for significance.
F-IMS22 Interested Parties Register | Records interested parties' needs and expectations, including climate-related requirements - a defined input under the 2024 amendments to Clause 4.2.
ER1 Issues and Actions Register | Tracks treatment actions arising from climate risks and opportunity capture work through to closure.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No. The amendments require consideration of climate change as part of context and identification of climate-related risks and opportunities. They do not require carbon footprint calculation, net-zero commitments, science-based targets or any other specific climate action. Where the organisation chooses to set targets they sit outside the amendment requirement; where it does not, the consideration alone meets the standard.
Possibly, but the conclusion needs to be defensible at audit. Most organisations find that some climate-related issue is relevant once they look properly - extreme weather affecting premises or supply, energy costs, employee expectations, customer questionnaires asking about emissions. A blanket "not relevant" conclusion is rare. Where the organisation does conclude not relevant, the reasoning should be documented in the context review.
Environmental aspects under ISO 14001 cover all environmental impacts including but not limited to climate change - water use, waste, biodiversity, pollution. Climate change is a specific aspect that has its own risks and opportunities at the strategic level under all standards. The two work together: the environmental aspects register records the operational climate-relevant aspects (emissions, energy use), while the strategic register records the broader business risks and opportunities (regulation, market shift, physical exposure).
Annually as part of the management review is the practical minimum. Triggered updates are appropriate when significant climate-related events occur - new legislation, a major weather event affecting the organisation, a change in customer climate requirements, or a change in business activities affecting exposure. Climate-related risk changes faster than some other context issues, so the cycle benefits from being live rather than annual-only.
Yes. The amendments apply to all the management system standards published under the harmonised structure including ISO 27001, ISO 22301, ISO 37001 and others. Climate change can affect information security (data centre cooling, power supply resilience), business continuity (climate-related disruption), bribery risk (climate-related fraud opportunities) and so on. The relevance differs by standard but the requirement to consider it is the same.

UK Legislation relevant to climate change risk

UK climate-related legal duties are significant and increasing. The Climate Change Act 2008 sets the legal framework for net-zero by 2050 and shapes secondary legislation. Climate-related financial disclosure rules apply to large UK companies and to UK-regulated financial firms. Energy and carbon reporting under SECR applies to qualifying companies. Industry-specific climate regulation applies in energy, transport, construction and agriculture. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
