7-Step Framework for Climate Risk Assessment Under AASB S2

Afonso Firmo
Afonso Firmo Co-Founder & Director
| | 12 min read
Seven-step framework for climate risk and opportunity assessment under AASB S2
Written for sustainability leads, risk officers, and company secretaries running their first organisation-level climate risk assessment.
April 2026 · NetNada

For most of our clients, climate risk landed on their agenda sometime in the last 12 months in a way it hadn’t before.

Maybe it was the auditors. Maybe it was a CFO who attended a conference and came back with questions they weren’t quite ready to answer. Maybe it was the realisation that their biggest client — already in the first wave of mandatory reporting — is about to start asking for their data.

Whatever the trigger, the question is always the same: how do we actually do this?

The Australian Government’s Climate Risk and Opportunity Management Program lays out a structured, seven-step process for conducting an organisation-level climate risk assessment. It’s the same framework that feeds directly into the Governance, Strategy, and Risk Management pillars of AASB S2 Climate-related Disclosures.

This guide walks you through each step in practical terms — what it requires, where organisations get stuck, and how to make the output genuinely useful rather than a compliance exercise that gathers dust.

First: understand what you’re actually looking for

Before you build a risk register, you need to be clear on the categories of climate risk you’re assessing. Both physical and transition risks must appear in your AASB S2 disclosure, and skipping either one will create gaps your assurance provider will flag.

Physical risk Acute events (bushfires, floods, cyclones) and chronic shifts (sea level rise, declining rainfall, rising temperatures).
Transition risk Policy and legal, market, technology, and reputation risks from the shift to a low-carbon economy.

Physical risks

These are what most people picture first — the extreme weather events and slower environmental shifts that directly affect operations, assets, and supply chains.

Acute physical risks include bushfires, floods, heatwaves, cyclones, and storms. These are event-driven and increasingly frequent.

Chronic physical risks are the gradual shifts: rising sea levels, declining rainfall patterns, increasing average temperatures, and changing agricultural conditions.

Australia’s National Climate Risk Assessment identified 56 nationally significant risks across eight systems. These are not hypothetical projections — they are already affecting operations, supply chains, and asset values across the country. If you haven’t reviewed this document, it should be your starting point for understanding the physical risk landscape.

Transition risks

These are less obvious but often more immediately material, particularly for organisations that don’t have major physical assets exposed to weather events.

Transition risks come from the shift to a low-carbon economy:

  • Policy and legal risks — new carbon pricing mechanisms, tightening emissions standards, litigation for climate inaction or greenwashing
  • Market risks — shifting consumer preferences, changing cost structures for carbon-intensive inputs, new competitor offerings
  • Technology risks — disruptive low-carbon technologies making existing assets or processes obsolete
  • Reputation risks — stakeholder expectations outpacing your organisation’s climate response

If you’re not thinking about your transition risk exposure, your lenders and your Tier 1 clients almost certainly are. The AASB S2 standard requires you to consider both physical and transition risks — and to explain which time horizons (short, medium, and long term) each risk is relevant to.

The part most organisations skip: opportunities. AASB S2 explicitly requires disclosure of climate-related opportunities alongside risks. Organisations that treat the assessment as purely defensive miss this entirely and produce a report that reads as though climate change is exclusively a threat, which isn't credible and doesn't serve your strategic planning. Resource efficiency gains, new products, new markets, and enhanced resilience are all within scope.

The 7 steps in practice

1. Scope — Define what is being assessed, why, and by whom.

2. Context — Identify past climate impacts and develop future scenarios.

3. Identify — Build a comprehensive list of risks and opportunities.

4. Prioritise — Narrow to the most material items using your enterprise risk methodology.

5. Act — Plan and resource the response.

6. Monitor — Review, evaluate, and communicate on an ongoing basis.

7. Disclose — Translate the work into your AASB S2 report.

Step 1 — Scope the assessment

Decide what is being assessed, why, and by whom. This is the governance foundation for everything that follows.

What to define:

  • The organisational boundaries of the assessment — are you assessing the whole group, specific business units, or specific asset classes?
  • The executive sponsor who has accountability for the process and its outcomes
  • Which committees need visibility — the board, the audit and risk committee, an ESG or sustainability committee
  • Your “values at risk” — the strategic objectives, operations, assets, and stakeholder relationships that could be affected by a changing climate

Where organisations get stuck: They scope too broadly ("assess everything") or too narrowly ("just look at our offices"). The right scope aligns with your AASB S2 reporting boundary — typically the same entities captured in your consolidated financial statements. If in doubt, match your financial reporting boundary.

The practical output: A one-page scoping document that names the sponsor, the assessment boundary, the governance arrangements, and the values at risk. This document becomes part of your audit evidence.

Step 2 — Establish your context

Identify past climate impacts relevant to your organisation and develop an understanding of how the climate may change in the future.

What this requires:

  • A review of historical climate events that have affected your operations, supply chain, or markets — including near-misses that didn’t cause material damage but easily could have
  • Climate projections under at least two emissions scenarios and two time horizons

For AASB S2 compliance, you need a minimum of two scenarios: a lower-warming scenario aligned with 1.5°C (representing rapid decarbonisation), and a higher-warming scenario. The legislation references the scenarios set out in the Climate Change Act. For time horizons, 2030 and 2050 are the standard benchmarks, but your organisation may define short, medium, and long term differently — just be explicit about your definitions and consistent throughout your report.

Key resources for Australian context:

  • The Bureau of Meteorology’s State of the Climate reports
  • CSIRO’s climate projections for Australia
  • The National Climate Risk Assessment
  • State-based climate adaptation strategies (relevant if you have geographically concentrated operations)

Where organisations get stuck: They try to do original climate modelling. You don't need to. Use published, peer-reviewed projections from the sources above. Your job is to interpret those projections for your specific operations and geography — not to produce new climate science.

The practical output: A context paper (5–10 pages) summarising the climate data relevant to your organisation, the scenarios you’ve selected, and the time horizons you’re using. This feeds directly into your Strategy disclosure under AASB S2.

Step 3 — Identify your risks and opportunities

Develop a comprehensive list of how climate change could affect your organisation and the resulting consequences.

How to approach this: Cast wide before you narrow. The goal at this stage is completeness, not prioritisation. You want a long list that captures everything plausible — you’ll filter in Step 4.

Structure each risk or opportunity as a statement with four components:

Component Example
1. Climate driver Increasing frequency of extreme heat days
2. Exposure Outdoor workforce in Queensland
3. Impact Reduced productivity, increased health and safety incidents
4. Financial consequence Increased labour costs, project delays, higher insurance premiums

That fourth component — the financial consequence — is what separates an AASB S2-grade risk assessment from a generic ESG exercise. The standard requires you to connect climate risks to financial outcomes. If you can’t articulate the financial consequence, the risk statement isn’t complete.

Where organisations get stuck: They identify risks at too high a level ("climate change will affect our business") or too granular a level ("the car park at our Brisbane office might flood"). Aim for the level at which your enterprise risk framework operates — risks that are meaningful enough to manage but specific enough to act on.

The practical output: A preliminary risk and opportunity register with 20–40 items, each structured as a four-part statement. Don’t worry about scoring or prioritising yet.

Step 4 — Prioritise your risks and opportunities

Narrow the focus to the most important: risks requiring additional treatment and opportunities requiring proactive investment.

The critical principle: This step must align with your existing enterprise risk management framework. Use the same likelihood ratings, the same consequence ratings, the same risk matrix. If climate risk lives in a separate document with a separate methodology, it won’t survive board scrutiny — and it shouldn’t.

The whole point of AASB S2 is to integrate climate-related risks into mainstream financial reporting. A separate climate risk register with its own bespoke methodology undermines that objective and creates additional work when you need to reconcile it with your enterprise risk framework later.

How to handle “long-term” risks: Your enterprise risk framework probably operates on a 1–5 year horizon. Climate risks often manifest over 10–30 years. This creates a genuine methodological tension. The most common solution is to assess likelihood over the relevant time horizon for each risk, then map the consequence rating to a financial impact that’s meaningful today (e.g., a 2050 flood risk might translate to a near-term asset impairment or insurance cost increase).

The practical output: A prioritised register with your top 10–15 risks and top 5–10 opportunities, scored using your enterprise risk methodology and with clear financial consequence estimates.

Step 5 — Plan and take action

Identify options to manage your priority risks and seize your priority opportunities. Decide which options to pursue and build implementation plans.

What each action plan needs:

  • A named owner (not “the sustainability team” — a specific person)
  • A timeline with milestones
  • Metrics for measuring progress
  • Monitoring arrangements — how will you know if the action is working?

This is the evidence folder your auditors want to see. AASB S2 requires disclosure of how you manage climate-related risks. Vague statements like “we are monitoring climate developments” won’t satisfy an assurance provider. They want to see documented decisions, named owners, and measurable actions.

Where organisations get stuck: They produce beautiful action plans that never get implemented because there's no budget attached. Every action item should have at least an order-of-magnitude cost estimate and a funding source. If you can't fund it, either descope it or escalate it to the board as an unfunded risk.

Step 6 — Monitor, evaluate, and communicate

Develop processes to regularly review your priority risks and opportunities and ensure senior stakeholders are aware of how they’re being managed.

In practice, this means:

  • Quarterly reviews of your prioritised risk register (ideally aligned with your ESG or sustainability committee meetings)
  • Annual reassessment of the full risk and opportunity landscape
  • Board reporting that includes climate risk alongside other strategic risks
  • Clear escalation paths for emerging risks that weren’t captured in the original assessment

This is what your board needs to demonstrate it is doing. Under AASB S2, you must disclose your governance arrangements for climate-related risks — including how the board exercises oversight and how management monitors and manages. If you can’t point to documented monitoring activities, your governance disclosure will be thin.

ASIC’s Regulatory Guide 280 reinforces this: directors are expected to establish systems that identify, assess, and monitor material climate-related financial risks, and to set controls and procedures for overseeing and preparing the sustainability report. The emphasis is on ongoing oversight, not a once-a-year exercise.

Step 7 — Disclose

Steps 1–6 feed directly into your AASB S2 report.

Steps AASB S2 pillar
1–2 (Scope, Context) Strategy
3–4 (Identify, Prioritise) Risk Management
5–6 (Act, Monitor) Risk Management + Governance
4 (Financial consequences) Metrics and Targets

The difference between organisations that did the process properly and those that didn’t becomes very visible at this stage. A report built on genuine assessment work reads differently from one assembled from generic templates. Assurance providers can tell the difference — and increasingly, so can investors.

Getting your first draft moving

Reporting doesn't have to be a mystery — and it definitely shouldn't require a 100-slide deck to explain. It's about clear governance, honest risk assessment, and solid data.

If you’re starting this process, there are several resources that can accelerate your progress:

  • A database of published AASB S2 reports — see how your peers are actually formatting their disclosures and what level of detail they’re providing
  • A climate reporting readiness scorecard — an honest look at where your data gaps actually sit
  • A governance disclosure checklist — exactly what needs to be in your evidence folder for the assurance provider
  • A draft metrics and targets table — a starting template so you’re not staring at a blank spreadsheet
  • A climate statement outline — the skeleton structure for your first mandatory report

The goal isn’t perfection in year one. It’s building a credible foundation that demonstrates genuine engagement with climate risk — and that you can improve on year after year.

If you’re working through your climate risk assessment and want to see how NetNada structures this process for Australian companies, book a walkthrough. We also run a 5-part Climate Reporting Series that walks through each section of an AASB S2 report in detail — register here.

Manage Climate Risk

Identify, assess, and report on climate-related risks and opportunities aligned with TCFD recommendations.

Book Demo Learn More