Building a Climate Risk Register for AASB S2: The Practical Guide for Australian Reporters
Most Australian companies preparing for AASB S2 confuse a materiality assessment with a climate risk register. They are not the same artefact, and the auditor will ask for both. Here's how to build a register that survives ASSA 5010 assurance.
A climate risk register is the operational artefact that sits underneath every defensible AASB S2 disclosure. It is not the materiality assessment. It is not the scenario analysis output. It is the working document that catalogues identified climate-related risks and opportunities, assesses their potential financial impact, assigns ownership, and tracks the management response. Without one, the strategy and risk-management disclosures under AASB S2 paragraphs 25 to 33 cannot be evidenced.
Most Australian groups preparing for first-time disclosure under ASRS Group 2 or ASRS Group 3 have a materiality assessment from a sustainability consultant. Many do not have a register that an auditor can walk through line by line. That gap is where assurance findings cluster.
What AASB S2 actually requires
The standard, AASB S2 Climate-related Disclosures, sets out four pillars: governance, strategy, risk management, and metrics and targets. The risk register sits primarily under risk management (paragraphs 25 and 26) and feeds into the strategy disclosures (paragraphs 28 to 31).
Paragraph 25 requires entities to disclose the processes used to identify, assess, prioritise, and monitor climate-related risks and opportunities. Paragraph 26 requires entities to disclose the extent to which those processes are integrated into and inform the entity's overall risk management process.
The auditor under ASSA 5010 will ask three things on this section:
- Show me the inventory of identified climate-related risks and opportunities
- Show me the assessment methodology applied to each
- Show me how this feeds into the existing enterprise risk management framework
A materiality assessment alone cannot answer those questions. A risk register can.
The five components every register needs
A defensible climate risk register has the same structural elements regardless of company size or sector. The detail varies; the structure does not.
1. Risk and opportunity inventory
A row per identified climate-related risk or opportunity, with a unique identifier, a clear name, and a category. The standard categories from the TCFD-derived taxonomy that AASB S2 inherits:
Physical risks:
- Acute (extreme weather events: cyclone, flood, bushfire, heatwave)
- Chronic (long-term shifts: rising temperatures, sea level rise, water stress)
Transition risks:
- Policy and legal (carbon pricing, regulatory reporting, litigation)
- Technology (substitution, stranded assets)
- Market (changing customer preferences, raw material costs)
- Reputational (stakeholder perception, financing access)
Opportunities:
- Resource efficiency, energy source, products and services, markets, resilience
Most Australian mid-market groups end up with somewhere between 15 and 40 identified items in the register. Fewer than 15 suggests under-identification. More than 60 usually means insufficient prioritisation has happened.
2. Time horizon classification
Paragraph 10(b) of AASB S2 requires entities to define short, medium, and long-term horizons consistent with their strategic planning and capital allocation timeframes. Each risk in the register should be tagged to the horizon over which it materialises.
A typical Australian split:
| Horizon | Period | Typical risks |
|---|---|---|
| Short-term | 0 to 3 years | Acute physical events, regulatory compliance costs, customer pressure |
| Medium-term | 3 to 10 years | Transition risks, technology substitution, carbon price exposure |
| Long-term | 10+ years | Chronic physical risks, stranded assets, structural market shifts |
The horizons should match how the business actually plans capital. A property fund running 25-year asset hold periods cannot have a long-term horizon of 5 years. A mining operation with 30-year mine life cannot truncate at 10 years.
3. Financial impact assessment
This is the part most registers either skip or treat as a subjective rating exercise. Paragraph 30 of AASB S2 requires disclosure of the current and anticipated financial effects of identified risks and opportunities. The register has to support this.
Two assessment approaches that work:
Quantified estimate. Direct dollar estimate of potential impact under defined conditions, with the source data and assumptions documented. Used where the data exists: insurance premium increases, asset write-downs against published transition scenarios, capital expenditure required for compliance with a known regulation.
Scenario-tagged ranges. Order-of-magnitude impact ranges (e.g., $1m to $10m, $10m to $50m, $50m to $250m) tagged to the climate scenario under which they materialise. Used where direct quantification isn't yet possible.
Both approaches are defensible if the methodology is documented. What isn't defensible is a register where every risk is rated "high" with no underlying analysis. The auditor will ask why, and a colour without a calculation is not a defensible answer.
4. Risk owner and management response
Every risk needs a named owner and a documented management response. The owner is the executive accountable for managing the risk, not the sustainability team. The response is the actual action being taken or planned.
Common pattern that fails assurance: the risk register is owned by the sustainability function and the management responses are sustainability initiatives. The auditor reads this as evidence the climate risks are not integrated into enterprise risk management, and integration is exactly what paragraph 26 requires entities to demonstrate.
The fix: align the climate risk register to the existing enterprise risk register structure. Same risk taxonomy. Same owners. Same response framework. Same review cadence. The climate risk register is a thematic view of the enterprise register, not a parallel system.
5. Review and update cadence
The register has to be a living document. AASB S2 paragraph 25(c) requires entities to disclose how the processes are integrated into the overall risk management process, which implies a regular cadence.
Practical cadence for most Australian reporters:
- Quarterly: Review of new and emerging risks, status updates on management responses
- Annual: Full re-assessment with the executive risk committee, alignment with strategic planning cycle
- Triggered: Material physical events (cyclone hitting an asset, regulatory change, major incident) prompt an immediate update
The cadence should match the existing enterprise risk management cadence. If the broader risk register is reviewed quarterly by the audit and risk committee, the climate register should land in the same forum.
The two failure modes the auditor catches
Two patterns reliably trigger assurance findings under ASSA 5010 limited assurance. Both are avoidable.
Failure mode 1: The consultant report becomes the register
Many Australian groups commissioned a TCFD-aligned risk assessment from a consultant in 2023 or 2024 ahead of the mandatory climate reporting commencement. The deliverable was typically a 40-page PDF with risk descriptions, scenario analysis, and recommended mitigations.
That PDF is not a risk register. It is a point-in-time assessment. The auditor wants to see how the risks identified in that report are being tracked, owned, and managed in the months and years since the report was issued. If the answer is "we filed the consultant report and built our disclosure narrative from it", the assurance finding writes itself.
The fix: extract the consultant-identified risks into a working register with owners, statuses, and review history. Maintain it. The consultant report becomes a reference, not the artefact.
Failure mode 2: The register doesn't reconcile to the disclosure
The risk register identifies 22 climate-related risks. The strategy disclosure narrative discusses 6. The materiality assessment supports 9. The scenario analysis covers 4. The numbers don't tie.
The auditor will ask why. The defensible answer is a documented filtering rule: "the register catalogues all identified risks; the disclosure includes risks meeting the materiality threshold; the scenario analysis covers the subset of material risks where scenario-based modelling adds insight". With that rule documented and applied consistently, the discrepancy is explainable. Without it, the discrepancy looks like cherry-picking.
The climate materiality assessment and the risk register should reconcile cleanly: every disclosed risk traces back to a register entry, every register entry has a documented materiality conclusion, every materiality conclusion follows the same threshold.
A practical template
The simplest defensible structure is a single table with these columns:
| Field | Content |
|---|---|
| Risk ID | Unique identifier (CLM-001, CLM-002, etc.) |
| Category | Physical acute / physical chronic / transition policy / transition technology / transition market / transition reputational / opportunity |
| Risk description | One paragraph, specific to the entity |
| Time horizon | Short / medium / long (per defined periods) |
| Affected assets or operations | Specific business units, sites, or product lines |
| Likelihood | Defined scale (1 to 5) with anchors documented |
| Financial impact range | Dollar range or scenario-tagged range |
| Materiality conclusion | Material / not material / requires further analysis |
| Risk owner | Named executive |
| Management response | Current actions, planned actions, dependencies |
| Status | Open / monitoring / closed |
| Last reviewed | Date |
| Next review | Date |
| Linked enterprise risk | Reference to enterprise register entry where applicable |
This sits in whatever system the company uses for enterprise risk management today: SAP GRC, RSA Archer, ServiceNow, Diligent, or, for many mid-market reporters, a structured table maintained by the company secretary's office. The point is the structure, not the platform.
The integration point with metrics and targets
The risk register feeds the metrics and targets disclosures under AASB S2 paragraphs 33 to 36. For each material risk, the disclosure should be able to answer:
- What metric is the entity using to measure this risk?
- What target has the entity set, if any?
- What is the current performance against that target?
Where a risk doesn't yet have a defined metric, the register should note that gap. The auditor will accept "we are still developing the metric" as a position in the first year, but will expect progress in subsequent years. A register that shows the same metrics as "to be developed" three years running is a signal that risk management has not progressed.
How this connects to NGER data
The emissions data that feeds NGER reports is the foundation for several of the metrics that show up in the risk register. The register might identify "carbon price exposure under the Safeguard Mechanism" as a transition risk. The metric is tonnes of Scope 1 emissions at facilities subject to the Safeguard Mechanism. The data source is the NGER submission. The target is the facility-specific baseline decline trajectory.
That's an integrated picture: emissions ledger feeds NGER report, NGER data feeds risk register, risk register feeds AASB S2 disclosure, all four reconcile to the same source documents. When the auditor traces from a published number back to source, every step is documented.
The opposite pattern is four separate workstreams: NGER team compiles emissions data, sustainability team writes the AASB S2 narrative, risk team maintains a generic register, and finance team handles disclosure controls. Numbers diverge. Restatements happen. Assurance findings accumulate.
What changes year over year
The first year's risk register is foundational. The second year's register has to show something more: evidence that risks have been actively managed, new risks have been identified and added, closed risks have been documented, and the methodology has been refined based on lessons learned.
Auditors will compare year-over-year. A register that looks identical to the prior year, with the same risks, same ratings, and same owners, raises a question about whether the process is genuinely active or whether the register is being maintained for compliance only.
The defensible position is to show movement: risks added, risks closed, ratings changed with documented reasoning, ownership transitions tracked, management responses progressed.
The bottom line
A climate risk register is the operational backbone of AASB S2 risk management disclosure. It is not the same artefact as the materiality assessment, the scenario analysis output, or the strategy narrative. The auditor will ask for it specifically, and the disclosure will only hold up if the register is real, current, owned by the enterprise risk function, and reconciles cleanly to everything else.
The Australian groups that get this right treat the register as part of the operating system of the company, not as a sustainability deliverable. The ones that get it wrong outsource it to a consultant, file the deliverable, and discover the gap when the auditor walks them through ASSA 5010 evidence requirements.