# RM2.3: Governance Risk Assessment

<table><tbody><tr><td>Maximum Score</td><td><strong>2.85 points</strong></td></tr><tr><td>Prefill</td><td><strong>Eligible</strong></td></tr><tr><td>Validation</td><td><strong>Evidence and Other answer are manually validated</strong></td></tr><tr><td>2026 Updates</td><td><a href="/spaces/A2HmL5Rf3X5Y8aZpHn3I/pages/GwSh6DhVXSqBmpLTEgQh"><strong>Yes</strong></a></td></tr></tbody></table>

***

**Has the entity performed a governance risk assessment(s) within the last three years?**

<figure><img src="/files/7z739tfqw1hLBwakltFo" alt="Indicator RM2.3 question as shown in the assessment"><figcaption></figcaption></figure>

## Assessment Instructions

<details>

<summary><strong>Intent</strong>: What is the purpose of this indicator?</summary>

This indicator assesses whether the entity has implemented a process for assessing material governance risk, and how well it understands and mitigates those risks. A systematic response to governance issues consists of effective risk assessment, thoughtful mitigation planning, and implementation of the resulting action plans.

</details>

<details>

<summary><strong>Input</strong>: How do I complete this indicator?</summary>

**Select Yes or No:** If selecting 'Yes', select applicable sub-options.

**Material governance issues:** Select all issues that are covered by the entity’s risk assessment process(es). It is possible to include an ‘Other’ answer option.

### Terminology

**Audit committee structure/independence**

> A corporate board of directors establishes an audit committee to assist in discharging its fiduciary responsibility. An effective audit committee is an important feature of a strong corporate governance culture and should have a clear description of duties and responsibilities.

**Board composition**

> Composition of the board and its committees by: (i) executive or non-executive status; (ii) independence; (iii) tenure on the governance body; (iv) number of each individual’s other significant positions and commitments, and the nature of those commitments; (v) gender; (vi) membership of under-represented social groups; (vii) competences relating to economic, environmental and social impacts; (viii) stakeholder representation.

**Board ESG oversight**

> The highest committee or position that formally reviews and approves the organization’s sustainability report and ensures that all material topics are covered.

**Board-level issues**

> Governance issues that should be recognized at board-level by the entity.

**Bribery**

> The offering, giving, receiving or soliciting an item of value to influence the actions of an official or other person in charge of a public or legal fiduciary duty.

**Compensation committee structure/independence**

> Compensation decisions are central to the governance of many entities. Compensation committees or analogous organizations are established to govern employee compensation and ensure employee remuneration decisions are made in a fair, consistent and independent manner. An independent compensation committee may be one indicator of effective governance.

**Conflicts of interest**

> Situations where an individual is confronted with choosing between the requirements of his or her function and his or her own private interests.

**Corruption**

> Abuse of entrusted power for private gain. Policies should be consistent with the United Nations Convention against Corruption.

**Cybersecurity**

> The protection of internet-connected systems, including hardware, software, and data, from any unauthorized use or access. Malicious attacks in particular can pose a significant threat to infrastructure assets.

**Data protection and privacy**

> Customer privacy includes matters such as the protection of data; the use of information or data for their original intended purpose only, unless specifically agreed otherwise; the obligation to observe confidentiality; and the protection of information or data from misuse or theft.

**Delegating authority**

> The process for delegating authority for environmental and social topics from the highest governance body.

**Executive compensation**

> The financial and non-financial compensation of executives, structured in a manner that motivates executives to perform their roles in alignment with the entity’s objectives and risk tolerance.

**Fraud**

> Wrongful deception intended to result in financial or personal gain.

**Independence of Board chair**

> A non-executive member of the board who does not have any management responsibilities within the organization and is not under any other undue influence, internal or external, political or ownership, that would impede the board member’s exercise of objective judgment.

**Lobbying activities**

> Any activity carried out to influence a government or institution’s policies and decisions in favor of a specific cause or outcome.

**Operational issues**

> Governance issues that should be recognized on operational-level by the entity.

**Political contributions**

> Disclosure of and guidelines for political contributions, such as the amounts and recipients of all monetary and non-monetary contributions made by an organization, which include political contributions made through third parties. Financial or in-kind support given directly or indirectly to political parties, their elected representatives, or persons seeking political office.

**Risk analysis**

> Studying probabilities and consequences given the existing controls, to identify the level of residual risk.

**Risk assessment**

> Careful examination of the factors that could potentially adversely impact the value or longevity of an infrastructure asset. The results of the assessment assist in identifying measures that have to be implemented in order to prevent and mitigate the risks.

**Risk evaluation**

> Comparing risk analysis results with risk criteria to determine whether the residual risk is tolerable.

**Risk identification**

> Identifying what could prevent an organization from achieving its objectives.

**Risk treatment**

> Control / mitigation of the risk.

**Shareholder rights**

> Assessing the potential risk of breaking or working against the entity’s contractual shareholder rights. Shareholder rights are defined in the company’s charter and bylaws.

**Whistle-blower mechanism**

> A process that offers protection for individuals who want to reveal illegal, unethical or dangerous practices. An effective whistle-blower mechanism prescribes clear procedures and channels to facilitate the reporting of wrongdoing and corruption, defines the protected disclosures, and outlines the remedies and sanctions for retaliation.

</details>

<details>

<summary><strong>Validation</strong>: What evidence is required?</summary>

The evidence and ‘Other’ answer provided will be subject to manual validation.

#### Evidence

The provided evidence must:

* Confirm that a governance risk assessment was conducted and clearly present the outcomes of the risk assessment.
* Cover all elements of the risk assessment process aligned with the ISO 31000 Risk Management standard (risk identification, analysis, evaluation, and treatment) for all selected governance issues.
* Include all selected governance issues within the assessment, highlighting or bringing attention to these where possible.
* Relate to an assessment that has taken place within the last three years, up to and including the end of the reporting year identified in EC4.

Evidence examples may include, but are not limited to:

* Documents or sections of documents, in their original or redacted form, such as:
  * Corporate risk registers
  * Governance-specific risk register or a section of a governance, Board, ethics, cybersecurity plan/report
  * H&S inspections and audits
  * Impact registers
  * Corporate/Governance internal audits
  * Monitoring reports
  * Annual reports
  * Meeting minutes or company presentations
* Procedure or process document(s) (e.g., from a risk management system) when supported with documentation that details the outcome of the risk assessment for selected issues.

See below for an example of a risk register structure, with the fields typically recorded at each ISO 31000 stage:

| Risk identification                  | Risk analysis                      | Risk evaluation and treatment    |
| ------------------------------------ | ---------------------------------- | -------------------------------- |
| Governance issue; risk description   | Likelihood; consequence; rating    | Risk rating; mitigation measures |

{% hint style="info" %}
**Note:** If certain governance issues are embedded in law and/or regulation in the countries of operation, the entity may select the issue and provide evidence that references the specific law or regulation and how it has been complied with.
{% endhint %}

**Contractor and/or operator engagement:** In some cases, an indicator addresses an activity that applies to the reporting entity, yet is undertaken by an assigned contractor, operator, and/or contracted entity. This is often the case, for example, for PPP-type arrangements. In these cases, when providing evidence, the participant should specify the entity undertaking the activity and the relationship to that entity, to verify how these actions apply to the reporting entity. Copies of redacted contractual agreements/clauses to verify these relationships are acceptable.

#### Other Answer

Ensure that the ‘Other’ answer provided is not a duplicate or subset of another option selected. It is possible to report multiple ‘Other’ answers. If multiple ‘Other’ answers are accepted, only one will be counted towards scoring. Answers referring to evidence and/or other indicators will not be accepted.

<a href="/pages/utxKQNLSUKyW8QMeUwEi" class="button primary" data-icon="shield">Validation Basics</a>

</details>

## Scoring

{% columns %}
{% column width="75%" %}

<figure><img src="/files/eZ5XiOgDhxn924XhwEJd" alt=""><figcaption></figcaption></figure>
{% endcolumn %}

{% column width="25%" %}

{% endcolumn %}
{% endcolumns %}

<details>

<summary><strong>Scoring</strong>: How does GRESB score this indicator?</summary>

#### Materiality-Based Scoring

The scoring of this indicator is equal to the sum of the fractions assigned to the selected options and respective sub-options, multiplied by the total score of the indicator. The fractional points assigned to each option depend on their material relevance (as determined by the GRESB Materiality Assessment).

The entity **must** select all issues of ‘Medium relevance’ and ‘High relevance’ to obtain the maximum score.

Specific materiality weightings are assigned to the entity for each sustainability issue. The weightings are set at one of four levels for each of the issues:

* No relevance (scoring weight: 0)
* Low relevance (scoring weight: 0)
* Medium relevance (scoring weight: 1)
* High relevance (scoring weight: 2)

For more details, refer to the [Asset Scoring Basics](/completing-gresb-assessments/getting-started/scoring-basics.md) page or download the [Asset Materiality & Scoring Tool](https://cdn.svc.gresb.com/gresb-prd-public/2026/INF_Documents/2026_GRESB_Infrastructure_Asset_Materiality_and_Scoring_Tool.xlsx).

#### Evidence

The evidence is manually validated and assigned a multiplier, according to the table below. The evidence must support the validation requirements. If any requirements are not met, the evidence may be partially accepted or not accepted, depending on the level of alignment with the requirements.

| Validation Status  | Multiplier |
| ------------------ | ---------- |
| Accepted           | 2/2        |
| Partially Accepted | 1/2        |
| Not Accepted       | 0          |

#### Other Answer

The ‘Other’ answer is manually validated and assigned a score, which is used as a multiplying factor, as per the table below. Any accepted ‘Other’ answers will be scored at ‘Medium’ material relevance (i.e., with a scoring weight of 1).

| Validation Status | Multiplier |
| ----------------- | ---------- |
| Accepted          | 1/1        |
| Not Accepted      | 0          |
| Duplicate         | 0          |

</details>

***

<details>

<summary><em>References</em></summary>

[ISO 31000 Risk Management standard](https://www.iso.org/iso-31000-risk-management.html)

[Alignment with External Frameworks](https://www.iso.org/iso-31000-risk-management.html)

[SAM Corporate Sustainability Assessment (CSA) - 3.3.3 Emerging Risks](https://portal.csa.spglobal.com/survey/documents/SAM_CSA_Companion.pdf)

[SAM Corporate Sustainability Assessment (CSA) - 3.3.4 Risk Culture](https://portal.csa.spglobal.com/survey/documents/SAM_CSA_Companion.pdf)

[GRI Standards 2016 - 102-29: Identifying and managing economic, environmental and social impacts](https://www.globalreporting.org/standards/gri-standards-download-center/)

</details>

## Get Support: Solution Providers

GRESB Solution Providers are independent, third-party organizations within the GRESB Partner network that offer specialized products, tools, and services to support sustainability performance outside the GRESB Assessment process.

The organizations below deliver commercially available solutions designed to help drive improvement for this indicator. Engagement is managed directly between the reporting entity and the Solution Provider.

GRESB will continue to update this section as the GRESB Solution Provider network grows. Please check back regularly to find GRESB Solution Providers who can support your sustainability performance.

<table><tbody><tr><td><a href="https://www.gresb.com/partners/cms/">See Directory Profile</a></td></tr></tbody></table>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://guides.gresb.com/completing-gresb-assessments/completing-the-assessment/2026-asset-assessment/management-component/risk-management/rm2.3-governance-risk-assessment.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
