
Appendix D (continued)

Key area: Risk identification and assessment; management of climate-related risks
Source location: Download here
Description of work:
• Subject matter leadership on climate change risk resides with our Environmental Sustainability (ES) team, led by our Chief Environmental Officer. This team assesses Microsoft’s climate-related physical and transition risks and opportunities across the business portfolio using quantitative and qualitative scenario analysis, along with other risk assessments (including the use of internal company methods).
• The results from these analyses are assessed and validated through consultation with subject matter experts across the company and then used to inform Microsoft’s formal, robust, and rigorous enterprise risk assessment process led by the Enterprise Risk Management (ERM) program.
• The ERM program’s formal risk assessment process is used to assess the size, scope, financial impact, and relative significance of any risk that Microsoft may face, today and into the future, including those related to climate change.
• The process involves categorizing risks according to their inherent impact on a scale of 1 (minimal) to 5 (critical) in four categories: trust or reputational; operational scope; legal, compliance, or environmental; and enterprise value. Risks are then rated according to their inherent likelihood on a scale of 1 (remote) to 5 (expected). These two ratings are used to produce an inherent risk score and are then aggregated with a management action/control effectiveness rating for a residual risk calculation.

Key area: Organizational processes for managing climate risks
Description of work:
• The quantitative climate risks analysis focused on seven climate physical hazards (chronic temperature increase effects on energy demand, extreme temperatures, heat storms or waves, sea level rise, flood intensity, drought frequency, and drought length) in 2030 and 2060 and several transition risks and opportunities (energy efficiency, energy resilience, materials efficiency, renewable price stability, water efficiency, employee impacts from climate change).*

Key area: Processes for identifying, assessing, and managing risks in risk management strategy
Source location: Download here
Description of work:
• To determine our enterprise risks related to climate change, we use our enterprise risk management (ERM) risk prioritization criteria in the context of business continuity and service resilience, which include the scope of impact (e.g. reputational, regulatory, and cost), potential return on investment, and time and resources required to implement changes.
• An example of a physical risk managed through this process is the risk of facility damage from an acute weather event, such as flooding. To mitigate this risk, the Microsoft Enterprise Business Continuity Management (EBCM) program uses its relevant standards to help ensure the existence of effective, reliable, well-tested plans, systems, and processes during such a disruptive event to support the continuity and resilience of business operations and services and minimize adverse impacts.
• The EBCM program works with the ERM program to ensure consistent alignment among risks and risk prioritization criteria and, ultimately, the final risk ratings.

* italics denotes new disclosures not included in 2020 CDP Response

Microsoft Environmental Sustainability Report 2020 - Page 88