Company Risk Management in Light of the Sustainability Transition

Abstract: Many of the most important business and economic risks are directly linked to environmental and social issues. This includes both threats and opportunities, not only in relation to reputation, which is often mentioned in this context, but, even more importantly, in relation to innovation capability and legislative change on inevitably more and more sustainability-driven markets. It is, however, unclear through which mechanisms such sustainability risks currently affect companies and how they can be systematically identified and managed. Based on the Framework for Strategic Sustainable Development, this study investigates the dynamics and implications of society’s sustainability transition from a company risk management perspective. In addition, exploratory and descriptive studies were conducted at two large product innovation companies to identify current risk management practices and preconditions for sustainability integration. The results reveal that a society moving closer towards a collapse of environmental and social systems leads to increasing sustainability-related threats for unsustainable businesses and increasing opportunities for sustainable businesses. Also, risk management is found to be a promising way for maneuvering in a smart zone between being too passive and being too pro-active in relation to sustainable innovation.
The study participants at the case companies were knowledgeable about risk in general but were largely unfamiliar with risks associated with sustainability and no processes or support tools exist to work such Key steps to accomplishing an integration of a strategic sustainability perspective into risk management are proposed as: (i) identifying the effects of sustainability issues on internal and external stakeholder value; (ii) actively including sustainability in objective setting and cascading objectives across the levels of the organizational hierarchy; and (iii) developing concrete support for identifying, assessing, and managing economic sustainability risks. Thereby, companies can enhance their competitiveness while providing leadership in the sustainability transition.


Introduction
A societal transition is needed to deal with the accelerating degradation of the ecological and social systems, for example in terms of biodiversity loss and the erosion of trust [1,2]. A transition can be defined as "a long term process-it may take one or more generations-of non-linear social change leading to new constellations of actors, structures and practices, which determine the functioning of the system" [3]. Product innovation companies play a key role in leading society's transition towards sustainable development as they can contribute to production and consumption patterns that fulfill human needs in a sustainable way. At the same time, this transition poses both great opportunities and challenges and requires companies to adapt on all levels, from vision and strategy, The framework has the purpose of providing leaders and decision-makers with the necessary perspective and understanding to plan for and strategically move towards sustainability in complex systems. Five distinct but interconnected levels make up the structure of the FSSD: (i) an understanding of the overarching system, i.e., human society within the biosphere; (ii) a definition of success in that system, i.e., the aforementioned boundary conditions for sustainable re-design; (iii) strategic guidelines for how to move towards success; (iv) actions to accomplish the change; and (v) tools to facilitate the actions (ibid.). A central element of the FSSD is a backcasting perspective [24]. In contrast to forecasting, which is making predictions of what is likely to happen in the future based on existing trends, resulting in the risk of path dependencies, backcasting starts with the goal in mind. It asks what has to happen today and tomorrow in order to reach that goal, thereby making sure that actions lead in the right direction. The definition of the goal, i.e., success in the system, therefore, plays a key role in backcasting. 
A detailed vision of a sustainable future society is, however, difficult for people to agree upon. It is also inflexible and easily becomes obsolete in the face of technology shifts and breakthroughs. A definition that is too general and vague, on the other hand, is not useful as guidance for innovation. For that reason, the FSSD uses the following first-order sustainability principles (SPs) as a definition of success [25]: "In a sustainable society, nature is not subject to systematically increasing . . . These principles represent the root-causes, i.e., the basic mechanisms of destruction in upstream practices in the ecological and social systems. Effects like biodiversity loss, erosion of trust, and climate change are symptoms that are rooted in the violation of the sustainability principles [18]. In practice, the principles can be used as a lens for analyzing an organization's or product's sustainability impact and potential to lead towards a sustainable society [21]. By using the principles, it is also possible to derive a well-defined sustainable solution and to obtain guidance on how to work towards it in a strategic, step-by-step way. Sustainable product development is when such a strategic sustainability perspective is integrated into the early phases of the product innovation process, including life-cycle thinking, which is different from traditional eco-design that focuses simply on decreasing the environmental impact of a product [22].

Method
The research design is based on the interactive, systemic research design model proposed by Maxwell [26], following an interconnected and flexible structure. The study consists of two main parts: (i) a theoretical part that includes a review of existing literature and the application of the FSSD lens with the purpose of increasing the conceptual understanding of what sustainability risks are, as well as the implications for the sustainability transition for company risk management (research question 1); and (ii) an empirical part, including an exploratory and a descriptive study at two case companies, with the purpose of deriving hypotheses regarding preconditions for sustainability integration in risk management activities in practice (research question 2), see Figure 1. The research design, focusing on two case companies, results in limited external validity of the findings from the empirical part of the study. This design was chosen based on the aim of gaining in-depth insights, rather than a broad overview.
The exploratory study, utilizing a workshop session and semi-structured interviews, was characterized by broad and open questions with the aim of capturing a wide variety of ideas and perspectives and identifying relevant themes and questions. The descriptive study then focused on and investigated those themes and questions in depth. The number of interviews and self-assessments was a result of a combination of factors: firstly, the aim was to include employees across all levels of the organizational hierarchy. Secondly, a point of diminishing return was reached in relation to the purpose and scope of the study on the one hand and the required resources on the other hand.
The two case companies are large, multinational companies located in Sweden. They were selected because they are working with sustainability issues beyond the level of mere compliance, without being companies that entirely define themselves in sustainability terms. As a result, these companies are relevant for investigating the connection between risk management and sustainability, and, at the same time, they are representative of a broad spectrum of companies, increasing the generalizability of the results. This purposeful sampling method has been previously applied within the field of corporate sustainability [4,7]. Company A (ca. 2000 employees) is a large product innovation and manufacturing company in the aerospace industry, while Company B (ca. 4000 employees) is in the construction equipment business.

Literature Review
As the first step, a literature review was conducted with the purpose of mapping existing research in relation to theories, tools, and concepts for sustainability integration in risk management. These findings were then used to identify relevant themes, gaps, and hypotheses to be further investigated in the following steps and to derive a first set of questions for the exploratory interviews [27]. As sustainability risk management is a young and rather immature area, which is not extensively researched, the literature review started with an exploratory approach, as recommended by Karlsson et al. [28].
Web of Science and Scopus were used to find journal and conference articles, but also other sources were included in the review, such as books, standards, and reports from consultancies and the Risk and Insurance Management Society (RIMS). Key sources, based on their relevance and influence within the topic, were used as starting points for forward and backward snowballing to identify articles that are relevant but not precisely within the specific area. This exploratory review resulted in an overview of the main publications, research directions, and terminology used. It was then complemented with a more structured review, using a search string based on the key words risk management, sustainability, product innovation, and applicable synonyms. The article selection process started with reading of the title; dependent on relevance, abstract, introduction and conclusions, results, and finally background, objectives and setup were studied [29]. A record and a worksheet were created, including a summary of each reviewed publication alongside other key attributes, e.g., publication year, degree of relevance, which risk management sub-discipline is addressed, etc. The most relevant publications are reviewed and discussed in Section 4.1.
Sustainability 2018, 10, 4137

Application of a Framework for Strategic Sustainable Development (FSSD) Lens
The FSSD was used as a lens with the purpose of contributing to understanding what sustainability risks are, as well as the implications of a transition to strategic sustainable development on company risk management. This framework was chosen primarily because it (i) focuses on the root-causes of un-sustainability rather than on the symptoms; (ii) provides a deep understanding of the full scope of sustainability; (iii) includes a science-based definition of sustainability; (iv) is based on strategic thinking; and (v) was designed to also be useful and operationalizable in a company context.
While extensive research has been conducted on the development and application of the FSSD during the past decades [23], the novel contribution of this study is about testing if and how risk management coupled with a FSSD perspective can support companies in handling the threats and opportunities that rise in the transition of society towards sustainability. The application of the FSSD lens started by reviewing the most recent sources (published in 2015 or later) that describe the framework. Backward snowballing was then applied, especially from [23,30], to identify other FSSD-related articles. Some of the main elements of the FSSD, such as the funnel metaphor and backcasting from basic sustainability principles, were then investigated for their relevance from a risk management perspective.

Workshop Session
An exploratory workshop session was hosted with the purpose of gaining a first insight into how people at the case companies think about risk management and generating ideas for the following steps of the study. In total, 12 people participated in the workshop, including representatives from both companies and researchers from two universities. The participants were divided into four groups. After a short introduction to the concepts of risk and sustainability, the workshop was divided into two parts with two of the following questions in each: (i) what are your top 5 risks from an enterprise perspective; (ii) what are your main needs and challenges regarding risk management; (iii) which risk categories should be considered for your products; and (iv) can you give examples of how these risks could be influenced by sustainability aspects? The groups would first work individually on generating ideas for the questions and then present their results to each other after each part. After the workshop, the results were compiled and sent back to the workshop participants for validation.

Interviews and Document Review at Case Companies
To gain an in-depth insight into the case companies' current risk management practices and to identify opportunities and challenges for sustainability integration, a total of 22 semi-structured interviews were conducted [31]. Interviews were selected as the primary data collection method, because they can capture attitudes, perceptions and other human elements, which were of high relevance for this study. Furthermore, they can provide nuanced insights and have a high validity with practitioners [28].
In a first step, based on the findings of the literature review and the workshop, an interview protocol was developed. Five exploratory interviews, characterized by mostly broad and open questions, were conducted with risk managers at different organizational levels, who were identified and contacted with the help of a principal informant [28]. This first set of interviews resulted in an overview of company structure, processes, and central support tools for risk management. This overview was used to develop a refined protocol for the following 17 descriptive interviews. Also, it provided the necessary information in terms of relevant roles and functions for purposive and strategic sampling. This means that both persons with deep knowledge on risk management or sustainability and persons with less but still some connection to the subjects were included, which ensures variation and multiple perspectives [28]. In line with the research questions and the purpose of the interviews, the goal was to include roles from all levels of the organizational hierarchy, i.e., both the strategic, tactical, and operational levels, see Table 1. Prior to the descriptive interview phase, pilot testing was done, which led to clarification and improvement of the interview protocol. The questions targeted two main areas: the first part of the interview was about risk management practices in general, while the second part addressed social and environmental aspects in connection with risk management in particular. The questions were slightly modified and adjusted based on the interviewees' roles. 
More specifically, the interview questions addressed the following areas: (i) theoretical background, including the concept of risk, how it relates to the interviewee's work, the purpose of risk management, and how risk management sub-disciplines are connected across the organizational hierarchy; (ii) pure inquiry about risk management processes and decision support tools; (iii) exploratory diagnostic inquiry, focusing on existing challenges and strengths; and finally (iv) confrontive inquiry about whether the interviewee had thought about sustainability-related risks. The set of main questions can be found in Appendix A. All interviews took about one hour and were recorded and transcribed. The transcripts were sent back to the interviewees for validation and they had the opportunity to make changes to their statements, which resulted in minor changes and clarifications. Together with meeting notes and other documentation, the transcripts were used to create case narratives [28].
In the next step, the data was coded, guided by the coding scheme suggested by Strauss and Corbin [32], consisting of open coding, axial coding, and selective coding. To derive the codes, an outsider approach was applied [33]. One set of codes was derived deductively, i.e., pre-defined, based on key concepts, such as the division into risk management sub-disciplines on the strategic, tactical, and operational levels, or the different steps of the general risk management process as described in ISO 31000. This was complemented by codes that were derived inductively, i.e., post-defined, directly from the data [34]. To allow for multiple ways of structuring the data, dual coding was allowed [29]. A total of 41 codes were defined and 694 incidents were assigned to those codes. Following guidance by Eisenhardt [35], within-case analysis was undertaken to acquire a depth of understanding of each case as a stand-alone entity, before doing cross-case analysis and generalizing the results. Comparisons, clustering, noting relations, and making conceptual coherence were the primary tactics for analyzing the data [34]. The emerging relationships between key aspects were visualized with concept maps and feedback on the networks was collected from academic researchers as well as industry practitioners. An example of a concept map can be found in [36].
The interviews were complemented with a study of the companies' operational management systems and a review of relevant and accessible documents. This includes process descriptions for enterprise risk management, product planning, and operational product risk management.

Development and Application of a Self-Assessment Tool
While there are both RMMs that address risk management in general [37], as well as models for specific sub-disciplines like ERM [38][39][40], or for specific industries [41], none of these models is applicable for assessing current practices at both the strategic, tactical, and operational levels at product innovation companies. For this reason, a novel self-assessment tool was developed [42]. Self-assessments are an effective way to study employees' perceptions of practices and their current maturity levels and have been previously applied in the area of corporate sustainable development, e.g., [43]. The self-assessment approach was used for data triangulation and to complement the interviews and other methods by focusing more on the actual risk management practices.
Oehmen et al. [18] and Olechowski et al. [44] empirically investigated the relationship between risk management practices and overall product development performance, as well as other risk management performance metrics. Thereby, characteristics of successful risk management were identified, which were used as the foundation for the self-assessment tool, which asks the respondent to assess the current capabilities in relation to each characteristic. The following categories are covered in the tool: (i) organizational design experience; (ii) risk management personnel and resources; (iii) tailoring and integration of the risk management process; (iv) risk-based decision making; (v) specific mitigation actions; (vi) monitoring and review; and (vii) remaining ISO risk management principles. In addition, category (viii) sustainability risk management, was added based on the results of the literature review. In total, about 50 aspects are included in the tool within the categories. For each aspect, the respondent both assesses the current capabilities and the degree of certainty of that assessment on a 1-10 scale, indicating how much weight this assessment should be given.
In total, 14 people at the case companies filled in the self-assessment, which was slightly adjusted to fit the strategic, tactical, and operational levels, resulting in three versions of the tool. An excerpt is presented in Table 2; a list of all aspects can be found in the Supplementary Material.
Table 2 (excerpt). Aspect: "Connections between sustainability risks and other risks are actively managed"; current capability: 1-10; certainty of assessment: 1-10.

Literature Review
Sustainability risks result from environmental or social issues. In the literature, six categories for sustainability risks have been proposed: physical, regulatory, litigation, competitiveness, reputational, and supply chain risks [45]. Except for some early attempts by Lindahl [46], who proposed an integration of environmental aspects into Failure Mode and Effect Analysis (FMEA), the field of sustainability risk management gained recognition first in conjunction with Dan Anderson's book "Corporate Survival-The Critical Importance of Sustainability Risk Management", which was published in 2005. The book provides numerous examples and describes in detail how companies are affected by sustainability risks.
A few years later, Palousis et al. [45,47] presented the sustainability risk assessment (SRA) framework, which still can be considered as one of the most comprehensive works in the field. It focuses specifically on product development and includes a suggestion for the underlying mechanisms of how sustainability risks affect companies and product development. The SRA framework is based on an integrated bottom line (IBL) perspective, which means that social and environmental aspects are treated as functions of the economic domain. This is different to the triple bottom line (TBL) approach [48], in which the environmental, social, and economic domains are considered as separate and equally important. The IBL perspective implies that social and environmental issues that do not affect the economic bottom line are not considered sustainability risks. Instead, the identification of sustainability risks is tied to a line of cause and effect reasoning to establish the connection between the environmental and social domains and the economic domain. According to Palousis et al. [47], for a social or environmental issue to be considered a sustainability risk, the following three conditions must be fulfilled: firstly, the environmental impact of a product or concept, analyzed through life-cycle assessment (LCA), must contribute to an unsustainable trend, for example climate change. Secondly, there must be some societal response in relation to that trend, for example regulation, emission taxes, consumer boycott, etc. Thirdly, this societal response must have an effect on the life-cycle cost of the product or concept, for example through increased material, transportation, or manufacturing costs. 
The cause and effect chains are visualized and assessed with so-called sustainability risk trees, which can be used to make statements like: ecotoxicity due to the emissions of heavy metals leads to tougher political action, resulting in the ban of a certain substance, leading to increased material and manufacturing cost of the product. The likelihoods and effects of each link in the chain are assessed, which, in the end, results in the sustainability-adjusted life-cycle cost as the final output. This shall then be used to improve the design, for example through substituting critical materials, or to choose between different design concepts.
Krysiak [49] discussed the connection between the concepts of risk management and sustainability in more general terms. He proposed to use a fairness-based criterion of sustainability under uncertainty, which provides a link between risk management tools and sustainable development. In 2011, Herva et al. [50] combined ecological footprint with environmental risk analysis; however, the scope was limited to the exposure to hazardous substances and resulting human health risks. Merad et al. [51] used a multi-criteria decision aid methodology to assess corporate sustainability and related risks. In the conceptual paper by Wong [52], it is discussed how non-financial risk management can contribute to corporate sustainability and what challenges have to be overcome. Hallstedt et al. [53] proposed a new method called sustainability assessment and value evaluation (SAVE). Based on a strategic sustainability assessment and net present value analysis, scenarios for future manufacturing costs are derived.
More recently, Gargalo et al. [54] presented a multi-level framework for techno-economic and environmental analysis through risk assessment to be used in early design phases. In the same year, Anand et al. [55] proposed a framework for sustainability risk assessment of mechanical systems in the concept design phase, using sustainability risk parameters and a newly developed index to evaluate different design concepts. Cucuzzella [56] critically discussed the relationships between sustainable design, creativity and risk management. Schulte and Hallstedt [10] mapped challenges for sustainability integration in risk management, including managerial challenges and challenges that are due to the intrinsic properties of sustainability risks. At the enterprise risk management level, the importance of considering sustainability risks is increasingly acknowledged and several approaches for integrating sustainability into existing frameworks have been presented [57][58][59][60][61][62], as well as entirely new frameworks and methods [63,64].

Risk Management within the Framework for Strategic Sustainable Development
A funnel metaphor is used in the FSSD to visualize and explain the dynamics of the sustainability challenge and the necessary transition to a sustainable society, see Figure 2. The decreasing cross-section of the funnel represents the systematic decline of the social and ecological systems' potential to support human civilization, leading to a decrease of the room for maneuver. It is worth emphasizing that the decline is systematic: the situation is getting worse and worse as, on global average, the world is losing biodiversity, forests, trust, etc., i.e., violating the basic sustainability principles introduced earlier. The vision, represented by the funnel turning into a cylinder in Figure 2, is to reach a state where the ecological and social systems are no longer systematically degraded, which means compliance with the SPs. Over time, society could restore some of the caused damage and increase the room for maneuver, which is indicated by the increasing cross-section of the funnel on the right in Figure 2 [23]. The funnel metaphor has far-reaching implications from a company risk management perspective: as society is currently moving closer and closer towards the walls of the funnel, which represent a collapse of human society (point 1 in Figure 2), the risk profiles of companies change. Assuming that people eventually realize the increasing threats for survival and the need for a transition, sustainability risks for companies will become more and more prominent. Companies that contribute to the problem, violating the SPs, face increasing threats in terms of (i) damage to reputation and brand; (ii) regulatory change; (iii) failure to innovate and meet stakeholder needs; (iv) third-party liability; (v) failure to attract and retain top talent; and (vi) supply chain disruptions, all of which lead to reduced competitiveness [10,65]. 
The likelihood and severity of such threats will just increase for unsustainable companies as society approaches the walls of the funnel.
Also, considering the semantics of 'sustainability', there are only two possible outcomes over time: either society will reach a sustainable state, or it will perish. As the pressure and incentives for change will become immense in the face of catastrophe, a transition towards sustainable development (point 2 in Figure 2) is inevitable. Companies must make the transition at this point, becoming part of the solution instead of the problem. Otherwise, if they fail to react to the turning tides of sustainability risks and the sustainability-driven market, they will be outcompeted and drown. This is certain, as, by definition, a long-term successful company in a sustainable society is not dependent on solutions and actions that contribute to violations of the SPs (point 3 in Figure 2) [23]. Therefore, it is derived that increasing threats for society lead to increasing threats for companies that enforce unsustainable development.
At the same time, society moving closer towards the walls of the funnel also leads to an increasing urge for products and solutions that can turn the direction of development towards the opening of the funnel. As a result, new innovation possibilities and sustainability-related opportunities open up for companies that create stakeholder value with operations and solutions that serve as stepping stones towards compliance with the sustainability principles. These companies are more likely to benefit from a good reputation, being ahead of legislation, and attracting top-talented, loyal and motivated employees, while being less susceptible to changes in resource availability and cost. Therefore, it is derived that increasing threats for society lead to increasing opportunities and decreasing threats for companies that contribute to strategic sustainable development.
Hence, in contrast to the common belief that sustainability efforts only pay off if shared by all actors, there is a significant self-benefit, i.e., business case, of sustainability proactivity that is direct and independent of what other actors, including legislators, do [30]. Also, numerous examples have shown how proactive companies can push legislators to implement harsher regulation, as they would be affected relatively less than passive companies, resulting in a competitive advantage. However, there is a balance to strike between being too passive, falling behind competitors, and being too proactive, risking not getting a sufficiently high or timely return on investment (ibid.). Based on this reasoning, sustainability risks can be defined as threats and opportunities that are due to an organization's contribution or counteraction to society's transition towards strategic sustainable development.
Strategic sustainability risk management could enable companies to anticipate the direction of change by understanding the long-term vision, including compliance with the sustainability principles, and to both avoid related threats and actively exploit business opportunities that appear in the transition. It is therefore important to point out that it is not only about avoiding un-sustainability. It is as much about taking leadership by understanding how the company can contribute to society's transition towards sustainability. This is different from mere transition survival, which also requires action, but not necessarily leadership, as such action may be reactive and primarily focus on avoiding threats, rather than being proactive and exploiting opportunities as well.

Perspectives on Sustainability Risks
Even though sustainability is often referred to as including an ecological, social, and economic dimension, it is important to recognize the nested dependencies between them [66]: thriving business is dependent on a prospering society, which in turn is dependent on a healthy and functioning environment. Sustainability risks can, therefore, be viewed from different perspectives. From a societal perspective, the economic system is only a means to achieve social and ecological sustainability, but it is not a necessity for reaching a sustainable state. Based on this perspective, societal sustainability risks are primarily threats and opportunities related to the ecological and social systems' ability to support the fulfillment of human needs, e.g., in terms of access to clean water, climate stability, or biodiversity. From a company perspective, which is the main focus of this study, the main objective is to sustain the company within the economic system through stakeholder value creation. From this perspective, it is primarily about the risk of the societal sustainability transition on company objectives, meaning that the sustainability transition is a source of uncertainty, see Figure 3.

Risk Thinking and the Concept of Risk
All interviewees were familiar with the concept of risk and risk thinking and consider it to be an integrated and natural part of their daily work. Several respondents, even some who have no formal risk management role, said that "risk management is all that I'm doing" (senior manager at Company B). However, the respondents were sampled because they were expected to have at least some connection to and knowledge of risk management. Hence, this mindset and these answers are not representative of all employees at the companies. In fact, the interviewees state that many people have difficulties applying a risk perspective to their work and think that it "needs to be de-dramatized and made tangible" (after market manager at Company B). Still, capabilities for risk management in general are perceived to have improved over time.
Threats and opportunities were considered as "two inseparable sides of the same coin" (several respondents), in part because threats can be turned into opportunities through mitigation actions. The work in practice is, however, mostly focusing on potential negative events, i.e., threats. There are exceptions, mostly cases in which the project leader had a special interest or training in risk management, and the interviewees described that actively working with the opportunity side was appreciated by the employees as it can open up new perspectives. Also, the experiences from those cases were that it "[…] went well and we actually made certain decisions to exploit some of the opportunities" (risk manager at Company B). The use of terminology is, however, inconsistent and leads to some confusion as some interviewees are talking about positive and negative risks, others about threats and chances, or risks and opportunities.

Hypothesis 1. Sustainability risks should be made as tangible as possible.

Hypothesis 2. Highlighting both the threats as well as the opportunities dimensions of sustainability risks could facilitate the introduction of sustainability risk management.

The Purpose of Risk Management
In general, the purpose of risk management is not at all said to be the creation of a risk-free enterprise: "We always have risks. A completely risk-free company would not be successful and definitely not creative and innovative. It's about making the right decisions. We need risk management, so we get the information our decision-makers need to make the right decisions" (senior manager at Company B). On the strategic level, ERM was initially perceived only as a compliance issue, but, over time, it evolved into a value-creating process with two purposes. Firstly, it is about strategy: "There is a current state and a future state. There is a gap between them and the question is how to move from the current state to the future state. [ . . . ] ERM is about ensuring that the long-term strategy can be realized" (ERM expert at Company A). ERM is used to manage the risks that are inherent in all actions to bridge the gap. This also means that ERM includes a backcasting perspective. Secondly, the purpose of ERM is also to "[...] ensure the current operational capabilities that we have today" (ERM expert at Company A). Hence, "at the end of the day, all risks are in some way measured in terms of a) profitability or b) sustainability. And when I say sustainability, I'm not talking about the world, but about the company" (senior manager at Company B). This description is well in line with the definition of ERM by COSO (Committee of Sponsoring Organizations of the Treadway Commission) [67].
On the tactical level, the purpose of risk management in product and technology planning is about "[ . . . ] balancing the portfolio regarding risk" (Product planner at Company B), which includes both financial aspects, but also the strategic fit of development projects.
On the operational level, within projects, the purpose of risk management is described as "[ . . . ] making sure that project goals, mainly in terms of time, cost, and quality, are met" (project manager at Company B). In the actual product development, risk management is used to ensure that "[ . . . ] requirements, e.g., in terms of compliance with regulation and standards, or customer needs, are met and that remaining risks are manageable or acceptable" (product developer at Company B).
On the manufacturing level, a process risk manager at Company A explains that risk management is used to check that the company can "[ . . . ] manufacture products in line with the requirements of the technical drawing". In summary, the descriptions of the purpose of risk management on all levels are perfectly in line with the definition of the ISO 31000 standard: it is about managing the effect of uncertainty on objectives. The only difference between the organizational levels is that the objectives look different, for example long-term strategic goals, or specific product requirements.

Hypothesis 3. Sustainability risk management can build on the ISO 31000 definition of risk as the effect of uncertainty on objectives.

Connections across Organizational Levels
In general, the interviewees' understanding of how risk management sub-disciplines are connected across the organizational hierarchy was mostly limited to the areas that are close to a person's role. Product developers, for example, clearly saw a connection between the product risks that they are working with and project risks. The full picture of how risks are linked all the way from product risk management to ERM was, however, unclear. Interviewees at both companies provided consistent answers stating that risks are escalated upwards in the organizational hierarchy, if they exceed a certain level regarding consequences and likelihood. Thereby, it is ensured that important risks are dealt with at the right level and that decisions are made by people with the corresponding responsibility. This bottom-up escalation of significant risks is mostly formalized and included in company processes and tools, which was confirmed by the document review. However, no corresponding top-down flow of risks was identified in the processes, nor did the interviewees mention such a flow or a need for it.
"If we work with risk management the right way, we start with targets and requirements" (risk manager at Company B). Therefore, the interviewees were asked how the objectives that they are working with on their level are derived, representing the anchoring point for risk management. Based on the answers, two main pathways for how objectives are derived emerged. Pathway one has its source in the company vision and purpose, which can be based on, for example, core values, CEO commitment for certain issues, or company heritage. The resulting internal objectives do not necessarily need to contribute to a business case, as they are part of the company identity and how the company defines itself. Pathway two is rooted in stakeholder value creation. It can be argued that the main purpose of a company is to create value for stakeholders within the societal system it is operating in [68]. As emphasized by the interviewees, this includes both external stakeholders, such as customers, regulators, and the local community, as well as internal stakeholders, for example employees and company owners. All of these stakeholders have needs or requirements, which can be either direct, such as compliance with legislation, or in relation to value drivers, which is the case for customers. Examples of customer value drivers include product reliability, maintainability, purchasing cost, image, and efficiency. For internal stakeholders, value drivers can be decreased production cost, higher resilience, reputation, employee motivation, etc. In contrast to objectives derived through pathway one, companies set objectives based on stakeholder value creation only if they contribute to a business case through either short-term profitability (e.g., lower cost or increased sales) or long-term competitiveness (e.g., strategic fit or being ahead of legislation).
The ability to translate the company vision and stakeholder value creation into tangible objectives is, therefore, the foundation and a prerequisite for effective risk management. "We never get better than our requirements. If requirements for some aspect are missing, it won't be addressed" (risk manager at Company B). The interviewees state that objectives, with some exceptions, start at the top with the vision and strategy and interpretation of stakeholder needs. These high-level objectives are then broken down and cascaded top-down to derive objectives for portfolios, projects, and to set specific product requirements. Hence, objectives and risks constitute two supplementary flows, where objectives are cascaded top-down to translate strategic commitments into practice to reach the vision, while risks are escalated bottom-up to manage uncertainty that can affect the achievement of the objectives on each level (Figure 4).

Hypothesis 4. Establishing the connection between stakeholder value creation and the company's contribution or counteraction to strategic sustainable development is of key importance for sustainability risk management. This requires the integration of sustainability into objective- and requirement-setting and the cascading of those across the organizational hierarchy.

Processes and Support Tools
Formalized processes that include risk management activities are in place on all levels at both companies. ERM is further divided into hierarchical levels, e.g., site level, business unit level, and company group level. While Company A has a highly formalized and well-developed ERM process based on backcasting from the company strategy, Company B is struggling with the integration of ERM and other existing processes on the strategic level, according to the ERM expert. It is, for example, unclear which time perspective ERM should apply. There is active work ongoing at Company B to increase the maturity of ERM and to develop a more systematic process.
On the tactical level, there is no distinct risk management process; however, a risk perspective is integrated into other processes and tools, for example business case development, customer buying criteria, and competitive intelligence.
On the operational level, project and product risk management are described in detail in the companies' operational management systems, where product risk management is coupled to the stage-gate development process. Especially the respondents at Company B perceived the processes to be very systematic, mature, and mostly followed in practice. However, several interviewees noted that there is variation in the quality of performed risk management activities. The awareness and attitude of the project leader, as well as varying top-down demand from managers are considered as the main reasons for the variation. Also, while the value of formalized processes is clearly acknowledged, several interviewees emphasize the importance of experience and sometimes gut feeling for risk-related decision-making, especially on the strategic and tactical levels. Therefore, processes' degree of formalization has to be balanced with flexibility and leaving room for experience.
Regarding support tools, it is noticeable that qualitative and deterministic tools dominate, even though there are some thoughts at both companies on slowly introducing some quantitative and probabilistic tools, for example Monte Carlo simulation. Brainstorming exercises and risk matrix templates, sometimes combined with pre-defined risk categories, are the most used tools within ERM.
In product and technology planning, there are no pure risk management tools, but many tools include a risk dimension, for example PESTEL (political, economic, social, technology, environment, legal) analysis and the assessment of customer buying criteria.
On the operational level, FMEA is the central tool at both companies. In some cases, it is complemented through other traditional risk management tools, such as fault tree analysis, 5 Why, and Ishikawa diagrams. Risk management is also integrated within procurement and is part of the supplier evaluation and selection process.
Guiding questions are appreciated on all levels as a complement to the tools. The tools are in general perceived to be functional. The challenge is rather said to be about making people use the tools in value-adding ways, instead of as box-ticking activities. Also, clear objectives are needed as the anchoring point for any risk-management tool.

Hypothesis 5. A sustainability perspective should be integrated into existing processes and, at least initially, traditional, mostly qualitative tools.

Challenges and Success Factors
Competence and awareness are key factors for building a risk-aware culture and overall effective risk management as pointed out by a senior manager: "[ . . . ] 1. Awareness and 2. Competence. If you can fix or protect those two, the rest becomes really easy". Setting targets is considered as crucial for creating awareness, just as training is for developing competence. Selective hiring and the proper introduction of new employees are additional important factors. Many of the other challenges are a result of a lack of either competence or awareness, for example managers' request for high-quality risk activities. However, managers also make the point that "Risks are far away in time; we have problems now" (product planner at Company A). Other general challenges and success factors mentioned in the workshop or by the interviewees include (i) de-dramatizing risk management and making it more tangible; (ii) risk management can be bureaucratic and time-consuming and a box-ticking activity, rather than a value-adding one; (iii) a lack of a clearly defined risk appetite and guidelines for which risks must be mitigated; (iv) too much time spent on risk identification and assessment, while too little on risk mitigation; (v) too much focus on obvious and known risks; (vi) assigned persons that can follow up on risks; (vii) easier support tools to lower the threshold for people to engage with risk management; (viii) the allocation of resources and prioritization of risk management; and (ix) lack of documentation as risk management is often done only in people's heads.
For ERM specifically, the volatility, complexity, and unpredictability of today's business environment make long-term planning and risk management very difficult. Also, the identification of risks, especially black swan risks [69], is a challenge, as well as the assessment of many emerging risks, such as reputational risks and sustainability risks, as they are characterized by deep uncertainty [70]. This is also true for procurement staff, who acknowledge the importance of new kinds of risks like CSR (corporate social responsibility) and sustainability, but struggle with integrating them in practice, especially with small suppliers.
Success factors on the operational product development level are pointed out as starting early and working continuously with risk management. A leaner way to work with FMEA, including some reuse, is also asked for as many of the risks are the same for different projects and products. While experience was pointed out as important (see Section 4.3.4), formalized mechanisms for knowledge sharing and lessons learned in relation to risk management are missing at both companies. FMEA and risk registers were suggested to be used as vessels to build and carry experience within the companies.
With the help of the self-assessment tool, additional areas of strengths and weaknesses in relation to characteristics of successful risk management were identified. The complete results of the self-assessment are presented in the Supplementary Material. In general, the outcomes are in line with and complement the results from the workshop and interviews well. Aspects that were rated highly include (i) quantification of probabilities and consequences on scales of, for example, 1-5; (ii) risk management contributing to continuous improvement; and (iii) risk management teams being cross-functional. On the other hand, aspects that have received the lowest scores are: (i) the opportunity side of risk being systematically and effectively considered; and (ii) risk management contributing to setting better goals and more realistic objectives. The self-assessment results also confirm the findings regarding the flow of risks between organizational levels (see Section 4.3.3). The aspect "we coordinate and integrate risk management activities of different functions and across the hierarchy" received high scores on the strategic level by people within ERM, while the corresponding aspect on the operational level "risk management is integrated with higher-level risk management processes" was rated rather low by people within project management and product development. These results strengthen the findings presented in Figure 4: important risks are escalated to the ERM level, hence, ERM actively taking risks from other functions and levels of the hierarchy into account receives high scores. At the same time, there is no direct flow from ERM to other risk management sub-disciplines as risks are not cascaded top-down. As a result, people on the operational level do not see, for example, product risk management to be integrated with higher-level risk-management processes.

Hypothesis 6. Increasing the awareness of the existence and importance of sustainability risks, e.g., through rough but simple methods, is one of the most important first steps.

Hypothesis 7. Including a long-term perspective in risk management is of major importance for integrating a sustainability perspective, but it is also a major challenge.

Hypothesis 8. Sustainability risk management needs to be value-adding and also provide guidance for how to mitigate sustainability-related threats and exploit opportunities.

Integration of Sustainability into Risk Management
The term "sustainability risk" was largely unknown at both companies, but the workshop participants agreed that such risks are relevant and that there should be a category for social and environmental risks. However, several interviewees pointed out that a necessary prerequisite is "a shared understanding of sustainability, which definitely does not exist at the company today" (project manager at Company B). While the importance of sustainability issues for long-term company success is very much acknowledged, as also found in a previous study [5], the actual content of sustainability is perceived to be unclear and just "many nice words" (manager at Company B). An enterprise risk manager at Company A added that a holistic perspective is missing: "people think of sustainability more in terms of the emissions that we have locally at our site". After creating a shared and holistic definition of sustainability at the companies, the second step would be to "make people understand that there are risks for the company related to these sustainability issues" (senior manager at Company B). However, after getting deeper into the discussion, it became clear that several social and environmental risks already are considered, for example in relation to reputation, legislative change, employee motivation, and attracting top talent. "These risks are a big part of my work. How do I know that the processes that we are using today will be allowed in 5, 10, or 20 years?" (product planner at Company A).
The workshop participants also recognized that most of the companies' important risks can be influenced by sustainability issues, e.g., material costs, supply-chain disruption, and market competitiveness. The inevitability of the sustainability transition is acknowledged, as pointed out by a product planner at Company B: "If you want to run a profitable business, you must be aware of environmental issues. We see that, over time, society will get to circular economy and sustainability, even if we are not there yet". Furthermore, the self-benefit of sustainability proactivity is also understood to some degree: "We show that sustainable solutions are possible and thereby help legislators to see that the technology actually exists. Then they dare to pass tougher laws, which will give us a competitive advantage. We will be able to comply with them more easily than our competitors" (product planner at Company B). Still, as an engineer at Company A said: "[the] work with sustainability risks is not structured and systematic". Challenges specifically for integrating sustainability into risk management, mentioned by the study participants, are (i) the difficulty to measure and make sustainability tangible; (ii) sustainability integration requiring a long-term planning perspective, which must be balanced against short-term priorities; (iii) "sustainability assessments easily become complex and time demanding" (process risk manager at Company A); in part as (iv) "a systems perspective that considers the whole life-cycle, value chain, and all actors" (project manager at Company B) is required; and, therefore, (v) "it is difficult to simplify and communicate" (environmental manager at Company A).

Hypothesis 9. The concept of sustainability risks is largely unknown. While some environmental and social risks already are considered, sustainability risks are not systematically and strategically identified and managed.

Sustainability Risks Affecting Product Innovation Companies
Key for integrating a strategic sustainability perspective into risk management is to understand and clarify how sustainability risks affect product innovation companies: "if the effect for the business is not clear, people will not care about sustainability risk" (enterprise risk manager at Company A), because, as one manager put it, people are "so occupied with struggling to live up to the requirements specification that it is hard to think about mining in the Amazon area at the same time".
Based on the investigation of current risk management practices, especially regarding the connections between risks and objectives on different company levels (Section 4.3.3), two steps are needed to make sustainability risks tangible and operationalizable. Firstly, companies need to assess how their objectives can be affected by sustainability issues. This includes both internal objectives derived from the company vision and purpose, and objectives which are based on stakeholder value creation. It is important to note that this is not limited to the effect on distinct sustainability objectives, but on all kinds of objectives. For example, in relation to customer value drivers and resulting product requirements, affected objectives could be durability, total cost of ownership, reliability, resale value, etc. Secondly, once the relationships between stakeholder value, objectives, and sustainability issues are established, effective tools for how to assess and manage sustainability risks are required.
However, the interviewees pointed out difficulties in quantifying and assessing such risks due to the complexity of sustainability issues, requiring a systems- and life-cycle perspective to avoid sub-optimization. Within product innovation, considering sustainability risks early on, before concepts are chosen and many parameters get fixed, was emphasized as a decisive success factor. This was also found to be the problem with LCA, which was tested at one of the companies, as LCA requires detailed information that becomes available only in the later stages of product development. However, once this information is available, it is usually too late to go back and make changes based on the LCA results.
Suggestions from the interviewees on how to get started with sustainability risk management include: (i) developing a rough and easy way to identify sustainability risks, for example with the help of guiding questions or a new risk category, to raise awareness; (ii) establishing a support function at the company that can train and help employees and teams, who are working with sustainability risk management; (iii) doing simplified LCA in the concept selection phase and mapping how hot-spots of sustainability impact can affect stakeholder value; and (iv) making a screening of which and how objectives in general and customer value drivers specifically can be affected by sustainability issues.

Hypothesis 10.
In product development, sustainability risk management should start early and should then be conducted continuously throughout the process.

Conclusions
This study has reviewed the existing research on sustainability risk management and applied the FSSD as a lens to improve the understanding of the implications of the sustainability transition for company risk management. A workshop session, document review, as well as exploratory and descriptive interviews were conducted at two product innovation companies to gather empirical data and derive hypotheses regarding current practices and preconditions for sustainability integration in risk management across the organizational hierarchy. Both parts of the study indicate that a risk management perspective could be useful for understanding and addressing sustainability-related challenges from a company perspective. This is further elaborated on in the following sections.

Implications of the Sustainability Transition for Company Risk Management
Based on the funnel metaphor of the FSSD, a new definition was proposed, stating that sustainability risks are threats and opportunities that are due to an organization's contribution or counteraction to society's transition towards strategic sustainable development.
As the awareness and perceived threat of an ecological and social collapse grow, due to the downstream impacts from the violation of the sustainability principles, risks will inevitably turn into increasing threats for those organizations that are a relatively large part of the problem. It is their relatively large and polluting use of resources, their responsibilities in the face of new legislation, and their brands that are facing the largest threats. At the same time, sustainability-related opportunities are increasing for companies that can apply the same basic sustainability principles to foresee changes that are inevitable on markets to come. This is not only about internal stakeholder value and costs, but also about preparing for new demands by innovatively creating new value offers for customers and other external stakeholders on more and more sustainability-driven markets. This means helping others to avoid violating the sustainability principles, for example, by offering modern energy and transportation systems, more effective means of supply chain management, healthy food, etc.
These dynamics of the sustainability transition are increasingly understood also by the investment sector. For example, Nordea, one of Scandinavia's largest asset managers with more than €300 bn in assets under management, recently investigated how Sweden's largest publicly traded companies live up to the Paris Agreement. Risk management was the reason, as Nordea wanted to gain an overview of which companies are more likely to be winners in the sustainability transition, and direct investments accordingly [71]. Investments in companies that are dependent on unsustainable practices come with an increasingly large threat. This is especially true as the funnel walls are not smooth and predictable. Both the ecological and social systems, as well as the market, can and often do show non-linear behavior with abrupt changes [30]. In the investment sector, some formal methods and tools are in place, such as ESG-analysis (Environmental, Social, and corporate Governance), the Principles for Responsible Investment (PRI), and the Equator Principles (EPs), which aim to include some aspects of sustainability in financial risk management. However, it is worth emphasizing that blind proactivity and simply decreasing company sustainability impact are not enough. Efforts also need to be strategic: they must be stepping stones that lead towards the vision of a sustainable society, framed by the basic sustainability principles. Therefore, only understanding a company's current contribution to society's violations of the sustainability principles is not enough to assess its risk profile. It needs to be complemented with an assessment of the company's strategy for how to move forward and navigate in the sustainability transition.
The policy environment will certainly influence the speed at which change may happen, but the direction of change can be foreseen by understanding the basic mechanisms of the funnel dynamics. The ideal position is to be in a smart zone between being too pro-active and too passive. Risk management could be a key element for finding and maneuvering in this smart zone. When the company becomes too pro-active, threats increase by not getting return on investments in time; for example, not attracting enough customers in time, or by substitutions to more sustainable options that are implemented too much and too early, before learning curves have pushed prices down. Correspondingly, when the company becomes too passive, threats increase; for example, in the form of high opportunity costs from failing to see how the sustainability transition is making current practices increasingly obsolete, resulting in costly fire-fighting later on when the market changes are too abrupt to allow for gradual and step-wise changes. Thereby, sustainability risk management would establish an equilibrium that could guide companies and product innovation in contributing to strategic sustainable development, both of the company as such and of society at large.

Risk Management Practices and Preconditions for Sustainability Integration
The study participants at both companies were familiar with risk thinking and management and considered it to be an important part of their work. However, both in the literature and among the study participants, the understanding of what sustainability risks are and how they affect product innovation companies is limited.
The investigation of the connections between different organizational levels found that risks are almost entirely escalated bottom-up across the hierarchy, while the corresponding top-down flow consists of the objectives which risk management by definition is based on. The function of risk management is to ensure that objectives on each organizational level are achieved. Effective risk management is, therefore, dependent on having set the right objectives.
While existing literature has focused on the potential effects of sustainability issues on the life-cycle cost of a product [47], the results of this study suggest that sustainability risks need to be managed in relation to all kinds of objectives on all organizational levels. This leads all the way back to assessing how sustainability issues can affect stakeholder value, both internal stakeholder value, including but not limited to cost, and external stakeholder value, such as the product properties desired by the customer. Thereby, this study proposes a shift from focusing on cost to focusing on value as the anchoring point for sustainability risk management.
While the sustainability transition primarily is a source of uncertainty from a company perspective, it remains unclear which approach is more effective for the introduction of sustainability risk management in practice. Either sustainability risks could constitute a new risk category, which could be perceived as clearer and easier in a company context, or a sustainability perspective could be integrated and applied to all existing risk categories, which would highlight the connections between the company's contribution or counteraction to strategic sustainable development and achievement of objectives.
In conclusion, the managerial implications of these findings are: (i) a shared understanding needs to be created of sustainability in general and sustainability risks in particular; (ii) a strategic sustainability perspective needs to be systematically included into company strategy and objectives, which have to be cascaded into requirements for product innovation projects and products, to create a red thread across the organizational hierarchy; (iii) the driving forces for working with sustainability risks must be clarified by identifying how sustainability issues can affect internal and external stakeholder value; and (iv) there is a lack of practical tools for how to systematically and effectively identify, assess, and manage sustainability risks in practice. By addressing these four consecutive challenges, a strategic sustainability perspective can be integrated into company risk management, increasing company competitiveness, while leading the transition towards a sustainable society.

Limitations and Future Research
This study utilized a literature review and the application of an FSSD lens, as well as exploratory and descriptive methods at two product innovation and manufacturing companies in Sweden. The generalizability of the findings from the empirical study is, therefore, limited. However, the purpose of the study was to acquire a depth of understanding rather than a broad overview.
Areas for ongoing and future research are to investigate how a strategic sustainability perspective can be integrated into company objectives and the requirement setting, and how the relation between internal and external stakeholder value and sustainability can be clarified and assessed from a risk-management perspective. Prescriptive research is also needed to develop tools and methods that can be validated and tested in practice. Finally, other existing frameworks and concepts, such as Planetary Boundaries and the United Nations Sustainable Development Goals, may also be interesting to investigate from a risk-management perspective.
12. How do you assess and/or quantify risks? Do you use price, quality or something else to translate a risk?
13. What time perspective do you use in risk management activities?
(a) How do you balance short-term versus long-term risks?
(b) Do you have an idea for how a long-term perspective can be included?
19. Do you have any suggestion of how such sustainability risks could be included in existing processes and support tools?
20. How would such a method need to look like?
21. How do you work with risks in your environmental management system (environmental managers only)?
22. What potential barriers do you see to including a sustainability perspective in risk management?
23. What could be success factors for integrating a sustainability perspective?
24. Is there anything else you would like to add?