Australia's leading infrastructure researchers say most organisations are confusing exposure with risk, and the gap between what climate science can now tell us and what's actually being used in asset decisions has never been wider.

By Thomas Walmsley 

Last updated: 22 May 2026

There is a quiet crisis in the way organisations are responding to climate risk. Not a crisis of awareness, most leadership teams now understand that floods, bushfires, coastal inundation, and extreme storms pose material threats to their assets. The crisis is one of quality. The assessments being produced, in many cases, are not what they claim to be.

That is the view of Dr Mahesh Prakash, a principal research scientist at CSIRO and one of Australia's foremost experts in climate hazard modelling and asset resilience. In the lead-up to the Climate Risk & Asset Resilience Summit, where he will facilitate a pre-conference masterclass, Dr Prakash was direct about what he sees in practice.

"Many of these assessments are either being carried out non-transparently using 'black box' tools that claim to already have an answer for risk," he says, "or they claim to be risk assessments but are actually exposure assessments being couched as risk assessments."

The distinction matters enormously, and understanding it is the first step toward doing this properly.

"Tools that claim they already have all the data needed to carry out a risk assessment are a lazy way of getting an answer."

What are the 3 climate risk assessment gaps you need to worry about?

Take gap two as an illustration. A climate model might project a significant increase in extreme rainfall events for a given region by 2050. That is useful information. But it is not, by itself, a flood risk assessment. Whether that rainfall produces flooding depends on the slope of the terrain, the permeability of the surface, the capacity of drainage infrastructure, and a dozen other variables. Feeding climate data into a downstream hazard model, a flood model, a bushfire spread model, a coastal inundation model, is a separate and essential step that many organisations are not taking.

"An extreme rainfall event does not always lead to a flood outcome," Dr Prakash explains. "The latter is a function of a range of other factors." Without that step, what an organisation calls a physical climate risk assessment is, in reality, something considerably less.

The same logic applies to vulnerability. Risk is conventionally understood as the product of likelihood and consequence, or in climate terms, exposure and vulnerability. Exposure tells you that an asset sits in a flood-prone region. Vulnerability tells you what happens to that asset when the flood arrives: does it go offline for a day, a month, or permanently? Does it fail catastrophically or degrade gradually? Most organisations either do not hold fit-for-purpose vulnerability data at all, or they hold it but have never translated it into a form that can be used in a climate risk context. Either way, the consequence component of their risk equation is effectively missing.

"The practical consequence is that decisions about where to invest in adaptation, what to insure, what to disclose under frameworks like TCFD, TNFD, and the new AASB standards, are being made on a flawed evidence base."

How do climate risk assessments lead to flawed asset decisions?

That last point, disclosure, is where the methodology problem collides most directly with the pressures sustainability teams are navigating right now.

TCFD, TNFD, and the Australian Accounting Standards Board's new climate disclosure standard (AASB S2) are now the dominant context in which sustainability teams encounter physical climate risk. For many organisations, the question has shifted from "should we assess our climate risk?" to "how do we satisfy our disclosure obligations?" and the answer, for most, has been to reach for the tools that promise the fastest path to an output.

This is precisely the dynamic Dr Prakash is concerned about. The "black box" tools he describes, platforms that claim to contain all the data necessary to produce a risk rating for any asset, are, in many cases, the product of choice for organisations under disclosure pressure. They are fast, they produce a number, and they appear to satisfy the requirement. But what they typically produce is an exposure score, not a risk assessment. The vulnerability of the specific asset, in its specific condition, with its specific operational dependencies, is almost never in there.

"Tools that claim they already have all the data needed to carry out a risk assessment are a lazy way of getting an answer," Dr Prakash says. The concern is not merely academic. Disclosures built on exposure assessments rather than genuine risk assessments are, at best, incomplete, and as regulatory scrutiny tightens, potentially a source of legal and reputational exposure in their own right.

Dr Prakash is emphatic, however, that the regulations themselves are not the problem. "These frameworks have come through not to make life difficult for organisations," he says, "but to provide them an opportunity to materially improve their climate risk profile and reduce such exposure, thereby improving the organisation's ability to thrive in a climate-constrained environment." The issue is not that TCFD or AASB S2 demands too much, it is that organisations are satisfying the letter of those demands with tools and methods that do not meet the underlying intent.

Who should contribute to climate risk assessments & asset decisions?

Part of the reason assessments fall short is structural. Physical climate risk, done properly, is not a single-discipline problem. It requires climate scientists to produce credible hazard projections, civil and environmental engineers to translate those projections into asset-level hazard outputs, socio-economic modellers to quantify the consequences of asset failure, and asset management practitioners who understand what the data actually means for operational decisions.

In practice, assessments are typically commissioned from one of those groups, usually a consultancy with climate science or engineering capability, and the others are either absent or represented superficially. The result is that the exposure component may be technically rigorous while the vulnerability component is a rough estimate, or vice versa. A genuinely robust assessment, Dr Prakash argues, requires all four disciplines working together, with each component transparently documented so that the sources of both exposure and vulnerability data can be interrogated and verified.

This transparency requirement is one of the defining features of what he considers a genuine assessment. "[You] need to be able to demonstrate the source of data used for both the exposure and vulnerability components," he says, a standard that the black-box tools, by their nature, cannot meet.

How should organisations translate a climate risk assessment into an asset decision?

Even for organisations that manage to produce a technically sound risk assessment, the hardest part may still lie ahead. Translating a risk assessment into an adaptation response that actually reduces exposure is where Dr Prakash sees the third and most consequential gap emerge.

Maladaptation is the term for adaptation measures that, when their full consequences are accounted for, make an organisation's climate position worse rather than better. It can happen when direct costs and benefits are considered but indirect ones are not, when, for example, a flood mitigation measure protects one asset but increases inundation risk downstream, or when investment in hardening infrastructure at one site draws resources away from more vulnerable assets elsewhere. Without a framework that incorporates both direct and indirect costs and benefits, the business case for any adaptation investment is incomplete, and the risk of committing significant capital to the wrong solution is real.

This is the link, Dr Prakash argues, between physical climate risk assessment and genuine resilience. Risk assessment tells you where you are exposed and how severely. Resilience and adaptation planning tells you what to do about it, but only if the assessment was sound enough to support those decisions in the first place.

"A well-prepared organisation treats climate risk not as a compliance cost but as an opportunity to materially improve its asset base"

The tools and data required to reach that standard are, Dr Prakash notes, increasingly available. The barrier is less technological than it is organisational: a willingness to invest in assessments that are transparent, multidisciplinary, and genuinely integrated into asset decision-making, rather than assessments that produce a disclosure-ready output at the lowest possible cost.

For sustainability teams operating under the weight of TCFD, TNFD, and AASB S2, that reframe may be the most important shift of all. The regulations are not just asking organisations to report on climate risk. They are asking organisations to understand it, and there is an increasingly meaningful difference between the two.

Dr Prakash will facilitate the Pre-Conference Masterclass at the Climate Risk & Asset Resilience Summit, where he will go deeper on the methodology of fit-for-purpose physical climate risk assessment, and what genuine adaptation looks like for asset owners and operators.