Managing regulatory expectations

PRA: Banks and Insurers

ECB: Banks

• The PRA does not reference overall institutional architecture, but comments on firms’ levels of embeddedness and effective practices.
• Firms have advanced their capabilities but further progress is needed to embed them.  

• Over 85% of banks now have at least basic practices in place for most of the ECB’s expectations, including: initial mapping of risk exposures, allocated responsibilities, setting initial KPIs and KRIs, and developing a qualitative mitigation strategy for part of their risk exposures.
• However, 10% of banks are lagging, with no C&E-related governance in place, and no material progress shown since 2021.

Risk Management

• Firms have generally made progress on risk management processes, though the maturity of those processes varies, and all firms have more work to do.
• In many cases, climate risk considerations still need to be embedded fully into overall risk management frameworks (RMF), risk appetite statements (RAS), committee structures and all three lines of defence, using both quantitative and qualitative measures. 

• Having a well-defined quantitative RAS that is aligned with the overarching RMF for climate and tailored to the business strategy, business model and balance sheet.
• Having effective RMFs and/or quantitative risk appetite metrics for climate risk.
• Appropriately factoring climate risk (including prudent assumptions and proxies) into modelling capabilities.
• For insurers, this will include climate risk management for underwriting purposes.
• Banks will have clear timelines for including climate factors in credit processes and a complete picture of counterparty exposures and transition plans.
• Carrying out methodical analysis on whether to hold capital for climate change risk.
• Including sufficient contextual information in capital methodologies to explain the analysis.

• Nearly all banks need more forward-looking approaches to manage C&E risks.
• There are significant weaknesses in banks’ ability to manage C&E risks. 96% of banks have blind spots in the identification of C&E risks and their drivers in key sectors and geographies – and 60% of firms were deemed to have major gaps by the ECB. For example, only certain risk drivers, such as flood risk, are considered in some portfolios instead of the full range of risk drivers.

• Establishing lending criteria for sectors and activities, including exclusion criteria.
• Applying acceptance criteria based on portfolio thresholds.
• Repeating the due diligence process on a regular basis.

Data

• All firms need more “robust, standardised climate-related data of sufficient coverage”.
• Most rely on third party data. Where data gaps are still identified, interim approaches using proxies are required.
• The most effective practices were observed where firms have identified their significant data gaps and are developing a strategic approach to close them, including balancing the use of third-party providers with developing short-, medium- and longer-term in-house capabilities.
• Use of appropriately conservative assumptions and proxies, internal documentation of estimates and disclosure of relevant material to users was also observed to be effective practice.

• Fewer than 10% of banks use sufficiently granular and forward-looking information in their risk management and governance practices.
• Banks need to develop their data frameworks and then actively collect granular data from their counterparties. Additionally, C&E risks should be integrated into ratings systems, pricing, and collateral valuations.
• An example of good practice is firms using client questionnaires to collect qualitative and quantitative data about the client and specific assets.

Scenario Analysis

• Limitations in data mean that firms' use of scenario analysis is not yet sophisticated enough to be useful in decision-making. Where firms are using climate risk models, these are at an early stage of development. It is good practice for firms to recognise the uncertainty of scenario analysis, and reflect this in prudent assumptions, manual adjustments or sensitivity analysis.

• Incorporating contextual information into scenario analysis.
• Integrating scenario analysis output into ICAAPs and ORSAs.
• Providing clarity on how the selected data and assumptions are appropriate to firms' own business vulnerabilities.

• Only a subset of firms use scenario analysis to test the adequacy of their strategic responses to climate change risk (e.g. by quantifying the impact of climate-related risks on profits and losses, risk-weighted asset and regulatory capital).
• Additionally, where some firms were using scenario analysis, they used third-party proxies rather than relying on actual client information held within the business (e.g. for energy performance certificate (EPC) data).

Governance

• Firms have made ‘significant progress’ in embedding supervisory expectations around governance.
• They have generally implemented an effective level of climate governance, trained appropriate key personnel to both understand and manage this risk, and are producing management information that allows Executive teams and Boards to lead and challenge in this area.
• The most effective firms demonstrate strong Board and Executive oversight through a coherent approach to business strategy, planning, governance and risk management processes. This is supported by appropriate metrics and risk appetites.
• Most firms have given overall responsibility of climate-related financial risk to a Senior Management Function (SMF) holder. The PRA regards this as positive step but cautions that all SMFs should be able to speak to and take appropriate ownership of the broad institutional strategy for climate risks.

• Most institutions have defined roles and responsibilities for the Executive team, as well as the first and second lines of defence.
• Management teams frequently receive some information on C&E risks that are monitored using an initial set of KRIs. However, this does not always enable management to effectively manage these risks, as monitoring and reporting is mostly done without granular and forward-looking data.
• Additionally, internal audit activities and remuneration policies do not currently support banks’ efforts to manage C&E risks.
• The inclusion of C&E related KPIs in remuneration policies for the executive team and senior managers is an example of good practice. Some banks have gone further and adjusted remuneration policies for all staff (e.g. including environmental targets in their variable remuneration component).

Disclosures

• Although progress has been promising, reflecting other work relating to SS3/19 as described above, firms need to continue to develop their disclosures.
• Firms are generally making disclosures via their annual reports or through a standalone climate report, rather than through Pillar 3 reporting or Solvency and Financial Condition Reports (SFCRs).
• Effective practice would include disclosures in these “mainstream filings” and provide consistent messaging and cross referencing across all reporting and disclosures.
• Where there is no mention of climate risk in Pillar 3 reporting or SFCRs, firms should be able to explain why the risk is considered immaterial.

• This was excluded from the scope of the ECB’s review. However, an ECB report published in March 2022 revealed that “virtually none of the banks disclose all the basic information on climate-related and environmental risk that would align with all of the ECB’s expectations.”