Managing regulatory expectations

December 2022

The PRA's Model Risk Management (MRM) principles for banks are now live — see below for more on the requirements and how firms should be addressing them.

A comparison of findings

Prudential regulators focusing on the financial risks of climate change have had a busy year. In May, the UK’s Prudential Regulation Authority (PRA) released the results of its Climate Biennial Exploratory Scenario (CBES), followed in October by thematic feedback for banks and insurers on the expectations set out in Supervisory Statement 3/19, the 2020 Dear CEO letter and the 2021 Climate Adaptation Report. This feedback provides the first indication of how well banks and insurers are meeting regulatory expectations.

Similarly, having published its final Guide on Climate and Environmental (C&E) Risk in 2020, 2022 has seen the European Central Bank (ECB) ramping up its activity. In March it published a review of banks’ climate-related and environmental (C&E) disclosures, the results of a stress test on banks’ preparedness for managing climate risks in July, and in November it shared the results of its thematic review on the supervision of C&E risks.

Both regulators are now actively supervising climate-related financial risk and the two most recent sets of feedback represent a call to action for firms. While there are some similarities in the findings, with all institutions needing to do more, there are notable differences in approach when it comes to the overall regulatory view and remediation plans. Our ‘compare and contrast’ analysis below helps identify material divergences.

Scope

In terms of scope, the PRA’s feedback covers both banks and insurers, whilst the ECB’s findings are banking-specific. Although the European Insurance and Occupational Pensions Authority (EIOPA) has issued supervisory guidance for insurers and has assessed their exposure to physical risks, it has not yet released equivalent thematic findings to the ECB.

Additionally, the PRA’s review covers climate-related risk only. The ECB, on the other hand, also considers environmental risks, encompassing ‘water stress, biodiversity loss and resource scarcity’.

Key messages

The overarching message from the PRA is that banks and insurers have taken “concrete and positive steps” to implement supervisory expectations. It finds that governance of climate risks has advanced in most firms and that there is a general improvement in risk management practices. Firms have invested in improvements and, even where they still need to refine their approach, the actions taken have advanced their ability to address the risks and opportunities from climate change. However, the levels of embedding of overall practices vary and further progress is needed by all firms.

The ECB takes a more critical stance, noting that “banks are still far from adequately managing climate and environmental risks” and “continue to significantly underestimate the breadth and magnitude of such risks”. It notes that, although 85% of banks now have in place at least basic practices in most areas, they continue to lack more sophisticated methodologies and granular information on climate and environmental risks. It also expresses concern around the execution capabilities of most banks, with effective implementation of their practices still lagging.

The comparison below includes the most significant elements of the PRA and ECB reports. To note, the ECB has provided more quantitative data on how firms are performing in each area, whereas the PRA provides high-level commentary only.

	PRA: Banks and Insurers	ECB: Banks
Institutional Architecture (overall approach and capabilities, mapping of responsibilities, mitigation strategy etc)	The PRA does not reference overall institutional architecture, but comments on firms’ levels of embeddedness and effective practices. Firms have advanced their capabilities but further progress is needed to embed them.	Over 85% of banks now have at least basic practices in place for most of the ECB’s expectations, including: initial mapping of risk exposures, allocated responsibilities, setting initial KPIs and KRIs, and developing a qualitative mitigation strategy for part of their risk exposures. However, 10% of banks are lagging, with no C&E-related governance in place, and no material progress shown since 2021.
Risk Management	Firms have generally made progress on risk management processes, though the maturity of those processes varies, and all firms have more work to do. In many cases, climate risk considerations still need to be embedded fully into overall risk management frameworks (RMF), risk appetite statements (RAS), committee structures and all three lines of defence, using both quantitative and qualitative measures. Effective practice will include: Having a well-defined quantitative RAS that is aligned with the overarching RMF for climate and tailored to the business strategy, business model and balance sheet. Having effective RMFs and/or quantitative risk appetite metrics for climate risk. Appropriately factoring climate risk (including prudent assumptions and proxies) into modelling capabilities. For insurers, this will include climate risk management for underwriting purposes. Banks will have clear timelines for including climate factors in credit processes and a complete picture of counterparty exposures and transition plans. Carrying out methodical analysis on whether to hold capital for climate change risk. Including sufficient contextual information in capital methodologies to explain the analysis.	Nearly all banks need more forward-looking approaches to manage C&E risks. There are significant weaknesses in banks’ ability to manage C&E risks. 96% of banks have blind spots in the identification of C&E risks and their drivers in key sectors and geographies – and 60% of firms were deemed to have major gaps by the ECB. For example, only certain risk drivers, such as flood risk, are considered in some portfolios instead of the full range of risk drivers. Good practice - some banks have developed advanced approaches to embedding C&E risks into client due diligence and lending policies including: Establishing lending criteria for sectors and activities, including exclusion criteria. Applying acceptance criteria based on portfolio thresholds. Repeating the due diligence process on a regular basis.
Data	All firms need more “robust, standardised climate-related data of sufficient coverage”. Most rely on third party data. Where data gaps are still identified, interim approaches using proxies are required. The most effective practices were observed where firms have identified their significant data gaps and are developing a strategic approach to close them, including balancing the use of third-party providers with developing short-, medium- and longer-term in-house capabilities. Use of appropriately conservative assumptions and proxies, internal documentation of estimates and disclosure of relevant material to users was also observed to be effective practice.	Fewer than 10% of banks use sufficiently granular and forward-looking information in their risk management and governance practices. Banks need to develop their data frameworks and then actively collect granular data from their counterparties. Additionally, C&E risks should be integrated into ratings systems, pricing, and collateral valuations. An example of good practice is firms using client questionnaires to collect qualitative and quantitative data about the client and specific assets.
Scenario Analysis	Limitations in data mean that firms' use of scenario analysis is not yet sophisticated enough to be useful in decision-making. Where firms are using climate risk models, these are at an early stage of development. It is good practice for firms to recognise the uncertainty of scenario analysis, and reflect this in prudent assumptions, manual adjustments or sensitivity analysis. The following areas require further work: Incorporating contextual information into scenario analysis. Integrating scenario analysis output into ICAAPs and ORSAs. Providing clarity on how the selected data and assumptions are appropriate to firms' own business vulnerabilities.	Only a subset of firms use scenario analysis to test the adequacy of their strategic responses to climate change risk (e.g. by quantifying the impact of climate-related risks on profits and losses, risk-weighted asset and regulatory capital). Additionally, where some firms were using scenario analysis, they used third-party proxies rather than relying on actual client information held within the business (e.g. for energy performance certificate (EPC) data).
Governance	Firms have made ‘significant progress’ in embedding supervisory expectations around governance. They have generally implemented an effective level of climate governance, trained appropriate key personnel to both understand and manage this risk, and are producing management information that allows Executive teams and Boards to lead and challenge in this area. The most effective firms demonstrate strong Board and Executive oversight through a coherent approach to business strategy, planning, governance and risk management processes. This is supported by appropriate metrics and risk appetites. Most firms have given overall responsibility of climate-related financial risk to a Senior Management Function (SMF) holder. The PRA regards this as positive step but cautions that all SMFs should be able to speak to and take appropriate ownership of the broad institutional strategy for climate risks.	Most institutions have defined roles and responsibilities for the Executive team, as well as the first and second lines of defence. Management teams frequently receive some information on C&E risks that are monitored using an initial set of KRIs. However, this does not always enable management to effectively manage these risks, as monitoring and reporting is mostly done without granular and forward-looking data. Additionally, internal audit activities and remuneration policies do not currently support banks’ efforts to manage C&E risks. The inclusion of C&E related KPIs in remuneration policies for the executive team and senior managers is an example of good practice. Some banks have gone further and adjusted remuneration policies for all staff (e.g. including environmental targets in their variable remuneration component).
Disclosures	Although progress has been promising, reflecting other work relating to SS3/19 as described above, firms need to continue to develop their disclosures. Firms are generally making disclosures via their annual reports or through a standalone climate report, rather than through Pillar 3 reporting or Solvency and Financial Condition Reports (SFCRs). Effective practice would include disclosures in these “mainstream filings” and provide consistent messaging and cross referencing across all reporting and disclosures. Where there is no mention of climate risk in Pillar 3 reporting or SFCRs, firms should be able to explain why the risk is considered immaterial.	This was excluded from the scope of the ECB’s review. However, an ECB report published in March 2022 revealed that “virtually none of the banks disclose all the basic information on climate-related and environmental risk that would align with all of the ECB’s expectations.”

What next?

It appears that the PRA and ECB differ in their assessment of the extent to which firms are currently meeting supervisory expectations. Where the PRA recognises overall progress, though acknowledging the need to do more, the ECB is more critical.

What does this mean for banks and insurers operating in the UK and the EU? The PRA has been clear that every firm in scope of SS3/19 should by now be able to demonstrate how it is responding to supervisory expectations. It will continue to engage on this issue through BAU supervision and, where firms are not making sufficient progress, they will be asked to provide a roadmap to articulate how any gaps will be overcome. The PRA has also warned that supervisors will have recourse to the wider supervisory toolkit if firms do not adequately address climate risk.

For EU banks, the implications are more concrete. The ECB has sent feedback letters to individual banks. For significant institutions, these contained an average of 25 shortcomings, and more than 30 firms included in the review have been issued with binding requirements as part of the Supervisory Review and Evaluation Process (SREP) to address severe weaknesses. Full alignment with supervisory expectations is required by the end of 2024:

By March 2023 - banks are expected to adequately categorise C&E risks and conduct a full assessment of their impact on activities
By the end of 2023 at the latest - banks are expected to include C&E risks in their governance, strategy and risk management
By the end of 2024 - banks must meet all the remaining supervisory expectations first set out in 2020 in the Guide on Climate-Related and Environmental Risks, including full integration into the ICAAP and stress testing

The ECB has made clear that it will monitor the deadlines and may use enforcement action to ensure compliance.

UK and EU firms should continue to monitor the PRA and ECB’s expectations as they evolve.