What Do the New EBA Guidelines on ESG Risk Management Mean for Your Business?

Introduction

The management of environmental, social and governance (ESG) risks is becoming increasingly important. On 8 January 2025, the EBA published guidelines on ESG risk management for credit market companies and banks (institutions) under the updated mandate in Article 87a(5) of Directive 2013/36/EU (CRD). On 23 May 2025, FI announced that it intends to follow the guidelines. The guidelines will apply from 11 January 2026, except for small and non-complex institutions (SNCIs), for which they will apply from 11 January 2027.

The guidelines cover three main areas: identification and measurement of ESG risks, minimum standards for the management and monitoring of ESG risks, and the design of ESG risk plans under Article 76(2) of the CRD. The guidelines place the greatest emphasis on environmental risks and prioritise quantitative risk measures in the medium and short term. However, it is recommended to strive to also analyse societal and governance risks, to conduct long-term risk assessments, and to use qualitative risk measures in the absence of quantitative measures. Management should integrate ESG risks into the rest of risk management and include how they interact with financial risks.

Identification and Measurement of ESG Risks

The Guidelines recommend that an institution base its management of ESG risks on annual materiality assessments for all applicable risks, with the exception of SNCIs, which should carry out the assessments at least every two years. The materiality assessments should also identify the transmission channels and estimate the expected losses in the institution's financial risk categories resulting from the ESG risks. The greatest emphasis is placed on environmental risks, where institutions should at least include climate risks, risks from ecosystem degradation, risks from biodiversity loss, physical risks and risks from the transition to a sustainable society. These impacts should also be included in the internal capital and liquidity adequacy assessment process (ICAAP/ILAAP).

Institutions should actively measure and monitor risk factors for at least the material ESG risks, using relevant risk metrics. Taking into account the principle of proportionality, and the outcome of the materiality assessment, institutions should prioritise establishing quantitative risk metrics for short- and medium-term environmental risks. Where there is a lack of appropriate quantitative data for societal risks, corporate governance risks, environmental risks of non-major institutions, and risk metrics that consider longer time horizons, institutions are recommended to initially use qualitative metrics. However, they should endeavour to increase the use of quantitative measures as the availability and quality of such data increases.

The measures should be chosen so that, in combination, they take into account the three relevant time perspectives for material risks:

  • Risks in the short-term perspective should be analysed at the level of individual exposures. Within this perspective, methodologies for environmental risks should take into account both physical and transition risks, while methodologies for social responsibility and corporate governance risks should primarily take into account potential litigation detected through due diligence procedures.
  • For the medium-term perspective, institutions should use portfolio and sector-level analyses. The analysis in this perspective should identify any concentrations of ESG risk factors in sectors and in institutions' portfolios. Institutions should take the results into account in order to adjust the content of their portfolios to achieve internal ESG objectives.
  • For the long term, institutions should use scenario-based methods. The recommended methods for scenario analysis are described in a separate guideline which was published on 2025-11-05.

Minimum Standards for Managing and Monitoring ESG Risks

The guidelines provide recommended minimum standards to ensure adequate management of ESG risks. They should be included in the overall system used to manage other risks. For example, the evaluation of credit risk should already include ESG metrics at the issuance stage, in line with paragraph 56 of the EBA/GL/2020/06. That system should also include the impact on the institution's financial risk categories.

Institutions should set thresholds for key risk indicators and risk limits for material ESG risks. Relevant employees and parts of the organisation should understand these risk limits and thresholds, how they apply them and how sensitive the organisation is to the underlying risks. To ensure that a comprehensive overview can be communicated, risks should be continuously monitored. The Guidelines provide several examples of appropriate metrics and indicators, including the amount of GHG emissions the institution historically funded or is expected to fund and the number/amount of exposure to ESG litigation in which a counterparty has been involved. Institutions should also include the material ESG risks and their impact on financial risks in the ICAAP and the material environmental risks and their impact on financial risks in the ILAAP.

A combination of tools should be used to manage ESG risks, including: direct communication with counterparties, customisation of financial terms and conditions, taking them into account in internal objectives, and taking them into account when diversifying holdings and exposures. These tools should be integrated into the work of institutions' three lines of defence. Institutions should also align their internal culture with their ESG risk appetite, for example by adjusting the tone of communication from the senior management team and promoting awareness of ESG factors and objectives throughout the organisation. Institutions should also take ESG risks into account when setting their business and risk strategies. This includes, among other things, reviewing the impact on the business model of long-term changes to the economy and the financial system. When planning, institutions should take into account both physical environmental risks and environmental transition risks, as well as consider, at least at a high level, societal and corporate governance risks.

How to Design ESG Risk Plans in Accordance with the CRD

CRD 6 adds 3 paragraphs to Article 76(2) of the CRD. As a result, institutions now need to establish and adhere to plans with quantifiable objectives and processes to manage ESG risks. The guidelines specify that these plans should be developed as a product of the transition planning process.

The transition planning process is described as the institution's process for developing strategic actions to manage the risks arising from the transition to a sustainable economy. Institutions should use a combination of risk metrics to enable the board to guide the process. These should include, but not be limited to, the risk metrics developed for risk appetite. The process should take into account the three relevant time horizons, for example by setting well-designed and interacting milestones.

The Guideline describes a recommended minimum content of the resulting plans and provides a support tool for preparing these plans. All institutions are recommended to include 5 overarching elements in their plans, but large institutions are recommended to include additional details. Institutions should describe in all plans how they will be implemented and measured. The plans should also include a clear division of responsibilities, taking into account existing responsibilities and potential conflicts of interest in the existing reporting structures. A clear recommendation is to incorporate implementation and monitoring into the work of the existing three lines of defence. For the plans to be executed by institutions, they should develop their internal competences and allow the responsible parts of the organisation to contribute to the planning. See Table 1 below.

Contents | For all institutions | Only for large institutions

Strategic objectives
  i. An overarching high-level strategic objective to manage ESG risks.
  ii. A comprehensive set of long-term objectives with intermediate milestones to ensure the resilience of the business model to ESG risks.
  iii. Key assumptions, considerations and background information relevant to the understanding of the institutions' objectives and goals.

Targets and measures
  i. Quantitative targets set to manage ESG risks.
  ii. Portfolios, sectors, asset classes, business lines and, where applicable, economic activities (i.e. individual technologies) covered by targets and monitoring metrics.
  iii. Time horizons for the application of the targets and measures.

Governance
  i. A governance structure for the plans, including roles and responsibilities for the design, validation, implementation, monitoring and updating of the plans.
  ii. Capacity and resource related actions to ensure appropriate knowledge, skills and expertise for the effective implementation of the plans.
  iii. Remuneration policy and practice.
  iv. Data and systems used for the process of transition planning.

Implementation strategy
  i. An overview of the short-, medium- and long-term actions taken or planned to achieve the objectives of the plans.
  ii. Adaptations to policies and procedures.
  iii. Changes introduced in the mix and pricing of services and products to support the implementation of the plans.
  iv. Investments and strategic portfolio allocation that support the institution's business strategy and risk appetite in relation to ESG risks.

Contact strategy
  i. Policies on contacts with counterparties, including information on the regularity, purpose and objectives of contacts.
  ii. Processes, methodologies and metrics used to collect and assess information on counterparties' exposure to ESG risks and their alignment with the institution's objectives and risk appetite.
  iii. The outcomes of the engagement, including an overview of the adaptive capacity and resilience of counterparts in the transition to a more sustainable economy.

Table 1: Recommended minimum content of ESG risk plans

Next Steps

To ensure that you comply with the new guidelines, we recommend that you examine how your organisation manages environmental, social and governance risks, identify any gaps, and implement the necessary measures. NFC can support you in this examination, suggest measures and help you implement them. Read more about our risk management and control services or contact us below to find out more!
