Article

The PRA consults on climate risk management

Irina Velkova
By:
Business meeting image
The PRA has published CP10/25, raising supervisory expectations for banks' and insurers’ approach to climate-related risk management. Irina Velkova looks at the proposed changes and what firms need to do now to continue to meet regulatory requirements.
Contents

When the PRA published SS3/19, it was the first supervisory statement of its kind, aiming to help banks and insurers manage climate-related risk. Six years on, the PRA has proposed changes to its approach, targeting uneven implementation across the sector and reflecting emerging good practice. It brings together guidance from the Climate Financial Risk Forum (CFRF), PRA feedback letters, and the Climate Change Adaptation Report, among others.

A non-prescriptive approach

With climate risk being an emerging field, SS3/19 was inherently focused on acknowledging that risk management practices would mature over time. While the field has moved forward somewhat, the PRA has deliberately retained a non-prescriptive approach. It asks banks and insurers to focus on their climate-related material risks and factor them into their strategic decision-making processes. This will affect risk appetite and determine how the firm manages physical and transition risks.

Although banks and insurers have made progress, they both face sector-specific implementation challenges, which the draft supervisory statement within CP10/25 aims to address.

PRA feedback for banks

With the exception of reputational risks, many banks still don't perceive climate-related risks to be material. Furthermore, the PRA highlights that the underlying risk assessments are not robust enough. Additionally, most banks don’t have clear climate-related risk metrics or a climate-specific risk appetite. This makes it difficult to take a coherent strategic approach.

Scenario analysis is a key challenge, and banks are not making the most of this tool. The underlying issue is a lack of data – covering both climate projections, and the bank’s own operations, exposures and counterparties. As a result, many banks are struggling to assess physical risk exposures in relation to their assets and portfolios. This also makes it tricky to tailor scenarios to the bank’s individual business model, with a reliance on qualitative, rather than quantitative data.

PRA feedback for insurers

Insurers’ scenario analysis currently covers a variety of risks and time horizons. However, there are still gaps in climate risk data, capabilities and tools, so scenarios don’t fully reflect the climate-risk universe. They also often don’t consider a broad enough range of plausible outcomes or worst-case scenarios. The PRA also notes that while insurers included climate scenario finding in their own risk and solvency assessment (ORSA), the information is typically not used to inform wider decision-making processes.

Like banks, insurers are also struggling with climate-risk management appetite statements. Most have embedded climate-related risks in the firm’s risk appetite statement, however they are not quantified. That makes it tricky to monitor and track climate-risk exposures against the risk appetite.

Governance

The biggest changes in the PRA’s CP10/25 focus on governance arrangements. Particularly, around how the Board integrates climate considerations into risk management and strategic decision-making. Firms need to move beyond an awareness of climate risk, to active oversight and accountability at the highest levels.

To achieve this, Boards need clear climate-related risk analysis, with appropriate training to interpret and act on those findings. This includes evaluating how the firm’s strategy performs in a range of climate scenarios to assess business model resilience. A periodic review of the climate-related risk strategy, appetite and management is crucial, overseen by the relevant Senior Management Function.

With risk appetite statements remaining a key challenge, CP10/25 proposes that firms should create climate-specific risk appetite statements. The statement must include risk metrics and limits (business and firm-wide), with input from scenario analysis (including reverse stress testing). It must also cover risk appetite and tolerances for outsourced and third-party arrangements. Firms need to include a clear statement on how they plan to manage the risks outlined.

Additional proposals to note include:

  • Ultimate responsibility for climate-related risks to sit with a senior member of the organisation, with clear reporting lines.
  • Inclusion of climate-related risk into the control framework across all three lines of defence.
  • Effective use of reward to boost accountability for climate risk management.

As a final point on governance; many firms have adopted climate risk targets, such as tracking carbon emissions. In these instances, firms need to reflect those targets in their management frameworks.

Risk management

Risk identification and assessment is a key area of concern for the PRA, with firms potentially not recognising material risks. It proposes that firms carry out a regular, structured risk identification and assessment exercise, with substantiated judgements to inform next steps. This should include relationships with counterparties, investees, policyholders and clients.

Establishing effective climate-related metrics will provide a stronger basis to discuss business strategy, and allow firms to track progress. As such, the PRA proposes that firms develop quantitative risk appetite metrics and limits for each material climate-related risk. Firms must review these regularly to stay up to date and apply appropriate risk management tools as the landscape evolves.

Appropriate metrics are also vital for operational resilience arrangements. The PRA clarifies the need to consider a firm’s individual resilience to climate-related risks, and the ability to provide critical operations.

Building on SS3/19, the PRA’s CP10/25 highlights the importance of regular and ad-hoc internal risk reporting. This is vital for board decision making, and frequency should reflect their materiality.

Climate scenario analysis

As a recurring theme, the PRA highlights that firms are not making effective use of climate scenario analysis. It is an integral tool that needs to capture all material climate-related risks to inform decision-making. As such, it must have clear objectives while recognising, and working to address, current gaps in knowledge over the scale and range of climate risks. It should also include reverse stress testing to identify climate risk scenarios that could result in material outcomes.

Firms need to select, tailor and match scenarios to achieve key objectives and use-cases, and should update the scenarios regularly, in line with scientific updates and models. It’s important to apply this climate scenario analysis proportionately for a wide range of purposes. This may include setting the risk appetite or valuations, or internal capital setting, among others. When detailing capital setting in the ORSA or ICAAP, firms need to document how the climate scenario analysis informed these decisions.

Data

Lack of reliable climate risk data is well documented and continues to be a challenge for banks and insurers. Under CP10/25, firms should demonstrate how they plan to close any data gaps, using proxies or assumptions in the meantime. With most firms still relying on external data, the PRA stresses the importance of oversight and governance over it. Moving forward, and maintaining a proportionate approach, firms should have systems in place to collect and aggregate climate-related data.

Disclosures

Disclosures are one of the more mature areas of climate risk management and as such the PRA hasn’t proposed significant changes. Firms should continue to align with the International Sustainability Standards Board (ISSB) disclosure framework, which supersedes the Task Force on Climate-related Financial Disclosure (TCFD) requirements. All references have been updated in the draft supervisory statement.

Sector specific requirements

With different challenges facing banks and insurers, the PRA also makes targeted provisions for each sector, as outlined below.

Requirements for banks

Banks need to include climate-related risks in their financial reporting, and document the underlying climate risk data processes and controls to inform balance sheet valuations. They also need clearer practices and policies to inform climate-related expected credit losses.

To support the ICAAP, banks need to include further information on how they have determined materiality. This includes assumptions, judgements, proxies and methodologies. Addressing liquidity and funding risk, banks must include climate-related risks into their liquidity buffers and risk management frameworks.

With varying capabilities at present, firms need processes and policies to identify, measure and mitigate climate-related credit risk. Similarly, firms need to understand how climate-related risk translates to market risk, with scenario analysis once again highlighted as a key tool.

Requirements for insurers

Risk management frameworks need to further reflect climate risk, ensuring they don't underestimate the impact of climate change on the insurers technical provisions and assets.

Where climate-related risks are material, they should be included in the ORSA, with supporting information such as robust climate scenario analysis. This should also include the impact that those risks have on investment and underwriting activities.

Where relevant, Solvency Capital Requirements should reflect the impact of climate-related risks on reserving, underwriting, market, credit and operational risk. There are no additional capital requirements, but firms need to make sure that existing capital requirements don’t underestimate the impact on those traditional risk categories.

Firms also need to factor climate risks into the balance sheet, considering its impact on the valuation of assets and liabilities.

Next steps

While the PRA’s CP10/25 continues to apply a proportionate approach, it has raised the bar significantly. Firms must justify their approach to materiality assessments and demonstrate how climate risk is being factored into business and strategic decisions. This includes good use of climate scenario analysis and adequate risk appetite statements to set appropriate thresholds.

Firms need to take a more proactive approach to embed climate risk management across all relevant risk types. Rather than treating climate risk as a standalone risk, firms must integrate it into their existing risk frameworks, controls, and reporting processes. Supported with effective metrics, firms need to draw these elements together for effective internal reporting to promote good governance and Board decision making processes.

Comments are open until 30 July 2025, and it’s worth noting that once approved the new rules will take effect immediately. Taking early action will help banks and insurers meet regulatory expectations and improve risk management across the firm.

For further information on climate-related risk management, contact Irina Velkova.