Final EBA Guidelines on ESG Risk Management – Implications for Governance and Risk Management


The European Banking Authority (EBA) has published its final Guidelines on ESG risk management, requiring financial institutions to integrate ESG risks into their governance, ICAAP, credit risk frameworks, and other risk categories. These guidelines align with the EU’s sustainability objectives, including the Green Deal and net-zero emissions by 2050, and complement CRD VI and CRR III.

This paper highlights the significant changes from the consultation draft to the final EBA Guidelines and shares practical implications from current implementation projects:


Enterprise Risk Management

  • ESG risks must be embedded into strategic decision-making and governance structures. Operationalization is steered via metrics that direct management interventions and trigger corrective actions in case of material deviations.
  • Institutions must incorporate long-term scenario analyses and transition planning into their business strategies.
  • Compliance with Capital Requirements Directive (CRD VI) and Capital Requirements Regulation (CRR III) ensures that ESG risks are fully integrated into risk frameworks and capital planning.
  • Alignment with EU disclosure frameworks such as CSRD, EU Taxonomy, and Pillar 3 requirements is essential for transparency and regulatory compliance.
  • To enhance board-level risk governance, ESG risks must be linked to risk appetite frameworks and governance reporting to ensure compliance at strategic levels. This will improve accountability and facilitate consistent monitoring of ESG risks in decision-making processes.
 

Data Collection 

  • Data collection is now based on the ESG risk materiality assessment, allowing a certain flexibility in terms of granularity vis-à-vis the materiality assessment results. The list of data points for large corporates is therefore indicative and should reflect the risks identified.
  • The alignment with CSRD disclosures is emphasized, meaning banks should use publicly available data, especially on emissions and climate plans.
  • The use of proxies when data is unavailable is allowed, but a reduction over time is expected as data quality improves.
  • Specific data points are required, such as GHG emissions, energy consumption, social standards, and governance issues, where engagement with clients is required to close the gaps; publicly disclosed CSRD data should be used primarily.
  • Sector-specific risk metrics, especially for high-emission industries, need refinement. Integrating detailed exposure and risk metrics for carbon-intensive sectors will enhance transparency and differentiation.
 

Internal Capital Adequacy Assessment Process (ICAAP)

  • ESG risks must be explicitly factored into ICAAP, ensuring their integration into capital adequacy assessments from both normative and economic perspectives.
  • Banks must assess the impact of climate-related, social, and governance risks on their internal capital planning and risk-bearing capacity.
  • Scenario-based stress testing must include ESG-related shocks to assess financial stability in different transition scenarios. In addition to exposure-based, sector-based, portfolio-based and portfolio alignment methods, institutions should integrate scenario-based analyses into their ICAAP to test their resilience to ESG risks under various scenarios, as outlined in the forthcoming EBA Guidelines on ESG scenario analysis.
 

Credit Risk

  • ESG factors must be explicitly embedded into credit underwriting, risk classification, and portfolio management.
  • Materiality assessments should analyze the financial impact of ESG risk drivers on counterparties, sectors, regions and loan (sub-) portfolios.
  • Institutions must evaluate sectoral exposures to climate risks and sustainability goals, ensuring alignment with net-zero transition strategies and the broader EU sustainability agenda.
  • Banks are expected to demand from their clients forward-looking transition plans to mitigate transition and physical risks, especially in high-emission industries, where transparency on strategies is vital for credit risk assessments.
 

Exposure based methods

  • The final guidelines allow smaller institutions to use more flexible, qualitative methods based on their size and complexity.
  • Clarification that large institutions must assess portfolio alignment with climate goals, including an assessment at sector and counterparty level.
  • The final guidelines stress the importance of quantifying environmental risks, including physical and transition risks.
  • Clarity on using proxies and scenario analysis, allowing flexibility as data improves. That represents an analogy to the treatment of overlays in the context of novel risks.
  • No significant changes have been made to sector-based, portfolio-based, and portfolio alignment methods in the transition from the consultation draft to the final version of the guidelines.
 

Implementation Timeline

  • January 11, 2026 – Guidelines apply to ECB-supervised institutions.
  • January 11, 2027 – Small and non-complex institutions (“SNCIs”) are expected to comply with the Guidelines.
 

What are the key takeaways for practical implementation?

Materiality Assessment

✔     Financial materiality needs to be consistent in ICAAP and CSRD Materiality Assessment considering likelihood of occurrence and the potential magnitude of the financial effects of ESG risks in the short and medium term and over a long-term horizon of at least 10 years. 

✔     Risk identification, measurement methods and metrics should support and inform the regular updates of the materiality assessment; the proportionality principle applies to smaller, less complex institutions.


Identification and measurement of ESG Risks

✔     Tools and methodologies shall continuously evolve to assess ESG drivers and their transmission channels into different prudential risk categories. 

✔     The level of granularity and accuracy of the data points, quantification tools, methods and indicators used by institutions should take into account their materiality assessment and their size and complexity, and should generally be higher for the short and medium term. Long-term time horizons should at least be considered from a qualitative perspective and support strategic assessments and decision-making.


Data Collection

✔     A gap analysis for ESG data collection should be conducted and continuously updated to identify missing elements and track the evolution of internal and external data infrastructure. This ensures optimized assessment, management, and monitoring of ESG risks. In particular, information disclosed under the ESRS remains crucial. Institutions shall also review their practices in light of public and market developments. Where data quality is initially insufficient, proxies may be used in line with best-effort principles, especially for credit exposures to counterparties other than large corporates.

✔     It is expected that the bank-wide data infrastructure as well as the internal governance and controls on ESG data are continuously enhanced and the use of proxies is reduced over time. A dedicated data capacity and quality enhancement plan with dedicated owners and accountable stakeholders can be seen as good practice to ensure a sound operationalization.

 

Exposure based methods & credit risk

✔     For credit risk, counterparties / clients are expected to establish forward-looking transition plans for the effective management of transition and physical risks. Decision-making methodologies need to incorporate clear ESG-related criteria explicitly into credit origination considerations, supplementing other financial metrics such as DSCR, LTV etc.

✔     Institutions need to have sector-based heatmaps in addition to portfolio / regional heatmaps of ESG risk drivers and identify relevant concentrations. Portfolios need to be aligned according to at least one of the portfolio alignment methodologies. For SNCIs, scenarios that are science-based and relevant to the sectors of economic activity and the geographical location of their exposures can also be used.

 

ICAAP

✔     Time horizons considered for the determination of adequate internal capital to cover ESG risks should be consistent with the time horizons used as part of the institutions’ overall ICAAP. This means that the anticipation of medium / long-term losses vis-à-vis the usual risk measurement horizons (normative perspective: 3 years; economic perspective: 1 year) can be seen as an appropriate practice.

 

Single Risk Considerations

✔     Good practices for the management of ESG risk drivers related to single risks have been expanded, especially for operational risk.

The final guidelines introduce several new elements related to the management of ESG risk drivers for operational risk management. Two notable additions are:

  1. Identification and labeling of environmental risk losses in operational risk registers / loss databases –
    Financial institutions are now required to identify and categorize losses specifically related to environmental risks within their operational loss registers / loss databases. This must be done in alignment with the regulatory technical standards on loss event classification under Article 317(9) of Regulation (EU) No 575/2013. This change enhances transparency and allows banks to track and manage ESG-related operational risk in a systematic manner, i.e. as an input for operational risk models.
  2. Enhanced measures against ESG-related reputational risks –
    The guidelines emphasize the need for financial institutions to integrate ESG factors into reputational risk management. This includes considering risks associated with lending to or investing in businesses that may face ESG-related controversies (e.g., human rights violations). Additionally, institutions must now monitor reputational risks arising from failing to deliver on sustainability commitments or having transition plans that lack credibility.

 

✔     In terms of risk monitoring, institutions should consider increasing granularity through specific KPIs, e.g. financed GHG emissions with a breakdown by scope 1, 2 and 3 emissions in absolute value and, where relevant, intensity relative to units of production or revenues, differentiated by sector.