Climate Risk Management expectations for banks and insurers

The PRA issued its long-awaited consultation paper CP10/25 on 30 April 2025, outlining significant updates to existing regulatory expectations for banks and insurers with respect to managing climate-related risks, hence updating the Supervisory Statement SS3/19.

Having previously outlined our predictions for what would be included, here are our highlights of what this means and where to focus.

Climate governance

There is a firm expectation that boards are informed and educated on the potential range of impacts of climate change on their business, strategy, and viability. There is a clear signal that information needs to be tailored, relevant to each organisation, and actionable.

There is an expectation that the board considers impacts under different scenarios and over a range of timescales in forming a view on risk appetite, and as a result, what needs to be done. Climate scenarios and risk registers are tools that are expected to be used by management and boards. There is a strong focus on actionable insights – ‘So what’ – and less on reporting for reporting’s sake.

Risk appetite

The draft supervisory statement is very directional on what is expected from firms’ risk appetite frameworks. There is an expectation that enterprise-risk appetites are cascaded within a hierarchy into line of business appetites for all material climate risks. Adherence to risk appetites should be demonstrable through ongoing monitoring of quantitative key risk indicators that are in place to track exposures against these limits. There is a strong hint that a two-way process is required up and down the organisation to ensure the process operates effectively and adjustments are made when necessary.

Firms will be required to complete monitoring and reporting activities at a sufficient frequency to spot trends and recognise early warning signs. Risk preferences are expected to be expressed in simple terms (accept, manage, avoid), which are translated into actions such as exclusion policies or accumulation monitoring regimes.

Through the document, there is a clear emphasis on embedding climate considerations into existing processes, which is equally true of risk appetite, where common business language (such as probable maximum loss) needs to be used to articulate climate risk measures in ways that Boards and management can engage with.

Counterparty evaluation

Clause 4.2.9 is one of the requirements with potentially the widest implications. The regulator expects firms to understand the potential climate impacts on all its ‘material relationships’. The requirement spans all types of relationships, including policyholders, brokers, investees, reinsurers, and critical suppliers. The requirements are quite specific in providing examples of eight key considerations firms need to take into account in evaluating these material relationships.

There is a strong hint for firms to engage in transition plans (including the vulnerability to transition risks of these partners), ensuring that adaptation and impact on their supply chain are properly evaluated. Assessments need to consider litigation and reputational risks associated with these relationships, and not just the immediate physical or transition risk exposures.

The implications of this analysis need to be carried through to decision making. The approach needs to be well structured and consistently applied across the business. In other words, this needs to inform who the organisation chooses to insure, invest in or partner with. Again, there needs to be a strong feedback loop into enterprise-level risk assessments to ensure these processes operate top-down and bottom-up.

Not having adequate information is not an excuse for inaction, quite the opposite.

Data management

It is clear in the regulations that firms are expected to tackle climate risk data head-on and not hide behind data quality or availability challenges. Firms are expected to build the required capabilities and tools, including scenario analysis, to overcome these issues. Rather than waiting for the perfect data set, firms are allowed (and expected) to fill the gaps with proxies and/or conservative assumptions, but they need to be prepared to justify these choices.

There are clear hints that strong governance over climate data and models, aligned with the expectations over internal models, should be the norm. Firms are expected to complete an assessment of data gaps. While this might seem a further burden, it also highlights the fact that this should be considered an evolving journey, and firms should consider how they prioritise some of these areas in the short and long term. In addition, there might be some learning to glean from the Partnership for Carbon Accounting Financials' approach to data quality scores as applied to the evaluation of insurance associated emissions. Organisations should be reaching out to counterparties for data as part of their ongoing due diligence.

Climate Scenario Analysis (CSA)

CSA is front and centre of this draft supervisory statement, with the proposal currently having 23 specific scenario-related expectations. These are, in many ways, very sensible requirements. Starting with clearly defining objectives for scenario analysis and explaining how scenario selection links to achieving these objectives. There must be a clear line of sight between scenario analysis and business planning, strategy setting, and capital management. In other words, what are the questions the business needs to answer, and how the chosen set of scenarios address them?

This implies moving on from a tick box exercise and seeking to use CSA to inform decision-making and understand the boundaries of the viability of a firm’s business model and strategy, which is the essence of any risk management framework. This reaches its full implications with respect to Reserve Stress Tests (RST), which start with the premise that the firm has failed and are used to explore extreme but credible ways this could occur. RSTs provide an insightful perspective to the management and board, ensuring they are comfortable with the related mitigating actions.

Ownership is key, and it is made clear that CSA is done for the benefit of the board, as they are expected to own the outcomes and ensure that sufficient resources are provided to achieve an appropriate standard.

Supply chains and operational resilience

Firms are expected to integrate climate risk management, operational resilience, and third-party risk management. Firms need to understand the intersectionality of these risks and where climate change can create an additional or multiplicative impact on resilience. Severe but plausible scenarios need to be considered (floods, heatwaves, wildfires, windstorms) that could impact a firm’s own operations or those of critical third parties. Firms should build from existing capabilities – for example, from an operational resilience perspective, firms should have already identified key business processes and thresholds for material impacts on customers.

Operating Model implications

The regulator has done an excellent job in identifying all the key business processes within banks and insurers that should embed climate risk. Some prime examples include the extent to which Own Risk and Solvency Assessment (ORSA) reports are required to explain and justify how CSA has been used in practice and what tangible management actions are being taken as a result.

Climate is clearly shown to impinge on the setting of regulatory capital and hence on solvency ratios and technical provisions in terms of the quantum of reserves held to fund expected claims. By focusing on regulatory balance sheets, the regulator is giving itself a lot of leeway for applying pressure to firms to take this seriously. Detailed guidance now covers all categories of risks which impact firms including credit, market, liquidity, operational, underwriting, and reserving. 

One of the most powerful requirements involves driving closer cross-functional cooperation within firms and timely information sharing across claims, reserving, underwriting, exposure management, and risk functions. Being able to demonstrate this is happening is going to bring a focus on operating models in terms of how decisions are made and how various governance meetings fit together into an overall effective framework.

Immediate next steps for financial services firms

We recommend focusing on two key areas to address the new climate risk management expectations.