With sustainability becoming a hot topic of late, legislators and regulators are putting greater emphasis on ensuring that financial institutions understand and manage the environmental, social and governance (ESG) risks they face.

For example, the German Federal Financial Supervisory Authority (BaFin) recently published a guidance notice (German/English) on dealing with sustainability risks. The document applies to German credit institutions and investment firms, insurance undertakings, pension funds and asset management companies (collectively ‘institutions’).

The guidance notice requires institutions to establish adequate risk management processes related to sustainability risks. These processes complement the general obligations set out, for example, in article 73 of the 2013 capital requirements directive (known as CRD IV) or article 51 of the 2014 undertakings for collective investment in transferable securities directive (known as UCITS V).

BaFin emphasises that duties under CRD IV and UCITS V and other guidance, such as the minimum requirements for risk management (MaRisk) and the minimum requirements for risk management of management companies (KaMaRisk), remain unaffected by the guidance notice, which instead sets out non-binding good practice principles that can be aligned and adapted to the relevant institution’s needs. However, BaFin expects entities to ensure that the risks are considered and that such consideration is appropriately documented.

Sustainability risks

BaFin defines ‘sustainability risks’ as ‘environmental, social or governance (ESG) events or conditions, which, if they occur, have or may potentially have significant negative impacts on the assets, financial and earnings situation, or reputation of an entity’.

The list of environmental factors comprises, among other things, climate mitigation, adjustment to climate change, protection of biodiversity, and the sustainable use and protection of water and maritime resources.

Examples of social factors are: compliance with recognised labour standards (no child and/or forced labour or discrimination); compliance with health and safety laws and standards; recognition of trade union rights and freedom of assembly; a guarantee of adequate product and employment safety, including the protection of workers’ health; the application of the same requirements to entities in the supply chain; consideration of the interests of communities and social minorities; and tax honesty.

Governance factors include anti-corruption measures, a commitment to sustainability by the management and supervisory boards, a board remuneration policy based on sustainability criteria and data protection guarantees.

In order to integrate these factors into their risk management processes, institutions must assess how these factors can have a significant negative impact on their assets, finances and reputation.

Sustainability risks relating to the environment are divided into physical risks, transition risks and reputational risks:

  • Physical risks arise both from short-term events such as extreme weather situations (eg heatwaves, droughts, floods, forest fires and avalanches) and longer-term changes in climate and environmental conditions (eg rainfall frequency and volume, rising sea levels, global warming with regional extremes) and indirect results, such as a collapse of supply chains. BaFin mentions in this context that institutions that have allegedly contributed to climate change might face claims both by investors and state actors. For more on this issue, see our report on legal risk and climate change.
  • Transition risks include risks deriving from the change to a low-carbon economy. These may stem from political measures such as fostering green energy as opposed to fossil fuels, new technologies replacing existing ones or changed investor expectations.
  • Reputational risks typically arise from direct exposure to physical and transition risks. However, they may also arise indirectly, such as having a business relationship with an entity exposed to sustainability risks or lacking appropriate sustainability standards.

BaFin argues that sustainability risks may also arise from social and governance issues. However, the described situations (ie successful mass claims against a tobacco company or fines for tax evasion) are not clearly distinct from traditional litigation and sanctions risks and will in many cases already be included in established risk management frameworks.

The BaFin definition links sustainability risks to economic losses. For this reason, BaFin concludes that sustainability risks do not qualify as a new risk category but are expressions of the types of risks that are already covered by the risk management framework such as credit risk, market risk, liquidity risk or operational risk.

Business organisation

Sustainability risks need to be incorporated into existing internal guidelines and processes, particularly the processes for credit business/underwriting/investment decisions, risk management and risk control.

In BaFin’s view, it is good practice but not mandatory to establish a dedicated 'sustainability unit' to deal with sustainability risks. Instead of or in addition to this, the management of sustainability risks should be extended to other business units or functions, such as the front and back office, internal risk control, compliance and audit functions.

Risk management

The main focus of the guidance notice is on the integration of sustainability risks into the institutions’ risk management frameworks, and BaFin’s considerations in this regard are highly detailed.

Institutions’ primary obligation in the guidance notice is certainly to (regularly) review how they evaluate, manage, monitor and report sustainability risks, including the quality of the underlying data.

The identified risks then need to be managed. BaFin suggests several methods to this end, eg excluding companies or sectors that match certain criteria, positive lists, best-in-class approaches or screening against established standards, such as the United Nations’ principles for responsible investment or principles for responsible banking.

Institutions may also use risk analysis or classification procedures (eg heat maps and ESG procedures) to identify or evaluate sustainability risks and then set a risk classification for the counterparty or the investment target. Institutions may then mitigate the identified risks via stewardship measures, such as entering into a dialogue to raise risk awareness, exercising voting rights, planning with the investee company/counterparty how to reduce negative sustainability risks (including deadlines and progress reporting), or even rejecting certain transactions.

Stress tests and scenario analyses

BaFin recommends that institutions incorporate sustainability risks in their internal stress tests and scenario analyses, in particular by conducting long-term scenario analyses.

Specific 'transition scenarios' may also be part of the analysis. These scenarios forecast compliance with a specific climate goal (such as carbon neutrality by a specific date) although BaFin says they are not always suitable.

Other sustainability risk-related topics

The guidance notice also deals with other sustainability risk-related topics, such as the group-wide implementation of rules for dealing with sustainability risk and outsourcing. For instance, with regard to material outsourcings, BaFin expects institutions to consider including a term in the outsourcing agreement that requires the service provider to comply with certain sustainability standards.

BaFin also addresses the use of ESG ratings. These can help determine the sustainability of entities but need to be clearly distinguished from credit ratings, which only consider the creditworthiness of entities or the credit risk of a financial instrument. On the other hand, ESG ratings may also incorporate ESG considerations that do not have any impact on creditworthiness.

Zooming out to the European level

European regulatory initiatives are putting the management of sustainability risks front and centre. For example, action point 8 of the European Commission’s action plan on financing sustainable growth, which was published in March 2018, aims, among other things, to manage financial risks arising from climate change, resource depletion, environmental degradation and social issues.

In June 2019, the European Banking Authority (EBA) launched a consultation on draft guidelines on loan origination and monitoring, which state that institutions should, among other things, include ESG factors and risks in their risk management policies, and credit risk policies and procedures. However, these guidelines have yet to be adopted.

The EBA’s competences and obligations have been extended in relation to credit institutions by the 2019 capital requirements regulation (known as CRR II) and the 2019 capital requirements directive (known as CRD V). Under this legislation, the EBA must, among other things, assess the potential inclusion of ESG risks in the supervisory review and evaluation process (SREP) by 28 June 2021. This assessment must include:

  • a uniform definition of ESG risks, including physical and transition risks;
  • processes and other measures to identify, assess and manage ESG risks; and
  • methods and tools for assessing the impact of ESG risks on institutions’ lending and financial intermediation activities.

While these measures will only materialise over the longer term, the EBA has already published its own action plan on sustainable finance in December 2019. The plan 'encourages institutions to integrate ESG risks into their business plans, risk management, internal control framework and decision-making processes'. We expect the BaFin guidance notice to influence the EBA’s future work.

Patrick Horwitz also contributed to this article.