Scheer Wiki




ESG Requirements Coming to Risk Management at Financial Institutions

In the seventh amendment of its Minimum Requirements for Risk Management (MaRisk, a draft of which was published by BaFin in September 2022), the subject of sustainability has been added to the components of risk management that are to be considered at financial institutions. In this article, we take a closer look at the demands and implications this entails for firms in this sector.

The fact that Germany's financial oversight authorities have taken this step comes as little surprise following their publication of a corresponding guidance notice back in 2020. The recommendations it contains on dealing with sustainability-related risks as part of risk management have now become requirements that are subject to auditing. In addition to the BaFin regulations, the European Banking Authority (EBA) guidelines on granting and monitoring loans contain explicit requirements on dealing with environmental, social, and governance (ESG) factors in the lending process. The actions that affected financial institutes need to take as a result of these requirements can be significant, especially with regard to data and processes.

The latest updates at a glance

This overview offers a summary of the key changes that have recently been made. The ESG requirements for risk management affect the following areas of the existing guideline:

  • AT 2.2 | Risks

    ESG factors are defined as risk factors that affect existing risk categories. ESG risks must be taken into account as part of the materiality analysis. They are to be assessed on the basis of scenarios built on economically plausible insights, and the assessment is to be conducted in as quantitative a manner as possible. In addition, the evaluation period is to extend far enough into the past to ensure that valid findings are included.

  • AT 3 | Joint responsibility of management board members

    Each organization's management board is responsible for implementing an appropriate risk management system. In the future, this obligation will only be considered fulfilled if the system adequately incorporates and assesses ESG risks as well.

  • AT 4.1 | Internal capital adequacy

    Assessments of an organization's ability to bear risk must factor in ESG risks from both a normative and an ecological perspective. Simply incorporating historical data without consideration of the respective market phase will not be considered sufficient.

  • AT 4.2 | Strategies

    Each organization’s management board is responsible for devising an economically sustainable business strategy. To that end, a long-term perspective must be adopted that takes both changing environmental conditions and the transition to a sustainable economy into account. Assessments of an organization's appetite for risk must also include ESG factors.

  • AT 4.3.2 | Risk management and risk control processes

    Corresponding data must be maintained to facilitate the quantitative assessment of ESG risks and their effects on known types of risk.

  • AT 4.3.3 | Stress tests

    Stress tests must consider the impacts of ESG risks over a period that exceeds the typical time horizon for examining risk. The insights gained through scenario analysis must be adequately reflected in each organization's strategy.

  • AT 4.4.1 | Risk control function

    ESG factors must be taken into account in risk controlling efforts. In addition, each organization’s risk controlling department is responsible for monitoring and communicating ESG risks.

  • AT 4.5 | Risk management at group level

    An explicit effort must be made to take ESG factors into account at the group level as well.

  • AT 5 | Organizational guidelines

    Organizational guidelines that are designed to ensure orderly business operations must be extended to include rules on factoring in the effects of ESG risks.

  • AT 9 | Outsourcing

    ESG risks must also be taken into account when analyzing risks in connection with outsourcing.

  • BT 3.1 | General requirements relating to risk reports

    Risk reporting should provide as quantitative an overview as possible of the impacts of ESG risks. The period under consideration should include short-, medium-, and long-term perspectives.

Source: Germany's Federal Financial Supervisory Authority (BaFin)

Data quality requirements

The changes described above relate in particular to stricter requirements on the quality of ESG data. Data collection and analysis must be designed to facilitate the quantitative assessment of ESG risks. Up to this point, the effects of ESG risks have primarily been evaluated from a qualitative point of view. For many institutions, the situation is also exacerbated by the need to assess risk over a sufficiently long historical period. At the same time, risk assessments must cover an economically realistic period that includes both stable and unfavorable market phases. Since the consideration of ESG risks has only begun to gain importance in recent years, many institutions’ historical data does not extend far enough into the past. In the short term, the only option for many of them will be to obtain corresponding data from external sources. In order to assess their business activities as accurately as possible, these organizations will need to focus in the medium and long term on implementing their own structures for collecting data.

Synergies and necessary developments

From a process perspective, however, these demands also present potential synergies with certain disclosure requirements, such as those related to the EU taxonomy. This is another area where institutions will need to collect a great deal of additional information in the realm of ESG. It therefore makes sense for them to closely coordinate their internal efforts to gather the information required for managing risk and meeting their disclosure obligations. In this way, organizations can avoid collecting the same data twice, which in turn will improve their data management and quality.

In addition, subsequent processes in risk management and reporting will then take place on a uniform basis of data, which will safeguard the verifiability of this information to a significant extent. That said, the fact that ESG factors are not viewed as a separate risk category and are to be assessed in terms of their impact on existing categories means that evaluation processes will need to be extended in the area of risk management.

To enable financial institutions to collect the necessary data themselves whenever possible, central processes (in loan application, for example) will also require further development. Ensuring the completeness of data requires constant attention during collection, and the same applies to keeping the focus on the customer. Over the course of the loan life cycle, the ability to map changing ESG benchmarks within the evaluation process will be crucial. It may become necessary, for example, to collect additional current information from borrowers in order to conduct assessments as required.

It is clear that financial institutions are currently contending with the need to invest considerable effort in meeting extensive ESG-related requirements in their internal reporting and risk management processes. In many cases, these two areas present similar challenges of their own. We therefore recommend addressing both aspects in a coordinated sustainability strategy and implementing it adequately on the technical side. This is the only way to take advantage of available synergies, get the most out of the potential at hand, and meet the relevant requirements in every area in an efficient manner.

The process experts in our Financial Services business unit will be happy to provide you with detailed guidance on how your institution can fulfill its obligations. Contact us today for a consultation without obligation!