Banks and analysts in the EU agree that good corporate governance remains the most relevant and financially material ESG factor, but there is also increasing focus on cybersecurity and the new Sustainable Finance Disclosure Regulation.

These were the main points of discussion in a workshop held in November 2021 between investors and 14 representatives from eight EU banks: Belfius, CaixaBank, Crédit Agricole, Deutsche Bank, KBC, Nordea, UBS and UniCredit.

The event attracted 56 market participants, including asset managers, credit analysts and credit rating agencies, and forms part of the PRI’s Bringing credit analysts and issuers together series[1]. For a full list of participating organisations, see the box below.

The workshop was hosted in collaboration with the Société Française des Analystes Financiers (SFAF), part of the European Federation of Financial Analysts Societies (EFFAS). Talks were held under the Chatham House Rule, and were structured around guidelines that were circulated to participants prior to the event and tailored by sector. (See Appendix)

Workshop participants

The PRI split the engagement between credit analysts and banks by region to reflect different business models and regulations that banks are subject to. This workshop was followed by events focusing on British and North American banks.[2]

The discussions among EU stakeholders concentrated on the governance pillar and its impact on risk management policies, given its importance in determining how environmental and social factors are incorporated in financial institutions’ strategy. Variations arose based on business models (i.e. investment bank vs retail).

Issuers, investors and CRAs found common ground on the lack of data standardisation, the importance of access to comparable data and the need to build links between non-financial and financial data. In addition, credit analysts from both investors and CRAs expressed increasing concerns over cybersecurity, due to the lack of disclosure among issuers and the difficulty of assessing the financial impact of such a risk.

Additionally, participants discussed the impact of the EU Sustainable Finance Disclosure Regulation (SFDR) on banks and on their internal credit analysis, especially regarding climate-related disclosures and supervisory mechanisms. Finally, on the financial impacts of social factors, the conversation focused on the benefits of ESG policies on banks’ talent recruitment and retention.

This report contains highlights from the workshop, which was convened with the objectives of:

  • promoting consensus around credit-relevant ESG issues in the EU banking sector;
  • aligning expectations around sustainability considerations (e.g. financially material ESG factors, ESG questionnaires, ESG disclosures, impact on balance sheets);
  • improving communication between credit analysts and companies.

Several observations were common to those in previous workshops, so this report focuses mostly on new and/or banking sector-specific credit-relevant themes. This article also highlights some emerging solutions that participants are considering.

Key discussion findings are grouped into four main areas, as follows:

Governance: The dominant issue

During the discussion, it was evident that governance continued to be seen as the most relevant and financially material pillar among ESG risk factors. Governance is captured not only through board composition and executive compensation, but also, and more importantly, through strategy stability and credibility and various aspects of risk management (e.g. risk appetite, origination policy, risk mitigation policies, incidences of controversy).

For CRA and investor participants, a qualitative analysis, even if sometimes subjective, is the best way to evaluate the materiality of these issues. According to one CRA, governance aspects are affecting the credit ratings of several banks, often reflecting track record/legacy issues.

“Risk management culture should be visible throughout the entire institution, not only at the executive board level.”


According to participating investors and CRA analysts, the risk of litigation continues to be one of the greatest concerns for the banking sector, despite an overall diminution of litigation cases due to increased scrutiny from governments. According to one investor, an emerging issue is the growing risk of government penalties and fines, which could lead to reputational damage and unforeseen costs, thus negatively influencing risk assessments. Additionally, two banks expressed concerns regarding the slow adjustment of ESG scores to reflect remedial action that banks have taken to address past controversies. Because these controversies weigh negatively on the scores for a prolonged period, these synthetic indicators may not accurately reflect the current level of risk.

When dealing with litigation risk, most CRA and investor participants seemed to be communicating directly with the banks’ risk management department. They mentioned that they look mostly at metrics related to prevention (e.g. risk management practices and culture) or, if an incident has occurred, at its reputational and monetary impact (e.g. ability to pay the fine) and remediation strategy, which can be assessed by an audit report. According to one investor participant, if a large fine must be paid, its impacts will be included in projections, but sometimes fines grow over time and are difficult to quantify upfront.

“[When assessing the risk of litigation] standards keep increasing so banks will increasingly be scrutinised. It is important to see that issues are being tackled.”


With regard to governance practices in general, EU bank participants said they are incorporating ESG issues in their governance structure and strategy, which, in turn, is pushing changes in risk management and loan origination policies. For credit analysts, this means assessing whether banks have the resources needed to achieve these strategies and whether previous strategies have been implemented successfully.

In relation to changes in loan origination, which reflect risk management policy changes, some banks are implementing ESG questionnaires for corporate clients to determine the level of ESG risk that companies face. The risk exposure is then represented in internal ESG scorecards, which banks use to better understand ESG risk exposure for their clients and overall portfolios. While some banks have not linked ESG scorecards with loan pricing, a representative of one bank stated that, beyond the exclusionary policies, it also may adjust pricing in the case of large companies, using a mix of penalisations and incentives. Although CRAs acknowledged that regulators are pushing in this direction and that ESG factors may become more financially material in the future, some showed concerns about potential short-term profitability trade-offs.

“We recognise that many regulators are pressuring banks to be more aware of ESG risks and to incorporate them into strategy and risk management. The most difficult issue, we believe, is translating such factors into a financial risk perspective.”


Emerging solutions

  • Internal ESG scorecards are helping bank clients become more aware of the growing ESG risks that their businesses face, as well as learn about areas for improvement. Some banks mentioned that this is particularly important for small- and medium-sized enterprises (SMEs) that neither are very familiar with incoming ESG regulation, nor have the resources to produce ESG information. This process is proving to also be a good approach to helping SMEs develop sustainability transition plans.
  • Regarding risk management strategies, one company mentioned that disinvestment from sensitive areas and sectors may be a good approach to risk reduction.

Cybersecurity: A key emerging risk

All participants considered cybersecurity as a key risk with future financial materiality implications. To address this issue, banks are increasing their investments in prevention technology, infrastructure, and training. Moreover, one investor stated that some banks are conducting internal cybersecurity stress tests to spot less resilient areas that need to be improved. However, disclosures around cybersecurity risks are a very sensitive topic for banks, given that any disclosure on the topic could increase vulnerability to cyber-attacks.

“I think we can all agree that cyber risk is an important risk for the future. This is really a key area for improvement and for transparency.”


Investor participants expressed that they generally have very little visibility on cybersecurity risks. CRAs, on the other hand, have access to relevant information (e.g. in management meetings). Nevertheless, the consensus among analysts was that greater access to information is needed to allow for more accurate cyber risk assessments. In terms of prevention, aside from budget allocation, credit analysts look at multiple indicators showing banks’ preventive efforts. These include data recovery plans, presence of any cyber issues and quality of system scans for tech malware. Both investors and CRA representatives agreed that the nature of cyber risks makes it challenging to develop key risk indicators (KRIs) for improved risk detection and key performance indicators (KPIs) to improve effectiveness in mitigating cyber risks. According to one investor, there are not many industry reports on the issue to help understand which metrics are important to monitor breaches. Moreover, one investor stated that it is difficult to identify preventive best practices due to differences in business models, legacy issues, and sensitive information.

Governments’ role in cybersecurity management was also discussed during the workshop. Inspired by the example of the Bank of England[3], one investor mentioned that regulators’ stress-testing and related disclosures could become a possible good practice to help mitigate cyber risks. Moreover, one EU bank participant mentioned the possibility of add-ons to capital requirements from regulators.

Emerging solutions

To have access to more cybersecurity data, one CRA suggested using an external data provider that assesses data security and monitors the resilience of companies (including banks) and their websites. However, some investors believe that this cannot be the primary solution, as its cost limits the number of market participants that have access to this data. Instead, they believe that better reporting on cybersecurity risks and on related risk management strategies is critical for market participants to make informed decisions.

SFDR: Impact on credit risk assessment

For most participating banks, incorporating ESG factors in their business models is mainly driven by the new European regulation SFDR. Others claimed that the increased focus on ESG issues is, foremost, a strategy-led decision.

The strong environmental component of SFDR is creating incentives for banks to decarbonise their portfolios, in preparation for the European Central Bank (ECB) climate stress tests.[4]

“Stress testing is a learning exercise. Most banks will not see the effect of it next year, but laggards will likely suffer consequences.”

–Corporate borrower

Considering this, many banks are requesting environmental metrics from corporate clients, such as greenhouse gas (GHG) emissions. Moreover, some are implementing plans to exit coal, which in some cases implies the complete divestment from brown companies through exclusionary policies. However, one bank expressed concerns about the short-term consequences of those strategies, given that other banks will remain willing to finance those companies. To mitigate that risk, some EU banks have argued for a different/complementary approach, in which they would finance the transition of brown companies. These banks argued that this approach is both the most economically viable strategy and, at the same time, the most effective way to support the transition to a low-carbon economy.

The financial materiality of these efforts is difficult to measure for CRAs and investors. According to them, barriers include poor data quality and a lack of standardised reporting or track records of the financial effect of ESG-led strategies. In addition, many CRAs say the perceived medium- to long-term materiality of climate-related risks does not justify changes to their banks’ credit assessment model.

“We believe the most challenging issue is related to translating such [environmental] factors into financial risk perspective. We are still missing this, but we recognise it is probably a matter of having enough information and disclosure on this type of exposure to climate risks.”


As of now, investors and CRAs are incorporating ESG factors, generally, in a qualitative way. However, most seem to recognise that ESG issues, and particularly climate-related risks and opportunities, will be of increasing importance in assessing banks’ credit profiles. According to one investor, the EU sustainable finance package, and more particularly the SFDR, will accelerate this process, given that most European investors will have to comply with ESG disclosure obligations, similar to those applying to EU banks. In addition, another investor highlighted the increasing risk of fines and penalties, due to regulatory non-compliance, as an additional argument for integrating ESG risks in their risk assessment.

Investors raised concerns about the potential impacts of increased regulatory requirements on credit risk. In particular, smaller banks with fewer resources could see profit margins affected by the costs of complying with reporting regulations (e.g. data collection, purchase of information management tools, report development costs, etc.).

Emerging solutions

  • The short-term financial implications of ESG-related changes, which are being promoted by the EU sustainable finance programme, are uncertain. Nevertheless, as data quality and report standardisation improve, it should become easier to translate ESG information into financial metrics.
  • As bigger banks start implementing standard methodologies for calculating GHG portfolio emissions, smaller banks should be able to access these tools at lower prices, making the incorporation of such processes more affordable.

Human resources: Talent recruitment and retention

While some investors and CRA representatives do not consider metrics related to talent recruitment and retention as financially material, others have mentioned its growing importance. In one of the breakout rooms, one CRA analyst communicated some concerns about the reputational costs that may arise from poor downsizing strategies, and about the need to develop expertise and skills in new areas. Moreover, one investor and one bank mentioned that the low attractiveness of the banking sector for young people constitutes an increasing risk with financial impacts.

“Talent retention and attraction is very important. I do not have the feeling that the banking sector is the most attractive for young people, especially in the context of digitalisation.”


Emerging solutions

Several participants mentioned that their increasing sustainability focus and workplace flexibility may contribute to talent retention.


Appendix: Discussion guide

General Questions

Questions to all participants

  • Materiality: What are the most financially material ESG issues for European banks? What are the biggest challenges and biggest opportunities posed by ESG risks?
  • Time horizons: How do you see the incorporation of long-term ESG risks (15-30 years) in today’s credit analysis?
  • Transparency and communication: How do fixed-income investors, CRAs and European banks engage with each other? How can communication be improved? How useful and relevant are ESG questionnaires?

Questions to credit analysts

  • In which ways do you include ESG risks in the risk analysis? Do they affect the qualitative and quantitative factors and sub-factors in risk scorecards/models/projections/scenario planning? Are there any specific metrics for European banks and/or banks with activities in multiple countries?


Questions to banks

Board’s oversight:

  • What is the legal structure and ownership structure of your institution? Are CEO and Chairman roles held separately? How are committees incorporated in the executive board? How has the incorporation of recent Basel recommendations been dealt with? Does your institution have specific, non-mandatory committees (for example Cyber, ALM or ESG committees)?
  • What are the reporting lines of your sustainability officer to the executive board?

Organisational structure:

  • Considering the increasing risks associated with ESG factors, how have you changed executive boards, top management and other personnel remuneration and incentives? How are you integrating ESG issues and metrics in job descriptions and in corporate compensations and incentives? Has your bank incorporated ESG metrics in CEO pay plans?
  • Do you have a different team working on ESG risk and another team working on traditional finance/cash flow risk, and therefore separate lines of command? Why? What are the pros and cons of that functions’ structure?

Strategy and quality of management:

  • Do you have a sustainability strategy set up? If yes, what are the main materiality topics and priorities identified?
  • How is your company’s ESG strategy translated into the different department plans and operations? How can credit analysts access information on whether you have previously succeeded in implementing previous strategies? How do you decide whether to invest in a new business/invest in new technology or not? What’s the process behind it?
  • How does your institution adapt to changes in operations, regulation, etc, to ensure that it does not stay behind the curve in the event of a paradigm shift?

General approach to risk:

  • How do you contemplate credit risks that you are exposed to? How do you manage the risk when operating in several countries: reconciling the risk of being too connected (too close to local branches) and the risk of being too far away (risk functions in headquarters)? In case of fast growth in new segments, do you have appropriate checks and balances in place?
  • How does your risk-taking policy address the complexity of products and operations? (If over-engineered, this could expose the banks to more risks, e.g. mis-selling.)
  • What is the process behind setting a particular asset on or off the balance sheet or a particular item in the P&L?
  • What has changed in your end-client use? Any impact on your business model? Are you aware of the reputation risks that you are exposed to? What are you doing to mitigate these risks?

Cybersecurity risk:

  • Do you have a cybersecurity risk management/governance strategy? How much (in %) of your annual revenues go to cybersecurity and cyber risk mitigation? Which KRIs and KPIs do you track?


  • How have you dealt with past poor experience (litigations, trading losses etc.)? How did you find out? How did you address it? In case of litigation, when does your bank start building provisions? If a bank has operations in multiple countries and is under pending investigation in one country on a certain product, there is the risk that other countries also sue the bank for a similar case. What would this mean for you, in terms of business, franchise and potential legal costs?

Questions to credit analysts

  • What are the most relevant metrics for the assessment of European banks’ financially material governance issues? How has the assessment of governance issues changed over time? What do you think will be the rising governance issues with financial materiality in the next 5-10 years?
  • How do you assess executive boards’ and top management’s ability to articulate and deliver their strategy, policies and objectives? How do you assess if a company has successfully delivered previous strategies? How do you assess whether a certain strategy is consistent and realistic? How do you build trust with European banks?


Questions to banks

Loans origination and management:

  • Do you do any ESG screening in the loan origination process?
  • How do you assess the physical risk of your clients? And how do you use these risks to define your policy (physical risk mapping)? How do you monitor the physical risks you are exposed to? Which KPIs do you track? Convergence on the risk and the measurement of this risk? Asset impairment: what are your rules/policies in this matter?
  • Do you know how climate change is impacting the capital ratio/capital requirement (SREP / Stress tests)?

Climate resilience strategy:

  • How are you managing the transition towards greener businesses? What are your emissions reduction targets and what actions have you put in place to achieve them? Are you going beyond EU regulations and compliance? If yes, how?
  • What have you done to mitigate nature-related risks (forest, water, biodiversity, soil)?
  • Do you engage your clients in your green transition strategy? Do you engage with portfolio companies (fiduciary duty; feedback loop to decarbonise the economy…) on disclosure practices, dialogue and vote? How?

Physical and transitional climate risks:  

  • How are you quantifying and mitigating climate-related risks in terms of operational/credit/market risks (e.g. stranded assets)?
  • What is your credit exposure to fossil energies: Are you performing scenario analysis? Do you feel you have the information, tools, methodologies and channels for being able to forecast extreme events down to relatively precise levels, in order to evaluate their financial impact?
  • What are your views and how are you dealing with the upcoming climate stress testing from the ECB? And what do you think of the results published by EBA and ECB of the 2021 EU-wide stress test exercise?


  • What challenges are posed by new EU reporting requirements?
  • How important is/will be the issue of double materiality for you? How can the bank finance the transition and how do you reconcile this with the risks? If important, how do you measure it? What is the rationale for a change in a reporting perimeter or a change in reporting standards?
  • How do you approach Scope 3 emissions reporting requirements? What are the implications? Which methodology and KPIs do you use?

Questions to credit analysts

  • What environmental-related metrics do you track and how do you source them? Please comment on how easy it is to find these metrics.
  • Is it of value for the analysis if companies use any of these reporting frameworks: CDP, SASB, GRI, TCFD, or others?


Questions to banks

Efficiency of human resources:  

  • How do you attract and retain talent? How do you support the professional transition of employees towards new businesses? Which KPIs are most relevant to assess the business impact/budget ratio of training and education plans? How do you perceive the impact of remote work in the future? How does it affect productivity/creativity? What are the social implications of your network’s reorganization (e.g. digitalisation)?
  • Are there any associated risks related to changing demographics? Average age structure? Aging employee structure? How do you mitigate this risk factor?
  • Which KPIs do you track to measure diversity?
  • What is your CEO-to-Worker Pay Ratio? Is your institution planning to lower it?
  • How do you protect whistle-blowers? What kind of warnings have you already received?

Questions to credit analysts

  • What are the most relevant financially material social issues for European banks? How do you think that will change in the next 5-10 years?

Joint Discussion Questions (to Everyone)

  • Is there a consensus between analysts and companies on the most financially material ESG issues to European banks and in what way they differ from other sectors?
  • How can ESG credit-relevant information be disseminated more effectively and how can communication between fixed-income investors, CRAs and European banks be improved?
  • How are ESG risks impacting European banks’ balance sheets? How will that change in the future?
  • What are the biggest opportunities and challenges of the European financial sector, related to increasing EU decarbonisation and sustainable finance regulations?
  • What are the biggest impacts of increasing physical climate risks for European banks?