Risk management 2025: BaFin guidelines on ESG, climate & geopolitics – strategic decisions for banks

Executive summary

• Urgent need for action:UntilSeptember 2025Risk strategies must explicitly reflect geopolitical scenarios - a direct BaFin requirement that does not tolerate any delay.
• Climate risks in credit focus:The integration of physical climate risks into credit risk and portfolio management is up toEnd of 2025unavoidable and requires profound data and process adjustments, which are often underestimated.
• ESG stress testing as the new norm:The continuous development and tightening of ESG stress tests for extreme but plausible scenarios is becoming the standard - with direct implications for capital, risk-bearing capacity and strategic direction.
• More than compliance:Proactively addressing these issues is not just a matter of checking off requirements, but rather a decisive factor for the future viability, reputation and ultimately the capital resources of your institution.
• Supervisory pressure increases significantly:BaFin, ECB and EBA are signaling clear expectations regarding implementation and will closely examine substantial progress that goes beyond superficial adjustments. Delays are increasingly viewed critically.

Introduction: The new risk landscape requires strategic rethinking

The year 2025 marks a turning point in strategic risk management for German banks. In view of a more volatile world order and the obvious consequences of climate change, theFederal Financial Supervisory Authority (BaFin)Clear and time-critical specifications formulated. These are aimed at establishing a more robust positioning of the institutionsgeopolitical upheavals, thephysical impacts of climate changeand the comprehensive oneESG risk areas.

For you as a CRO, head of reporting, CFO or person responsible for regulatory and operations, this means more than just another regulatory exercise. It's about fundamentally reassessing risk drivers, adapting business and risk strategies and ensuring the long-term stability and profitability of your company. This article not only provides you with an overview of the requirements, but also highlights practical best practices and strategic implications for successfully mastering the upcoming challenges and using them as an opportunity to strengthen your organization.

Geopolitical risks: From abstract danger to concrete risk strategy – deadline September 2025

The days when geopolitical risks were considered distant, elusive factors are over. BaFin and the ECB now explicitly expect banks to...uncertain nature of geopolitical risksanchor it in your risk strategy and risk management – untilSeptember 2025. This is not a trivial task, as historical data has little meaning for current, often unprecedented, scenarios.

Why should you pay close attention to this issue now?An unadapted or insufficiently adapted risk strategy not only jeopardizes regulatory compliance, but can lead to unexpected losses, reputational damage and erosion of the capital base when geopolitical shocks occur.

Best practices for implementation:

• Scenario planning as the core:Develop robust but plausible geopolitical stress scenarios (e.g. escalation of regional conflicts, sudden sanctions regimes, collapse of critical supply chains). Quantify their potential impact on your portfolio and capital planning.
• Operational challenge: Defining “plausible” extreme scenarios requires interdisciplinary expertise and the courage to make unconventional assumptions that go beyond pure extrapolations.
• Understanding and evaluating transmission channels:Systematically analyze how specific geopolitical events impact your institution - across financial markets (volatility, asset price declines), the real economy (credit defaults due to disrupted supply chains, demand shocks) and operational risks (cyberattacks, infrastructure failures).
• Rarely articulated risk:The secondary and tertiary effects of geopolitical shocks, such as changing customer behavior or sudden outflows of liquidity from certain regions, are often underestimated.
• Sharpen the Risk Appetite Framework (RAF):Explicitly integrate geopolitical risks into your RAF. Define clear quantitative and qualitative limits as well as early warning indicators. This goes beyond mere naming and requires measurable thresholds.
• Mistakes in the industry:Many institutes stick to qualitative statements but shy away from setting hard limits for geopolitical risk concentrations, which limits the ability to manage them.
• Establish governance and emergency plans:Clearly anchor responsibility for geopolitical risks at board level and in the relevant committees. Develop concrete emergency and continuity plans for defined crisis scenarios.
• Experience value:Pure paper emergency plans are worthless. Regular simulations and “wargaming” exercises are essential to ensure the ability to react in an emergency

Table 1: Measures to anchor geopolitical risks

Integrating geopolitical risks is a marathon, not a sprint. However, the deadline in September 2025 is a clear starting point for far-reaching adjustments.

Physical climate risks in lending: data, models and the harsh reality to the end of 2025

The increasing frequency and intensity of extreme weather eventsphysical climate risksan immediate threat to the portfolios of German banks. BaFin requires untilEnd of 2025the integration of these risks into credit risk and portfolio management. This means understanding and managing climate risk not as a separate category, but as a driver of established risk types such as credit, market and operational risks.

Why is this critical for you as a manager now?Inadequately assessed physical climate risks can lead to significant loan defaults, collateral impairments and an underestimation of the actual risk concentration in the portfolio. This threatens the earnings situation and capital adequacy.

Best practices for implementation:

• Creating a data foundation – the Achilles heel of many institutes:Systematic collection of location data (granularity is crucial!) of borrowers and collateral. Enrichment of this data with external hazard maps (flood, storm, drought, etc.).
• Operational challenge:Acquiring, validating and integrating high-quality, granular geospatial data and climate risk information into existing IT systems is complex and resource-intensive. Many people massively underestimate this effort.
• Adjust credit processes and creditworthiness analysis:Integrate climate risk factors into creditworthiness assessment (e.g. via ESG ratings, climate risk scores). Consider the vulnerability of collateral (particularly real estate) to climate change impacts.
• Rarely articulated risk: The impairment of collateral due to climate risks can dramatically increase the Loss Given Default (LGD), which is not yet adequately reflected in many current models.
• Strategically align portfolio management:Use portfolio heatmaps to identify cluster risks in highly exposed regions or sectors. Define limits and initiate strategic reallocations if necessary.
• Mistakes in the industry:Relying solely on insurance solutions is deceptive. The availability and affordability of insurance protection against climate risks can change rapidly and is not a sustainable solution for the bank's risk management.
• Further develop and validate models:Extend existing credit risk models (PD/LGD) to include climate risk variables. Use scenario analysis to simulate the impact of specific climate events on your portfolio.
• Experience value:Modeling physical climate risks is often still in its infancy. A pragmatic start with qualitative and semi-quantitative approaches, combined with a clear roadmap for refinement, often makes more sense than waiting for the "perfect" model.

Table 2: Steps for integrating physical climate risks

The integration of physical climate risks is a cross-sectional task that deeply affects the bank's core processes. The deadline of the end of 2025 requires decisive action now.

ESG stress tests: More than just simulation – The strategic necessity of extreme but plausible scenarios

The continuous development ofESG stress testingis a central building block of regulatory expectations. Banks have to regularlyextreme but plausible scenariosto assess their resilience to a broad range of ESG risks – particularly climate, but also social and governance risks. These tests are not only a regulatory obligation, but also a valuable tool for strategic foresight.

Why are ambitious ESG stress tests essential for your strategic planning?They uncover hidden vulnerabilities and risk concentrations that often go undetected in standard models. The results have a direct impact on capital planning (ICAAP), risk-bearing capacity and may make strategic adjustments to the business model necessary.

Best practices for implementation:

• Scenario design – creativity and scientific foundation:Use established reference scenarios (e.g. NGFS for climate), but don't be afraid to adapt them to your institution and add your own creative scenarios. Think in terms of combined shocks (e.g. physical climate damage plus abrupt transition measures).
• Operational challenge:Defining “extreme but plausible” is a balancing act. It takes courage to test scenarios that go beyond what has been experienced so far, without drifting into unrealistic speculation.
• Robust impact modeling:Translate the scenario parameters into an informed impact on your portfolio. Combine top-down approaches (macroeconomic effects) with bottom-up analyzes (impact on individual borrowers and assets).
• Rarely articulated risk:The cascading effects and interdependencies between different ESG risk factors (e.g. how social unrest is triggered by climate change and disrupting supply chains) are often still inadequately taken into account in stress tests.
• Courage to make extreme assumptions (within reason of plausibility):A stress test is intended to explore the limits of resilience. The scenarios should truly “stress” the organization and not just represent minor deviations from the base scenario.
• Mistakes in the industry:Choosing a scenario that is too conservative to achieve “good” results undermines the purpose of the stress test and lulls management into a false sense of security.
• Transfer results into concrete measures:The analysis of the stress test results must lead to concrete management decisions - be it adjusting risk limits, strengthening the capital base, modifying business strategies or developing specific mitigation plans.
• Experience value:Stress test results that have no consequences are a waste of resources. A clearly defined process for implementing actions based on results is crucial.
• Continuous development and learning:ESG stress testing is an iterative process. Models, assumptions and scenarios must be regularly reviewed, calibrated and adapted to new findings and risk landscapes.
• Structural weakness:There is often a lack of dedicated resources and interdisciplinary teams to continuously develop ESG stress tests and keep the learning curve steep.

Table 3: Conducting an ESG/climate risk stress test

ESG stress testing is a powerful tool to proactively strengthen your institution's resilience and prepare for an increasingly uncertain future.

Strategic takeaways for decision-makers

BaFin's requirements are more than just new regulations; they are a catalyst for a strategic realignment of risk management. For you as a manager, this results in the following central impulses for action:

1. Strategic prioritization is essential:The BaFin deadlines (September & end of 2025) are non-negotiable. CROs and risk managers must now manage implementation as a top priority, allocate the necessary resources and set up interdisciplinary project teams.
2. Data-driven reality instead of vague assumptions:Especially when it comes to climate risks, there is no way around a solid, granular database and its integration into core processes (lending, valuation, reporting). This is often the biggest operational hurdle and requires significant upfront investment.
3. Scenario thinking as the new normal:Geopolitical analysis and ESG stress testing are not one-off exercises. They require continuous refinement, a willingness to play through even uncomfortable, extreme scenarios and honestly evaluate their capital implications.
4. Holistic integration decides:The new risk drivers must not be viewed in isolation in silos. What is crucial for success is its deep anchoring in the overall bank strategy, the risk appetite framework, the governance structure and ultimately the risk culture practiced throughout the entire institution.

Actively shaping the future of risk management

The deadlines set by BaFin until September and the end of 2025 may seem ambitious, but they reflect the urgency with which financial institutions must adapt to a changing risk landscape. The best practices presented show that implementing these requirements is challenging, but feasible - and, above all, strategically sensible.

It's not about avoiding risks completely, but rather managing them consciously, strengthening your own resilience and thus securing the future viability of the institute. Proactive and in-depth dealing with these complex risk areas is not a "nice-to-have", but a fundamental building block for the stability, reputation and long-term success of every financial institution.

We invite you to use the approaches and strategic considerations outlined here as inspiration for your internal strategy discussions. Set the course now for resilient and future-oriented risk management that can meet the challenges of 2025 and beyond. The time for strategic action is now.

Next step: Free initial consultation

Would you like to strengthen operational resilience in your company? Our experts will be happy to advise you - without obligation and in a practical manner.Arrange an initial consultation now →