PRA's new regulation on climate-related risks: Implications for firms

Prudential Regulatory Authrity published its latest Supervisory Statement (SS5/25: “Enhancing banks’ and insurers’ approaches to managing climate-related risks”) in December 2025. It refreshes supervisory expectations first set in SS3/19 while positioning climate-related risk as a core prudential and operational resilience issue that must be embedded into governance, risk management, scenario analysis, data, and disclosures. SS5/25 commences on 3 December 2025, replaces SS3/19, and expects firms to complete an internal review and produce a credible plan to address gaps within six months (by 3 June 2026), then keep assessments and actions under regular review.

SS5/25: PRA recommendations

SS5/25 is built on a simple supervisory message: climate-related risks are different in kind and therefore require a strategic, forward-looking management approach. The PRA highlights that climate risks are systemic (correlated, potentially non-linear and irreversible), uncertain in timing and magnitude yet partly foreseeable, and path-dependent (today’s actions change the distribution of future risks).

From that premise, the PRA’s recommendations can be summarised as seven practical expectations:

1. Board-owned governance and accountability. Boards should ensure clear executive ownership and oversight, and that senior management can demonstrate how strategy and risk management are responding to climate-related risks to the business model.
2. Climate-specific risk appetite that is measurable and operational. Boards are expected to periodically review the material climate risks in the risk register, approve climate-specific risk appetite statements, and express appetite through quantitative metrics and limits supported by scenario analysis (including, where appropriate, reverse stress testing or sensitivity analysis).
3. Scenario analysis is a core tool (because historic data is insufficient). The PRA states that it is not possible to rely on historic data for climate risk in the same way as for other risks; therefore, climate scenario analysis (CSA) is a key tool for identifying, quantifying, and managing climate risks proportionate to the firm’s exposure.
4. Scenario analysis must be used, not just produced. CSA should inform business strategy, risk management, and internal capital/liquidity assessments (ICAAP/ORSA), and firms should be able to demonstrate how CSA influenced decisions, including communicating uncertainty and limitations.
5. Data and risk reporting capabilities must mature. Firms should strengthen climate-risk data collection and aggregation, manage uncertainty (including proxies and assumptions), scrutinise third-party data, and invest in appropriate data infrastructure and governance.
6. Operational resilience must explicitly consider climate drivers. Firms should assess climate-related risk drivers across their general operations and their ability to continue providing essential business services in severe but plausible scenarios, including scenarios where services depend on third parties, and incorporate material climate drivers into business continuity/contingency planning.
7. Disclosures should reflect integration into governance and risk management. Within existing disclosure requirements, firms should enhance transparency on how climate risks are integrated into governance and risk management and how materiality/principal risk decisions are made, evolving disclosures as understanding improves.

Implications for firms: what changes in practice

1. This is an operating model change, not a “climate workstream”

The PRA expects a forward-looking, ongoing approach, with periodic review mechanisms and the ability to evidence progress, including the post-commencement internal review and action plan. This shifts the conversation from “do we have a policy?” to “do we have a repeatable management system that drives decisions and produces evidence?”

Practical consequences typically include:

• New or strengthened board/committee cadences and decision points around climate risk appetite, scenario results, and strategic trigger points.
• More explicit accountability mapping across first line (business), second line (risk), and third line (audit), with climate risks incorporated into internal control frameworks.
• A more explicit link between risk register → appetite metrics/limits → management information → actions.

2. Scenario analysis becomes a “business capability”

Firms should treat CSA as a capability with governance, standards, and reuse across multiple use cases (strategy, risk appetite, stress testing, capital/liquidity adequacy, valuation), with documented assumptions and communication of limitations and uncertainty.

This typically implies:

• Investment in tools, data, modelling expertise and model governance (especially where exposure is material).
• A defined review-and-challenge process so boards understand inputs, assumptions, outputs, caveats, and how results are used in decision-making.

3. Data expectations will drive changes to onboarding, reviews, and supplier management

The PRA expects firms to address material data gaps by engaging clients/counterparties/investees/policyholders (e.g., during onboarding or annual reviews), using proxies where necessary (without leaving material risks unrecognized), and building risk data aggregation capabilities that include climate risks, which can be approached systematically.

For many firms, that translates into:

• Changes to customer/client data-capture and periodic-review processes.
• Stronger governance over third-party data sources and outsourcing arrangements (because climate risk can be introduced or amplified through dependencies).

4. Additional implications for banks

SS5/25 is explicit that banks should incorporate climate risk into accounting practices and ensure timely recognition within expected credit losses (ECL), with documented processes to identify exposures most at risk and to quantify climate risk drivers at the exposure and portfolio levels.

It also expects banks to integrate climate risks into:

• ICAAP: identifying, quantifying and evaluating solvency impacts within capital planning horizons, using CSA as a key tool, and evidencing materiality judgements and capitalisation of material climate risks included in the risk register.
• ILAAP: identifying and evaluating climate-related risks that may impair liquidity/funding positions and incorporating them into liquidity and funding management systems, again with evidence and documentation of assumptions and proxies.

5. Additional implications for insurers

For insurers, the PRA expects processes to consider the capital impact of reasonably foreseeable adverse scenarios (including material climate risks) as part of capital management plans and the ORSA. Where climate risk is material, ORSA should explain why acceptance is appropriate; and ORSA stress and scenario testing should include CSA unless immaterial.

The PRA also expects insurers to specify the management actions they would take under different circumstances, including trigger points, with sufficient detail to judge their reasonableness (e.g., underwriting or investment strategy changes).

How Business Architecture helps implement SS5/25

Sometime ago, I had shared my thought on how Business Architecture can support you Sustainability goals. Here’s the proof now. Many organisations can understand the SS5/25 conceptually but struggle with execution because activities become fragmented into separate “climate”, “risk”, “finance”, “data”, and “operations” initiatives that do not join up into a coherent management system.

Business Architecture provides the connective tissue to turn supervisory expectations into an implementable, auditable operating model—especially for general users who think of “architecture” as only technology.

1. Translate supervisory expectations into an operating model

Business Architecture can design “who does what, when, and with what evidence”:

• Decision forums and cadence (board/committees), accountabilities, and escalation triggers aligned to periodic risk appetite review and strategy review expectations.

A straightforward end-to-end process for climate risk identification, risk register updates, appetite setting, MI/reporting, and management actions.

2. Build traceability from strategy to evidence

Supervisors ultimately look for consistency: if a risk is “material”, it should appear in the risk register, be reflected in appetite metrics/limits, be monitored through MI, and have actions when thresholds are breached. Business Architecture is the discipline that designs traceability and makes it sustainable.

3. Industrialise scenario analysis as a reusable capability

SS5/25 expects CSA to inform strategy, risk management, and ICAAP/ORSA, with documented objectives, assumptions/proxies, and communication of limitations. Business Architecture can define CSA as a capability with:

• Standard inputs/outputs, governance and control points (review/challenge, sign-offs), and integration points into strategy and risk appetite decisions.

4. Shape the data and reporting blueprint (including third-party dependencies)

The PRA expects continued improvement in data capabilities, including aggregation, proxy governance, and scrutiny of external suppliers. Business Architecture can define:

• The climate data “domain” (what data is needed, where it comes from, how it is curated, how uncertainty is flagged), and how data collection is embedded into onboarding/annual reviews where material.

The dependency model across outsourcing and third parties, aligned to the board’s responsibility to set tolerances and manage risks arising through these arrangements.

5. Provide a proportionate roadmap with measurable outcomes

SS5/25 is deliberately proportionate: more exposed firms are expected to do more, and even smaller firms may adopt simpler approaches if limitations are understood. Business Architecture can operationalise proportionality into a staged delivery plan that aligns capability uplift to exposure and supervisory evidence needs—starting with the six-month internal review and extending into continuous improvement.

Closing thought: “evidence-by-design” is the real differentiator

SS5/25 is not asking firms to predict the future with precision. It is asking them to show they have a disciplined, board-owned system for making decisions under uncertainty—using scenario analysis, measurable risk appetite, reliable data, resilient operations, and transparent reporting.

Business Architecture is one of the most effective ways to make that system coherent, repeatable, and demonstrable—so climate risk management becomes part of “how the firm runs”, rather than a periodic scramble to produce artefacts.