ESG data governance: A growing imperative for banks

A forward-looking ESG data and technology road map can help banks get ahead of growing regulatory and consumer demands—and avoid technical debt.

February 8, 2023By Daniel Heller, Andreas Reiter, Sebastian Schöbl, and Henning Soller

The banking industry is facing mounting pressure to meet fast-changing demands in environmental, social, and governance (ESG) issues. New and evolving regulations call for greater transparency and disclosure of ESG-related data (see sidebar, “ESG regulatory and disclosure requirements”). Stakeholders and investors are increasing their scrutiny of the effects investment decisions have on the climate and society. Consumers are holding banks to higher ESG standards as well—in 2019, about 14 percent of total client-driven revenues were controlled by consumers whose banking preferences were influenced by concern about purpose and sustainability.

ESG regulatory and disclosure requirements

An increasing number of global and European ESG-focused regulatory requirements have far-reaching effects on the front-to-back risks of the banking value chain. This list is not exhaustive.

Global requirements

Basel Committee on Banking Supervision (BCBS). This committee outlines principles for the effective management and supervision of climate-related financial risks, aiming to improving both banks’ risk management and supervisors’ practices in this area. The BCBS is currently also considering implications of climate-related financial risks on Pillars 1 and 3 of its Basel Framework.

International Sustainability Standards Board (ISSB). ISSB is an independent, private-sector body that develops and approves IFRS Sustainability Disclosure Standards as a global baseline operating under the oversight of the IFRS Foundation.

Task Force on Climate-/Nature-related Financial Disclosures (TCFD/TNFD) requirements. TCFD/TNFD is a set of global, market-led initiatives to establish risk management and disclosure frameworks for organizations to report and act on evolving climate- and nature-related risks; national jurisdictions have adopted or plan to adopt these recommendations into national law.

European requirements

European Central Bank (ECB) guide on climate-related and environmental risk. This guide outlines comprehensive supervisory expectations with respect to banks’ approach to climate-related and environmental risks and includes expectations on disclosure contents, which are applicable to significant institutions supervised directly by the ECB.

European Banking Authority (EBA) guidelines for loan origination and monitoring. These guidelines outline requirements related to loan origination and monitoring throughout the loan life cycle, including ESG risk considerations.

EBA guidelines on internal governance (second revision). These guidelines outline requirements for considering ESG risks within the risk management framework, and when setting, approving, and overseeing the implementation of elements of the business model and governance arrangements.

ECB Climate Risk Stress Test. This industry-wide Climate Risk Stress Test (for ECB-supervised banks) evaluates banks’ capabilities to assess climate risks and includes a structured questionnaire, an assessment of banks’ transition risk exposure, and a bottom-up stress test.

EBA implementing technical standards (ITS) on Pillar 3 disclosures on ESG risks. ITS is a set of disclosure standards that apply to large institutions with issued securities on a regulated market and require qualitative disclosures related to the management of ESG risks and quantitative disclosures with respect to exposure to and mitigation of physical and transition climate risks. (Quantitative disclosure requirements will be expanded to other ESG risks sequentially.) A separate ITS will be developed for other institutions not yet covered by the existing ITS.

EU Non-Financial Reporting Directive (NFRD). The NFRD is a set of a principle-based requirements for large public-interest entities to publish a nonfinancial statement on the way they operate and manage social and environmental challenges, including dedicated disclosure guidelines focused on climate-related information (a 2019 update).

EU draft Corporate Sustainability Reporting Directive (CSRD) (not yet finalized). The successor of the NFRD, the CSRD has an expanded scope of companies that need to disclose nonfinancial information and broader and more specific disclosure requirements in accordance with mandatory EU Sustainability Reporting Standards (to be developed by the European Financial Reporting Advisory Group).

EU taxonomy. This taxonomy means to uniformly define the business activities that are considered environmentally sustainable, with related disclosure requirements applicable to NFRD companies; it may be expanded to socially sustainable activities in the future.

EU Sustainable Finance Disclosure Regulation (SFDR). SFDR is a requirement for financial market participants and financial advisers (including insurance companies) to provide end investors with ESG-related information.

Further regulatory developments are expected in the future, such as the US Securities and Exchange Commission (SEC) climate-related disclosure rules, UK green taxonomy, and EBA guidelines on ESG risk management.

To meet these expectations, banks must adapt their IT systems to systematically collect, aggregate, and report on a broad range of ESG data. However, many financial institutions still do not have a comprehensive approach to integrating ESG data into their existing risk reporting.

Moving toward this goal will require significant changes to the IT infrastructure, from applications to data integration, architecture, and governance. New applications include not only the management and capture of ESG data but also financed emissions models, climate risk models, ESG scorecards, climate stress tests, and climate-adjusted ratings. ESG data must be woven into existing processes, such as credit approvals and decision making. And banks will need to adjust their data architecture, define a data collection strategy, and reorganize their data governance model to successfully manage and report ESG data.

Investing in the right priorities from the beginning will enable banking IT leaders to quickly build these new capabilities and solutions without accumulating technical debt.

An ESG data road map

Banks can begin by developing an ESG data and technology road map that balances tactical, short-term solutions with a strategic, long-term vision. In the process, banks should consider the following components and steps.

Define potential ESG platform solutions

Set up a central data platform that is integrated with existing finance and risk platforms to build a single source of truth.
Create a data model to capture ESG data at the certificate level, including integration with third-party data providers (via APIs) and compliance with ESG data policies.
Enable investors to gain real-time visibility into the ESG-related aspects of their investment portfolios.
Replace legacy ESG platform solutions with a cloud solution to reduce technical debt and modernize the technology infrastructure for future solutions.

Embed ESG requirements into core banking processes

Integrate new workflows into existing processes, such as using artificial intelligence to incorporate ESG data into decision-making processes (for example, credit decisions).
Communicate ESG requirements across the organization and bring all employees on board with an intentional change management approach.
Review and revise existing data processes to comply with changing ESG requirements (for example, increasing the frequency of data updates).
Develop a clear plan to support the integration of new ESG policies (such as how to add new certificates to investments).

Build a robust ESG data governance model

Identify central ownership and responsibility within the organization (such as by appointing an ESG data officer to serve as a point of contact).
Create a cross-functional steering committee for ESG data governance—including leaders from the business, technology, data, risk, and finance functions—with joint accountability and decision-making processes.
Establish ESG data controls to ensure compliance with regulatory frameworks (for example, to indicate whether a certificate has been assigned to an investment).
Ensure that ESG data governance reflects shifts in market demand (such as investments in offshore wind turbines) and location-specific regulatory requirements (such as bans on investments in combustion engines after 2030 in Germany).

Common detours and dead ends

In our experience, three pitfalls can create significant delays and technical inefficiencies for banks. By taking intentional steps to avoid these detours early on, banking IT leaders can increase their chances of success and accelerate the time to impact.

Functional silos

Too often, organizational silos lead to disjointed processes and a fragmented data architecture that does not allow for synergies across ESG use cases. While some redundancy might be unavoidable, there is often a substantial overlap across data needs. Effective ESG data governance thus requires a coordinated and centralized approach across multiple stakeholders. This can take place only within a culture of open communication, cross-functional collaboration, and close alignment of the business and IT functions. Crucially, the ESG data and technology strategy must be closely integrated into the broader ESG and business strategy, with active sponsorship and a clear mandate from the highest levels of leadership.

Process traps

When redesigning processes to incorporate ESG data governance, banking IT leaders must balance between two extremes—and avoid two common traps. On one side, a narrow focus on simplicity and standardization often leads to a failure to make the necessary adjustments to align with existing business and IT processes. On the other side, anchoring too much on legacy processes can create unnecessary complexity and hamstring the ESG data governance model. Banking IT leaders must therefore find a middle ground by designing new and improved ESG-related processes while addressing the requirements of current processes.

Technical debt

The design of ESG technical solutions involves constant trade-offs between short-term needs and the long-term vision. Trying to solve everything at once—or devise the best possible solution—can extend development time, increase the pressure to implement short-term tactical solutions, and lead to lasting technical debt. Instead, banks should apply a use case–driven approach to introduce new ESG capabilities in the right sequence at the right time.

Leaders can identify and prioritize specific ESG use cases, create clearly defined stage gates, and collect metrics to track success during interim phases. For example, consider how ESG data will be integrated into each step of the credit approval process, from customer data collection and risk scoring to credit monitoring and reporting (exhibit).

Multiple steps must be considered when integrating environmental, social, and governance data into the credit approval process.

Other potential use cases include regulatory and internal stress tests, analytical risk-weighted asset calculations, provisioning, risk-appetite frameworks, credit policies, capital allocation, pricing, portfolio emissions alignment, external disclosures, and internal reporting.

Additionally, some banks default to building in-house technical solutions for which some software-as-a-service (SaaS) solutions may provide a more cost-effective and feasible alternative. Banking IT leaders should implement a clear build-versus-buy framework with proper market screening mechanisms and early-warning capabilities to ensure resources are deployed as efficiently as possible.

Finally, resistance to upgrading legacy IT interfaces can hamper the integration of ESG data. While it may seem like an adequate short-term solution, adding new components to a complex, “spaghetti-like” architecture creates operational risk in the mid- to long term. Indeed, new ESG regulatory and business imperatives present an opportunity for banks to revise their existing enterprise architecture framework to be more closely aligned with best practices. Banks should aim to design modular, decoupled architecture components, linked by a well-managed and standardized API-based integration architecture.

Banking IT leaders must move quickly to integrate ESG data governance into their IT systems and processes to keep pace with the regulatory environment and consumer needs. By developing a road map that balances short-term and long-term objectives—and by taking preemptive measures to avoid detours along the way—banks can get ahead of their competitors and be better prepared to meet the growing ESG demands of tomorrow.

Daniel Heller is an alumnus of McKinsey’s Frankfurt office, where Henning Soller is a partner; Andreas Reiter is a consultant in the Vienna office; and Sebastian Schöbl is an associate partner in the Berlin office.