Research Report: A Practical Guide to ESG

For years, investors and activists have worked to compel large, public companies to report their stance on environmental, social and governance issues — better known as ESG. And recently, additional pressure has come from bank regulators on one specific ESG risk: climate. Smaller banks, meanwhile, see the writing on the wall and are taking steps to beef up their ESG programs.

As regulated entities, banks are no strangers to many elements of ESG, which Bank Director explores in the newly launched research report Choose Your Path: A Practical Guide to ESG, which is sponsored by Crowe LLP. Board structure and composition, cybersecurity and data privacy, risk management and regulatory compliance are all areas that fall under the governance umbrella. Social elements, which include financial access, diversity and community involvement, also incorporate into day-to-day operations as financial institutions comply with fair lending rules and other regulations. But it’s the ‘E’ for environmental — specifically, measuring greenhouse gas emissions — that frustrates some bankers who would rather focus on serving their communities than spending time and resources on that complex assessment.

In this report, Bank Director provides intelligence for bank boards and leadership teams seeking to better understand the current regulatory and investor landscape, and uncover what’s relevant for their own organizations. Inside, you’ll find:

  • A quick overview of how ESG has become a language of sorts to describe a company’s activities to investors and other stakeholders
  • Where Washington stands on ESG
  • How investors have focused their attention
  • How banks leverage ESG to uncover new opportunities, including how three community banks have identified core areas that are relevant to their own operations
  • Key material matters for banks to prioritize
  • What role boards could play in ESG oversight, and questions directors might ask

“[A]s disclosures grow, [investors] have more information to make comparable decisions, and that will just continue to grow because of the regulatory environment,’’ says Chris McClure, a partner at Crowe who leads the firm’s ESG team.

On Dec. 2, 2022, the Federal Reserve issued a request for comment on proposed principles for institutions over $100 billion in assets. These principles focus on climate-related financial risks: everything from ​​governance and policies and procedures to strategic planning and risk management. It’s in line with similar guidance issued by the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.

At least one Fed Governor doesn’t believe the guidance is necessary: “Climate change is real, but I disagree with the premise that it poses a serious risk to the safety and soundness of large banks and the financial stability of the United States,” stated Christopher Waller. “The Federal Reserve conducts regular stress tests on large banks that impose extremely severe macroeconomic shocks and they show that the banks are resilient.”

In 2023, the Securities and Exchange Commission is expected to finalize its rule around climate disclosure, adding another element of compliance for all publicly traded companies — not just the biggest banks. While some exemptions are anticipated for smaller companies, the rule would expect companies to share how climate-related risks are managed and governed, along with the material impacts of these risks on operations and strategy. Companies could be required to measure greenhouse gas emissions — including emissions by vendors and clients — and share their goals for transitioning to a greener economy.

At the same time, governments in conservative states are working to oppose these rules, going after banks and asset managers that they believe discriminate against the oil and gas or gun sectors. It’s a tricky environment to navigate. Increasingly, some disclosure will be mandated, at least for publicly traded institutions. But bank leaders will still determine their own strategies for the road ahead — and banks that are successful will find the path that’s right for their organization.

To access the report, click here.

If you have feedback on the contents of this report, please contact Bank Director’s vice president of research, Emily McCormick, at [email protected].

How Smaller Banks Can Prepare for Climate-Related Credit Risks

In 2021 and 2022, the nation’s financial regulators began sharing their future expectations for banks related to the growing concern of climate risk.

Their particular emphasis is focused on the impact of climate change on an institution’s credit risk. While the near-term direct impact is limited to the country’s largest institutions for now, there is an understanding that it’s only a matter of time until smaller banks will have to address similar regulatory expectations.

What can, and should, bankers at smaller banks be doing about climate risk in their portfolios? How can they prepare for future regulatory expectations? What information do they need to track?

Bank credit risk managers can start with understanding what types and levels of climate risk they have in their portfolios now, and how to track that going forward. It’s crucial they establish a baseline of their risk appetites and thresholds when looking at emerging risks.

Banking agencies are looking at rules intended to disclose how larger banks and other firms are incorporating climate risks into their risk management and overall business framework and strategies. That includes physical risks, such as the risk of financial losses from serious weather events like hurricanes and wildfires, and transition risk that come from shifting to a low-carbon economy and creating so-called “orphaned assets.”

To understanding a bank’s credit and risk exposure to climate sensitive and carbon sensitive assets, credit managers need to start with identifying, flagging and reporting on loans that are either in geographical areas that are more likely to be impacted by physical climate risks and those that are made to higher carbon industries representing potential transition risk.

How To Use Climate Information to Manage Climate Risk
Can smaller banks apply similar methods to manage their climate credit risk that they’ve used for previously identified emerging risks? Could a bank apply similar approaches it used for commercial real estate and Covid-19 concentrations to identify and track climate concentrations in a loan portfolio to get an overall view of the climate-related credit risk?

A banker could use standard industry codes, also called NAICS Codes, to identify high carbon business or industry concentrations and exposures. Some examples include coal, oil, mining, refining and supporting industries like trucking, drilling and refining, for a few examples.

To address acute climate physical risk a banker could look at using CRE property types like hotels, offices or multifamily for loans in riskier geographic areas like shore and waterways, as well as locations more prone to climate incidents like hurricane, wildfire and floods. There are a few different geo-location codes that can be leveraged for this type of concentration tracking: zip codes, counties, cities or MSA codes.

An example of a bank trying to get ahead of coding for climate is $36.6 billion BankUnited N.A., a regional bank headquartered in Miami Lakes, Florida. The bank’s third line of defense assurance group, credit review, wanted to begin broadly identifying climate exposure and climate related borrowers in their portfolios, to advance the consideration of climate impact from a credit perspective.

In 2022, they started by tagging any borrower reviewed by credit review within routine examinations focused on assessing risk grading and underwriting as “carbon sensitive.” The identification is subjective and is based on matters such as the loan borrower’s industry, business operations, inputs or by-products, location and collateral type and related potential repayment risk. Based on those data points, their analyst makes an assessment as to whether or not to tag the loan as “carbon sensitive.” An example would be a borrower with significant dependence on waterways that are currently experiencing profound and ongoing drought. They report the results at the examination level, as well as on a consolidated basis to management and the second line of defense.

Currently, there remains no plans for near-term regulatory requirements related to climate change or carbon sensitivity reporting or tracking for community banks. Regulators are only considering the largest banks for rules around climate asset management, climate risk management frameworks and policies.

But risk management techniques are always evolving. Forward-looking risk managers at banks of all sizes will want to continue momentum in 2023, to look forward and create a data-driven climate credit risk management program as tools improve and regulations and industry best practices mature. For now, directionally correct views of climate credit risk can potentially be a strategic risk management advantage for even the smallest bank.

Fighting Disaster Through Business Continuity Planning

As Hurricane Ian began to coalesce in the Caribbean in late September, all of Florida hunkered down. This included Climate First Bancorp, the holding company for $250 million Climate First Bank, which serves primarily commercial organizations. The storm was initially expected to make landfall in the U.S. by hitting St. Petersburg, Florida, Climate First’s headquarters. The bank’s leaders knew that they had to begin preparations, so they turned to their business continuity plan. 

The two-year-old bank is also in the middle of shifting its data storage to a third-party, so servers aren’t hosted at individual branches. As the storm rolled forward, though, the bank had to undergo a temporary shift of the data and operations from the St. Pete location to one in Winter Park, near Orlando. This gave the organization protection in case St. Petersburg saw significant damage. 

It served them well. As the state suffered flooding and destruction that reports have estimated between $50 billion and $65 billion, St. Petersburg and Orlando avoided the worst of the storm. Still, customers saw little disruption and the experience further prepared Climate First Bank for another hurricane that would hit weeks later. “We’re a climate focused bank, and this is supposed to be more than a 100-year flood,” says Lex Ford, president at Climate First Bank. “How many years in a row have we had a 100-year flood?”

Business continuity planning isn’t just a nice-to-have, but a requirement by regulators. How robust the continuity plan is, however, will determine how ready the organization can react when unexpected disturbances or upheavals in the normal course of business occurs. With the rate of natural disasters rising, so does the possibility that banks will have to lean on continuity preparation. Boards have a responsibility to ensure that such plans have robust strategies in place, but many organizations lack certain coverage.

Business continuity planning within institutions shifted in response to Covid-19. With more than 80% of executives and directors reporting that their organizations have remote workers, 44% saw a gap in their bank’s business continuity plan with regards to remote work procedures and policies, according to Bank Director’s 2022 Risk Survey, conducted in January 2022. That rate is down from 77% admitting such a gap in 2021. 

Meanwhile, despite the increase in intensity of hurricanes and other tropical storms since 1995, according to the Environmental Protection Agency, only 16% of respondents said their board has discussed the impact of climate change on the organization at least annually, according to the 2022 Risk Survey. Six out of 10 respondents said their board and senior leadership team understood the physical risks the bank faced due to climate change.

But when it comes to continuity preparations, “you’re not just planning for things that are obvious,” says Julie Stackhouse, a director at $27 billion Simmons First National Corp., headquartered in Pine Bluff, Arkansas. Stackhouse also served at the Federal Reserve Bank of Minneapolis in 2001, and was at a meeting in the New York Federal Reserve during 9/11. She witnessed first-hand the response of financial institutions. This experience of seeing banks react to the sudden attack crystalized the importance of continuity planning for Stackhouse.

When a disaster hits, “human beings have an emotional response,” says Stackhouse. Employees will worry about family and friends, not just the bank. During these moments, “you need to think about the practicality of personality,” Stackhouse adds.

How will employees respond under the pressure of an attack or a storm that destroys nearby homes, or a ransomware that could threaten their jobs? Considering those emotions during moments of clarity — and planning for an expectation that some employees won’t be available — is vital to the success of any continuity plan. For boards, ensure that management has considered the employees’ emotional response to such situations, or else the best plan may prove worthless when pressure rises. 

Climate First’s plan deals with the human side by spreading employees across the state. Even with two branches, the majority of its employees work from home. This served them well during Ian. But the bank took its experience with Ian and began to expand the states that it would hire from to ensure an interruption in Florida wouldn’t impact every employee of the bank. Some employees work permanently outside the state, and others occasionally do. “Many [new hires] live three, four, five states away,” Ford says. 

It’s one strategy the bank has used to counter the threat of any one incident shutting the organization down. But it’s a solution unique to the institution itself. For directors, it’s vital to review the continuity plan, seeking insight into key issues for the individual bank. 

“The first question” for boards, says Stackhouse, “is have you seen the business continuity plan? Do you know how often it’s updated? Do you know if the key expectations are laid out in the plan?” 

Stackhouse says that it’s surprising how many directors have failed to even inquire about the plan on this basic level. Once you have looked at the plan, though, you need to go further, asking about how communication will occur if a disturbance to the organization’s infrastructure takes place, Stackhouse says. How will leaders communicate with employees and each other? Banks should have tactics in place for such communication and expect different layers of disruption. You may not know what unexpected disaster could eventually impact the organization, but you can lean on other scenarios — in the news or experienced directly by the bank — to prepare in case communication is disrupted in an unexpected way.

Another key question: Does the bank have business continuity staff? As a director, know what their roles are, what they do and how they handle key issues within the continuity strategy. Having ownership over the continuity plan will prevent it from becoming a secondary concern. “It is never a good answer if it’s everybody’s responsibility,” adds Stackhouse. 

One of the best ways to pressure test your institution’s continuity plan is to have practice runs with scenarios that could prevent the bank from operating. Discussing these scenarios will allow the organization to see what works, what doesn’t and what should be tweaked. Directors should take part in many of those tests, since they will likely be a key resource if a large enough event takes place. Not to mention, in such scenarios, management may lean on boards of directors for guidance.

For community banks, where resources may be more limited, focus on events that are more likely to occur. This will depend on the organization but could be a hurricane or extended power outage or cyberattack. Having run-throughs while leaning on the continuity plan will test what the C-suite has put together. Did communication hold? What additional resources do employees need to do their job? How did they react? Seeing this under a guided test-run will ease nerves if the real event occurs. 

Larger banks may have a team that can run specialized tests to simulate very specific scenarios, like, say, a war or unexpected attack on the nation. While you may not know what scenario will occur, having these test-runs will allow the bank to have case studies on hand, in the event a similar disruption happens.

For Climate First, the plan they put in place served them through the hurricane season this year. They will incorporate their experience into continuity planning for the future. The goal? To ensure customers never realize a disruption occurred. 

With the most distant client living in Hawaii, that person “probably didn’t even know we were going through a storm,” says Ford. 

“And I hope they couldn’t tell.” 

* * *  

For more information about other aspects of business continuity planning, consider reading “Getting Proactive About Third-Party Cyber Risk,” or  “The Topic That’s Missing From Strategic Discussions.” 

Bank Director’s 2022 Risk Survey, sponsored by Moss Adams LLP, surveyed 222 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas. The survey was conducted in January 2022.

What New Climate Disclosure Means for Banks

Climate risk assessment is still in its infancy, but recent pronouncements by federal regulators should have bank directors and executives considering its implications for their own organizations.   

Under a new rule proposed by the Securities and Exchange Commission, publicly traded companies would be required to report on certain climate-related risks in regular public filings. 

Though the SEC’s proposal only applies to publicly traded companies, some industry observers say it’s only a matter of time before more financial institutions are expected to grapple with climate-related risks. Not long after the SEC issued its proposal, the Federal Deposit Insurance Corp. issued its own draft principles for managing climate risk. While the principles focus on banks with over $100 billion of assets, Acting Chair Martin Gruenberg commented further that “all financial institutions, regardless of size, complexity, or business model, are subject to climate-related financial risks.” 

The practice of assessing climate risk has gained momentum in recent years, but many boards aren’t regularly talking about these issues. Just 16% of the directors and officers responding to Bank Director’s 2022 Risk Survey say their board discusses climate change annually.

To understand what this means for their own organizations, boards need to develop the baseline knowledge so directors can ask management smarter questions. They should also establish organizational ownership of the issue and think about the incremental steps they might take in response to those risk assessments. 

“Climate risk is like every other risk,” says Ivan Frishberg, chief sustainability officer at $7 billion Amalgamated Financial Corp. in New York. “It needs the same systems for managing it inside a bank that any other kind of risk does. It’s going to require data, it’s going to require risk assessments, it’s going to require strategy. All of those things are very traditional frameworks.” 

The SEC’s proposed rule intends to address a major challenge with sizing up climate risk: the lack of uniform disclosures of companies’ greenhouse gas emissions and environmental efforts. The agency also wants to know how banks and other firms are incorporating climate risks into their risk management and overall business strategies. That includes both physical risk, or the risk of financial losses from serious weather events, and transition risk, arising from the shift to a low-carbon economy.  

Bank Director’s Risk Survey finds that many boards need to start by getting up to speed on the issue. Though 60% of survey respondents say that their board and senior leadership have a good understanding of physical risks, just 43% say the same about transition risk. Directors should also get a basic grasp of what’s meant by Scope 1, Scope 2 and Scope 3 emissions to better gauge the impact on their own institutions.  

Understanding Carbon Emissions

Scope 1: Emissions from sources directly owned or controlled by the bank, such as company vehicles.

Scope 2: Indirect emissions associated with the energy a bank buys, such as electricity for its facilities. 

Scope 3: Indirect emissions resulting from purchased goods and services (business travel, for example) and other business activities, such as lending and investments.

 

The SEC’s proposal would not require scenario analysis. However, directors and executives should understand how their loan portfolios could be affected under a variety of scenarios. 

Talking with other banks engaged in similar efforts could help institutions benchmark their progress, says Steven Rothstein, managing director of the Ceres Accelerator for Sustainable Capital Markets, a nonprofit that works with financial institutions on corporate sustainability. Boards could also look to trade associations and recent comments by federal regulators. In a November 2021 speech, Acting Comptroller of the Currency Michael Hsu outlined five basic questions that bank boards should ask about climate risk. The Risk Management Association recently established a climate risk consortium for regional banks. 

Assessing climate risk involves pulling together large amounts of data from across the entire organization. Banks that undertake an assessment of their climate-related risks should appoint somebody to coordinate that project and keep the board apprised.  

Banks might also benefit from conducting a peer review, looking at competing institutions as well as banks with similar investor profiles, says Lorene Boudreau, co-leader of the environment, social and governance  working group at Ballard Spahr. “What are the other components of your investors’ profile? And what are they doing? Use that information to figure out where there’s a [gap], perhaps, between what they’re doing and what your company is doing,” she says.

Finally, boards should think about the shorter term, incremental goals their bank could set as a result of a climate risk assessment. That could look like smaller, sector-specific goals for reducing financed emissions or finding opportunities to finance projects that address climate-related challenges, such as storm hardening or energy efficiency upgrades. 

A number of big banks have made splashy pledges to reduce their greenhouse gas emissions to net zero by 2050, but fewer have gotten specific about their goals for 2030 or 2040, Boudreau says. “It doesn’t have a lot of credibility without those interim steps.” 

While many smaller financial institutions will likely escape regulatory requirements for the near term, they can still benefit from adopting some basic best practices so they aren’t caught off guard in a worst-case scenario. 

“Climate risk is financial risk,” says Rothstein. “If you’re a bank director thinking about the safety and soundness of a bank, part of your job has to be to look at climate risk. Just as if someone said, ‘Is the bank looking at cyber risk? Or pandemic risk or crypto risk?’ All of those are risks that directors, through their management team, have to be aware of.”