Sustainability Risk: A Governance Mandate for the Mid-Tier

Sustainability Risk: The Governance Mandate Has Not Moved, Even If the Regulators Have

April 08, 2026 · 13 min read

The supervisory map has split. Europe is tightening, the US has pulled back, and mid-tier banks are caught in the middle. The governance question, though, has not moved. It is still what decides whether a firm holds up under scrutiny.

Mid-tier banks now sit between a tightening Europe and a retreating US

The supervisory map has split. The governance question has not.

Something has changed in the last year that mid-tier banks need to be honest about.

The US has pulled back on federal climate supervision. Europe has tightened up. The UK has gone further still. The supervisory map has split, and depending on where a bank is headquartered, the pressure either feels lighter than it did twelve months ago or noticeably heavier.

The governance question underneath all of this has not moved at all.

If a regulator, investor, counterparty, insurer, or board committee pushes hard on climate and sustainability risk, does your governance hold up? In many mid-tier firms, the answer is still no. And that is true regardless of what the loudest regulator in your jurisdiction happens to be saying this quarter.

Sustainability has been acknowledged, discussed, and disclosed. It has not always been built into the place where financial risk is actually governed. If it is not embedded there, it is not really under control.

Before going further, it is worth being clear about who this is aimed at. When I refer to mid-tier firms, I mean institutions that sit below the largest global banks but well above community-bank scale. In US terms, that is roughly Category III and IV banks and the larger regional and super-regional banks. In Europe, it is the Less Significant Institutions under the SSM and the mid-cap and challenger banks below the largest UK firms. These are institutions large enough to attract serious supervisory and investor scrutiny, but rarely resourced like a G-SIB.

That is precisely the population now caught in the most awkward position on climate and sustainability risk.

What the supervisory split actually looks like

A short detour into the regulatory picture matters here, because it has changed materially in the last twelve months.

In Europe, the direction is clear and getting firmer. The ECB's Guide on climate-related and environmental risks, first issued in 2020, has been reinforced by the ECB's 2022 climate stress test and subsequent thematic reviews. The expectations on governance, risk appetite, and embedding climate risk into the core risk framework are now part of the supervisory baseline, not an emerging theme.

The UK has gone further. The PRA's 2025 update to SS3/19, through CP10/25, raised the bar again on board ownership, risk integration, scenario use, and the evidence supervisors expect to see. That update is now feeding through into supervisory engagement with both banks and insurers.

The US has moved sharply in the opposite direction, and this is where the picture gets more complicated.

The interagency Principles for Climate-Related Financial Risk Management for Large Financial Institutions were finalized in October 2023 for banks above 100 billion dollars in assets. They were jointly withdrawn by the OCC, Federal Reserve, and FDIC in October 2025.

The federal pullback reflects a clear political shift, not a change in the underlying financial risks. Those have not moved. Investors, counterparties, insurers, and rating agencies are still asking governance questions. European supervisors continue to apply their expectations to US firms operating in their jurisdictions. State-level disclosure and litigation pressure continues to evolve, particularly in California and New York. And the next administration, the next supervisory cycle, or the next severe loss event can reopen the federal file quickly.

For a mid-tier US institution, the practical position is uncomfortable. Federal supervisory pressure has eased, but the governance discipline behind it still matters commercially. For a mid-tier European institution, supervisory pressure is increasing, and the evidence bar is rising with it.

Either way, the underlying question is the same. Is climate and sustainability risk actually governed inside the firm, or only described in the annual report?

Too many firms still leave it in limbo

This is where mid-tier institutions get caught.

The largest global banks have spent years building climate risk infrastructure. Mid-tier firms face many of the same expectations without the same resources. That creates a difficult middle ground. Large enough to be scrutinised but not always built well enough to respond.

So what happens? Sustainability risk gets parked in Corporate Responsibility, Investor Relations, or a standalone sustainability team with little real authority over risk decisions. Everyone tells themselves the issue is being covered. Usually, it is not.

If a risk sits outside the firm's principal risk taxonomy, it is not being managed properly. It is being watched from a distance. Watching a risk is not the same as governing it.

This is the trap. Firms produce a strong report, hold a few internal discussions, maybe run a workshop, and assume progress has been made. But when you look for evidence inside the governance structure, the substance is often thin. No board-level challenge. No clear escalation route. No meaningful integration into core ERM. No defensible audit trail.

That is not a maturity gap. It is a governance gap.

And the most sophisticated investors, lenders, and counterparties are getting much better at spotting it, regardless of what the supervisory mood happens to be in any given quarter.

Disclosure is not governance

This is still one of the least understood points.

A firm can publish an impressive sustainability report and still have weak governance. It can make credible public commitments and still fail a serious supervisory challenge. It can speak fluently about climate risk at executive level and still be unable to show where the board challenged a decision, how ownership is assigned, or how the risk connects to capital and credit.

I see this often. The external story is polished. The internal mechanics are not.

A long report is not evidence of control. A committee reference is not evidence of oversight. A public commitment is not evidence of accountability. Those are the three substitutions that catch firms out most often, and they catch them out in front of exactly the audiences that matter most.

What this looks like in practice

It helps to ground this in something concrete.

Take a mid-tier bank with meaningful exposure to commercial real estate, particularly older office and mid-market industrial assets. On paper, the bank has a climate risk policy, a sustainability committee, and a section in the annual report on transition risk. The board has discussed climate risk. The CRO can describe it fluently.

Then transition pressure starts to bite. Tenant demand shifts toward more energy-efficient buildings. Local authorities tighten minimum energy performance requirements. Insurers reprice or pull back from the least efficient assets. Refinancing markets become more selective. Valuations on the weakest buildings begin to soften, and the gap between best-in-class and stranded stock widens faster than the bank's models assumed.

Now ask the governance questions.

Did the credit appetite framework distinguish between energy-efficient and energy-inefficient CRE exposures? Were transition assumptions actually built into loss-given-default and probability-of-default modelling, or were they discussed in a separate ESG workstream? Was the board shown a portfolio-level view of energy performance, refinancing risk, and insurability before the market moved? Is there documented challenge on a single CRE credit decision driven by transition risk?

In many mid-tier firms, the honest answer to most of those questions is no. Not because the people involved did not care, but because the governance architecture treated transition risk as adjacent to credit rather than part of it.

That is not an ESG failure. It is a credit underwriting failure dressed up in sustainability language. And it is the kind of failure that becomes visible in loss data two or three years after the governance gap was already there.

Governance weaknesses become financial problems

This is where some boards are still behind the curve. They continue to treat sustainability governance as a soft issue, something adjacent to reputation or stakeholder management. That view is outdated. Governance weakness does not stay in a governance box. It moves into capital, provisioning, credit quality, supervisory engagement, and eventually funding cost.

For European firms, the mechanics are familiar. Supervisory findings on climate governance can feed directly into the SREP process, influence Pillar 2 outcomes, and increase pressure inside ICAAP. The ECB's thematic reviews have already pushed banks on this, and the gap between what supervisors expect and what many mid-tier firms can demonstrate is well documented.

For US firms, the federal supervisory channel is currently less direct, but the commercial channel is not. Large institutional investors still want to see governance evidence. Reinsurers and counterparties still ask harder questions on portfolios exposed to transition and physical risk. Rating agencies still factor climate risk management into their assessments. Litigation and disclosure standards continue to evolve at state level. A US mid-tier bank that takes the federal pullback as a signal to stand down on governance is reading the situation too narrowly.

And in both jurisdictions, transition risk is not a specialist green issue. It is a credit issue. Changes in policy, technology, customer behavior, and asset desirability affect repayment capacity, asset value, and loss assumptions. If that is not reflected in governance, the institution is not seeing the risk clearly. If it is not seeing the risk clearly, it is probably not pricing it properly either.

The problem is usually not intent. It is mechanics.

Most firms are not failing because they do not care. They are failing because the mechanics are weak.

That usually shows up in a few ways:

  • Unclear board oversight. The board has discussed climate risk, but there is no structured reporting, no clear challenge record, and no evidence that discussion turned into decisions.

  • Fragmented risk taxonomy. Sustainability risk sits beside the risk framework rather than inside it, so it never fully enters controls, testing, limits, reporting, or escalation.

  • Poor defensibility. The process may exist informally, but the documentation does not. In any serious review, undocumented governance is treated as if it never happened.

  • Weak connection to the balance sheet. There is broad language about transition risk, but no serious translation into credit exposure, provisioning, RWA thinking, or portfolio vulnerability.

This is why I keep coming back to architecture. Governance is not proved by good intentions. It is proved by structure, evidence, and decision-making discipline.

The ARCHITECT™ Governance System

I developed the ARCHITECT™ Governance System because I saw too many firms treating sustainability governance as a reporting exercise when it should have been treated as a risk discipline.

You do not solve this with better wording. You do not solve it by adding another committee note or expanding the ESG section of the annual report. You solve it by embedding accountability, integrating the risk into the existing framework, and building a level of defensibility that stands up when the questions get harder.

That is what the system is designed to assess. It looks at governance maturity across six pillars.

  • A: Accountability. Who actually owns the risk at executive and board level? Not in vague terms. Specifically. Named owners, defined roles, escalation routes, and clarity across the Three Lines of Defense.

  • R: Risk Integration. Is sustainability risk inside the firm's principal risk taxonomy and core ERM framework, or still sitting on the margins?

  • C: Capital Exposure. Can the institution translate climate and transition risk into financial effect, including credit exposure, provisioning, and capital implications?

  • H: Horizon Scanning. Is there a disciplined process for tracking regulatory change, market transition, and sector pressure points before they become urgent?

  • I: Information and Reporting. Does the board receive reporting that is genuinely useful, or simply long-form narrative that creates the appearance of coverage?

  • T: Transparency and Defensibility. Can the institution show how challenge occurred, how materiality was assessed, and how decisions were made and recorded?

The aim is straightforward. Move sustainability risk out of the margins and into the operating core of the institution.

ARCHITECT™ translates sustainability ambition into a governance model built to withstand scrutiny.

Mid-tier firms need to stop hiding behind proportionality

Proportionality matters. Of course it does. A mid-tier bank is not a global systemically important bank, and nobody sensible expects identical infrastructure.

But proportionality is not a free pass for weak governance.

That is the point some firms still resist. They assume being mid-tier lowers the standard enough to make patchy architecture acceptable. That assumption is not going to age well. Regulators, investors, and counterparties are increasingly asking the same question regardless of size: is this risk governed properly within the core framework of the institution, or not?

If the answer is no, the fact that the institution is mid-tier does not make the weakness disappear. It just means the weakness may be discovered in a firm with fewer resources to absorb the consequences.

The same applies to firms tempted to read the US supervisory pullback as a reason to ease up. The federal posture has shifted. The underlying financial risks have not. The investor expectations have not. The European supervisory expectations on cross-border activity have not. Governance built only for the loudest regulator in the room is governance built to be rebuilt later.

That is why delay is a mistake. Governance remediation is always harder under pressure, always more expensive once an external party has identified the gap, and always more disruptive when boards realise too late that the issue was never really about sustainability reporting. It was about whether the governance model was fit for purpose.

Five questions I would ask before the next Board Risk Committee meeting

Before the next Board Risk Committee meeting, I would ask five direct questions.

  • Who, by name, owns climate and sustainability risk at executive and board level? If three people in the room would give three different answers, that is the problem.

  • Is sustainability risk embedded in our principal risk taxonomy, or is it still sitting outside core ERM?

  • Could we produce documented evidence of board-level challenge on a climate-related decision, or only a record that the topic was tabled?

  • Do we understand, in financial terms, how transition risk affects credit exposure and provisioning assumptions?

  • If a regulator, investor, or sophisticated counterparty asked for our governance evidence tomorrow, would we be proud of what we handed over?

If those questions produce hesitation, the governance gap is already there.

Closing

Governance is no longer a soft discipline in financial services. It is becoming one of the clearest signals of whether a mid-tier firm understands the risks it is actually taking. The institutions that recognize that early, regardless of which way the supervisory wind is blowing in their jurisdiction, will be the ones that handle the next cycle from a position of strength rather than catch-up. The ones that wait will be doing the same work later, under pressure, in front of an audience.

_______________________________________________________

Not sure how your governance framework would stand up under LP review, regulatory examination, or sell-side diligence? The ARCHITECT™ Governance Maturity Assessment gives mid-market private equity firms a practical starting point. Over two to three weeks, it shows where governance is strong, where it is exposed, and what needs to change.

_______________________________________________________

Author bio

Brendan Walsh is the founder of Walsh SRA and creator of the ARCHITECT™ Governance System. He brings more than 30 years of global executive leadership in regulated financial services, including senior roles at American Express across the US, Europe, and Asia, as well as advisory experience with regulated institutions including the UK's Office of Gas and Electricity Markets (OFGEM). He holds a master's degree in sustainability from Harvard University and is credentialed by GARP in both Sustainability and Climate Risk (SCR) and AI Risk. Walsh SRA advises mid-tier financial institutions on governance frameworks for climate and sustainability-related financial risk.
