SS4/25 (December 2025) sets out PRA expectations for operational resilience, governance and risk management.
Overview
The final policy is intended to promote effective risk assessment and risk management capabilities. It aims to help firms build resilience against climate-related risks and make informed strategic decisions that support their business interests, including through the provision of appropriate financial products that can promote sustainable economic growth.
The approach is described as being “proportionate, practical, and reflects the evolving climate-related risk landscape”.
Purpose and scope
- SS4/25 sets out the Prudential Regulation Authority's (PRA) expectations for firms regarding governance, operational resilience, risk management, data management and disclosures.
- It applies to all UK insurance and reinsurance firms and groups, i.e., those within the scope of Solvency II including the Society of Lloyd’s and managing agents (Solvency II firms) and non-Solvency II firms (collectively referred to as ‘insurers’), banks, building societies, and PRA-designated investment firms.
Key ESG-relevant points
Governance & accountability
- Verifiable board structure and involvement in climate-related risk management. Assign ‘individual responsibility’ within leadership (and “at an appropriate level of seniority”) on specific issues
- Boards should ensure that business strategy and risk appetite are set with respect to climate-related risks
- (Double) materiality assessment to be undertaken
- Knowledge management and training
- Setting accountability for sustainability-linked resilience measures
Climate risk integration
- Firms must embed climate-related financial risks into resilience frameworks. This should be done in a way that is proportionate to the firm’s risk exposure and the size of the firm, in line with the approach they take for other material risks. Firms should consider all material risks and their categorisation within their risk register, for example where firms have chosen to use categorisation tags such as ‘accept, manage or avoid’
- The PRA expects firms to understand the risks arising from relationships with clients, counterparties, investees and policyholders and to identify only those relationships that have a material impact on their climate-related risk profile (‘material relationships’). This will include the credit risk associated with lending and reinsurance activities, the market risk associated with holding securities and the reputational or litigation risk introduced by all relationships
- Maintain risk registers and demonstrate a 2-step risk management process (cl 3.14). Step 1: risk identification, assessment and sign-off from the Board; step 2: a proportionate risk management response that can be demonstrated to the regulator
- Assess the transmission channels (described in the 2021 adaptation report) through which physical and transition risks impact firms’ risk types (e.g., market, credit, liquidity, operational risk and resilience, as well as underwriting, reserving, reputational and litigation risks) and future revenue and profitability
Operational resilience & scenario testing
- Annual testing should incorporate climate stress scenarios (e.g., extreme weather, transition risks). Scenario analysis should have clear objectives with the rationale for the range of selected scenarios clearly defined and “agreed by the board”
- Contingency plans must address ESG-driven systemic shocks: the impact of climate-related risk drivers from the perspective of both firms’ general operations and their ability to continue providing important business services, including those supported by outsourcing and third-party arrangements, in severe but plausible scenarios
Reporting & transparency
- Firms should implement an appropriate internal climate-related risk reporting process and methods, with ad-hoc reporting in cases where a risk appetite limit for a certain material risk is breached
- The PRA expects clear reporting on resilience metrics and climate risk disclosures. This aligns with global frameworks (e.g., UK SRS - TCFD, ISSB)
- Firms should identify and assess any data gaps to understand the extent of uncertainty and reflect this when setting risk appetite and developing risk management tools
- The PRA expects firms to make disclosures on their approach to managing climate-related risks in existing reporting, as per the UK Companies Act 2006
Compliance timeline
- By 3 June 2026: firms should carry out an internal review of their current status in meeting the expectations set out in SS4/25 and prepare an action plan on gap areas, including updating internal risk assessments and proposed climate action plans
- By March 2027: Full integration of climate risk into resilience planning
Speak to an expert
Please contact Abhay Srivastava or Aidan Thomson to book an exploratory session on the above requirements.