ESG Risk Management: Compliance Monitors, Internal Audit Reviews!
Since April 1, 2026, ESG risks are legally embedded in the German Banking Act (Sections 26c and 26d KWG) through BRUBEG. Financial institutions must integrate ESG risks into their risk management and establish an ESG risk plan. Regulatory resilience depends on effective coordination between the three lines of defense, robust documentation, and methodologically sound monitoring and audit processes.
Do your internal monitoring and audit functions truly stand up to external scrutiny?
Since April 1, 2026, new requirements for ESG risk management have come into force. This not only brings implementation into focus but also raises a critical question: Are the compliance function and internal audit capable of effectively monitoring and reviewing adherence to these requirements?
With increasing regulatory complexity, expectations regarding methodologies, processes, and governance are rising significantly. At the same time, demands on compliance and internal audit are intensifying. Only if both functions meet these heightened expectations with sufficient depth and rigor will ESG risk management remain resilient under external review.
From Supervisory Focus to Legal Obligation
The regulatory maturity phase has reached a new level: With its publication in the Federal Law Gazette (BGBl. 2026 I No. 81), the Act Implementing the Banking Directive and Reducing Bureaucracy (BRUBEG) has been finalized. This completes the national transposition of CRD VI into German law. The law entered into force on April 1, 2026.
Through the newly introduced Sections 26c and 26d of the German Banking Act (KWG), ESG risks are now explicitly embedded at the statutory level as an integral component of risk management.
Financial institutions are now legally required to:
- consider ESG risks across short-, medium-, and long-term horizons,
- develop appropriate strategies for identifying and managing these risks, and
- maintain an ESG risk plan as a central management instrument.
Compliance Function
Out of Regulatory Blind Flight
The compliance function is responsible for systematically monitoring adherence to complex ESG regulatory requirements within risk management. It assesses the current implementation status and verifies regulatory compliance.
The practical challenge:
Effective monitoring requires a reliable and well-documented status quo for every individual requirement. In practice, however, such comprehensive documentation is often lacking. Without sufficient input from the first line, compliance is pushed into an operational role, which blurs responsibilities and undermines its independence, effectively resulting in "regulatory blind flight."
The First Line Gap Analysis: A Critical Foundation
Before monitoring and auditing can function effectively, a solid foundation must be established. This begins with a comprehensive gap analysis conducted by the operational units (first line of defense).
This analysis compares regulatory requirements (e.g., EBA guidelines, MaRisk, KWG) with actual practices. Only when business units clearly identify implementation gaps can a robust ESG risk management framework be built.
Assessing Implementation Capabilities
Compliance must evaluate whether operational units are capable of sustainably implementing ESG requirements. This includes assessing:
- staffing levels,
- expertise, and
- organizational readiness.
Without sufficient capabilities, compliant implementation is not feasible.
Recommendations as a Steering Tool
Identifying gaps alone is insufficient. Compliance must derive concrete recommendations to support remediation. These recommendations act as a steering mechanism to guide business units toward regulatory compliance.
Documentation: Leaving No Room for Challenge
Comprehensive and transparent documentation is essential. Only a complete audit trail of monitoring activities ensures that compliance can demonstrate its independence and effectiveness to regulators and internal audit.
Internal Audit
The Safety Net Under Scrutiny
While compliance monitors ongoing adherence, internal audit independently assesses the adequacy and effectiveness of ESG risk management.
With ESG risks now anchored in Sections 26c and 26d KWG, internal audit's role becomes more critical, and more visible to regulators.
Section 26c KWG: ESG Risks as Core Risk Drivers
ESG risks must now be integrated into existing risk categories. Internal audit must evaluate whether ESG factors are consistently incorporated into risk inventories and stress testing.
A key challenge is assessing these methodologies under uncertainty, since ESG data availability and quality remain limited.
Section 26d KWG: ESG Risk Plan as a Strategic Audit Focus
Institutions are required to maintain an ESG risk plan covering at least ten years. Internal audit must assess:
- consistency with business strategy,
- alignment with risk profile, and
- plausibility of defined milestones.
Any deficiencies may constitute a direct regulatory breach.
Methodological Rigor as a Safeguard
Regulators will increasingly assess the depth and quality of internal audit reviews. Robust methodologies and complete documentation are essential to withstand scrutiny.
Conclusion: The Chain Is Only as Strong as Its Weakest Link
Effective ESG risk management depends on the coordinated interaction of the three lines of defense:
- First line: conducts gap analysis and implements requirements
- Second line (compliance): monitors implementation
- Third line (internal audit): independently reviews effectiveness
Only this alignment ensures regulatory resilience and long-term stability.