The Prudential Regulation Authority (PRA) has published Consultation Paper 10/25 (CP10/25), marking a fundamental update to how it expects banks and insurers to identify, manage, and govern climate-related risks. The document, which will replace the PRA’s 2019 supervisory statement (SS3/19), is open for consultation until 30 July 2025 and is set to take effect immediately after finalisation. The updated expectations reflect six years of industry progress, persistent supervisory concerns, and a shift from awareness to implementation.

CP10/25 is not a checklist. It is a clear message to firms that climate risk must be treated as a core part of prudential management, not a peripheral disclosure issue. Unlike the more prescriptive ESG guidance issued by EU supervisors, the PRA maintains a principles-based approach. But this should not be mistaken for leniency. Expectations have been significantly raised, and the focus is now on integration, governance, and action.

From framework to function

SS3/19 was a foundational statement. It set out high-level principles, encouraged early scenario analysis, and emphasised the need for governance structures. It reflected the state of the market at the time: low capacity, growing interest, and limited data.

CP10/25 moves the goalposts. The PRA now expects climate risk management to inform business strategy, be embedded across the three lines of defence, and be regularly reported to Boards with sufficient technical detail to support decisions. Senior managers are expected to demonstrate ownership of climate issues and report clearly on risk appetite, exposures, and mitigation plans.

In short, what was once seen as “leading practice” is now the baseline.

Where expectations have grown stronger

Several areas show the clearest evolution in supervisory expectations:

1. Governance and accountability

Boards are expected to review and sign off on the firm’s material climate risks, supported by detailed internal reporting and analysis. Senior Management Functions (SMFs) must lead the firm’s climate risk response and regularly update the Board on practices, strategy, and implementation. Firms should document this governance process in a way that allows supervisors to review how climate risk is being managed at the top.

2. Risk appetite and materiality

The PRA introduces a two-step process. First, all firms must assess whether climate-related risks are material. This is not based on firm size but on risk exposure. The outcome must be signed off by the Board and revisited periodically. Second, where risks are deemed material, firms are expected to develop and maintain a proportionate but robust risk management framework, including clear appetite statements and thresholds. These should cascade to business units and be used to guide client-level and portfolio-level decisions.

3. Scenario analysis (CSA)

The PRA states that no bank has yet fully operationalised climate scenario analysis. CP10/25 outlines how this should change. Scenario selection must reflect the firm’s unique risk profile, with assumptions grounded in scientific evidence and relevant jurisdictional policy targets. The guidance calls for reverse stress testing to assess business model vulnerabilities and insists that CSA be used in decision-making, not just as an external reporting tool. Boards and executives are expected to understand the outputs and act on them.

Firms that rely on third-party scenario tools must be able to explain how they work, what assumptions they rely on, and what limitations they face. Outsourcing the technical work does not outsource the responsibility.

4. Sector-specific requirements

For banks, CP10/25 introduces new expectations under the Internal Liquidity Adequacy Assessment Process (ILAAP). Climate-related risks to cash flow, asset liquidity, and funding should be assessed and managed through the same framework used for broader liquidity planning.

Insurers are asked to deepen climate integration in the Own Risk and Solvency Assessment (ORSA) and Solvency Capital Requirement (SCR). In particular, the PRA wants insurers to examine how climate change may alter asset valuations, affect liability risks through higher claims or litigation, and introduce new risks into Matching Adjustment portfolios, especially as more illiquid assets are added under Solvency UK reforms.

5. Data and internal reporting

While data gaps remain a constraint, the PRA makes it clear that this cannot be an excuse for inaction. Firms should invest in infrastructure to address these gaps. In the interim, they must use conservative assumptions and proxies, clearly documenting the rationale. Reporting should be sufficiently detailed to support management and Board decisions, and updated regularly as new information becomes available.

6. Third-party and outsourcing risks

Firms must now explicitly consider how climate risks affect outsourced services and critical third-party relationships. This includes setting risk tolerances, reviewing exposures, and ensuring that external partners do not introduce unmanaged climate vulnerabilities into the business.

What firms should do next

With the consultation open until the end of July and the final statement expected in Q3 2025, firms have limited time to prepare. Supervisors will begin assessing alignment with the new expectations six months after finalisation. This means firms will likely be asked to show evidence of their approach by early 2026.

Now is the time to act:

• Conduct a comprehensive gap analysis: Compare your current approach to CP10/25’s expectations. Identify where enhancements are needed, particularly in governance, scenario analysis, and internal reporting.
• Engage your Board early: Ensure they are aware of their responsibilities, receive the right training, and have access to the data and insights required to oversee climate risks effectively.
• Develop or upgrade scenario analysis tools: Move beyond boilerplate stress tests. Scenarios should be use-case specific, decision-relevant, and capable of identifying vulnerabilities across your business.
• Strengthen internal risk reporting: Create a reporting cadence that supports cross-functional decision-making and enables ongoing Board engagement.
• Review your ORSA or ICAAP frameworks: These must now include climate risks where material, backed by credible methodologies and clear documentation.
• Evaluate outsourcing and vendor risks: Map out how climate risks affect your broader ecosystem and build this into risk appetite frameworks and contracts.

This is not simply a compliance update. It is a shift in how the PRA expects risk to be understood, communicated, and acted upon. The tone is clear. Climate risk needs to be a core component of how financial institutions operate and plan — not a standalone workstream or disclosure requirement.

Connecting regulation to resilience

CP10/25 brings the UK closer to international best practice. It reflects lessons learned from the EU’s more detailed ESG rulebooks, while staying true to the PRA’s principle-based approach. It also signals that climate is not falling off the supervisory agenda, even amid political pushback on green regulation elsewhere.

The challenge for firms is not just to respond, but to prepare. As expectations rise, scrutiny will follow. Institutions that move early will not only reduce supervisory risk, but also be better positioned to navigate the strategic shifts that climate change will continue to bring.

Subscribe to David Carlin's Sustainability Digest, Risk and Resilience: Navigating a Changing World