ESG: MARISK implementation – Part 1

The requirements for implementing sustainability are now included in the 7th MaRisk amendment. Following BaFin’s publication of the “Code of Practice on Dealing with Sustainability Risks” on January 13, 2020, pressure is now mounting on individual institutions to implement sustainability requirements throughout the bank.

The following series of articles is intended to show a possible approach for implementation projects in the individual institutes.

Axel Becker & Johannes Hugo
Regulartech-IT-Audit-Consult & ADWEKO

Setting up the implementation projects

The first question to clarify is whether the institution has already implemented ESG requirements, is in the middle of doing so, or is still in the early stages. The ESG implementation project is based on this. The typical project progression of a phase model is shown in the following diagram [1]:

[Figure: MaRisk implementation project, exemplary project progression of an ESG project]

See: Becker Axel – Seminar VÖB-Service GmbH – ESG – Selected Topics in the Focus of Supervision / Internal Audit, p. 66.

The success factors of the ESG implementation project are establishing a functional project organization that includes the essential key players, and settling the personnel and budget issues. If sufficient capacity is not available internally, the institute should look for adequate competencies on the market.

GAP analysis = As-is assessment of ESG implementation status

The next step is to clarify the extent to which various ESG requirements have already been implemented at the institute. For this purpose, an institute-wide GAP analysis [2] is necessary to determine the implementation status. All key areas such as ESG officer, credit, risk management, compliance and also internal audit must be included. Various GAP analyses are available on the market. The following chart, which is suitable as an example for a GAP analysis, is structured along the lines of the DIIR ESG Audit Guide dated April 14, 2022. Fictitious values have been used in the graph for clarity. For the MaRisk GAPs in the company, an institution-specific analysis should be carried out, i.e., the institution’s own record of its implementation status to date.

[Figure: ESG Guide Banks DIIR, competitor vs. self-assessment]

The key areas of action from MaRisk (Part 1) – based on the 7th MaRisk amendment [3] for the upcoming implementation activities are shown in the following diagram.[4]

Fields of action by MaRisk para.:

AT 2.2, para. 1 Risks
In order to assess materiality, the management must obtain an overview of the institution’s risks on a regular and ad hoc basis as part of a risk inventory, whereby the impact of ESG risks must be appropriately and explicitly included (overall risk profile).
Field of action: Comprehensive inclusion/addition of ESG risks in the Institute’s risk catalog and risk manuals.

AT 2.2, para. 1 Risks – Explanation
Consideration of ESG risks
For the purposes of this Circular, ESG risks are environmental, social or corporate governance events or conditions, the occurrence of which may have a potentially negative impact on the financial position, financial performance or cash flows of a supervised entity. In this respect, ESG risks act as risk drivers and can have an impact on the risk parameters described in Note (3). 1 a)-d) and other significant types of risk. When assessing the impact of ESG risks, various plausible scenarios derived from scientific evidence must be used and an appropriately long period of time must be selected. This assessment is also carried out quantitatively, as far as reasonable and possible.
Field of action: Holistic consideration of ESG risks in the written regulations (SFO), in risk management (risk manual) and in corporate management (strategy, etc.)

AT 3, para. 1 Overall responsibility of the management
This responsibility relates to all material elements of risk management, taking into account outsourced activities and processes. Business managers will only meet this responsibility if they can assess risks, including ESG risks, and take the necessary measures to limit them. This also includes the development, promotion, and integration and monitoring of an appropriate risk culture at all levels within the institute and the Group.
Field of action: Definition of competencies (addition of ESG to the competence matrix), responsibilities, inclusion in the business distribution plan (separate ESG responsibility).

[3] Cf. BaFin: Consultation on the 7th MaRisk amendment of September 26, 2022.
[4] Cf. Becker A./Dzolic M.: Die Umsetzung der Anforderungen an ESG aus den MaRisk, in: Handbuch MaRisk – Becker A./Gruber W./Heuter H., Fritz Knapp Verlag – Frankfurt am Main 2023.

The other fields of action are highlighted and explained in the following articles.

Scope of regulation

The 7th MaRisk amendment stipulates the comprehensive implementation of ESG. Final implementation is targeted for May 2023. Institutions can already prepare for compliance with the new requirements as part of their MaRisk/ ESG implementation projects.

Our recommendation

Address ESG issues and internal implementation status as promptly as possible and review what preparations are needed for the oversight meeting. We at ADWEKO and Regulartech-IT-Audit-Consult are happy to support you in ESG preparation and implementation as well as in determining your implementation needs and efforts.
