ISO 14091 in Practice: What Banks and Insurers Expect

Auditors ask for methodology, not for good intentions. CSRD reports are subject to audit, and ESG data is now seriously challenged in lending conversations and investor dialogue. Anyone presenting a climate risk analysis without traceable process documentation will be corrected in the audit. DIN EN ISO 14091:2021 has emerged as the methodological reference that closes this gap. It is not mandatory, but in practice it is the standard that EFRAG, BaFin, the ECB and the EBA orient towards. This article maps the structure, application path, regulatory alignment and open weaknesses of the standard for ESG managers, CFOs, risk managers and auditors.

Structure and the hazard-exposure-vulnerability framework

EN ISO 14091:2021, titled "Adaptation to climate change – Guidelines on vulnerability, impacts and risk assessment", gives organisations of any size or sector a structured framework for climate risk assessment. It applies to present and future risks alike and follows a four-step structure: introduction to the concept of climate risk analysis, preparation, execution, and documentation and communication. The standard was developed on the initiative of Germany and South Korea.

The conceptual core is the analysis along three dimensions:

  • Hazard: identification of climate-related hazards, acute (extreme precipitation, storm) and chronic (sea-level rise, temperature increase). The EU Taxonomy Delegated Regulation lists 28 physical climate hazards in Annex I as the minimum review frame.
  • Exposure: the extent to which company sites, supply chains or processes are exposed to those hazards, geocoded via RCP or SSP scenarios.
  • Vulnerability: inner sensitivity and adaptive capacity of the organisation against the exposed hazards.

Risk thus emerges as a function of hazard, exposure and vulnerability, a conceptual difference from classic risk models that primarily build on probability and impact magnitude. The standard recommends impact chains, showing how climate hazards can directly or indirectly affect business processes. Both qualitative screening assessments and quantitative analyses are possible.

Embedding in ISO 14090, 14092 and 14001

ISO 14091 is part of an interlocking family:

Standard        | Content                                                      | Role in the system
ISO 14090:2019  | Principles, requirements and guidance for climate adaptation | Parent framework, adaptation principles, iterative process
ISO 14091:2021  | Guidance on vulnerability, impacts and risk assessment       | Methodological core, operationalises the risk analysis
ISO/TS 14092    | Adaptation planning at local level                           | Specification for municipalities, referenced by DIN

ISO 14090 acts as the parent standard, defining higher-level adaptation principles. ISO 14091 translates those into an applicable methodology. ISO/TS 14092 covers the municipal level. Together, the three cover the climate adaptation process from strategic anchoring to operational execution.

Important for ISO 14001-certified organisations: the ISO Climate Amendment from 2024 obliges all Type A management systems to consider climate risks in the organisational context. ISO 14091 can be embedded as a deep-dive module into the existing environmental management system without creating duplicate process landscapes. As a complement, ISO 31000:2018 serves as a general risk management framework with compatible terminology, while DIN SPEC 35110 transfers the concept onto the company level more pragmatically, though with less international recognition.

CSRD/ESRS E1, EU Taxonomy and TCFD compatibility

ESRS E1-9 requires the quantification of the financial effects of material physical climate risks: identification of climate hazards (at least a 1.5 °C scenario for transition risks and RCP/SSP high-emission scenarios for physical risks), assessment of the exposure of assets and operations to those hazards, and monetary disclosure of the share of revenues and assets exposed to material physical risks. EFRAG does not prescribe a specific standard but expects a "robust", principle-based approach. In practice, ISO 14091 is the de-facto reference methodology because it provides internationally agreed terminology, process steps and documentation requirements that structurally meet the ESRS requirements. The UBA guidance on Climate Risk and Vulnerability Assessment (CRVA) for the EU Taxonomy explicitly builds on ISO 14091.

EU Taxonomy Annex II requires a robust Climate Risk and Vulnerability Assessment under the DNSH criterion "Adaptation to climate change" as a precondition for Taxonomy alignment. It must screen all 28 physical risks of Annex I of Delegated Regulation 2021/2139, evaluate probability and impact magnitude, and define risk reduction measures within five years where risks are deemed material. The hazard-exposure-vulnerability logic of ISO 14091 is the methodologically recognised foundation for this.

The TCFD framework demands similar process steps under "Risk Management": identification, assessment and management of climate-related risks. ISO 14091 is conceptually compatible. Impact chains complement the TCFD categories of physical and transition risks with a deeper cause-effect analysis. PwC explicitly combines TCFD with ISO 14091 methodology in its consulting practice for German OEM climate scenario analyses. Important distinction: TCFD focuses on disclosure and strategic steering, ISO 14091 on methodical risk identification and assessment. They complement each other; neither replaces the other.

IFRS S2, applicable since January 2024, analogously requires a stress test of business strategy against various climate pathways. The choice of specific standard remains agnostic; documentation depth is what counts.

Key takeaways

  • ISO 14091:2021 is not mandatory but the de-facto reference methodology for ESRS E1 and the EU Taxonomy.
  • Conceptual core: hazard–exposure–vulnerability plus impact chains.
  • BaFin MaRisk 7th Amendment (2023), the ECB guide and EBA Pillar 3 structure physical risks analogously to ISO 14091.
  • The largest gap: quantification of financial impacts. The standard alone is not enough here.

What banks and insurers actually require

BaFin MaRisk 7th Amendment 2023

With the 7th MaRisk amendment of 29 June 2023, BaFin integrated ESG risks for the first time as binding minimum requirements in bank risk management. The amendment converts the previously non-binding BaFin guidance note on sustainability risks (2019) and the EBA Guidelines on Loan Origination into audit-relevant requirements. Specifically, MaRisk now requires: measurement of sustainability risks with scientifically grounded scenarios (AT 2.2 and AT 4.1), integration of ESG risks into business and risk strategies, consideration in risk classification procedures. ISO 14091 is not named, but the hazard-exposure-vulnerability methodology corresponds exactly to what counts as scientifically recognised risk identification.

ECB guide and climate risk expectations

The ECB guide on climate-related and environmental risks (2020, updated 2022) sets clear expectations for significant institutions: banks should understand and manage climate and environmental risks as drivers of all established risk categories. It calls for materiality assessments over short-, medium- and long-term horizons, IPCC-compliant scenarios and forward-looking approaches. The ECB structures physical risk analysis analogously to ISO 14091 into hazard, exposure and vulnerability. By the end of 2024 all banks were expected to fully meet the supervisory expectations on climate and environmental risk.

EBA requirements and Pillar 3 disclosure

The EBA has published an ESG dashboard based on Pillar 3 disclosures. Physical risk analyses are structured at three levels: hazard identification, exposure, and vulnerability of assets, which is conceptually identical to ISO 14091. A central problem: the EBA notes that physical risk indicators are only partially comparable because of inconsistent disclosure practice and varying methods. Broader acceptance of ISO 14091 would improve that comparability.

Insurers: GDV, Solvency II and ORSA

Since 2022, Solvency II has required at least two long-term climate change scenarios in the ORSA (Own Risk and Solvency Assessment): one scenario below 2 °C and one clearly above. The GDV publishes an NGFS-based methodology paper covering both physical and transition risks. ISO 14091 and the GDV ORSA approach differ in granularity: ISO 14091 targets the company level with impact chains, while the GDV ORSA approach focuses on capital investment and underwriting effects at portfolio level. The two are complementary. Industrial insurers increasingly treat ISO 14091 as an acknowledged methodology. There is no formal certification obligation, but pressure is rising to perform the analysis under an auditable approach. Anyone who can substantiate the link between climate risk analysis and insurability gains a measurable negotiation advantage with insurers.

Application cases in Germany

Municipal pioneers: the Federal Environment Agency (UBA) adopted ISO 14091 as the methodological basis for municipal climate risk analyses. The municipality of Geestland identified the material climate risks of its area within six months using an ISO-14091-based tool, with documented low effort. The city of Mainz produced its municipal climate risk analysis explicitly to ISO 14091:2021.

Mid-sized automotive company: site-specific geocoding on the CORDEX-EUR-11 grid (12.5 km), RCP 4.5 and 8.5 for 2031–2040 and 2041–2070, analysis of all 28 physical EU Taxonomy hazards. The result served both TCFD reporting and EU Taxonomy alignment. The methodology is documented in the case study on the company website.

Offshore wind sector: operators structure physical risk analyses by the three ISO 14091 steps: hazard identification, exposure assessment, planning of adaptation and resilience measures.

The first ESRS reports show a sobering baseline: the KPMG study 2026 (with University of Graz) analysed 74 EU companies in oil/gas, mining, construction and retail. Emissions are mostly reported, but strategic climate risk processes and financial embedding are often still underdeveloped. Disclosures on financial effects are almost entirely missing in most reports, yet these are exactly what banks, investors and funding bodies need.

Weaknesses and gaps in practice

  • Generality, not operational specificity: no concrete thresholds (no temperature limits, no precipitation amounts at which a risk counts as material). The standard describes the process, not the outcome. Users have to set materiality thresholds themselves.
  • No reference to specific climate hazard datasets: a recommendation to use climate scenarios without naming specific data sources. Users must identify Copernicus, DWD, CHELSA, EU-CORDEX themselves and ensure methodological consistency.
  • Quantification deficit: qualitative and quantitative analysis are presented as equivalent, but there is no explicit guidance on monetary quantification. ESRS E1-9 requires exactly that.
  • No link to adaptation measures: the standard ends with risk identification and prioritisation, not with measure design, cost-benefit assessment or monitoring. For ESRS-compliant reporting this gap must be closed with other standards.
  • Data availability: Oliver Wyman and the EBA identify data availability as the largest single challenge. ISO 14091 assumes high-quality climate data but offers no solution for missing data.

From consulting practice this means: anyone choosing ISO 14091 as a process framework should build the methodological bridge to concrete data portals such as CORDEX EUR-11 or CMIP6 in parallel, and design their own scheme for financial quantification. Without these add-ons, the standard alone does not carry through an audit.

Audit and assurance requirements

With the CSRD, climate risk reporting becomes subject to audit. Auditors demand a traceable methodological derivation. Three aspects matter for auditors:

  • Process documentation: choice of climate scenarios, applied data sources, justification of materiality thresholds must be traceable.
  • Methodological consistency: ESRS demands consistency across years. ISO 14091 gives auditors a stable reference.
  • Quantification gap as an audit risk: PwC notes that CSRD reports in the financial industry require strong process and data integrity. Missing financial quantification despite the ESRS E1-9 obligation is a central audit risk.

Assurance maturity differs widely: large groups work with external advisors (PwC, KPMG, EY, Deloitte) on structured climate risk analyses to ISO 14091/TCFD, while many mid-sized firms still rely on Excel-based or informal processes. With limited assurance currently and reasonable assurance ahead, pressure to standardise methodology will rise.

Specific ISO 14091 certification programmes analogous to "ISO 9001 Lead Auditor" do not yet exist in Germany. TÜV Academy, DGQ and KATE Umwelt & Entwicklung e.V. offer seminars that increasingly integrate climate risk topics.

ISO 14091 is the process, not the finished analysis.

To build an ISO-14091-compliant climate risk analysis, you also need data choice, scenario logic and financial quantification. In the initial climate risk assessment we put that together, audit-proof and with a clear ROI view for measure prioritisation.

Frequently asked questions

Is ISO 14091 mandatory?

No, it is voluntary. In practice it has become the reference methodology for CSRD ESRS E1 reports and EU Taxonomy DNSH checks. EFRAG, BaFin, the ECB and the EBA orient towards the hazard-exposure-vulnerability logic.

What is the hazard-exposure-vulnerability triad?

Hazard is the climate threat (heat, flood, hail and others), exposure is the extent a site or process is subject to it, vulnerability is its inner sensitivity and adaptive capacity. Risk emerges as a function of all three plus impact chains capturing direct and indirect effects on business processes.

How does ISO 14091 relate to 14090, 14092 and 14001?

ISO 14090:2019 is the parent standard with adaptation principles. ISO 14091:2021 operationalises the risk analysis. ISO/TS 14092 covers the municipal level. ISO 14001:2015 (environmental management) has had a climate consideration obligation since 2024; ISO 14091 plugs in as a deep-dive module.

What does the BaFin MaRisk 7th Amendment require?

Measurement of sustainability risks with scientifically grounded scenarios (AT 2.2 and AT 4.1), integration into business and risk strategy, consideration in risk classification procedures. ISO 14091 is not named, but the methodology mirrors what supervisors expect as recognised risk identification.

How compatible is ISO 14091 with TCFD and IFRS S2?

Fully compatible conceptually. TCFD focuses on disclosure and strategy, ISO 14091 on methodology. IFRS S2 analogously requires scenario analysis but stays method-agnostic. The TCFD plus ISO 14091 combination is the standard used by large consulting houses (for example PwC).

What are the weaknesses of ISO 14091 in practice?

Generality without concrete thresholds, no reference to specific hazard datasets, no explicit guidance for financial quantification (yet ESRS E1-9 demands it), no link to measure design. Users must complement the standard with their own data choice and quantification modules.

Which companies apply ISO 14091 visibly?

Municipal pioneers like Geestland and Mainz, a mid-sized automotive company with CORDEX-EUR-11 geocoding and an EU-Taxonomy-aligned analysis of all 28 hazards, offshore wind operators for physical risk analyses. The KPMG 2026 study shows that many companies still under-quantify the financial impact.

How do I prepare for the CSRD audit?

Four steps: choose ISO 14091 as the process framework and document it, select and justify climate scenarios and data sources (CORDEX EUR-11, CMIP6, ISIMIP3b), put materiality thresholds in writing, build financial quantification as its own module. Auditors accept this when it is consistent and traceably documented.

Johannes Fiegenbaum

ESG and sustainability consultant based in Hamburg, specialised in VSME reporting and climate risk analysis. Has supported 300+ projects for companies and financial institutions – from mid-sized firms to Commerzbank, UBS and Allianz.
