The real bottleneck is not timing. It is capability.

Many banks do not yet have enough experienced sustainability risk analysts to assess large and varied corporate loan books with consistency. They do not have a deep internal library of historical sustainability risk assessments. They do not have a mature logic for translating sustainability issues into financially material risk exposures at debtor and portfolio level.

That weakness becomes visible in the way many banks are currently working. They begin by collecting information from debtors. They send questionnaires, request policies, emissions figures, targets and governance information, and hope that the resulting dataset will form the basis of sustainability risk assessment.

Often it will not.

If a bank has not first determined which sustainability risks are materially relevant for a particular sector, business model or supply chain configuration, it cannot know what to ask. It cannot separate signal from noise. It cannot distinguish what is relevant for credit judgement from what is merely useful for disclosure or general ESG profiling.

The result is activity without analytical depth.

This is where much of the market is solving the problem in the wrong order. The correct starting point is not the questionnaire. It is the risk assessment engine.

Banks need first to build a structured sustainability risk methodology. That means identifying the sustainability risk topics that may matter financially, mapping them to sectors and activities, understanding transmission channels into financial risk, and establishing a logic that can be applied repeatedly across large portfolios.

Only then does it become possible to ask targeted, decision-useful questions.

The second mistake is narrower but just as important. Too many institutions still behave as though sustainability risk integration is largely a climate exercise. That is understandable. Climate risk has received the greatest regulatory attention, the broadest public attention and the most visible data build-out. But climate risk is only one part of the problem.

Sustainability risk in lending is much broader. It can include environmental liabilities, biodiversity-related exposure, labour conditions, product safety failures, community conflict, weak governance, corruption risk, supply-chain abuses and other factors that may feed into cash flow weakness, operational disruption, litigation, reputational pressure or reduced market access. All potential contributors to a debtors failure to pay back their credit.

A bank that focuses only on climate is not simplifying the task. It is under-scoping it.

This is not only a regulatory problem. It is also a commercial one.

If sustainability risk is poorly defined, it will be poorly priced. Banks will misjudge debtor resilience, underestimate downside risk and allocate capital with false confidence. Weak sustainability risk integration can create hidden concentration risk across sectors, geographies and supply chains. In adverse conditions, these blind spots do not remain theoretical. They show up in the portfolio.

For CEOs, CROs and credit managers, that is the real issue. Better sustainability risk integration is not simply a matter of satisfying supervisors. It is a way to improve risk selection.

Read more about this here: Why most bank questionnaires on sustainability fail

The next question is automation.

Here again, many institutions risk moving too quickly in the wrong direction. When internal sustainability risk expertise is limited, the temptation is to rely heavily on large language models and agentic workflows. But in a domain where the underlying knowledge base is thinner and less standardised than in traditional financial analysis, this can introduce significant inconsistency.

The model’s latent assumptions begin to do too much of the work. Variation in output increases. Traceability weakens. Hallucination risk rises.

A better alternative is deterministic design.

When the domain methodology is strong, the assessment process can be broken into smaller analytical tasks. Rules, evidence structures and risk logic do most of the work. AI is used only where interpretation is genuinely needed. In that structure, the bank is not outsourcing judgement to the model. It is constraining the model inside a controlled process.

That makes automation faster, cheaper and more defensible.

For regulated credit processes, defensibility is the real test. Can the bank explain why a sustainability issue was considered material or immaterial for a given debtor? Can it trace the link from sector activity to risk driver, from risk driver to financial transmission channel, and from there to credit relevance? Can it apply the same logic consistently across a large portfolio?

If not, the institution does not yet practice sustainability risk integration. It has sustainability-themed information collection.

Read more about this here: Automating sustainability risk assessment in banks – Pitfalls

The EBA requirement is real. But the harder truth is that many banks are still trying to industrialise sustainability risk assessment before they have properly defined it.

That is why so many programmes drift into generic questionnaires, fragmented data collection and climate-only shortcuts. These are not signs of progress. They are symptoms of a missing analytical foundation.

The institutions that will get this right will not be those that gather the most information or deploy the most fashionable AI. They will be those that first build a credible global materiality framework, translate it into structured risk logic, and automate against that foundation with discipline.

Banks do not have a data problem first. They have a risk-definition problem first.

Download our executive briefing here: