Managing Non-Financial Risk (NFR)
Another major modification to the regulatory agenda for Risk Management is looming
Since 2008 banks have spent considerable time and resources implementing stronger risk controls and risk management frameworks, such as the three lines of defence (“3LOD”) model. Remarkably those efforts covered mostly well-established BCBS risks. However in recent years most losses occurred in risk spaces that were neither fully identified nor backed up by corresponding models and capital. There are solid indications that those apparent NFR blind spots will soon be addressed in risk categories like Conduct Risk, Reputation Risk, Compliance Risk (incl. Financial Crime Risk and Legal Risk) and Integrity Risk will start showing up on the regulatory/ supervisory agenda. It will likely require more than just creating new policies or implementing structural tweaks and quick fixes to avoid additional fines or penalties. Personal liability to senior management for corporate incidents may also play an ever bigger role.
On the positive side, existing risk management capabilities and processes can also be leveraged to assess and manage with emerging NFRs. The challenge is to properly define and integrate the emerging risks into the existing taxonomy and frameworks (e.g., hierarchies of risks and controls), ensuring that no duplication of effort occurs. The business model components need to be analyzed against emerging NFRs, and the risk capacity of the organization should be adjusted accordingly. Building a more integrated, robust review and assessment methodology can give confidence that the monitored risks accurately reflect the business model context.
Recently, we have seen growing regulatory/supervisory expectations that banks use structured and more integrated risk assessment methodologies. Data is key for an integrated understanding, it is the base to manage the risk and the ability to evidence to 3rd parties that the organization understands and properly manages risk in its business context. Only the ability to present that picture can avoid more direct and indirect penalties and litigation. Constant and structured collection and processing of risk data is required for management of NFR but that poses a challenge for most institutions since neither full data, technology nor integrated frameworks and techniques are yet in place. So it will necessitate medium to longer-term strategic considerations and investment to cover for the new risk type requirements, including:
- fixing data breaks and incompleteness issues,
- upgrading their technical infrastructures and software,
- streamlining and digitizing workflows but focused on patchwork addressing regulation one-by-one also
- disregarding required change in company culture.
Should NFR’s profile be elevated on the regulatory & supervisory agenda, banks will require more integrated capabilities (e.g., common taxonomy, language, division of responsibilities); it will be complex and costly for financial institutions to provide evidence of their full and appropriate organizational understanding of risk and its management. Without improved capabilities, the institution might be able to remain compliant, but the costs of compliance may eventually increase unnecessarily. The balance between regulatory needs and associated costs has to be found.
A NFR framework should address three key questions:
- Does the organizational culture and risk structures cover all risks including NFRs?
- Does the framework provide the data and transparency to understand the risk profile of the organization and does it improve the decision-making process related to risk?
- Does the framework provide complete evidence for internal and external parties that risk is properly identified and managed?
Hans Jürgen Walter
Partner | Financial Services Industry Leader (Germany)
Partner | Financial Advisory (Germany)
Director | Risk Advisory (Spain)
Director | Risk Advisory (Netherlands)