LISTEN TO AUDIO VERSION:
Non-financial risks – risks with continuously increasing significance
In recent years, the media have reported increasingly high losses incurred by the institutions, which have also had a negative impact on their reputation. These losses result from fines imposed by supervisory and other authorities as well as legal costs due to faulty contracts or the bank’s treatment of their customers – reflecting the increased pressure on bank advisors to sell products.
Institutions cannot allocate these losses to the traditional financial risks, such as credit, market price or liquidity risks; instead, they fall into the risk category of non-financial risks (NFR). As mentioned above, NFR also comprise risks explicitly excluded from the supervisory definition of operational risks, such as strategic or reputational risk.
In the past, thanks to the option of using an internal quantification model, operational risk management focused on modeling and managing the data basis, such as loss events and risk assessments. Consequently, the primary objective was compliance with regulatory requirements. Active and therefore proactive NFR management, on the other hand, was not the institutions’ focus.
Furthermore, the institutions’ NFR profile is undergoing constant change, which further increases the need for appropriate and comprehensive NFR management. At present, they mainly achieve this through digitalization and automation of processes, which will result in fewer manual processing errors in the future but will increase the risks posed by cyber attacks or data theft.
Concretization of regulatory requirements leads to a more granular view of NFR
Due to inadequate risk monitoring, which frequently led to the large losses in the past, regulators have also recognized the need to specify and expand the regulatory requirements.
In particular the EBA Internal Governance Guidelines, which were revised in 2017, reflect the supervisory expectation for transparency of non-financial risks by enumerating the main NFR. In addition to financial risks, non-financial risks, including ”operational, IT, reputational, legal, conduct, compliance and strategic risks” (paragraph 136) must be adequately addressed in the risk management framework. This increased importance is also reflected in the current amendment to MaRisk, which in section BTR 4 requires operational risks to be integrated e.g. with compliance, information security, the adjustment processes in accordance with AT 8 and 9, and the internal control system.
Get analyses, articles, interviews and news about trends & innovation in banking right to your inbox every two weeks.
The multitude of non-financial risks poses growing challenges for institutions
The wide range of NFR causes the complexity in managing those risks that can currently be observed on the market, as well as the associated challenges of consistent and redundancy-free identification, assessment, management and reporting in an NFR framework. This specifically relates to the following aspects:
- Decentralized responsibility for NFR management means having to orchestrate a multitude of stakeholders who report to different board members.
- There is no clear and unambiguous definition of roles and responsibilities for NFR management.
- Institutions have established numerous risk assessments to identify and assess risks from the NFR universe, each using their own methodologies and metrics, e.g., protection need analysis or outsourcing risk analysis.
- NFR management is considered a backward-looking and regulatory effort devoid of added value.
The challenges outlined above cause high resource expenditures both in the decentralized areas and in centralized NFR management. As a consequence, the information received from the decentralized units cannot easily be aggregated into an NFR profile and reported to the relevant bodies as a whole.
A consistent response to the challenges described above is necessary in order to establish effective NFR management within the institution, which is both accepted by the decentralized units and meets the requirements of consistent reporting to the management.
A harmonized framework increases the effectiveness of NFR management
Components of an NFR framework include a clear definition and delineation of non-financial risks, the establishment of methods for managing NFR, and responsibilities with the aim of speaking a “common language”. This provides an overarching NFR profile that can be reported consistently, while identifying synergies between NFR, and lowering costs. In the long term, proactive NFR management can also reduce capital requirements. In our opinion, the essential core elements for an overarching and structured NFR management comprise:
- Definition of a comprehensive NFR taxonomy and of responsibilities
- Interlinking of risk assessments
- Consistent NFR reporting
These elements support the establishment of a three-lines-of-defense model for non-financial risks, which entails installing a central NFR unit that monitors both the decentralized areas, where NFR arise, and the methods used by NFR control units (e.g., compliance).
1. Definition of a comprehensive NFR taxonomy and of responsibilities
The starting point for integrated NFR management is a common understanding of the relevant NFR according to the business model. The supervisory authority expects that, in addition to defining NFR and operational risks as material risk types, the risk inventory should also identify and analyze the materiality of institution-specific non-financial risks, such as process, fraud, reputational and business risks.
These NFR must be defined accordingly and delineated from one another without overlap. Especially in the area of NFR, delineation is a key success factor in order to avoid redundancies in assessment and to clearly define the respective areas responsible for NFR management.
2. Interlinking risk assessments
Based on the NFR taxonomy, the next step is to identify and assess the NFR. For this purpose, institutions generally apply a range of risk assessment measures using various methods and metrics. In addition, they have appointed a number of decentralized officers, such as OpRisk, ICS, BCM and compliance officers, who act as the primary contacts for the risk assessments.
These officers, however, perform risk assessments at different times and using different methods, yet address similar issues. The trend in the number of risk assessments in institutions is increasing, as the proven instrument of a risk assessment is also used for ESG risks and reputational risks, for example. The implementation of risk assessments and the identification and meaningful integration of the decentralized officers in the divisions are key milestones on the way to tapping streamlining potential through integrated NFR management.
In order to reach the goal of method integration, the metrics for risk assessment must be considered in addition to the assessment methodology (e.g., gross vs. net risk assessment, extreme vs. normal case assessment). Not all non-financial risks (e.g., reputational or IT risks) can be expressed in financial terms and therefore require specified surrogate metrics.
Since some of the risk assessments for NFR that we encounter in the institutions are mandatory under supervisory law and have to be performed on a certain annual cycle, e.g., for new products or outsourcing, using these risk assessments as a source of inspiration for the NFR assessment or for downstream validation of the results by the central NFR unit generates the greatest added value.
3. Consistent NFR reporting
The currently existing silo-based assessment of non-financial risks along with the different reporting requirements of the respective responsible board members leads to a heterogeneous and partly inconsistent reporting of the NFR profile.
The central NFR unit should develop an overarching NFR report that covers the main NFR components and presents, among others, loss events that have occurred and the results of the NFR risk assessment with the derived management measures in summary form. A detailed view of the individual NFR remains with the responsible decentralized unit. In order to also leverage synergies in this regard, it is recommended to coordinate the reports on the NFR profile in terms of report content, recipients, and reporting frequency.
Critical success factors for effective NFR management
A prerequisite for integrated NFR management is a complete and uniform NFR taxonomy, which is defined on an institution-specific level based on the business model. At the same time, it is essential to define clear responsibilities for NFR management. The institution achieves the greatest efficiencies in all areas by interlinking the large number of decentralized and topic-specific NFR risk assessments. In this context, consistent methods and metrics, as well as scheduling risk assessments over time, are key to success.
The most critical success factors for implementing a target picture for effective management of non-financial risks are:
- a mutual understanding of the methods used to date to manage NFR,
- the willingness and readiness to change, especially with regard to the acceptance of newly defined responsibilities and methods
- the willingness to accept the results from the integrated risk assessment for NFR and to use them for management purposes,
- due to the overarching effects and the large number of areas involved in NFR management, the “tone from the top” is crucial for success
Conclusion on the management of non-financial risks
Owing to the large number of areas involved, NFR management is a complex and constantly evolving process. Currently, this is carried out in silo structures rather than coordinated by a central NFR unit with the corresponding responsibilities.
Increased regulatory requirements paved the way for the integration of NFR. The institutions, however, currently face the challenge of reporting on the institution-specific NFR profile in a comprehensive and consistent manner. In the long term, this active NFR management will lead to a reduction in risks and costs. An NFR framework based on a comprehensive NFR taxonomy with clearly defined responsibilities, interlinked risk assessments and consistent reporting serve as the foundation for these measures.