Whereas the management of certain non-financial risks such as fraud risk or outsourcing risk is already established quite well and follows a standardised process, emerging risks such as conduct risk and sustainability risk require more attention. In addition, well-established risks like ICT risk need to be monitored closely as new sub-risks occur from increasing digitisation and automation. Therefore, it is important to review risk types periodically in a holistic manner and to assess their inherent and residual risk in order to see if they still match the organisation’s business model and risk appetite. Given the nature of non-financial risk, its measurement remains a challenge. Therefore, financial institutions need to develop robust methodologies for a more quantitative risk assessment of non-financial risks.
3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks
Federico Truffelli, Dr. Ulrich Göres, Lorenzo Fantini, Michele Rigoni, Luca Rancan
3.1 Introduction
3.1.1 Regulatory requirements
A risk appetite framework (RAF) sets the maximum level of risk an institution is willing to accept in pursuit of its business plan and long-term strategic objectives, taking into account stakeholders' interests and risk-specific regulatory requirements. The concept of risk appetite has evolved over the past ten years, reaching maturity not only through new regulatory standards but also through the continuous hands-on efforts and tuning of financial institutions.
In 2009, the Senior Supervisors Group (SSG) under the Financial Stability Board (FSB) carried out an in-depth analysis of major failures and structural weaknesses in financial services' governance, risk management and internal control systems, which were then identified as partial causes of the financial and banking crisis of 2008. [1] The analysis highlighted a significant disparity between the FSB's perception of risk management and appetite and the actual performance of financial institutions. The FSB underlined the need for comprehensive and clear risk information, along with competences that allow for proper risk oversight among board members and senior management, a message reinforced in recent years. [2]
Supervisory authorities called for a more structured, quantifiable and factual approach to the definition of risk appetite and management. In 2010, the SSG followed up on its findings and observed a general improvement in the identification of measurable indicators and in communication efforts towards (and from) senior management. However, such approaches were not yet fully consolidated within financial institutions. [3]
In 2013, the FSB helped push the risk appetite framework further by collecting and rationalising lessons learnt and best practice observed among market players. [4] The FSB also contributed to the consolidation of key terminology and concepts, setting the minimum requirements in terms of:
clear expression and identification of risk appetite and related limits, providing relevant vocabulary as well as guidelines to ensure significance and soundness;
governance of risk appetite frameworks, clarifying expectations concerning roles and responsibilities of different actors within an institution.
In the ensuing years, market players have embedded such concepts and guidelines and have further evolved the metrics and indicators in their RAFs. Such refinement first focused on financial risks, the real culprits of the 2008 crisis. In the past five years, however, increased attention has been devoted to non-financial risks (NFR). The European Central Bank (ECB) gave a boost to the RAF evolution for NFR, paving the way for the inclusion of non-financial risks as a measure of sound risk management in its 2016 Supervisory Review and Evaluation Process guidance. [5] It stated that "Material non-financial risks (in particular compliance risk, reputational risk, IT risk, legal risk and conduct risk) are expected to be included more explicitly in the RAF, if not with quantitative proxies, at least with qualitative statements." [6]