Non-financial Risk Management in the Financial Industry

Aytech Pseunokov, Project Leader, Boston Consulting Group, Dubai

Jennifer Rabener, Project Leader, Boston Consulting Group, Munich

Luca Rancan, Project Leader, Boston Consulting Group, Milan

Michele Rigoni, Principal, Boston Consulting Group, Milan

Dr. Barbara Roth, Managing Director, Head Group Internal Audit, Deutsche Börse AG, Frankfurt

Dr. Christian N. Schmid., Managing Director & Partner, Boston Consulting Group, Munich

Prof. Dr. Martin Schulz, Attorney at law, Counsel, CMS Hasche Sigle, Frankfurt

Björn Stauber, M.Sc., First Vice President Compliance, KfW Bankengruppe, Frankfurt

Rei Tanaka, Managing Director & Partner, Boston Consulting Group, Tokyo

Benedetta Testino, Project Leader, Boston Consulting Group, Milan

Federico Truffelli, Deputy Head of Group Anti-Financial Crime, Group Head of AML/FS Risk Assessment, Controls and Liaison Office Support, UniCredit Group, Milan

Anita Varshney, Global Vice President, Strategy SAP S/4HANA Sustainability, SAP, Hong Kong

Valérie Villafranca, Managing Director, Group Head of ESG Transformation, Société Générale, Paris

Lora von Ploetz, LL.M. Law, LL.M. Finance, Director, Head of Global Financial Crime Unit, Commerzbank AG, Frankfurt

Daniel Wagner, Manager, BCG Platinion, Frankfurt

Dr. Carsten Wiegand, Knowledge Expert, Team Manager, Boston Consulting Group, Frankfurt

These are turbulent times for the financial industry and for society at large. Banks, insurers, asset managers and other financial services providers are subject to a profound, lasting disruption, shaping the way value is created and how people will work in the decades to come.

Climate change and the role of the financial industry in the historical transformation toward greenhouse-gas neutrality is at the top of almost every CEO’s agenda. The industry is subject to game-changing environment, social and governance regulation (ESG) and disclosure requirements and is adopting a role as a change agent to finance the climate transition. The climate agenda deeply impacts the industry’s business and risk strategies, triggering fundamental changes to the way financial and non-financial risks are managed.

Since the COVID-19 outbreak in late 2019, society has seen a whirl of lockdowns and contact restrictions. The pandemic has also impacted businesses of all shapes and sizes across a range of industries, with the 2020 global gross domestic product down almost by 3.5%. [1]The financial industry has continued to prove its social and economic relevance during the pandemic, delivering vital aid to businesses and individuals at record speed, creating new processes and systems on the fly and shifting workforces and operations to remote conditions. COVID-19 accelerated digitisation to new heights, with some senior executives painfully realising that digital is not optional but a question of making the cut.

On top, regulatory agencies are ramping up their efforts to ensure corporations obey the rules – and imposing heavy penalties on those that fail to deliver. From 2009 to 2020, global regulators handed out almost 400 billion in fines for non-compliance. [2]

To emerge stronger from these challenging times, financial institutions must succeed on many fronts, with non-financial risk management being a critical component. This holds particularly true in times of geopolitical unrest such as the conflict between Russia and the Ukraine right now. For global financial organisations with a broad product portfolio across multiple geographical regions, the management of non-financial risks is complex, and pitfalls are looming: insufficient consistency in policy standards, a divergence in the regional execution, opaque risk exposure and a fragmented IT landscape, to name just a few. The need for a bank-wide, global non-financial risk management framework has become abundantly clear.

This handbook is intended as a guide to establish a target operating model for non-financial risk management, primarily for the financial industry, and covers the entire risk management lifecycle. This includes a definition of non-financial risk, risk appetite frameworks, risk governance, top-down non-financial risk assessments, internal control frameworks, data and IT governance as well as conduct and ethics.

The editors are grateful to the contributors, who are all leading experts in non-financial risk management, compliance and ESG.

Frankfurt and Munich, February 2022

The editors Norbert Gittfried, Dr. Georg Lienke, Florian Seiferlein, Jannik Leiendecker and Dr. Bernhard Gehra

Fußnoten:

[1]IMF 2021.

[2]BCG 2021a.

Prof. Dr. Douglas Arner, Dr. Bernhard Gehra, Jannik Leiendecker, Dr. Georg Lienke

Historically, financial institutions have focused many of their risk management efforts on financial exposures directly attributed to core business activities. However, in recent times, non-financial risk (NFR) management with an emphasis on compliance and environment, social and governance (ESG) risks has moved up the policy and executive agendas, amid new regulations, a range of compliance issues (some leading to significant fines) and an increasing pressure to act as change agents in the transition towards a decarbonised economy. A robust NFR framework is indispensable in case of crises, so that necessary quick and effective reaction measures can be taken. This became unmistakably clear in the conflict between Russia and the Ukraine, with unprecedented sanctions being imposed on Russia that heavily affect the global financial industry and non-financial sectors.

This handbook analyses the major success factors for meeting the requirements of modern non-financial risk management: an institution-specific target operating model (TOM) integrating all critical components – strategy, governance, risk management, information technology and data architecture including digitisation and artificial intelligence as well as ethics. The handbook has been written by senior NFR, compliance and ESG experts from key markets in Europe, the US and Asia, and it gives practitioners the necessary guidance to master the key challenges in today’s global risk environment. Each chapter includes key regulatory requirements, major implementation challenges, practical solutions and industry examples.

Institutions face non-financial risks across a range of activities: from onboarding clients to running IT systems and carrying out daily operations. Amid a continuous flow of new risks, failures in these areas can have significant economic and reputational consequences, both for the institutions as well as their executives. Globally, compliance issues led to 394 billion in fines during the years 2011 to 2020, including 50 billion in 2018, 2019 and 2020 alone. [1]In response, financial institutions have dramatically enhanced their oversight capabilities, leading to a proliferation of risk managers, internal auditors, control specialists and compliance officers, each with their own unique backgrounds, perspectives and skill sets.

These teams of experts have tended to focus on specific areas, leading to the evolution of siloed and fragmented processes, the disjointed nature of which has itself become an operational risk. A lack of coordination has created gaps, overlaps and mismatches in the three lines of defence (3LoD) framework at most institutions. Risk functions today often produce different risk reports that apply different methodologies to analyse and quantify risk, making it difficult for executives to put risk categories into proportion and arrive at accurate implications for overall risk management. This comes on top of existing complexity: global financial organisations need to orchestrate separate product divisions, infrastructure functions (including risk management) and geographical regions, representing a range of legal entities in local jurisdictions as well as regulators and regulatory systems and requirements in multiple jurisdictions. At the same time, they need to weave in effective and efficient measures to manage non-financial risks. The challenges are significant, suggesting that a holistic, structured approach is critical.