Non-financial Risk Management in the Financial Industry

To continue to thrive in an increasingly challenging risk environment, financial institutions need to develop a sophisticated approach to non-financial risk management. This can be done by establishing an institution-specific non-financial risk TOM, which will subsequently allow for a proper definition of risks, creating an integrated view of the 3LoD and building an effective internal control system – informing a sensible executive decision-making that can prevent inevitable risks getting out of control.

This handbook outlines the key ingredients of a non-financial risk TOM for financial institutions. The book sections follow a consistent structure: chapters start with an individual introduction to the topic at hand, followed by a summary of key regulatory expectations across the EU, the US and Asia. Each chapter assesses operational challenges and complexities, and it delivers approaches to define solutions based on industry success factors. Chapters are augmented by practical, hands-on examples from seasoned practitioners. They conclude with the summaries of key takeaways.

Risks are inherent to every business model, so that a zero-risk tolerance approach is in fact counter-intuitive. Historically, financial institutions have focused their attention on financial risks, including credit risk, market risk, liquidity risk and funding risks, aggregating the remainder under a category most often labelled as operational risk. Recently, non-financial risks have evolved as an independent category for risk management, allowing for a more tailored approach to management of individual non-financial risks. Chapter 2 provides a general definition of non-financial risk, delineates non-financial risk from financial risk, and provides definitions for categories and types of non-financial risk for financial institutions.

Following the definition of non-financial risk, chapter 3 provides a holistic approach to defining a non-financial risk appetite framework for financial institutions across three levels. This includes qualitative risk appetite statements for individual non-financial risk categories, outlining the level and types of risk that the financial institution is willing to take on in order to achieve its strategic objectives and business plan (level 1). Qualitative risk appetite statements are broken down into risk appetite metrics and corresponding thresholds, enabling institutions to set quantifiable tolerance levels for non-financial risk and underlying operational activities (level 2). Level 3 cascades the risk appetite framework to business lines and entity levels via pre-defined key risk indicators, facilitating the early detection of potential deviations from risk appetite objectives and potentially triggering timely interventions. The chapter also draws an outline of the corresponding governance that is required to operate a risk appetite framework.

Three chapters outline the governance and organisational structures required for sustainable non-financial risk management, standing on three major pillars. The three lines of defence (LoD) model ( chapter 4 ) defines the roles and responsibilities of the first LoD (front, middle and back office), the second LoD (risk control functions) and the third LoD (internal audit). The chapter focuses on the independence of second-LoD control functions and describes the concept of risk coordinating functions in the first LoD as a regulatory competence centre, coordination unit and interface to the second LoD.

‘Global functional lead’ ( chapter 5 ) stands for a combination of strategic, governance and risk management elements defined by an institution that aim to enable a consistent execution of risk management activities across complex organisations. It comprises the central setting of global risk management standards by horizontal risk management functions and their execution by vertical product- or region-focused functions, with direct or indirect reporting lines into horizontal functions. A policy and procedure framework ( chapter 6 ) intends to ensure that standards are met in the execution of an institution’s business and operational activities. It builds a structural policy hierarchy, allocating the financial institution’s documents including board directives, policies and procedures to different hierarchical levels. It structures them by risk types, business segments and relevant geographies.

Three chapters describe the most essential components of a financial institution’s non-financial risk management lifecycle.

Sophisticated institutions apply a top-down approach to non-financial risk assessment, using risk-type agnostic criteria to evaluate their exposure to non-financial risks and derive the proper implications for bank-wide risk management. Chapter 7 elaborates on the methodology for a top-down non-financial risk assessment.

A key element of effective risk mitigation is the underlying internal control framework. Controls can take a variety of forms, ranging from automated/manual process controls to the conduct of training sessions and the definition of internal policies and requirements. A comprehensive internal control framework needs to combine a top-down approach (focusing on controls addressing the most relevant risk types) with a bottom-up approach (whereby individual risks and controls are identified based on a detailed review of the underlying processes). Chapter 7 comprises a deep dive on the top-down approach for the creation of an internal control framework.

Financial institutions are confronted with non-financial risks that are increasing both in number and severity, and they face non-financial risk exposure in almost every area of activity. In many institutions, this has resulted in a heterogenous reporting landscape for non-financial risks, with a variety of bottom-up, risk-specific reports from different functions and often diverging criteria for the measurement of risk. Hence, financial institutions are in an ever-stronger need of an overall non-financial risk reporting approach, spanning across risk types and consolidating the measurement of risk and the adequacy assessment of risk-mitigating controls. Only such a top-down report can give executive management the fact base and insights necessary to steer an institution effectively. Chapter 8 describes an approach to risk-agnostic non-financial risk reporting.

Chapter 9 is a deep dive into investigation capabilities, combined with root cause analysis. Alongside the on-going harmonisation of European corporate law, individual jurisdictions are increasingly requesting the strengthening of investigative capabilities to better understand root causes of corporate misconduct. This includes the establishment of risk oversight and reporting capabilities, the establishment of a dedicated organisational unit as well as of processes and methods, alongside communication with stakeholders. Particular emphasis is put on the root cause analysis to determine the underlying reasons for misconduct. These insights are then used to identify corresponding lessons learned.

Today, excellent non-financial risk management is heavily supported by an adequate data and IT architecture. Chapter 10 starts with an outline of the associated challenges, ranging from heterogeneous (and partially unavailable) non-financial risk data and fragmented responsibilities to partially-integrated IT applications. These challenges can be addressed by defining a comprehensive strategy, creating full transparency of the IT architecture and aligning with the required data architecture. This can subsequently be translated into a short- and long-term roadmap towards a more public cloud-based or on-premises data platform.