To offer products and services, financial institutions need business operations. These include headquarters and branch operations, which rely on physical assets such as buildings, rented premises and vaults. These physical assets are complemented by IT infrastructure, comprising both hardware and software.
Overall, there are five sources of potential operational risks or operational risk events. [2] These are people, processes, systems, external events and legal risks. All these components of the business and operating models give rise to a wide range of potential risks, which need to be identified, measured and managed. In managing these risks, banks must balance the expected return from risk-related activities against the loss these activities would cause if the risks materialised, as well as the costs of their management or mitigation. According to the Basel Committee, an effective operational risk management system and a robust level of operational resilience work together to reduce the frequency and impact of operational risk events. [3]
Financial business inherently includes numerous risk types, so complete risk avoidance in the sense of a “zero risk tolerance” is impossible. Risk taking and the management of risks are an integral part of the business. When providing loans to customers, financial institutions take on credit risk. As the value of assets, such as securities, depends on underlying market parameters such as interest rates, commodity prices or share prices, they are also exposed to market risk. Another core element of banking is taking deposits to fund loans; managing the resulting cash inflows and outflows from assets and liabilities gives rise to liquidity risk.
There are generally five basic management approaches to treating risks [4]: acceptance, avoidance, mitigation, sharing and transfer. Risk avoidance aims at fully evading the risk. This can mean that certain business activities need to be stopped or not performed, or that processes need to be designed so that the particular risk does not arise. For example, if a bank wants to avoid any risk from outsourcing part of its value chain, the entire process needs to be performed in-house. If currency risk is to be avoided for certain currencies, those currencies cannot be used for trading, lending or payment services.
Risk mitigation describes the process of taking actions to reduce the possible loss event frequency or the possible impact of loss events. It is central to the mitigation strategy that an effective control environment is established, with preventive as well as detective controls. An internal control environment is an essential part of all risk management processes, and almost all regulators require financial institutions to have one. The European Banking Authority (EBA) publishes detailed guidelines on internal control frameworks in Title V of its guidelines on internal governance. [5]
Where internal controls do not adequately address a risk and accepting it is not a reasonable option, management can also share or transfer the risk to another party, for example by way of insurance products. [6] However, the Basel Committee points out that risk transfer is an imperfect substitute for sound controls and risk management programmes; banks should therefore view it as a complementary strategy rather than a replacement for thorough internal operational risk controls. [7]
Risk acceptance means that the risk is accepted without taking any specific measures. This can be the case when a certain risk type is deemed non-material for the financial institution. An indicator for this could be that the expected loss would be less than the cost of the management activities needed to mitigate the risk. [8] In addition, this strategy is also applied in the assessment of residual risk, i.e. the risk exposure that remains after controls have been taken into account. [9]
The choice of the approach for any particular risk type depends on the individual bank’s business model, i.e. its products, services, processes, people, transaction channels as well as physical and IT infrastructure. It further depends on the bank management’s risk strategy and risk appetite, as well as on the relevance of the risk type in this combination. The general approach to risk management stated in the risk strategy is detailed in the risk appetite statement, which elaborates on the types and amounts of risk a financial institution is willing to take. For more details on risk appetite, especially from a non-financial risk perspective, please refer to chapter 3.
The practices of risk management vary depending on the size and complexity of business models and operations. However, a general approach to risk management always contains four core steps for each identified risk type. The first step is the determination, description and measurement of the inherent risk of the particular risk type. Inherent risk is defined as the amount of that type of risk without any mitigating measures or control processes. In a second step, based on this inherent risk, potential mitigating measures are assessed. These measures can take different forms, one of which is the use of internal controls for the risk type in question. Controls built into the processes related to the specific risk type can reduce both the probability of a risk event and its impact should it occur. Examples of such controls are the four-eyes principle or user access management. In a third step, the residual risk, i.e. whatever remains after all mitigating measures and controls have been applied, needs to be managed. Lastly, all of these steps need to be documented and reported to management, at least at an aggregated level.
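The two controls named above, the four-eyes principle and user access management, are easiest to understand as code. The following is an added example, not taken from the original text or from any bank's systems: a preventive control that releases a payment only after enough distinct, entitled approvers have signed off (and never the initiator), followed by a detective control that replays a release log to find approvals that should not have happened. The user names, roles, the 10,000 threshold and the log entries are constructed assumptions for illustration.

```python
"""Four-eyes (dual-control) release of payments: a preventive control with
separation of duties, plus a detective control that replays the approval log.
Added example; thresholds, roles and log lines are constructed for illustration."""
from dataclasses import dataclass, field

# Assumed: amounts at or above this need two distinct approvers (four eyes);
# smaller ones need one. A real bank derives this from its risk appetite.
FOUR_EYES_THRESHOLD = 10_000.0

# Assumed user access management: who holds the approval entitlement.
ROLES = {"alice": "payments_officer", "bob": "payments_officer",
         "carol": "payments_officer", "dave": "auditor"}


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


@dataclass
class PaymentRequest:
    request_id: str
    amount: float
    initiator: str
    approvals: list = field(default_factory=list)
    released: bool = False


def required_approvals(amount: float) -> int:
    return 2 if amount >= FOUR_EYES_THRESHOLD else 1


def check_approval(req: PaymentRequest, approver: str):
    """Return the reason an approval must be refused, or None if it may proceed."""
    if req.released:
        return "request already released"
    if ROLES.get(approver) != "payments_officer":      # user access management
        return "approver lacks the payments_officer entitlement"
    if approver == req.initiator:                      # separation of duties
        return "initiator may not approve own request"
    if approver in req.approvals:                      # distinct pairs of eyes
        return "approver already approved this request"
    return None


def approve(req: PaymentRequest, approver: str) -> bool:
    """Preventive control: record an approval; release once enough distinct approvers signed off."""
    reason = check_approval(req, approver)
    if reason is not None:
        raise ControlViolation(f"{req.request_id}: {reason}")
    req.approvals.append(approver)
    if len(req.approvals) >= required_approvals(req.amount):
        req.released = True
    return req.released


@dataclass(frozen=True)
class ReleaseRecord:
    """One line of the (constructed) release log: what was paid and who approved it."""
    request_id: str
    amount: float
    initiator: str
    approvers: tuple


def audit_releases(records):
    """Detective control: flag released payments whose approval trail would not have passed check_approval."""
    findings = []
    for rec in records:
        distinct = set(rec.approvers)
        if rec.initiator in distinct:
            findings.append((rec.request_id, "initiator approved own request"))
        elif any(ROLES.get(a) != "payments_officer" for a in distinct):
            findings.append((rec.request_id, "approval by unentitled user"))
        elif len(distinct) < required_approvals(rec.amount):
            findings.append((rec.request_id, "too few distinct approvers"))
    return findings


# Constructed log lines, not real data.
SAMPLE_LOG = [
    ReleaseRecord("P-1", 25_000.0, "alice", ("bob", "carol")),   # compliant
    ReleaseRecord("P-2", 25_000.0, "alice", ("bob", "bob")),     # same person twice
    ReleaseRecord("P-3", 25_000.0, "alice", ("alice", "bob")),   # self-approval
    ReleaseRecord("P-4", 500.0, "alice", ("bob",)),              # below threshold, one approver suffices
    ReleaseRecord("P-5", 12_000.0, "bob", ("carol", "dave")),    # auditor has no approval entitlement
]


if __name__ == "__main__":
    req = PaymentRequest("P-9", 25_000.0, "alice")
    print(approve(req, "bob"))     # False: one approval recorded, two needed
    print(approve(req, "carol"))   # True: released
    for finding in audit_releases(SAMPLE_LOG):
        print(*finding)
```

The preventive and detective halves deliberately share `required_approvals` and `ROLES`: if the release path is ever bypassed (a manual database fix, a legacy channel), the audit still reconstructs what the control should have enforced, which is what makes it a genuinely independent second line rather than a re-run of the first.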
2.2 History of non-financial risk and specifications by key regulators
Definitions of different types and clusters of risk are in use in financial institutions across the globe. Some of the risk types are standardised, with clear definitions by regulators; other risk types are not always clearly defined. The understanding and research of risks, root causes and effects gradually evolve. Laws, regulations and regulating authorities integrate, extend and adjust this knowledge, mostly driven by events and scandals. Therefore, we will take a look at the history of the development of non-financial risk here, and analyse commonalities and differences in regulatory definitions of risk types – with a focus on definitions around non-financial risks.
2.2.1 A short history of non-financial risk
Looking at the history of the development of non-financial risk, the starting point is perceived by many as the development of operational risk. In 1997, the Basel Committee on Banking Supervision (BCBS or Basel) issued a paper that set out 25 core principles for effective banking supervision. [10] Operational risk was cited as one of the key risks faced by financial institutions and was defined “as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.” [11]
Two years later, BCBS issued a proposal for a new capital adequacy framework to replace Basel I, the capital measurement system launched in 1988. [12] Following the publication of the first round of proposals in 1999, the revised framework for capital measurement and capital standards, called Basel II, was endorsed in 2004. As part of the framework, operational risk, along with credit risk and market risk, was named as a risk type for capital requirements calculations. The scope of the definition of operational risk was laid out in seven loss event types: (1) internal fraud, (2) external fraud, (3) employment practices and workplace safety, (4) clients, products and business practices, (5) damage to physical assets, (6) business disruption and system failures, and (7) execution, delivery and process management. [13]