Non-financial Risk Management in the Financial Industry


Managing environmental, social and governance (ESG) risk, compliance risk and non-financial risk (NFR) has become increasingly critical for businesses in the financial services industry. Furthermore, expectations by regulators are ever more demanding, while monetary sanctions are being scaled up. Accordingly, ESG, Compliance and NFR risk management requires sophistication in various aspects of a risk management system.
This handbook analyses a major success factor necessary for meeting the requirements of modern risk management: an institution-specific target operating model (TOM) – integrating strategy, governance & organisation, risk management, data architecture and cultural elements to ensure maximum effectiveness. Also, institutions need to master the digital transformation for their business model to be sufficiently sustainable for the years to come. This book will offer ways on how to achieve just that.
The book has been written by senior ESG, Compliance and NFR experts from key markets in Europe, the U.S. and Asia. It gives practitioners the necessary guidance to master the challenges in today's global risk environment. Each chapter covers key regulatory requirements, major implementation challenges as well as both practical solutions and examples.

Non-financial Risk Management in the Financial Industry: excerpt


The idea of Basel II was to measure the operational risk on a model basis by using loss data from operational risk loss events through one of the following three methods: the advanced measurement approach (AMA), the basic indicator approach (BIA) or the standardised approach (STA), which was mainly based on revenues over the past three years. However, the distributions used in the AMA were unable to appropriately consider extreme outliers because risk measurement and corresponding capital requirements were always based on some confidence level. In comparison with operational risk management, non-financial risk management is not only based on historical events but needs to include risk assessments that require organisations to familiarise themselves with their business models, risk appetites and the risks themselves. This means that financial risks are the original risks while non-financial risks are second-order effects of the original risks. And while financial risks can be measured, it is still a challenge to measure non-financial risks.

In parallel with the BCBS developments, the history of non-financial risk was shaped by six waves that triggered the development of the respective risks (Figure 1).

Figure 1: Development of non-financial risk


The first wave relates to the topic of conduct and mis-selling. As a result of the mis-selling scandals of the 1990s and early 2000s, including the dotcom bubble, and parallel to the development of Basel II, the European Markets in Financial Instruments Directive, also known as MiFID, was introduced in 2004 and has been applied since 2007. Its objective, amongst other things, was to set out the conduct of business and regulatory reporting to avoid market abuse. [14]

The second wave relates to financial crime risks. An understanding was gained that many compliance-related incidents included white-collar crimes. According to the US Federal Bureau of Investigation, white-collar crime refers to the full range of frauds committed by business and government professionals and is independent of the application or threat of physical force or violence. [15] In addition, it was noticed that retail customers were also involved in crimes, for example by committing tax evasion.

The third wave relates to the growing interest in data privacy that was triggered by the expanding use of data and online technology, including online banking. As early as 1992, the European Union published the European data protection directive, which came into force in 1995. It aimed to protect individuals with regard to the processing of personal data and the free movement of such data. [16] More than ten years later, in 2011, the European Union issued an opinion on a comprehensive approach on personal data protection. [17] This resulted in the European Union regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data in 2016, commonly referred to as the General Data Protection Regulation (GDPR), which has been in effect since 2018. [18] Other jurisdictions have adopted this regulation under other names and in other forms, such as the California Consumer Privacy Act (CCPA), introduced in 2018 to enhance privacy rights and consumer protection. [19]

The fourth wave relates to information, communication and technology (ICT) as well as cybersecurity risks. With the growing relevance of technology, these risks have gained in importance and a necessity for the position of a chief information security officer (CISO) arose. Therefore, the EBA reacted in 2019 by issuing the guidelines on ICT and security risk management that were enforced in 2020, [20] and, in 2021, by launching, with Europol’s European Cybercrime Centre, a campaign called Cyber Scams 2.0 to spread public awareness of cybercrimes. [21]

The fifth wave relates to operational resilience and outsourcing/vendor risks. Along with increased technological risks, the need for the overall stability of financial institutions and the financial system triggered a regulatory push towards operational resilience. This was spearheaded by the UK regulatory authorities’ policies both on operational resilience as well as on outsourcing and third-party risk management (published in 2019 and enforced since 2021). [22], [23] The BCBS followed by publishing its principles for operational resilience in 2021. [24] The disintermediation of the value chain, driven by technological developments, led to a higher importance of the understanding of both supply and process chains as well as knowing third parties such as vendors and contractors.

The sixth wave relates to environmental, social and governance (ESG) as well as general strategic risks. ESG is not perceived as a singular risk type of the risk taxonomy but is rather included in overall strategic risks. It influences, or materialises in, other risk types. The environmental element is found in supply chain management and the well-established know-your-supplier process. By contrast, the social element is generally associated with human resources and led to the introduction of anti-discrimination laws and quotas. With the increasing importance of the good citizenship model, an ethical change has taken place, and the public has developed higher expectations for moral behaviour in organisations. As such, ESG risks are clearly embedded in strategy discussions and form a part of the strategic risk faced by financial institutions and all other organisations.

2.2.2 Existing non-financial risk specifications by key global and regional regulators and associations

The term non-financial risk is not yet commonly used by regulators. While there are definitions for individual risk types, such as operational risk or AML risks, even with a somewhat widespread base, no catalogue of risk types has been summarised under non-financial risks by regulators. Thus, no clear regulatory definition of non-financial risk has been established.

On a global level, BCBS does not provide a definition of non-financial risk. The Basel Committee has, however, updated the principles for the sound management of operational risk and published a linked paper on operational resilience in March 2021. As with Basel, regulators more frequently advise on operational risk management and in part reference some of the non-financial risk types within those policies.

In Europe, Banco de España mentions certain examples of non-financial risks, such as misconduct, non-compliance, IT, reputational, cybersecurity or operational challenges. The basis for the delineation against financial risks is that the mentioned non-financial risks are not linked directly to financial decisions and have nothing but a downside. Also, according to Banco de España, a further defining element of non-financial risk is that it is hard to quantify precisely. Finally, there is a reference to operational risk as the specific part of the Basel Accord included a capital charge for these types of risk. [25] The ECB annually publishes a report on the outcome of the Supervisory Review Process (SREP) IT Risk questionnaire, which specifically deals with findings and weaknesses of IT-related risks. [26]

US regulators do not explicitly provide a definition of non-financial risk. However, in its November 2019 Supervision and Regulation report, the Federal Reserve Board (FED) gives examples of risk-management weaknesses for US banks with less-than-satisfactory supervisory ratings. These examples include compliance, internal controls, model risk management, operational risk management and/or data as well as information technology infrastructure. Further weaknesses mentioned concern the Bank Secrecy Act (BSA) and anti-money laundering (AML) programmes. [27]
