Central banks have a new challenge on their radars: the task of examining frameworks used by financial institutions to manage non-financial risks (NFRs). The need to manage NFRs on top of traditional financial risks has become more evident and pressing than ever before, especially since the global financial crisis. Why? Primarily due to a track record of losses caused by the materialization of NFRs (e.g. cyber, reputational, conduct, regulatory, technology and financial crime risks) rather than traditional financial risks.
In the near future, central banks may expect not only banks but also fintechs to demonstrate how specific risks (like NFRs) are managed by them, particularly where technology trends (such as cloud computing, AI, third-party risk/vendor management, and crypto & digital currencies) are involved. This may be the case for all financial entities, but especially for global systemically important financial institutions (G-SIFIs), other systemically important institutions as well as some listed non-financial institutions.
Why take action?
In terms of losses, the majority have arisen from imposed penalties, misconduct and/or the cost of remediation plans put in place to address these occurrences. Other key contributors are lapses in oversight and weak internal controls. Media publications with international reach have widely reported on these losses, causing many institutions to suffer worldwide reputational damage and a resulting decrease in customer trust.
Interestingly, the majority of these losses are siloed and handled without risk management professionals intervening, which seems to be a standard, industry-wide norm. Fueling this scenario of absent tried-and-tested risk management frameworks is the organization's attitude towards these types of risk; in other words, its prevalent risk culture. In addition to growing regulatory attention on NFRs, it has become clear that organizations must start to control and manage NFRs that pose an even greater threat than financial risks. For this, there needs to be a more holistic approach.
- Central banks may require banks and fintechs to demonstrate frameworks for NFR management
- Regulatory norms encompassing specific coverage of NFR taxonomy
- Organizational business strategies and risk appetite frameworks to be tweaked to adequately deal with NFRs
- The scope of management of NFRs should vary depending on the size and complexity of the organization
- NFRs would require a greater focus on what might actually happen in the future
- Make NFR management the top agenda item for CROs in 2020.
- Rearticulate NFR management within the organization's existing risk governance model (e.g. the Three Lines of Defense model).
- Recognize that implementing NFR management requires a cultural shift, and build an enhanced risk culture that is eventually captured in the organization's guiding policies for managing NFRs.
- Embed NFR management in the first line of defense across a wider group of functions, rather than leaving it to risk management or the Board of Directors alone. These functions play key roles in NFR management processes, so their involvement extends the scope of the existing risk management set-up and controls.
- Focus on scenario analysis, stress testing and prediction techniques instead of post-fact/incident analysis techniques.
- Hire skilled NFR managers with a strong understanding of the organization's business model and risk management practices.
Living in a dynamic environment means we have to study and perceive risks in an equally dynamic way to remain effective and, in some cases, even to stay afloat. Organizations may therefore need to consider both complex and simple NFRs in their business strategies. Additionally, they need to look at how these risks interact over time; in other words, to go beyond knowledge of the likelihood and severity of individual risk types. Organizations today work within constantly evolving supervisory environments where supervisory authorities already have NFRs on their roadmaps.
If institutions want to meet both organizational strategic objectives as well as supervisory requirements, they will need to ramp up their efforts to put in place enterprise-wide, well-integrated NFR management frameworks with a set taxonomy and operating model. Only then will they be able to integrate NFRs into the management of traditional financial risks within the organization.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.