Non-Financial Risk— Moving Away From Traditional Risk Silos

Central banks have a new challenge on their radars: the task of examining frameworks used by financial institutions to manage non-financial risks (NFRs). The need to manage NFRs on top of traditional financial risks has become more evident and pressing than ever before, especially since the global financial crisis. Why? Primarily due to a track record of losses caused by the materialization of NFRs (e.g. cyber, reputational, conduct, regulatory, technology and financial crime risks) rather than traditional financial risks.

Who's affected?

In the near future, central banks may expect not only banks but also fintechs to demonstrate how specific risks (like NFRs) are managed by them, particularly where technology trends (such as cloud computing, AI, third-party risk/vendor management, and crypto & digital currencies) are involved. This may be the case for all financial entities, but especially for global systemically important financial institutions (G-SIFIs), other systemically important institutions as well as some listed non-financial institutions.

Why take action?

In terms of losses, a majority have largely arisen from imposed penalties, misconduct and/or the cost of remediation plans to manage these occurrences. Other key contributors are lapses in oversight and weak internal controls. Media publications with international reach have widely reported on these losses, which has caused many institutions to suffer worldwide reputational damage resulting in a decrease in customer trust.

Interestingly, the majority of these losses are siloed and handled without risk management professionals intervening, which seems to be a standard, industry-wide norm. Fueling this scenario of absent tried-and-tested risk management frameworks is the organization's attitude towards these types of risk; in other words, its prevalent risk culture. In addition to growing regulatory attention on NFRs, it has become clear that organizations must start to control and manage NFRs that pose an even greater threat than financial risks. For this, there needs to be a more holistic approach.

What's ahead?

Central banks may require banks and fintechs to demonstrate frameworks for NFR management Regulatory norms encompassing specific coverage of NFR taxonomy Organizational business strategies and risk appetite frameworks to be tweaked to adequately deal with NFRs The scope of management of NFRs should vary depending on the size and complexity of the organization...