Non Financial Risk

In addition to the traditional "financial risks", such as credit, market or liquidity risk, the so-called non-financial risks (NFR) are becoming increasingly important in financial services companies. These also include risks explicitly excluded from the regulatory definition of operational risks, such as strategic risks or reputational risks.

The management of non-financial risks has never been so crucial to the success of a company. Since the global financial crisis, financial institutions have seen not only an unprecedented expansion of financial market regulation, but also the emergence of new risks, such as those resulting from cyberattacks. COVID-19 was also an operational risk event with many different implications for companies' business operations. In response, NFRs have become a key focus area for financial institutions, with some banks allocating more than 50% of their economic capital to this risk portfolio.

The RiskNET editorial team held a roundtable discussion with profound NFR experts. Marion Bürgers (COO & Head of Business Management, Governance & Reporting of the Compliance Division, HSBC Germany), Sebastian Fritz-Morgenthal (Executive Vice President & Head of Global Risk, Bain & Company), Marcus Haas (Advisor for Banking Supervision, Deutsche Bundesbank), Claudia Meyer (former Global Head of Operational and Reputational Risk Management, Allianz Group), and Christoph Reitze (Managing Director Non-Financial Risk, Aareal Bank) took part in the discussion. The questions were asked by Frank Romeike (Managing Partner and Editor-in-Chief of RiskNET) and Thomas Kaiser (Professor at Goethe University Frankfurt and Professor Kaiser Risk Management Consulting). All participants are authors of the book edited by Thomas Kaiser "Non-Financial Risk Management: Emerging stronger after COVID-19", Risk Books, London 2021. 

RiskNET: How well were banks prepared for the COVID-19 pandemic through their non-financial risk frameworks? What worked well, what not so well?

Claudia Meyer: Our contingency plans had already taken into account pandemics or the unavailability of employees as well as the unavailability of business premises. The typical contingency plan for a pandemic was working from home for so-called key personnel, but not for every employee and not simultaneously worldwide for all offices as well as for internal and external service providers. In order to implement home office for all employees, additional software (for example VPN tokens) and hardware (laptops and other hardware for service companies in the offshore areas) had to be purchased for the employees at home, as well as additional licences for video and telephone conferences. Of course, this took a few weeks before the home office quota could rise to over 90 per cent. Through very close cooperation with the service companies, especially the IT service companies, processes and contingency plans were coordinated. Daily status calls helped solve problems very quickly and efficiently so that the customer were impacted as little as possible. Task force groups, led by HR and crisis management, were formed to take care of the health of the employees, such as procurement of protective suits, masks, elaboration of hygiene concepts as well as the management of office utilisation up to and including rebuilding.

Marion Bürgers: Due to the strict regulatory requirements alone, banks were extremely well prepared for a pandemic - in contrast to other sectors, for example. The high standards in the area of IT and business continuity management, for example, also helped. This meant that disaster recovery sites that had been tested for years could now be used and not just paid for. The possibilities for mobile working already practised in many areas of the banks did not have to be created completely from scratch, but "only" expanded and stabilised. The BaFin also provided support by reacting quickly, for example, with regard to the regulations on the conduct of trading business.

Christoph Reitze: The COVID-19 pandemic was certainly a real stress test for established NFR systems. And not so much in their perhaps often more "regulatory" driven reporting and method (consistency) role, but rather in the economically at least equally important coordination role and as a governance model. The NFR systems always functioned well in those cases where comprehensively informed reactions and decisions were possible at short notice. This often required different functions and areas to work closely together, which in turn requires a common language and a clear understanding of roles in the team.

Sebastian Fritz-Morgenthal: Work from Home versus Work from Office or Team A / Team B worked very well, depending on the infrastructure our people had at home. Teams that had already worked together in the office for many years were also able to do this very well virtually.

On the other hand, onboarding new colleagues was difficult. And we had to extremely overinvest and also quickly bring these people back into the office after the first openings and de facto "onboard" them again.

RiskNET: Did COVID-19 contribute to changing the perception of the importance of NFR? How specifically?

Christoph Reitze: NFR often acted as a coordinator between the various stakeholders. This coordinating role often worked particularly well where issues had already been assessed jointly in the past, i. e. where there was a common understanding. This value of "wargaming" or - less hip - "scenario analysis" is certainly one of the central "lessons learned" for NFR management after COVID-19.

Sebastian Fritz-Morgenthal: The organisation has learned that you can't prepare for everything, but you should prepare better for some things. The value of appropriate training and exercises has increased massively. We have gained significant acceptance in the First Line with our questions, requirements and scenarios since the outbreak of the Corona crisis.

Marion Bürgers: In the past, a pandemic was a simulation game as part of an annual business continuity exercise. However, it was often based on swine or bird flu, but very few people probably expected the whole world to be affected for such a long period of time. It therefore remains to be hoped that the situation and how it is dealt with will not be forgotten so quickly for the acceptance and importance of NFR as it shows that even a supposedly "low frequency / high impact" scenario can actually occur. It should provide food for thought and be recalled again and again when precisely such probabilities are discussed again in risk assessments.   

Claudia Meyer: In my opinion, COVID-19 has not necessarily contributed to changing the perception and importance of NFR. COVID-19 has led to the 1st and 2nd line functions working together in a more integrated and holistic way in the sense of a wholistic company approach to serve all stakeholder groups (especially customers, employees and supervision). A joint focus on core value chain processes and their prioritisation helped in the timely execution of emergency measures and customer processes as well as in the optimisation of emergency plans in general.

RiskNET: What role did risk culture and other behavioural risk management factors play in managing the pandemic? What remains of it?

Marion Bürgers: Communication, taking responsibility, making decisions are core components of Behavioural Risk Management and integral parts of a reasonable risk culture. Not only in banks, of course. Some banks have already recognised this and set up their own departments for this purpose. This is not (yet) a regulatory requirement, so one can assume that these areas are really wanted to improve the risk culture and risk awareness. If one divides the term into its essential components, it quickly becomes clear that NFR is primarily characterised by the behaviour of each individual in the organisation, i. e. the handling of risks and its management. This includes above all the topic of leadership, because in times of virtual working environments it has become clear that behind many risks there are above all people who need the basic ingredients for which Behavioural Risk Management stands: communication, assumption of responsibility and decisions.

Claudia Meyer: 1st and 2nd line functions have aligned the measures towards the most important processes and stakeholders and pulled together. Many departments including the most important service companies worked closely together "End2End". So-called "turf wars" and silo thinking between functions were put on the back burner. The risk function was able to further expand its "advisory role" in the business and generate trust, which will further strengthen the future cooperation between 1st and 2nd line and strengthen the role of the 2nd line functions in change or crisis processes as an actively sought-after dialogue partner of the business in risk issues and action planning.

Christoph Reitze: Openness to new ways and the willingness to admit mistakes, to address problems clearly and, if necessary, to take countermeasures promptly were certainly central, especially in the first days and weeks. In this respect, I would say that a certain degree of agility was certainly a success factor. On the other hand, in the medium term, the stringent return to "new normal" day-to-day processes is a challenge in many places - not only in questions of accounting for assets, but also in all operational processes, which often have significantly more "remote" components. Here, risks have to be rethought and reassessed, but also consequences have to be drawn from experience. For example, highly manual or even paper-based processes with freehand checklists without a clear workflow or even a lack of system support must probably be increasingly critically evaluated - even if narrowly defined cost/benefit aspects were often "life-prolonging" in the past.

Sebastian Fritz-Morgenthal: The willingness to adhere to global standards as long as local specifics are taken into account increased significantly at the beginning of the crisis. It remains to be seen what will remain of this when this crisis is over. In any case, our risk culture has become much more tangible for many colleagues. It is now clear why we are writing down our risk culture, but also what distinguishes us from our clients, partner firms and competitors.

RiskNET: Can banks learn something from other industries that have a highly developed risk and error culture, for example? Or also from industries whose core competence is NFR, for example reinsurers?

Marion Bürgers: You could also turn this question around. Perhaps there would have been fewer critical impacts in some industries if other industries had followed the banks' example and, for example, shifted administrative activities to their home desks.

Claudia Meyer: What do we mean by a highly developed risk and error culture? A highly developed risk and error culture is characterised by open communication of errors or process weaknesses between the 1st and 2nd line of defence and the will of the 1st line to identify the causes and remedy them promptly. Ideally, this behaviour should also be incentivised or relevant for the bonuses of management of the 1st line. The establishment of an open error culture helps to further optimise processes and to further align them with customer needs. This also means using controls more effectively and efficiently and reviewing the control inventory together with the risk function when changing processes and introducing systems.

Sebastian Fritz-Morgenthal: Lessons learned are a very powerful tool to better understand and codify our own (error) culture. We have a corresponding database with internal and external events and instructions for action and processes derived from them. We then also use these in the training of our staff so that everyone knows why we do certain things in a certain way and not simply the way it is described in a textbook or standard training on risk management.

Christoph Reitze: Banks in general are certainly not always leaders when it comes to agility, transparency and system support of processes. And ultimately, this is certainly also an expression of a risk and error culture. In this respect, yes, a look at competitors and neighbouring sectors is certainly worthwhile. Whereby I would spontaneously think of fintechs rather than insurance groups. Agility and a lean system landscape can be an inspiration for a mature organisation.

RiskNET: A look into the crystal ball: How will the relevance of NFR develop further compared to financial risks? And how do the individual topics in NFR grow (back) together?

Marcus Haas: A lot will depend on whether ESG risks are counted as "non-financial risks" or are rather assigned to financial risks. For this to happen, however, it would have to appear on the assets side and banks would have to see opportunities and profits in green investments - instead of regulatory requirements.

Claudia Meyer: The importance of NFR management will continue to increase as new risk areas such as ESG and climate change as well as compliance, IT and crisis risks continue to gain importance. The integration of these risks into NFR management plays an important role. The assessment of these risks as well as reporting and monitoring should be carried out in a uniform manner in order to better prioritise and track risk mitigation.

As an example of the convergence of individual topics, the integration of business continuity management (BCM) into NFR management processes should be mentioned.

The crisis scenarios jointly identified by the business continuity manager and risk manager are integrated into the NFR risk catalogue and assessed only once for the company or for the respective subsidiaries/sites - so-called risk impact analysis. The business continuity measures, derived for the essential processes and identified in the BIA (Business Impact Analysis), are then defined as controls for the crisis scenarios between the 1st Line and the Business Continuity Manager and documented in the integrated (Governance, Risk and Control) GRC system. The NFR manager regularly reviews the design and effectiveness of the business continuity tests and other controls. 

Sebastian Fritz-Morgenthal: An ERM/GRM function is always needed, which must be located at the CRO. This function must take care of the permanent development and consistent application of the risk framework. The distinction between non-financial risk and financial risk will continue to blur in many industries, the understanding of the causes will (hopefully!) continue to increase and thus further improve our risk management approaches.

Christoph Reitze: Affordability in both the operational and monetary sense - in my understanding two of the main motivations for integrated NFR management - are basically central to maintaining a fungible and adaptable organisation regardless of the size of the institution. While smaller and medium-sized companies may focus more on cost aspects, larger institutions in particular need an active counterweight that strives for consolidation in order to cope with the ever-increasing demands and the associated specialisations and thus maintain consistency and steering relevance.

RiskNET: And what will happen on the methods side? Everyone is talking about risk analytics and artificial intelligence (AI). Can we use such approaches to develop effective early warning systems - also for NFR?

Claudia Meyer: AI seems to me to be too premature, as there is currently little or no data available for many NFR topics. Scenario analysis workshops with experts is the most important tool here to analyse and assess the risks and to determine the measures and risk appetite.

Sebastian Fritz-Morgenthal: These are tools that have played a major role so far and will continue to do so in the future. However, they must be mandatorily supplemented by stress tests, scenario analyses and corresponding training and exercises in order to guarantee the applicability and effectiveness of our risk management techniques in the long term.

Marcus Haas: The new standardized approach will make models for OpRisk increasingly less important. At the same time, models will probably find their way into the field of ESG risk assessment.

RiskNET: What will the future role of the CRO look like? Will the next CRO be a cyber risk expert, a lawyer or a psychologist?

Christoph Reitze: I find it interesting that, depending on the business model, CVs from NFR management are increasingly being actively sought for board positions. At the same time, regulatory requirements in the "fit and proper" procedure, such as a minimum experience in lending decisions, do not necessarily make it easier to bring deep expertise in potentially highly relevant special topics into the function. In this respect, in most cases it will probably remain with the versatile business economist for a while.

Marcus Haas: I rather assume that there are dedicated risk experts, for example for cyber, sustainability, OpRisk, compliance, etc., whose knowledge comes together in the risk report and goes to a "classic" CRO in the sense of a management position (business graduate, lawyer).

Marion Bürgers: There is no one-size-fits-all and no stereotype. It is important to take every risk seriously, not only those that can be modelled and with which experience has already been gained in the industry, such as in the financial crisis of 2008. There are no scripts, you cannot foresee and calculate everything, cyber risk is only one aspect of NFR. Psychology certainly plays a big role, but common sense, risk awareness, empathy and experience are essential components of the CRO function.

Claudia Meyer: A CRO, for example in the insurance industry, will continue to be more mathematically oriented because of the actuarial and financial market-oriented risk models. Therefore, the role and responsibility of the Head of Enterprise Risk Management or Head of NFR Management should be further strengthened and expanded. Establishing both a quantitative CRO and NFR CRO at the same management level would be a possible solution. Similarly, it may make sense to merge the compliance function with the NFR CRO function, as a large part of operational/non-financial risks consist of compliance risks. This makes it possible to realise further synergies and transparency in risk management in the 1st and 2nd line.

Sebastian Fritz-Morgenthal: The next CRO will of course be a nuclear physicist. She can handle data, has a good understanding of rules and their limits, is used to lifelong learning, can work well in teams, in particular also cooperate with people who sometimes show special character traits, she regularly comes to her own or team limits and has learned to deal with these limits.

Thomas Kaiser: To summarise from the roundtable and the other book contributions, it can be said that COVID-19 has not fundamentally changed non-financial risk management, but that the perception of the issues, the importance of the cooperation of the "Three Lines of Defence" and the benefit of "tried and tested" operational resilience approaches have increased considerably. In this context, it has become particularly clear that the "human factor" is crucial: a good risk culture, intrinsic and extrinsic motivation of all employees and clear "ownership" of the risks (with corresponding assumption of responsibility) have brought banks through the crisis significantly better. And for those institutions with room for improvement in this respect, the notion that COVID-19 will not be the last pandemic, let alone the last crisis altogether, should encourage them to improve their non-financial risk management accordingly. The complex requirements for the management of financial and non-financial risks in connection with ESG risks should provide starting points for this, in addition to the impulses from COVID-19.