New and emerging non-financial risks – Part 2: Not the technology-related non-financial risks

Non-financial risks have become at least as important, to both firms and regulators, as financial risks. This is mostly due to firms’ dependence on IT systems to operate their businesses, but regulators (particularly the Financial Conduct Authority – the FCA) are also highlighting non-financial risks arising from newer regulatory topics, adding to the universe of risks and risk categories that firms need to consider.

Part 1 of these articles focused on new and emerging technology-related non-financial risks. This article considers non-financial risks outside the technology field that both firms and regulators are focusing on. I’m not outlining, here, geopolitical risks, reputational risks or climate-related risks. Those have all been relevant for some time and they continue to be relevant. The risks described below are newer and they’re more specific.

1. Conduct risk – the risk of a firm not meeting its regulatory obligations to customers and the consequences of that – is an established risk category. However, identifying risks to a firm’s ability to deliver good outcomes to retail customers and putting appropriate mitigants in place to address those risks are hardwired into the regulatory framework of the Consumer Duty in a way that hasn’t been the case for most other conduct of business requirements. And Consumer Duty obligations are, in part, phrased in risk terminology. The risk of failing to deliver good outcomes to retail customers needs to figure, prominently, in non-financial risk management frameworks and activities. Some firms will include this risk within the ‘conduct risk’ category. However, bear in mind that there are specific requirements in relation to the Duty that will need to be addressed, and both the business and the board will need to track progress.

Firms also need to address risks to retail customers and consider what novel risks are emerging for customers, including vulnerable customers, and the corresponding risks for firms that don’t identify and respond to those under the Duty.

2. It’s a similar story in relation to the risk of consumers experiencing financial exclusion, a risk identified in the FCA’s Finalised Guidance in respect of the Consumer Duty. Declining a consumer-applicant risks their financial exclusion, and firms are expected to address that risk through signposting to sources of appropriate information from an independent and reliable source. Failure to take this additional step risks harm to the consumer-applicant through financial exclusion, presenting a risk for a firm that fails to address the risk of consumer harm. (Incidentally, expect to see more about financial exclusion as part of the discussion about affordability of residential mortgages and home ownership.)

3. The FCA’s 2023 consultation paper on Diversity and inclusion in the financial sector (CP23/20) proposes that larger firms[1] will be required to recognise a lack of diversity and inclusion (D&I) as a non-financial risk. In the cost benefit analysis in Annex 2 of the CP, this is extended to cover “D&I and related risks” (emphasis added).

Groupthink[2] is also said to “create risks for firms”, although it’s unclear whether the groupthink-risk is limited to D&I or is to be extrapolated to other situations where groupthink might occur.[3] In the context of the CP, the FCA’s concern is that a firm may miss or misinterpret important considerations throughout its decision-making processes if it can’t draw on diverse perspectives or constructive challenge from all of its staff.

Risks attached to misconduct – notably, non-financial misconduct (NFM), including bullying and harassment – are said, in the CP, to be so serious that confidence in regulatory standards is undermined if the FCA doesn’t take action. Links are drawn between NFM and risks to a healthy firm culture and the risk of groupthink, and it’s clear that the FCA sees these as risks that firms are to consider.

The scope of these risks will need to be considered by firms, along with how they fit within the wider risk taxonomy and combinations of risks considered by firms in their risk management activities. For instance:

  • In a group structure, should any mismatch between the D&I approaches taken by sister companies or parent and subsidiary be considered as an additional aspect of the D&I risk, particularly where there’s secondment of employees between the two companies or sharing of staff or common policies?
  • Should risk of non-compliance with Consumer Duty requirements be a standalone risk, be included within conduct risk or be a subset of conduct risk?
  • And how will risk of groupthink be treated within D&I risk, strategy risk and governance risk – and those risks in combination?

The third article in this series considers risk management and governance in more detail.


[1] It’s proposed that larger firms will be those with 251 or more employees.

[2] Described in CP23/20 as when groups of people make poor choices because members of the group have either not considered or don’t feel comfortable suggesting alternative options.

[3] My view is that the FCA will apply groupthink risk to a wider range of situations once it has been established in one particular context (which might well be D&I, as set out in CP23/20). If that’s correct, we have early signs of an additional non-financial risk that firms will need to take into account.

This article is intended to provide general information about current and expected topics and perspectives that might be of interest. It does not provide or constitute, or purport to provide or constitute, advice relevant to any particular circumstances. Legal or other professional advice relevant to any particular circumstances should always be sought.
