New and emerging non-financial risks – Part 3: Risk management and governance

This is the third and final article looking at new and emerging non-financial risks. It’s concerned with managing those risks and the wider governance arrangements firms will need to have in place.

As I’ve said in the previous two articles, increased emphasis by firms and regulators on non-financial risks has made these risks at least as important as financial risks. This is mostly due to firms’ dependence on IT systems to operate their businesses, but regulators (particularly the Financial Conduct Authority – the FCA) are also highlighting non-financial risks arising from newer regulatory topics, adding to the universe of risks and risk categories firms are required to consider.

Risk management activities, governance and board oversight should be reviewed to ensure they provide for the focus regulators expect. Here are some more specific points that are relevant to new and emerging non-financial risks.

1. The newer non-financial risks will need to be placed within the firm’s risk taxonomy. For some firms, this will involve creating new risk categories; for others, the risks will fall within existing risk categories but might need a designated sub-category. This is likely to depend on:

  • The current risk categories a firm has in place and whether the new non-financial risks can, comfortably, be accommodated within those;
  • How cleanly new non-financial risks and their mitigants can be placed within current risk categories; and
  • The significance of the new non-financial risks for the firm and how prominently and distinctly they need to be recognised and tracked, including in management information (MI) provided to senior management and the board.

2. Part of this work will involve considering combinations of risks and how those can be expected to impact the business. Combinations of risks will include the new and emerging non-financial risks, but there might also be novel combinations, and risks (including new and emerging non-financial risks) that increase in tandem or that are triggered by other risk events occurring.

3. Enterprise-wide risk management will almost certainly be needed when considering non-financial risks because they’re less likely to be confined to a particular part of the business. A cyber-attack or power outage – perhaps, also, failure in relation to outsourcing arrangements – has the potential to affect the whole of the business. By comparison, financial risks (such as interest rate risk or credit risk) will generally be limited to specific lines of business.

4. Where a firm is part of a wider group, group-wide risk management – or, at least, alignment of enterprise-wide risk management within each group company – will be needed too.

5. Assessing the true impact of non-financial risks and quantifying the resulting losses present challenges. Assumptions will need to be made about how long an event would last and the consequences of that event. For instance, it might be assumed that a cyber-attack would be resolved within 48 hours, but data may have been compromised in that period, reputational damage may take longer to resolve and there may be loss of business or an impact on future growth, all of which are difficult to quantify with any confidence. Decisions will need to be made about the mitigants that can be applied and, realistically, how effective they will be and over what timeline. Bear in mind, too, that a range of different mitigants will almost certainly be needed as events unfold and the risk profile evolves.

6. Consider whether there’s value in having very early warning indicators in relation to key risks that have a potentially systemic impact on the firm or its customers. This is most likely to be relevant to IT risks and events impacting operational resilience and important business services.

7. Risk management models and frameworks that have been adequate and effective in the past might need adjustment to accommodate an increasing number of non-financial risks, new and emerging non-financial risks, and non-financial risks taking on increasing significance in the universe of risks faced by firms. Changes to models will depend on the business, the customer base, the firm’s strategy and the risk profile of each particular firm, and firms will need to be open to new approaches and to making adjustments to arrangements.

8. Regulators require boards to be more actively involved in newer regulatory topics, including the Consumer Duty, diversity and inclusion (D&I) and operational resilience. There should be regular reports to the board (a key feature of operational resilience) and the board is required to consider a formal annual report under Consumer Duty rules. Regulators propose making boards responsible for maintenance and oversight of firms’ D&I strategies, overseeing and monitoring progress against diversity targets, holding management accountable through a higher degree of scrutiny and supporting cultural change.

9. Risk management frameworks, risk appetites, the work of (and terms of reference for) board and executive risk committees and board activity in relation to risk management may need adjustment, bearing in mind that regulators will expect it to be clear how these new and emerging non-financial risks are being considered up to board level. As well as documenting these changes, firms will need to decide how to introduce and embed the alterations to governance and cultural shifts to support new approaches.

10. Governance will need to be in place for each aspect of the business relevant to a non-financial risk. For instance, the firm’s D&I strategy might be sufficient to address D&I risks; if not, a D&I framework or similar document will be needed (consistent with the enterprise-wide risk management framework), setting out how D&I risks are being addressed, bringing together all D&I work and ensuring any gaps and inconsistencies are resolved. In the case of model risk governance, model risk management arrangements will need to be documented.

11. Good MI is essential; consider the following points:

  • MI needs to be aligned with what the board needs to oversee, monitor, review and challenge.
  • Regulators (particularly, the FCA) want to see boards measuring delivery, success and impacts. This may require MI in a different form or with a different focus. Is the firm set up to produce that in meaningful terms and will monitoring activities need to change in order to measure and produce metric-driven MI?
  • Picking up on the point in paragraph 6, MI could include very early warning indicators, as well as the more traditional KRIs and EWIs.

The actions taken will vary between firms but adjustments are likely to be needed, now and as further non-financial risks emerge.


This article is intended to provide general information about current and expected topics and perspectives that might be of interest. It does not provide or constitute, or purport to provide or constitute, advice relevant to any particular circumstances. Legal or other professional advice relevant to any particular circumstances should always be sought.
