Almost all risk causes and events will have some sort of financial impact. So, if you are considering a risk to your institution that is not covered by the first three items of the Deloitte risk event taxonomy, then it must be a non-financial risk.
Many industrial corporates have developed effective approaches to managing nonfinancial risks, integrating them into strategic choices and overall resilience. Banks can learn from their experience.
Business Risks
Business risks are those that can have an impact on a company’s financial health. They include issues like customer credit, a declining market or legal problems. They can also impact the company’s operational or strategic performance. This type of risk is often overlooked, especially by smaller institutions that may not have the resources to deal with it effectively.
These risks are less well-defined than financial risk because they are difficult to measure. They are also more complex, with a wider range of root causes, events and impacts. They are also more loosely connected to each other, making it harder to apply the bow-tie methodology for quantifying and managing them. This is partly because operational and strategic risks are typically managed by a broad range of front-line staff rather than a centralized team.
Business risks can also be more expensive for companies to manage than financial risk. For example, a bank that has a high level of business risk may be forced to pay fines or legal costs as a result of a regulatory violation or a breach of trust by one of its employees. This is more than just an inconvenience; it can significantly damage a brand and cost the company millions in fines or lawsuits. This type of risk is often referred to as reputational risk.
Environmental Risks
With increasing regulatory scrutiny and rapid shifts in technology, financial institutions are facing many new non-financial risks. To manage these challenges, they have increased staffing and introduced more controls. Unfortunately, this has created siloed non-financial risk functions that are less well-aligned to the institution’s overall strategy and less effective at addressing the emerging risks.
One example is environmental risk, which involves the risks a business may pose to people and the environment due to pollution or waste. This risk can cause harm to human health (e.g., disease-causing microbial agents or lack of oxygen in surface water) or ecological receptors (e.g., plants and animals). Banks that finance environmental projects can face liability for the project’s failure, which can increase their cost of capital.
While banks have improved their capabilities in managing some types of non-financial risk, the overall maturity level is still lower than for financial risks. This is because the underlying causes, events and impacts are more complex and loosely connected, making them harder to identify, measure and manage. To improve these capabilities, institutions need to provide a consistent “one source of truth” for their non-financial risk data and reporting. This helps them to more effectively align their risk management activities with their strategic choices and improves collaboration across risk functions. They also need to incorporate non-financial risks into their stress testing.
Political Risks
A wide range of circumstances can impact financial markets, such as the 2007 to 2008 global financial crisis that shook the confidence of investors and caused businesses to close. These events, which are often related to political instability, affect the monetary wellbeing of the market and can be quite damaging for many companies.
Government actions are the most commonly identified source of political risk, which can affect businesses either directly or indirectly. This can include things such as nationalization, higher taxes, increased regulations, and barriers to trade. However, it could also encompass more extreme events such as civil unrest, war, strikes, and riots.
There is a growing demand for jobs that focus on the assessment of political risks, largely because businesses are expanding their operations into foreign countries. Managing these types of risks can be particularly challenging because they can result in loss of profits, revenue or even assets.
The good news is that there are a number of strategies to help mitigate the effects of political risk. Aon’s team of experts use their years of experience, innovative analysis tools and tailored risk transfer programs to reduce the potential impact on your business. This includes helping you to find appropriate local insurance products and designing solutions for transferring and managing your political risks. It also includes covering a wide range of events, including embargoes, interference and nationalization of projects, supply chain disruption, and the threat of strikes, riots or civil commotion.
Technology Risks
Some respondents cite technology risks (including operational, reputational and strategic risk) as a growing priority. These are the risks that can cause losses, whether from fines imposed by regulators or the legal costs of managing an incident. Nevertheless, these types of losses are often not captured by the traditional financial loss metrics used to assess capital and risk appetite.
Institutions of all sizes cited a desire to invest in nonfinancial risk management capabilities. They are keen to improve their ability to quantify these risks, and they want to align their ERM processes with business logic rather than centralized reporting. They also recognize that they must address the potential impact of nonfinancial risks, even if they are not captured by the traditional risk appetite and limit-setting approaches used to assess market and credit risk.
While banks can learn from highly sophisticated approaches to nonfinancial risk developed by corporates for their specific business models, they must address unique challenges that arise in the banking industry. For example, many bank ERM teams struggle to apply business-linked logic universally within the framework, and they run into the same limitations that the corporates do when trying to standardize ERM processes and metric definitions. These limitations can lead to a misalignment between the ERM function and the business, as the functions attempt to establish common definitions of risk appetite and limits in the face of differing business-specific risk tolerances.