Non-financial risks becoming a growing challenge

Tools and frameworks for the management of credit and market risks are well established. For financial institutions, McKinsey identifies a shifting focus to non-financial risks that require changes in banks’ practices.

Banks take on financial risk to generate a profit from it. However, non-financial risks such as compliance failures, misconduct, technology, or operational challenges often have no upside but only a downside. Between 2008 and 2012, the top ten global banks paid nearly $200 billion through litigation, compensation claims, and operational mishaps, says McKinsey in their latest article “Nonfinancial risk: A growing challenge for the bank”. Besides the financial damage, financial institutions so suffer from a reputational loss and managers might be held accountable personally.

Despite efforts to govern non-financial risks better such as introducing new governance structures and increasing the headcount, risks are not controlled comprehensively. Institutions still spend much time on firefighting and remediating audit findings without knowing where the next risk might materialise. Based on McKinsey’s work with many institutions around the world and an informal survey among 15 global and regional banks, they provide banks with a framework for enhanced non-financial risk management.

In line with regulatory expectations, banks should build three lines of defence: The first owns and manages risks, the second controls them against standards, and the third checks the adequacy of the first two. Thereby, the first line should not just include financial risks but also important operational challenges such as IT. In addition, the second line needs to broaden its scope towards areas such as legal, HR, finance, and tax. Also, boards should increase their engagement with the management of non-financial risks, for example by quarterly board meetings on risk controls.

Finally, McKinsey identifies four key elements for effective non-financial risk management:

  • Integrated risk autonomy: Risks and terms must be defined across the organisation to eliminate inconsistencies when managing them and to consolidate the number of risk types to be managed.
  • Focussing on prevention: The primary task should be to prevent non-financial risks to materialise. To improve prevention, banks should map risks along their value chain and move controls upstream. Ensuring correct data entry, for example, is easier than correcting errors later.
  • Integrated and forward-looking risk and control assessment: Systems must be assessed rigorously, also in regards to considering emerging risks. In the end, financial institutions should have a transparent and aggregated reporting that allows its management to identify the most significant challenges.
  • Quantification of non-financial risks: Measuring non-financial risks is hard but can be done through the identification of key risk indicators such as error rates that ultimately drive potential threads. Using those, tools including stress-testing and advanced analytics can be used to quantify risks.