Tools and frameworks for the management of credit and market risks are well established. For financial institutions, McKinsey identifies a shifting focus to non-financial risks that require changes in banks’ practices.
Banks take on financial risk to generate a profit from it. However, non-financial risks such as compliance failures, misconduct, technology, or operational challenges often have no upside but only a downside. Between 2008 and 2012, the top ten global banks paid nearly $200 billion through litigation, compensation claims, and operational mishaps, says McKinsey in their latest article “Nonfinancial risk: A growing challenge for the bank”. Besides the financial damage, financial institutions also suffer a reputational loss, and managers might be held personally accountable.
Despite efforts to govern non-financial risks better such as introducing new governance structures and increasing the headcount, risks are not controlled comprehensively. Institutions still spend much time on firefighting and remediating audit findings without knowing where the next risk might materialise. Based on McKinsey’s work with many institutions around the world and an informal survey among 15 global and regional banks, they provide banks with a framework for enhanced non-financial risk management.
In line with regulatory expectations, banks should build three lines of defence: the first owns and manages risks, the second controls them against standards, and the third checks the adequacy of the first two. The first line should cover not just financial risks but also important operational challenges such as IT. In addition, the second line needs to broaden its scope towards areas such as legal, HR, finance, and tax. Boards should also increase their engagement with the management of non-financial risks, for example through quarterly board meetings on risk controls.
Finally, McKinsey identifies four key elements for effective non-financial risk management: