Since 2008 banks have spent considerable time and resources implementing stronger risk controls and risk management frameworks, such as the three lines of defence (“3LOD”) model. Remarkably, those efforts mostly covered well-established BCBS risks. However, in recent years most losses have occurred in risk areas that were neither fully identified nor backed by corresponding models and capital. There are solid indications that those apparent NFR blind spots will soon be addressed, and that risk categories like Conduct Risk, Reputation Risk, Compliance Risk (incl. Financial Crime Risk and Legal Risk) and Integrity Risk will start showing up on the regulatory/supervisory agenda. Avoiding additional fines or penalties will likely require more than just creating new policies or implementing structural tweaks and quick fixes. Personal liability of senior management for corporate incidents may also play an ever bigger role.
On the positive side, existing risk management capabilities and processes can also be leveraged to assess and manage emerging NFRs. The challenge is to properly define and integrate the emerging risks into the existing taxonomy and frameworks (e.g., hierarchies of risks and controls), ensuring that no duplication of effort occurs. The components of the business model need to be analyzed against emerging NFRs, and the risk capacity of the organization should be adjusted accordingly. Building a more integrated, robust review and assessment methodology can give confidence that the monitored risks accurately reflect the business model context.
Recently, we have seen growing regulatory/supervisory expectations that banks use structured and more integrated risk assessment methodologies. Data is key to an integrated understanding; it is the basis for managing the risk and for evidencing to third parties that the organization understands and properly manages risk in its business context. Only the ability to present that picture can avoid further direct and indirect penalties and litigation. Constant and structured collection and processing of risk data is required for the management of NFR, but that poses a challenge for most institutions, since neither complete data, technology nor integrated frameworks and techniques are yet in place. It will therefore necessitate medium- to longer-term strategic considerations and investment to cover the requirements of the new risk types, including:
Should NFR’s profile be elevated on the regulatory and supervisory agenda, banks will require more integrated capabilities (e.g., a common taxonomy, language and division of responsibilities); it will be complex and costly for financial institutions to provide evidence of their full and appropriate organizational understanding of risk and its management. Without improved capabilities, an institution might be able to remain compliant, but the costs of compliance may eventually increase unnecessarily. A balance between regulatory needs and the associated costs has to be found.
Download a thought-provoking white paper with further details about the nascent NFR discipline focusing on the need for both NFR-methodology and NFR-risk taxonomy here.