With credit and market risks now under better control, the focus is shifting to nonfinancial risks. Managing these well will require big shifts in banks’ practices.
Banks are accustomed to taking on financial risk and generating profit from it. It is the premise of their business models. But nonfinancial risk (NFR), whether related to compliance failures, misconduct, technology, or operational challenges, has only a downside. And the downside is large.
Foremost are the financial consequences. Between 2008 and 2012, the top ten banks globally lost close to $200 billion through litigation, compensation claims, and operational mishaps. [1: The Conduct Costs Project, CCP Research Foundation, ccpresearchfoundation.com.] At least 17 incidents racked up losses of more than $1 billion each; another 65 incidents each resulted in losses above $100 million.
Yet the direct financial consequences of NFR are not the only concern. The reputational damage wrought can hit a bank hard at a time when customers, shareholders, and public stakeholders are questioning banks’ business models. And there are also the personal consequences for senior managers, whom regulators increasingly hold accountable for misconduct or failure to comply with laws and regulations. [2: See, for example, the Bank of England Prudential Regulation Authority’s Senior Managers Regime, bankofengland.co.uk.] All of this, and the prospect of still tighter regulation, puts considerable pressure on banks to manage NFR better. [3: As an example of possible tighter regulation, the Basel Committee on Banking Supervision proposes to remove the advanced measurement approach and replace it with a standardized measurement approach. By our estimate, the impact would be to increase European banks’ capital requirements by 70 to 80 percent, while US banks would see a much smaller increase because, on average, they already hold more capital for operational risk.]
Many have already invested heavily to do so, boosting head counts, creating new governance structures, and making operational improvements to control risks related to compliance, fraud, and IT. Yet the mitigation of NFR remains elusive. Much time is spent firefighting and remediating audit findings, yet too often there is no warning of when or where the next risk might materialize.
An important factor underlying this is a fuzzy definition of the responsibilities between the first line of defense, in the businesses, and the second-line control functions. In addition, control functions are siloed, each having its own risk-identification processes, reporting structures, and IT systems.
The result is duplicated work and duplicated cost. Banks feel they are drowning in parallel efforts to identify, assess, and remediate risks: the same individuals are approached over and over again, which dilutes scarce resources and diverts attention from running the business. Inevitably, the chief risk officer and his or her operational-risk unit struggle to provide the board and regulators with a thorough view of the risks faced and the controls required. [4: See, for example, Corporate governance principles for banks, Basel Committee on Banking Supervision, July 2015, bis.org; OCC guidelines establishing heightened standards for certain large insured national banks, insured federal savings associations, and insured federal branches; integration of regulations, US Office of the Comptroller of the Currency, September 2014, occ.treas.gov; and EBA guidelines on internal governance (GL 44), European Banking Authority, September 2011, eba.europa.eu.]
Against this backdrop, many institutions seek a more integrated NFR-management approach in order to reduce the risk of further failures, meet stakeholders’ requirements and expectations, and limit costs. This article describes the three key components of such an integrated approach: an enhanced governance framework, a set of enablers, and changes in the front office’s approach and mind-set. It is based on our work with many financial institutions globally and an informal survey of 15 global and regional banks. Some of the structures and ideas we outline here are familiar to banks from their work on financial risk; many are newly conceived for the management of nonfinancial risk. Taken together, a full implementation of these concepts represents a paradigm shift in the NFR-management practices of many banks today.
In line with regulatory expectations, banks are building a governance model with three lines of defense. The first line owns and manages risks, the second line sets control standards and monitors adherence to them, and the third line—audit—checks on the adequacy of the first two.
Whereas all institutions regard the business divisions as the first line of defense, some overlook the role of central-infrastructure areas, such as IT and operations. These central areas do not take on financial risks from the balance sheet, but they are where the risk of most operational failure resides. Hence, many banks have extended the definition of the first line to include them.
In addition, they have broadened their definition of the second line beyond the risk and compliance functions to include areas such as legal, HR, finance, and tax, recognizing their role in managing the institution’s control framework in their respective areas of risk expertise. Take legal. Like the credit-risk function, it is often directly involved in business transactions, advising on and approving legal structures. HR, meanwhile, often sets and monitors policies on hiring, promotions, and compensation.
How a bank chooses to delineate first- and second-line activities in these areas might vary—there is no one-size-fits-all approach—but it is essential that the bank defines a consistent set of principles that reflect its governance structure, operational complexity, and specific regulatory requirements. These principles need to be permanent enough to guide future adjustments to the organization and operating model. They should clarify the organizational separation of the first and second lines to ensure independent control by second-line areas, while permitting them to perform activities as adviser or servicer. This is culturally important, so that second-line areas are seen as vital to the bank’s business model.
The principles also need to emphasize the importance of first-line areas taking responsibility for NFR management, rather than focusing entirely on revenue or cost management. To be sure, given the complexity of managing controls consistently across the bank while meeting regulatory standards, the first line may need additional expertise. For example, dedicated control units can help senior management identify and design improvements. Balanced scorecards, which measure control effectiveness and review thresholds and penalties for breaching them, can also help. Ultimately, the principles must promote a change in the organization’s thinking so that risk management and controls are at the front of senior management and employees’ minds.
Once they are agreed, the risk-governance principles need to be shared across the organization and formalized as part of the risk-policy framework, while the chief risk officer ensures their consistent application.
Despite recent improvements, many bank boards do not routinely consider NFR management, engaging only in some firefighting when risk controls fail. They can increase their engagement in various ways. Quarterly board meetings or a board committee dedicated to risk control are options. The meetings will need to provide auditable proof of appropriate risk-taking and risk-management decisions in line with the board’s regulatory and legal accountability. Their quality will depend on input from both first and second lines and, crucially, on action-oriented reports on nonfinancial risk that align to a clear definition of risk appetite.
These meetings and reports are required so that boards can build a forward-looking perspective of the bank’s top risks (and challenge the bank’s risk profile), to assess the adequacy of the overall control system to keep the bank within its agreed risk-tolerance boundaries, and to ensure that any control gaps are addressed.
To these ends, the reports should consolidate risks by business and type of risk, and aggregate the following information: