How can firms create a holistic and integrated approach to managing non-financial risks?
Non-financial risks are creating big challenges for financial services organisations. There are two reasons that executives and decision-makers may not be seeing the full picture.
Your non-financial risks may be the biggest threats to the future success of your organisation. And the list of potential hazards is long and varied: cyberattacks, emerging technologies, reputational issues, climate change, mis-selling, misconduct, a return to territorialism, geopolitics, human rights… the scope for issues seems to be growing every day.
Yet, while most financial institutions have done a fairly good job shoring up their financial risk capabilities (particularly since the global financial crisis), our experience working with leading banks, asset managers and insurers suggests that few organisations enjoy the same level of sophistication when it comes to their non-financial risks.
The problem isn’t that managers aren’t aware of the risks. Nor is it a lack of effort or desire to address these risks. More often, the problem comes down to poor visibility.
There are two reasons that executives and decision-makers may not be seeing the full picture. The first is that most executives are only looking at one dimension of the risk. KPMG member firms’ work with financial services firms around the world suggests that most continue to rely primarily on quantitative measures when identifying, measuring and ranking non-financial risks. Far too few also incorporate qualitative measures to get a better view of the risks they face.
Rather than just measuring the quantity of infractions that occur or the number of training sessions conducted, for example, financial services firms could also be tracking situations where infractions almost occurred. They could be conducting root cause analysis. And they could be overlaying media information and other sources to understand where other institutions may be experiencing increased risks.
The other big challenge facing financial services firms comes down to a lack of integration across their various risk activities. The reality is that most – if not all – financial services firms currently assess and manage their non-financial risks in silos. Business continuity management is managed in one silo; third-party risk in another; IT security in yet another. But the three can often be very interlinked: a third-party system could lead to an IT security issue that could impact business continuity.
Yet, more often than not, risk management requirements are covered by separate functions; communication between functions is limited; oversight is fractured; and the number of reports being generated becomes overwhelming. Decision-makers and managers are only able to see pieces of the puzzle rather than the whole picture.
KPMG firms have worked with a number of large banks, insurers and asset managers around the world. And our experience suggests there are seven key areas where all financial services firms should be focusing on in order to create a more holistic and integrated non-financial risk management approach.
Making sure that everyone in the organisation is speaking the same language is key to creating better integration across risk functions. Indeed, a common understanding of the taxonomy, definitions and delimitations of terms are a key prerequisite for an integrated approach. While complete standardisation may not always be possible, key terms (such as risks, impacts, causes and occurrence probabilities) should be clearly defined.
Where possible, risk functions should be integrated into fewer units. This will encourage improved interaction between responsibilities (by optimising tools, IT and reporting, for example) and enhance efficiency within the units responsible (in both the first and second lines of defence). A clear definition of the role of the Second Line of Defence, including independent reporting to the management board, is critical.
Financial institutions should be working to improve the efficiency, productivity and integration of their risk functions by reducing the number of risk identification and assessment tools being used across the organisation’s second line of defence. This will involve increasing the number of synergies within the different functions and interlinking the tools and methodologies across the functions, thereby creating the basis for an integrated level of control.
Similarly, financial institutions will want to reduce the number of IT tools currently being utilised across the second line of defence. This is an opportunity to implement robust integrated technical solutions (versus continuing to use generic tools such as Microsoft Office apps). Creating a common technical platform can help to simplify the sharing of information and can enable all data to be pooled together to improve overall reporting.
Rather than relying solely on quantitative risk data, risk managers and senior management should be working to enhance their view by identifying, collecting and then integrating qualitative data sources and measures. Understanding which data sources should be used (based on value, reliability, ease of access and security, for example) will be a critical first step. Finding ways to integrate quantitative and qualitative data into clear and actionable reports to management will also be key.
While IT systems are important, it’s the people behind the systems and the culture of the organisation that enable successful integration. Creating a culture of risk awareness, compliance and management across the entire enterprise is key to ensuring that your people not only understand the importance of non-financial risks but also how to properly report and manage them. This must start within the risk function but, very quickly, it must also be embedded across the lines of business.
Integrating existing reports into a single overarching non-financial risk report will be key to helping senior management focus on the right risks at the right time to support strategic decision-making. Financial institutions may want to consider starting with the harmonisation of their reporting layout and assessment grids, taking great care to subsequently integrate the results. Ensuring that the right risks are being raised and reported in the right way will be key to managing the growing scope of potential non-financial risks.
Given the pace of change both inside and outside of the financial services sector, we believe it is particularly worrying that executives and boards are not seeing the full non-financial risk picture. The risk inventory for financial services firms is changing constantly. And that makes it more critical than ever for managers and boards to be able to see and understand the risks they face.