Your non-financial risks may be the biggest threats to the future success of your organization. And the list of potential hazards is long and varied: cyberattacks, emerging technologies, reputational issues, climate change, mis-selling, misconduct, a return to territorialism, geopolitics, human rights… the scope for issues seems to be growing every day.
Yet, while most financial institutions have done a fairly good job shoring up their financial risk capabilities (particularly since the global financial crisis), our experience working with leading banks, asset managers and insurers suggests that few organizations enjoy the same level of sophistication when it comes to their non-financial risks.
The problem isn’t that managers aren’t aware of the risks. Nor is it a lack of effort or desire to address these risks. More often, the problem comes down to poor visibility.
Seeing all the dimensions
There are two reasons that executives and decision-makers may not be seeing the full picture. The first is that most executives are only looking at one dimension of the risk. KPMG member firms’ work with financial services firms around the world suggests that most continue to rely primarily on quantitative measures when identifying, measuring and ranking non-financial risks. Far too few also incorporate qualitative measures to get a better view of the risks they face.
Rather than just measuring the quantity of infractions that occur or the number of training sessions conducted, for example, financial services firms could also be tracking situations where infractions almost occurred. They could be conducting root cause analysis. And they could be overlaying media information and other sources to understand where other institutions may be experiencing increased risks.
The value of integration
The other big challenge facing financial services firms comes down to a lack of integration across their various risk activities. The reality is that most, if not all, financial services firms currently assess and manage their non-financial risks in silos. Business continuity is managed in one silo; third-party risk in another; IT security in yet another. But the three are often closely interlinked: a third-party system could lead to an IT security issue that could impact business continuity.
Yet, more often than not, risk management requirements are covered by separate functions; communication between functions is limited; oversight is fractured; and the number of reports being generated becomes overwhelming. Decision-makers and managers are only able to see pieces of the puzzle rather than the whole picture.
Getting to the full picture
KPMG firms have worked with a number of large banks, insurers and asset managers around the world. And our experience suggests there are seven key areas on which all financial services firms should focus in order to create a more holistic and integrated non-financial risk management approach.
Given the pace of change both inside and outside of the financial services sector, we believe it is particularly worrying that executives and boards are not seeing the full non-financial risk picture. The risk inventory for financial services firms is changing constantly. And that makes it more critical than ever for managers and boards to be able to see and understand the risks they face.