Your non-financial risks may be the biggest threats to the future success of your organization. And the list of potential hazards is long and varied: cyberattacks, emerging technologies, reputational issues, climate change, mis-selling, misconduct, a return to territorialism, geopolitics, human rights… the scope for issues seems to be growing every day.

Yet, while most financial institutions have done a fairly good job shoring up their financial risk capabilities (particularly since the global financial crisis), our experience working with leading banks, asset managers and insurers suggests that few organizations enjoy the same level of sophistication when it comes to their non-financial risks.

The problem isn’t that managers aren’t aware of the risks. Nor is it a lack of effort or desire to address these risks. More often, the problem comes down to poor visibility.

Seeing all the dimensions

There are two reasons that executives and decision-makers may not be seeing the full picture. The first is that most executives are only looking at one dimension of the risk. KPMG member firms’ work with financial services firms around the world suggests that most continue to rely primarily on quantitative measures when identifying, measuring and ranking non-financial risks. Far too few also incorporate qualitative measures to get a better view of the risks they face.

Rather than just measuring the quantity of infractions that occur or the number of training sessions conducted, for example, financial services firms could also be tracking situations where infractions almost occurred. They could be conducting root cause analysis. And they could be overlaying media information and other sources to understand where other institutions may be experiencing increased risks.

The value of integration

The other big challenge facing financial services firms comes down to a lack of integration across their various risk activities. The reality is that most — if not all — financial services firms currently assess and manage their non-financial risks in silos. Business continuity management is managed in one silo; third-party risk in another; IT security in yet another. But the three can often be very interlinked: a third-party system could lead to an IT security issue that could impact business continuity.

Yet, more often than not, risk management requirements are covered by separate functions; communication between functions is limited; oversight is fractured; and the number of reports being generated becomes overwhelming. Decision-makers and managers are only able to see pieces of the puzzle rather than the whole picture.

Getting to the full picture

KPMG firms have worked with a number of large banks, insurers and asset managers around the world. And our experience suggests there are seven key areas where all financial services firms should be focusing on in order to create a more holistic and integrated non-financial risk management approach.

1. Taxonomy: Making sure that everyone in the organization is speaking the same language is key to creating better integration across risk functions. Indeed, a common understanding of the taxonomy, definitions and delimitations of terms are a key prerequisite for an integrated approach. While complete standardization may not always be possible, key terms (such as risks, impacts, causes and occurrence probabilities) should be clearly defined.
2. Governance: Where possible, risk functions should be integrated into fewer units. This will encourage improved interaction between responsibilities (by optimizing tools, IT and reporting, for example) and enhance efficiency within the units responsible (in both the first and second lines of defense). A clear definition of the role of the Second Line of Defense, including independent reporting to the management board, is critical.
3. Methodologies: Financial institutions should be working to improve the efficiency, productivity and integration of their risk functions by reducing the number of risk identification and assessment tools being used across the organization’s second line of defense. This will involve increasing the number of synergies within the different functions and interlinking the tools and methodologies across the functions, thereby creating the basis for an integrated level of control.
4. IT systems: Similarly, financial institutions will want to reduce the number of IT tools currently being utilized across the second line of defense. This is an opportunity to implement robust integrated technical solutions (versus continuing to use generic tools such as Microsoft Office apps). Creating a common technical platform can help to simplify the sharing of information and can enable all data to be pooled together to improve overall reporting.
5. Data: Rather than relying solely on quantitative risk data, risk managers and senior management should be working to enhance their view by identifying, collecting and then integrating qualitative data sources and measures. Understanding which data sources should be used (based on value, reliability, ease of access and security, for example) will be a critical first step. Finding ways to integrate quantitative and qualitative data into clear and actionable reports to management will also be key.
6. People and culture: While IT systems are important, it’s the people behind the systems and the culture of the organization that enable successful integration. Creating a culture of risk awareness, compliance and management across the entire enterprise is key to ensuring that your people not only understand the importance of nonfinancial risks but also how to properly report and manage them. This must start within the risk function but, very quickly, it must also be embedded across the lines of business.
7. Reporting: Integrating existing reports into a single overarching non-financial risk report will be key to helping senior management focus on the right risks at the right time to support strategic decision-making. Financial institutions may want to consider starting with the harmonization of their reporting layout and assessment grids, taking great care to subsequently integrate the results. Ensuring that the right risks are being raised and reported in the right way will be key to managing the growing scope of potential non-financial risks.

Given the pace of change both inside and outside of the financial services sector, we believe it is particularly worrying that executives and boards are not seeing the full non-financial risk picture. The risk inventory for financial services firms is changing constantly. And that makes it more critical than ever for managers and boards to be able to see and understand the risks they face.

1. Does your non-financial risk framework adequately cover all the potential risks your firm faces?
2. Do you understand the impact of strategic decisions on your risk profile?
3. Does you appetite for non-financial risk align with decision-making?
4. Does your firm's risk culture influence the way your firm manages non-financial risks?
5. Are you overly focused on the financial impacts of non-financial risk events?
6. Are you encouraging the business and it support units to own their non-financial risks?
7. Is your reporting across the sub-categories of non-financial risk consistent?
8. Are your risk management siloes integrated and coordinated?
9. Does your entire organization speak the same language with regards to non-financial risk?
10. Are you confident that you are tracking and measuring the right non-financial risks?