The existential crisis of non-financial risk management

Whilst credit and market risk management have matured, managing non-financial risks has become a growing challenge for financial institutions.

In the past decade, our world has changed significantly due to increasing information intensity, hyper-transparency, hyper-connectivity and complexity of regulation. We have witnessed the credit crisis, the rise of social media, the migration to digital online services and the ubiquitous prevalence of mobile smartphones!

The consequence is an increased relevance and impact of non-financial risks. The tendency to remediate deficiencies with more zealous application of current thinking is not leading to a solution. Operational failures and compliance breaches continue to significantly impact business performance, and the integrity and ethics of banks and insurance companies are still openly questioned.

What should operational and non-financial risk managers do to overcome these challenges and retain a seat at the table?

There are a few things they could do to step up and change their traditional ways of managing non-financial risks. If they fail to do so, they risk becoming irrelevant and others will take up the gauntlet.

  • Overcome the ‘operation successful, patient died’ syndrome and become more forward looking
  • Understand the interconnectedness of risks in our globalised world
  • Understand the risks and opportunities of new technologies and data
  • Talk the language of the business and focus on enhancing risk culture

Overcome the ‘operation successful, patient died’ syndrome and become more forward looking

Until the Basel 2 reforms to banking supervision, operational risk was largely a residual risk category for risks and uncertainties which were difficult to manage. It was, in a way, a catch-all category for “other risks”. Around 2002, a definition evolved for this category of risk: the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.

I recognise that the discipline of operational risk management has come a long way, but in practice I see that time and again a narrow interpretation of this definition fails to address the changes that have happened in the world. Traditionally, risk managers have had a strong focus on the avoidance of internal process and system related risks through frameworks, policies and (hard) controls. Whilst this may have helped to manage preventable risks, this is static and mainly backward looking. More importantly, this does not allow the identification and management of emerging risks, strategic uncertainties and external risks, which could potentially have a much larger impact on the longer-term success and sustainability of an organisation. Not surprisingly, regulators will increasingly focus on the quality of strategic decision making and scenario analysis.

Therefore, the practical definition of operational risk should be changed and risk managers must become more strategic and forward looking.

Understand the interconnectedness of risks in our globalised world

As our markets, businesses and companies become more global, macro-influences (political, economic, social, technological, environmental and legal factors) and micro-influences (factors specific to an industry and related industries, including competition, customers, suppliers and barriers to entry) become more intertwined. Consequences are often correlated and it becomes increasingly difficult to look at risks and events in isolation. Further, these should be regarded in the context of internal capabilities (business model, products, services, strengths, weaknesses etc.) and an organisation’s political and cultural context (stakeholder expectations, corporate governance, ethical considerations, cultural factors, etc.).

Risk managers will need to develop a much broader skill set that allows them to understand and analyse the impact of interconnected risks on things like the achievement of strategic objectives, the business model, the profit drivers and capital position of the organisation. The result will be more relevant input into decision making and better conversations with senior management.

Understand the opportunities and risks of new technologies and data

Although real disruption may still lie ahead, new innovative technologies have made an impact upon many industries. This year, I expect to see an increased use of artificial intelligence and the first commercial applications of blockchain technology and self-executing smart contracts. The use of robo-advisors and the sophistication of risk-based pricing based on policyholders’ personal profiles are examples where heavy reliance is placed on data (analytics) and programmed algorithms.

Another interesting example (albeit disputed by some) is a company called Cambridge Analytica, which claimed to have supported the Trump campaign. They used the OCEAN personality scale – an acronym for openness, conscientiousness, extraversion, agreeableness and neuroticism – alongside thousands of different pieces of data on every individual, and claimed to be able to predict how citizens would vote.

With digitisation and automation, more models are being integrated into business processes, and the risk profile and consequent operational losses of institutions are changing. Therefore, risk managers need a different skillset to be able to identify and assess the related key risks – such as data quality (completeness, accuracy etc.), data privacy (e.g. General Data Protection Regulation) and model risk (defective models and model misuse etc.).

On the other hand, risk management can benefit from data analytics to provide better and timelier information upon which to detect problems earlier, make better decisions and predict problems before they happen.

Talk the language of the business and focus on enhancing risk culture

Markets for many financial institutions are characterised by a high degree of uncertainty. Shorter business cycles make long-term planning increasingly difficult. Often, we cannot identify all uncertain events and even if we can, it is very difficult to calculate the impact and likelihood of these events.

In response, many of these organisations are changing the way they work and implementing, for example, Agile, Scrum and lean start-up approaches. These approaches are, in themselves, ways to manage risks through, for example, iterations and fast feedback loops on assumptions, allowing organisations to avoid harm and reap the benefits of uncertainties.

However, traditional rigid risk management processes and methodologies may no longer be effective in these circumstances. Risk managers cannot rely on static risk and control universes anymore. Risk-based decisions will need to be made quickly, and changes, including mitigating actions, implemented swiftly. In this more fluid world, a strong risk culture and soft controls become essential to create a level of awareness and preparedness to mitigate risks appropriately.

There is a clear role for risk managers to help in establishing a strong culture. They should move up from their audit, accounting or controlling backgrounds and develop strong interpersonal and advisory skills. They need to be able to talk the language of the business to become change agents within their organisations.