You often hear the expression enterprise risk management (“ERM”), and you may ask yourself: is that risk management for the entire organization? The simple answer is yes, it is risk management across all risk domains within a given enterprise. However, in order to understand the different components of ERM, we must first understand what risk management is. Risk management, by definition, is the process of identifying, assessing, and controlling threats to an organization’s business objectives, including its capital and earnings. These risks stem from a variety of sources; however, the risks that most often come to mind are financial in nature, such as credit risk, market risk or liquidity risk. These are the types of risk whose exposure can be measured in dollars and cents, because they all form part of a given portfolio of assets.
Non-financial risks are risks that are very difficult to measure, understand, and at times assign defined risk ratings such as low, medium or high. These risks are not covered by traditional financial risk management. Over the past decade or so, the term non-financial risk has grown in popularity among risk managers in financial institutions, especially and most recently on the back of the COVID-19 pandemic. The reason is that non-financial risks, even though they may not be associated with an asset class, can have pervasive effects that directly impact an organization’s reputation, specifically its brand, employees, customers, and stakeholders.
So what risks fall under the banner of non-financial risk? Effectively, they are all operational risks. More specifically, they include third-party risk, which covers activities such as outsourcing, used by organizations to reduce costs and implementation time while increasing dependency on third-party vendors; the associated risks include contractual non-performance, a vendor’s non-compliance with laws or regulations, or a vendor’s inability to maintain operations in the event of a natural disaster or technology outage.

Cyber risk is another form of operational risk that is top of mind for many institutions as a result of the increase in cyber-attacks, such as the ransomware attacks observed over the past year against not only financial organizations but also manufacturing and oil companies. Cyber risk was always on the rise; however, COVID-19 may have accelerated this trend, making this risk category one of the most prevalent and critical for risk managers to assess and control.

Conduct risk is another non-financial risk that often gets overlooked because it is so hard to conceptualize and, to an extent, to measure as an actual risk exposure with real financial implications. However, inappropriate behavior by employees can have devastating effects on an organization. Regulators in many jurisdictions have focused on the importance of conduct and have expressed the need for organizations with non-financial risk disciplines to have robust frameworks in place to train for, identify and control risks stemming from inappropriate employee behavior.
The list of non-financial risks, or what I would define as off-balance-sheet risks, is much longer than those mentioned above. Compliance, process, fraud, human capital, and model risk, along with more specific risks such as digital, innovation and AI risk, also fall under this umbrella, or are more commonly categorized as IT risks. It is for this reason that non-financial risk management has become more important than ever in ensuring these types of risk are not only managed by the risk management department but understood by the broader organization; training and awareness are therefore key to making this happen. Risk is managed as an organization and not necessarily by a corporate function.
Now that we know the size and scale of non-financial risk management, the question is: how is it managed? There is no simple model, but for most organizations the very basic methodology is an integrated approach, one that embraces a holistic view of risk recognition and partnership with key functions like legal, compliance, information security and audit. Processes such as top-down risk assessments, control attestations and issue management, coupled with strong governance, a defined risk appetite, and robust reporting, can serve as an outcome-driven framework for managing non-financial risks. Often, risks are managed in silos, and it is this very approach that leads to poor risk management: the storytelling for risk falls short, prioritization of risk remediation may become biased, risk aggregation and reporting may end up incomplete or inaccurate, and ultimately your company’s risk profile may suffer and fail to reflect the true picture of your organization’s enterprise risks.