N. Gittfried  G. Lienke  F. Seiferlein
J. Leiendecker  B. Gehra (eds.)

Risk Management
in the Financial Industry

A Target Operating Model
for Compliance and ESG Risks
1st edition 2022
Bibliographic information of the German National Library
The German National Library lists this publication in the German National Bibliography;
detailed bibliographic data are available on the Internet at http://dnb.d-nb.de.
Visit us on the Internet: http://www.frankfurt-school-verlag.de
This work, including all of its parts, is protected by copyright. Any use outside the narrow limits of the Copyright Act without the consent of the publisher is prohibited and liable to prosecution. This applies in particular to reproductions, microfilming, and storage and processing in electronic systems.
ePub conversion: mediaTEXT Jena GmbH
ISBN (print): 978-3-95647-188-9
ISBN (epub): 978-3-95647-189-6
ISBN (pdf): 978-3-95647-190-2
ISBN (mobi): 978-3-95647-191-9
1st edition 2022  © Frankfurt School Verlag / efiport GmbH, Adickesallee 32-34, 60322 Frankfurt am Main


1  Introduction: Rising to the Challenges of Non-Financial Risk Management, Compliance and ESG
2  Definition of Non-Financial Risk in Financial Institutions
3  Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks
4  The Three Lines of Defence Model: Key Success Factors for Effective Risk Management
5  Global Functional Lead in Non-Financial Risk Management: Ensuring Consistency and Integration in Complex Organisations
6  Policies and Procedures: Framework and Governance Requirements in the Financial Sector
7  Top-Down Risk and Control Assessment: A Forward-Looking Approach to Evaluate Company-Wide Non-Financial Risk Exposure
8  A Top-Down Approach to Non-Financial Risk Reporting: Collaboration Across Risk Types for Sustainable Risk Steering
9  Internal Investigations into Corporate Misconduct: Applying an Investigative Approach to Enable Proactive Risk Oversight
10  Technical Application and Data Architecture for Non-Financial Risk Management
11  Data Governance in Non-Financial Risk Management
12  Optimising Effectiveness and Efficiency: Deployment of Artificial Intelligence in Non-Financial Risk Management
13  Core Elements of Conduct and Ethics in the Context of Non-Financial Risk
14  Managing Conduct Risk: Framework and Perspectives
15  Successful ESG Transition: Implications and Challenges for Effective Risk Management


Norbert Gittfried is a Partner and Director at Boston Consulting Group. As topic coordinator for Compliance & Regulation, he advises large financial institutions worldwide on complex compliance transformations and the development of overarching non-financial risk steering approaches. His focus lies both in establishing effective Compliance and NFR Management systems and in digitising those functions and making them more efficient. Prior to joining BCG 11 years ago, he was Senior Manager at a Big 4 Company. He is a lecturer at Goethe Business School and a permanent representative in various industry bodies for FI.
Georg Lienke is a lawyer and Associate Director at Boston Consulting Group focusing on non-financial risk management and Compliance. In his work for financial institutions and corporate clients over the last 15 years, his focus was on the design and implementation of target operating models for non-financial risk management. Georg regularly publishes on non-financial risk topics. He holds a Ph.D. in law from the Technical University Dresden and a Master of Laws in Corporate and Financial Law from the University of Hong Kong. Prior to joining BCG, Georg worked at a Big 4 Company and a global bank.
Florian Seiferlein is an Associate Director at Boston Consulting Group. For over a decade, he advised leading companies on Compliance & Non-Financial Risks (NFR). He managed large-scale Compliance & NFR transformations, investigations and regulatory assessments in Europe, North America and Africa, and he was also a part of US Monitor teams. Prior to joining BCG, he worked for Big 4 and management consulting firms. Florian holds a Master of Science in business engineering (Karlsruhe Institute of Technology).
Jannik Leiendecker is a Partner and an Associate Director at Boston Consulting Group. Over the last 11 years, his focus has been on Non-Financial Risk (incl. Compliance) and ESG. He has advised numerous clients especially within the Financial Services industry on the set-up and optimisation of their respective operating model. He has also co-authored various corresponding publications. Jannik holds a Master of Science in Economic History from the London School of Economics and a Bachelor of Science in Business from the Ludwig-Maximilians-University in Munich.
Bernhard Gehra is a Senior Partner and Managing Director at Boston Consulting Group. His focus has been on Risk, Compliance and Technology for more than 20 years. During the last of those, he has led large worldwide projects focused on Risk and Non-Financial Risk. Furthermore, Bernhard recently managed ESG Compliance issues for large companies. Prior to joining BCG, he worked for a global securities service provider. Bernhard holds a Ph.D. in information science.


Prof. Dr. Douglas Arner, Kerry Holdings Professor in Law, RGC Senior Fellow in Digital Finance and Sustainable Development, Faculty of Law, University of Hong Kong, Hong Kong
Dr. John Ashley, General Manager, Financial Services and Technology, NVIDIA Inc., San Francisco Bay Area
Ulrike Brouzi, Member of the Board of Managing Directors, DZ BANK AG, Frankfurt
Rene Bystron, Project Leader, Boston Consulting Group, Seattle
Dr. Oliver Engels, Chief Risk Officer, Deutsche Börse AG, Frankfurt
Dr. Erasmus Faber, Managing Director, Head of Compliance & Risk Management Germany, Twelve Capital (DE) GmbH, Munich
Lorenzo Fantini, Managing Director & Partner, Boston Consulting Group, Milan
Barbara Fojcik, Project Leader, Boston Consulting Group, Munich
Dr. Jan-Oliver Fröhlich, Project Leader, Boston Consulting Group, Hamburg
Kai Gammelin, Risk prevention and compliance expert in a leading position in the financial industry, Bludenz
Dr. Julia Gebhardt, Partner, Boston Consulting Group, Munich
Dr. Ulrich Göres, Frankfurt
Peter Gürtlschmidt, Mag. MA, Vice President, Head AFC GMIC Corporate & Investment Bank Germany / EMEA, Deutsche Bank AG, Frankfurt
Dr. Katharina Hefter, Managing Director & Partner, Boston Consulting Group, Berlin
Hurdogan Irmak, Head of Risk Management, Isbank, Istanbul
Marc Peter Klein, Ass. jur., Managing Director, Head AFC Corporate & Investment Bank Germany / EMEA, Deutsche Bank AG, Frankfurt
Dr. Michael Lange, Managing Director, Divisional Head Compliance, DZ BANK AG, Frankfurt
Annika Melchert, Manager, BCG Platinion, Dubai
P. Robert Mieszkowski, DZ BANK AG, Frankfurt
Martina Mietzner, Managing Director, Chief Compliance Officer, Bayerische Landesbank, Munich
Burcu Nasuhoglu, Head of Operational Risk Management, Isbank, Istanbul
Dr. Jochen Papenbrock, Financial Services and Technology Developer Relationship Lead EMEA, Gaia-x FAIC Lead, NVIDIA GmbH, Frankfurt
Aytech Pseunokov, Project Leader, Boston Consulting Group, Dubai
Jennifer Rabener, Project Leader, Boston Consulting Group, Munich
Luca Rancan, Project Leader, Boston Consulting Group, Milan
Michele Rigoni, Principal, Boston Consulting Group, Milan
Dr. Barbara Roth, Managing Director, Head Group Internal Audit, Deutsche Börse AG, Frankfurt
Dr. Christian N. Schmid, Managing Director & Partner, Boston Consulting Group, Munich
Prof. Dr. Martin Schulz, Attorney at law, Counsel, CMS Hasche Sigle, Frankfurt
Björn Stauber, M.Sc., First Vice President Compliance, KfW Bankengruppe, Frankfurt
Rei Tanaka, Managing Director & Partner, Boston Consulting Group, Tokyo
Benedetta Testino, Project Leader, Boston Consulting Group, Milan
Federico Truffelli, Deputy Head of Group Anti-Financial Crime, Group Head of AML/FS Risk Assessment, Controls and Liaison Office Support, UniCredit Group, Milan
Anita Varshney, Global Vice President, Strategy SAP S/4HANA Sustainability, SAP, Hong Kong
Valérie Villafranca, Managing Director, Group Head of ESG Transformation, Société Générale, Paris
Lora von Ploetz, LL.M. Law, LL.M. Finance, Director, Head of Global Financial Crime Unit, Commerzbank AG, Frankfurt
Daniel Wagner, Manager, BCG Platinion, Frankfurt
Dr. Carsten Wiegand, Knowledge Expert, Team Manager, Boston Consulting Group, Frankfurt


These are turbulent times for the financial industry and for society at large. Banks, insurers, asset managers and other financial services providers are subject to a profound, lasting disruption, shaping the way value is created and how people will work in the decades to come.
Climate change and the role of the financial industry in the historical transformation toward greenhouse-gas neutrality are at the top of almost every CEO’s agenda. The industry is subject to game-changing environment, social and governance (ESG) regulation and disclosure requirements and is adopting a role as a change agent to finance the climate transition. The climate agenda deeply impacts the industry’s business and risk strategies, triggering fundamental changes to the way financial and non-financial risks are managed.
Since the COVID-19 outbreak in late 2019, society has seen a whirl of lockdowns and contact restrictions. The pandemic has also impacted businesses of all shapes and sizes across a range of industries, with the 2020 global gross domestic product down by almost 3.5%.[1] The financial industry has continued to prove its social and economic relevance during the pandemic, delivering vital aid to businesses and individuals at record speed, creating new processes and systems on the fly and shifting workforces and operations to remote conditions. COVID-19 accelerated digitisation to new heights, with some senior executives painfully realising that digital is not optional but a question of making the cut.
On top of this, regulatory agencies are ramping up their efforts to ensure corporations obey the rules – and are imposing heavy penalties on those that fail to deliver. From 2009 to 2020, global regulators handed out almost 400 billion in fines for non-compliance.[2]
To emerge stronger from these challenging times, financial institutions must succeed on many fronts, with non-financial risk management being a critical component. This holds particularly true in times of geopolitical unrest such as the current conflict between Russia and Ukraine. For global financial organisations with a broad product portfolio across multiple geographical regions, the management of non-financial risks is complex, and pitfalls are looming: insufficient consistency in policy standards, divergence in regional execution, opaque risk exposure and a fragmented IT landscape, to name just a few. The need for a bank-wide, global non-financial risk management framework has become abundantly clear.
This handbook is intended as a guide to establish a target operating model for non-financial risk management, primarily for the financial industry, and covers the entire risk management lifecycle. This includes a definition of non-financial risk, risk appetite frameworks, risk governance, top-down non-financial risk assessments, internal control frameworks, data and IT governance as well as conduct and ethics.
The editors are grateful to the contributors, who are all leading experts in non-financial risk management, compliance and ESG.
Frankfurt and Munich, February 2022
The editors Norbert Gittfried, Dr. Georg Lienke, Florian Seiferlein, Jannik Leiendecker and Dr. Bernhard Gehra

[1] IMF 2021.
[2] BCG 2021a.

1  Introduction: Rising to the Challenges of Non-Financial Risk Management, Compliance and ESG

Prof. Dr. Douglas Arner, Dr. Bernhard Gehra, Jannik Leiendecker, Dr. Georg Lienke
Historically, financial institutions have focused many of their risk management efforts on financial exposures directly attributed to core business activities. However, in recent times, non-financial risk (NFR) management with an emphasis on compliance and environment, social and governance (ESG) risks has moved up the policy and executive agendas, amid new regulations, a range of compliance issues (some leading to significant fines) and increasing pressure to act as change agents in the transition towards a decarbonised economy. A robust NFR framework is indispensable in a crisis, so that the necessary quick and effective response measures can be taken. This became unmistakably clear in the conflict between Russia and Ukraine, with unprecedented sanctions being imposed on Russia that heavily affect the global financial industry and non-financial sectors.
This handbook analyses the major success factors for meeting the requirements of modern non-financial risk management: an institution-specific target operating model (TOM) integrating all critical components – strategy, governance, risk management, information technology and data architecture including digitisation and artificial intelligence as well as ethics. The handbook has been written by senior NFR, compliance and ESG experts from key markets in Europe, the US and Asia, and it gives practitioners the necessary guidance to master the key challenges in today’s global risk environment. Each chapter includes key regulatory requirements, major implementation challenges, practical solutions and industry examples.

1.1  New risks and challenges

Institutions face non-financial risks across a range of activities: from onboarding clients to running IT systems and carrying out daily operations. Amid a continuous flow of new risks, failures in these areas can have significant economic and reputational consequences, both for the institutions as well as their executives. Globally, compliance issues led to 394 billion in fines during the years 2011 to 2020, including 50 billion in 2018, 2019 and 2020 alone.[1] In response, financial institutions have dramatically enhanced their oversight capabilities, leading to a proliferation of risk managers, internal auditors, control specialists and compliance officers, each with their own unique backgrounds, perspectives and skill sets.
These teams of experts have tended to focus on specific areas, leading to the evolution of siloed and fragmented processes, the disjointed nature of which has itself become an operational risk. A lack of coordination has created gaps, overlaps and mismatches in the three lines of defence (3LoD) framework at most institutions. Risk functions today often produce different risk reports that apply different methodologies to analyse and quantify risk, making it difficult for executives to put risk categories into proportion and arrive at accurate implications for overall risk management. This comes on top of existing complexity: global financial organisations need to orchestrate separate product divisions, infrastructure functions (including risk management) and geographical regions, representing a range of legal entities in local jurisdictions as well as regulators and regulatory systems and requirements in multiple jurisdictions. At the same time, they need to weave in effective and efficient measures to manage non-financial risks. The challenges are significant, suggesting that a holistic, structured approach is critical.

1.2  A forward-looking solution for non-financial risk management in the financial industry

To continue to thrive in an increasingly challenging risk environment, financial institutions need to develop a sophisticated approach to non-financial risk management. This can be done by establishing an institution-specific non-financial risk TOM, which subsequently allows for a proper definition of risks, creates an integrated view of the 3LoD and builds an effective internal control system – informing sensible executive decision-making that can prevent inevitable risks from getting out of control.
This handbook outlines the key ingredients of a non-financial risk TOM for financial institutions. The book sections follow a consistent structure: chapters start with an individual introduction to the topic at hand, followed by a summary of key regulatory expectations across the EU, the US and Asia. Each chapter assesses operational challenges and complexities, and it delivers approaches to define solutions based on industry success factors. Chapters are augmented by practical, hands-on examples from seasoned practitioners. They conclude with summaries of key takeaways.

1.3  Defining and aligning non-financial risk categories

Risks are inherent to every business model, so that a zero-risk tolerance approach is in fact counter-intuitive. Historically, financial institutions have focused their attention on financial risks, including credit risk, market risk, liquidity risk and funding risks, aggregating the remainder under a category most often labelled as operational risk. Recently, non-financial risks have evolved as an independent category for risk management, allowing for a more tailored approach to management of individual non-financial risks. Chapter 2 provides a general definition of non-financial risk, delineates non-financial risk from financial risk, and provides definitions for categories and types of non-financial risk for financial institutions.

1.4  Establishing a non-financial risk appetite framework to prevent undesirable risk-taking

Following the definition of non-financial risk, chapter 3 provides a holistic approach to defining a non-financial risk appetite framework for financial institutions across three levels. This includes qualitative risk appetite statements for individual non-financial risk categories, outlining the level and types of risk that the financial institution is willing to take on in order to achieve its strategic objectives and business plan (level 1). Qualitative risk appetite statements are broken down into risk appetite metrics and corresponding thresholds, enabling institutions to set quantifiable tolerance levels for non-financial risk and underlying operational activities (level 2). Level 3 cascades the risk appetite framework to business lines and entity levels via pre-defined key risk indicators, facilitating the early detection of potential deviations from risk appetite objectives and potentially triggering timely interventions. The chapter also draws an outline of the corresponding governance that is required to operate a risk appetite framework.

1.5  Building key governance and organisational pillars for non-financial risk management

Three chapters outline the governance and organisational structures required for sustainable non-financial risk management, standing on three major pillars. The three lines of defence (LoD) model (chapter 4) defines the roles and responsibilities of the first LoD (front, middle and back office), the second LoD (risk control functions) and the third LoD (internal audit). The chapter focuses on the independence of second-LoD control functions and describes the concept of risk coordinating functions in the first LoD as a regulatory competence centre, coordination unit and interface to the second LoD.
‘Global functional lead’ (chapter 5) stands for a combination of strategic, governance and risk management elements defined by an institution that aim to enable a consistent execution of risk management activities across complex organisations. It comprises the central setting of global risk management standards by horizontal risk management functions and their execution by vertical product- or region-focused functions, with direct or indirect reporting lines into horizontal functions. A policy and procedure framework (chapter 6) is intended to ensure that standards are met in the execution of an institution’s business and operational activities. It builds a structural policy hierarchy, allocating the financial institution’s documents, including board directives, policies and procedures, to different hierarchical levels. It structures them by risk types, business segments and relevant geographies.

1.6  Generating excellence in the non-financial risk management lifecycle

Three chapters describe the most essential components of a financial institution’s non-financial risk management lifecycle.
Sophisticated institutions apply a top-down approach to non-financial risk assessment, using risk-type agnostic criteria to evaluate their exposure to non-financial risks and derive the proper implications for bank-wide risk management. Chapter 7 elaborates on the methodology for a top-down non-financial risk assessment.
A key element of effective risk mitigation is the underlying internal control framework. Controls can take a variety of forms, ranging from automated/manual process controls to the conduct of training sessions and the definition of internal policies and requirements. A comprehensive internal control framework needs to combine a top-down approach (focusing on controls addressing the most relevant risk types) with a bottom-up approach (whereby individual risks and controls are identified based on a detailed review of the underlying processes). Chapter 7 comprises a deep dive on the top-down approach for the creation of an internal control framework.
Financial institutions are confronted with non-financial risks that are increasing both in number and severity, and they face non-financial risk exposure in almost every area of activity. In many institutions, this has resulted in a heterogeneous reporting landscape for non-financial risks, with a variety of bottom-up, risk-specific reports from different functions and often diverging criteria for the measurement of risk. Hence, financial institutions are in ever greater need of an overall non-financial risk reporting approach, spanning across risk types and consolidating the measurement of risk and the adequacy assessment of risk-mitigating controls. Only such a top-down report can give executive management the fact base and insights necessary to steer an institution effectively. Chapter 8 describes an approach to risk-agnostic non-financial risk reporting.
Chapter 9 is a deep dive into investigation capabilities, combined with root cause analysis. Alongside the ongoing harmonisation of European corporate law, individual jurisdictions are increasingly requesting the strengthening of investigative capabilities to better understand the root causes of corporate misconduct. This includes the establishment of risk oversight and reporting capabilities, the establishment of a dedicated organisational unit as well as of processes and methods, alongside communication with stakeholders. Particular emphasis is put on the root cause analysis to determine the underlying reasons for misconduct. These insights are then used to identify corresponding lessons learned.

1.7  Using data, IT and artificial intelligence

Today, excellent non-financial risk management is heavily supported by an adequate data and IT architecture. Chapter 10 starts with an outline of the associated challenges, ranging from heterogeneous (and partially unavailable) non-financial risk data and fragmented responsibilities to partially integrated IT applications. These challenges can be addressed by defining a comprehensive strategy, creating full transparency of the IT architecture and aligning it with the required data architecture. This can subsequently be translated into a short- and long-term roadmap towards a more public cloud-based or on-premises data platform.
Chapter 11 describes the data governance required to facilitate effective NFR management. Historically, data governance has focused on “financial risk”, thereby often leaving non-financial risk aside. Yet an effective non-financial risk data governance system can be established by leveraging existing data governance frameworks. This entails a clear assignment of roles and responsibilities (including non-financial risk data officers, data owners, stewards and custodians), implementing concrete use cases, scaling up, as well as defining a comprehensive data catalogue and supporting technologies. The resulting data governance should subsequently be integrated into existing governance structures on both entity and group levels.
Accelerated by COVID-19, the financial sector is experiencing a substantial digital transformation of business and operating models, mainly to cater for changing customer expectations and behaviour and to optimise the efficiency of financial operations. Digitisation multiplies the volume of available data and opens opportunities for the use of artificial intelligence (AI) and other forms of sophisticated analytics in non-financial risk management. Concurrently, regulatory expectations on the financial sector’s uses of AI are increasingly demanding and must be managed to withstand regulatory scrutiny. Chapter 12 examines how AI can help improve non-financial risk management and contains two use cases for AI usage: financial crime prevention and the prevention of market abuse.

1.8  Putting conduct and ethics at the centre of sustainable non-financial risk management

Recent scandals in the corporate world have demonstrated that a lack of ethical values is often at the root of corporate misconduct. Hence, the role of conduct and ethics cannot be emphasised enough.
Chapter 13 describes the subtle interplay between ethics, conduct and integrity in the context of the financial industry, and it outlines the implications for managers who must learn to navigate today’s complex regulatory landscape. Most business ethicists agree that, in general, financial institutions’ ethical taxonomies can be divided into two categories: conduct/compliance-based ethics and integrity-based ethics. While the former constitute principles and codes born from government regulations, the latter are based on the establishment of core principles to which all employees are asked to adhere and by which they govern themselves. Organisations that combine conduct-/compliance-based with integrity-based ethics can significantly mitigate conduct risk (market, client and employee conduct risk). Three major areas emerge as key focal points for regulatory oversight: expansion of the circle of stakeholders, elimination of “rolling bad apples” and greater cross-border collaboration. Supervisory bodies expect companies to behave ethically and maintain a strong focus on good conduct, not just towards their customers but towards all stakeholders. Technology is playing an increasingly important role in supporting the monitoring and implementation of good conduct.
Chapter 14 examines two key trends in the regulation of conduct risk: Treating Customers Fairly (TCF) and the Senior Managers and Certification Regime (SM&CR). The idea of TCF as the standard for good conduct has made its way into financial regulatory frameworks all across the globe. Another overarching global trend has been the shift away from a case-by-case approach towards treating conduct risk as a systemic phenomenon. As such, recent regulations have focused on extending individual liabilities through elaborate SM&CRs. Conduct risk figures prominently on the ESG agenda for two main reasons: it is a key feature of a firm’s governance framework and is directly impacted by sustainability risks, and its occurrence is estimated to be on the rise as ESG investing brings forth novel opportunities and new decision-making.
To manage conduct risk, the development and implementation of an effective conduct risk framework is required, one that reflects and is tailored to a firm’s culture, business environment and regulatory landscape, and that is implemented through appropriate systems. Three key principles, however, should stand at the core of every framework: standardised metrics, customer centricity and clear definitions. Unfortunately, there is no one-size-fits-all approach. Each financial institution must remain vigilant about new conduct risks and develop its own approach based on its own exposures, activities and overall strategies.

1.9  Environment, social and governance: Implications for effective risk management

With the issuance of the UN Sustainable Development Goals, the Paris Climate Agreement in 2015 and, more recently, the COP26 climate summit in Glasgow in 2021, ESG issues have risen to the top of the agenda of the global financial services sector. Of all ESG topics, climate change has the highest profile – for good reason. The risks associated with climate change and their implications for the global financial system’s stability are now universally acknowledged. In addition, financial institutions are set to play a pivotal role in global efforts to adapt to climate change as well as to mitigate its negative effects. Adaptation in this context requires financial institutions to support clients in managing the physical risks associated with the impact of climate change (such as destruction of assets by natural disasters). Climate change mitigation, on the other hand, requires a transition to a carbon-neutral economy, which will in turn involve trillions of dollars in funding. Directing private funding to sustainable activities is a monumental effort that requires both cross-border coordination and support from the financial services industry.
Chapter 15 begins with a review of the current ESG regulatory landscape in selected jurisdictions, noting the different levels of regulatory advancement but also the breakneck speed at which new sustainable finance regulations are being rolled out. These, and their impact from the standpoint of compliance, will be a key theme going forward. The chapter then examines the most common challenges associated with ESG implementation, such as divergent approaches to the materiality of ESG information, lack of uniform taxonomies of sustainable activities, scarcity of ESG data and the resulting reliance on third-party information providers. The chapter also covers the voluntary disclosure standards and frameworks which came to the fore in recent years, and provides guidance on their application and use.
The chapter continues to analyse the key components required for a successful green transition, noting the importance of having a clear ESG strategy supported by a robust governance model. The right resources, technology, culture and ecosystems are key enablers of an ESG transition, and they can also create new value-generating opportunities.

[1] BCG 2021a.

2  Definition of Non-Financial Risk in Financial Institutions

Martina Mietzner, Dr. Julia Gebhardt, Dr. Katharina Hefter, Jennifer Rabener, Dr. Carsten Wiegand

2.1  Introduction

Risk management has always been a core element of financial institutions, which play a significant role in the transformation function of the financial markets, thereby transforming lot sizes, maturities and risk.[1] However, in recent years not all loss events could be attributed to traditional financial risks. These so-called non-financial risks are, in fact, linked to operations.
As a first step in the discussion of risk management and the different types of risk, it makes sense to consider the definition of risk itself. According to the Oxford Learner’s Dictionary, risk is defined as “the possibility of something bad happening at some time in the future; a situation that could be dangerous or have a bad result.”
To offer products and services, financial institutions need business operations. These include headquarters and branch operations, such as physical assets like buildings, rental space or even vaults. These physical assets are complemented by IT infrastructure with both hardware as well as software.
Overall, there are five sources of potential operational risks or operational risk events.[2] These are people, processes, systems, external events and legal risks. All these components of the business and operating models give rise to a wide range of potential risks. These need to be identified, measured and managed. In managing these risks, banks must balance the expected return from risk-related activities with the amount of loss from these activities if risks materialise, as well as the costs of their management or mitigation. According to the Basel Committee, an effective operational risk management system and a robust level of operational resilience work together to reduce the frequency and impact of operational risk events.[3]
Financial business inherently includes numerous risk types, so complete risk avoidance in the sense of a “zero risk tolerance” is impossible. Risk taking and the management of risks are an integral part of the business. When providing loans to customers, financial institutions take on a credit risk. As the value of assets, such as securities, depends on certain underlying market parameters, such as interest rates, commodity prices or share prices, they are also exposed to market risks. Another core element of banking is taking deposits to fund loans. The management of the resulting cash inflow and outflow from assets and liabilities results in liquidity risks.
There are generally five basic management approaches to treating risks[4]: acceptance, avoidance, mitigation, sharing and transfer. Risk avoidance aims at fully evading the risk. This can mean that certain business activities need to be stopped or not performed, or processes need to be designed in a way that ensures that the particular risk does not arise. For example, when a bank wants to avoid any risk from outsourcing part of its value chain, the entire process needs to be done in-house. If currency risks are to be avoided for certain currencies, then these currencies cannot be used for trading, lending or payment services.
Risk mitigation describes the process of taking actions to reduce the possible loss event frequency or the possible impact of loss events. It is central to the mitigation strategy that an effective control environment is established, with preventive as well as detective controls. An internal control environment is an essential part of all risk management processes, and almost all regulators require financial institutions to have one. The European Banking Authority (EBA) publishes detailed guidelines on internal control frameworks in Title V of its guidelines on internal governance.[5]
Where internal controls do not adequately address risks and accepting the risk is not a reasonable option, management can also share or transfer the risk to another party, for example by way of insurance products.[6] However, the Basel Committee points out that risk transfer is an imperfect substitute for sound controls and risk management programmes; hence, banks should view it as a complementary strategy rather than a replacement for thorough internal operational risk controls.[7]
Risk acceptance means that the risk is accepted without taking any specific measures. This can be the case when a certain risk type is deemed non-material for the financial institution. An indicator for this could be that the expected loss would be less than the costs of the management activities required to mitigate the risk.[8] In addition, this strategy is also applied to the assessment of residual risks, i.e. the risk exposure that remains after controls have been considered.[9]
The choice of the approach for any particular risk type depends on the individual bank’s business model, i.e. its products, services, processes, people, transaction channels as well as physical and IT infrastructure. It further depends on the bank management’s risk strategy and risk appetite, as well as on the relevance of the risk type in this combination. The general approach to risk management stated in the risk strategy is detailed in the risk appetite statement, which elaborates on the types and amounts of risk a financial institution is willing to take. For more details on risk appetite, especially from a non-financial risk perspective, please refer to chapter 3.
The practices of risk management vary depending on the size and complexity of business models and operations. However, a general approach to risk management always contains four core steps for each identified risk type. The first step is the determination, description and measurement of the inherent risk of the particular risk type. Inherent risk is defined as the amount of that type of risk without any mitigating measures or control processes. In a second step, based on this inherent risk, an assessment of potential mitigating measures is performed. These mitigating measures can take different forms, one of which is the use of internal controls for a certain type of risk. Such mitigating measures are intended to reduce the impact of a risk event. The implementation of controls around the processes related to the specific risk type can help reduce both the probability of a risk event and its impact should it occur. Examples of such controls are the four-eyes principle or user access management. In a third step, the residual risk needs to be managed, if any remains after application of all mitigating measures and controls. Lastly, all of these steps need to be documented and reported to management, at least on an aggregated level.

2.2  History of non-financial risk and specifications by key regulators

Definitions of different types and clusters of risk are in use in financial institutions across the globe. Some of the risk types are standardised, with clear definitions by regulators; other risk types are not always clearly defined. The understanding and research of risks, root causes and effects gradually evolve. Laws, regulations and regulating authorities integrate, extend and adjust this knowledge, mostly driven by events and scandals. Therefore, we will take a look at the history of the development of non-financial risk here, and analyse commonalities and differences in regulatory definitions of risk types – with a focus on definitions around non-financial risks.

2.2.1  A short history of non-financial risk

Looking at the history of the development of non-financial risk, the starting point is perceived by many as the development of operational risk. In 1997, the Basel Committee on Banking Supervision (BCBS or Basel) issued a paper that set out 25 core principles for effective banking supervision.[10] One of the key risks faced by financial institutions was cited as operational risk, which was defined “as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.”[11]
Two years later, BCBS issued a proposal for a new capital adequacy framework to replace Basel I, the capital measurement system launched in 1988.[12] Following the publication of the first round of proposals in 1999, the revised framework for capital measurement and capital standards, called Basel II, was endorsed in 2004. As part of the framework, operational risk, along with credit risk and market risk, was named as a risk type for capital requirements calculations. The scope of the definition of operational risk was contained in seven loss event types: (1) internal fraud, (2) external fraud, (3) employment practices and workplace safety, (4) clients, products and business services, (5) damages to physical assets, (6) business disruptions and system failures, and (7) execution, delivery and process management.[13]
The idea of Basel II was to measure operational risk on a model basis by using loss data from operational risk loss events through one of the following three methods: the advanced measurement approach (AMA), the basic indicator approach (BIA) or the standardised approach (STA), which was mainly based on revenues over the past three years. However, the distributions used in the AMA were unable to appropriately consider extreme outliers because risk measurement and the corresponding capital requirements were always based on some confidence level. In comparison with operational risk management, non-financial risk management is not only based on historical events but needs to include risk assessments that require organisations to familiarise themselves with their business models, risk appetites and the risks themselves. This means that financial risks are the original risks while non-financial risks are second-order effects of the original risks. And while financial risks can be measured, it is still a challenge to measure non-financial risks.
In parallel with the BCBS developments, the history of non-financial risk was shaped by six waves, each of which triggered the development of the respective risk type (Figure 1).
Figure 1: Development of non-financial risk
The first wave relates to the topic of conduct and mis-selling. As a result of the mis-selling scandals of the 1990s and early 2000s, including the dotcom bubble, and parallel to the development of Basel II, the European Markets in Financial Instruments Directive, also known as MiFID, was introduced in 2004 and has been applied since 2007. Its objective, amongst other things, was to set out conduct-of-business and regulatory reporting requirements to prevent market abuse.[14]
The second wave relates to financial crime risks. An understanding was gained that many compliance-related incidents involved white-collar crimes. According to the US Federal Bureau of Investigation, white-collar crime refers to the full range of frauds committed by business and government professionals and is independent of the application or threat of physical force or violence.[15] In addition, it was noticed that retail customers were also involved in crimes, for example by committing tax evasion.
The third wave relates to the growing interest in data privacy that was triggered by the expanding use of data and online technology, including online banking. As early as 1992, the European Union published the European data protection directive, which came into force in 1995. It aimed to protect individuals with regard to the processing of personal data and the free movement of such data.[16] More than ten years later, in 2011, the European Union issued an opinion on a comprehensive approach to personal data protection.[17] This resulted in the European Union regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data in 2016, commonly referred to as the General Data Protection Regulation (GDPR), which has been in effect since 2018.[18] Other jurisdictions have adopted comparable regulations under other names and in other forms, such as the California Consumer Privacy Act (CCPA), introduced in 2018 to enhance privacy rights and consumer protection.[19]
The fourth wave relates to information and communication technology (ICT) as well as cybersecurity risks. With the growing relevance of technology, these risks have gained in importance and the need for the position of a chief information security officer (CISO) arose. The EBA therefore reacted in 2019 by issuing the guidelines on ICT and security risk management that came into force in 2020,[20] and, in 2021, by launching, together with Europol’s European Cybercrime Centre, a campaign called Cyber Scams 2.0 to raise public awareness of cybercrime.[21]
The fifth wave relates to operational resilience and outsourcing/vendor risks. Along with increased technological risks, the need for the overall stability of financial institutions and the financial system triggered a regulatory push towards operational resilience. This was spearheaded by the UK regulatory authorities’ policies both on operational resilience and on outsourcing and third-party risk management (published in 2019 and in force since 2021).[22],[23] The BCBS followed by publishing its principles for operational resilience in 2021.[24] The disintermediation of the value chain, driven by technological developments, led to a greater importance of understanding both supply and process chains as well as knowing third parties such as vendors and contractors.
The sixth wave relates to environmental, social and governance (ESG) as well as general strategic risks. ESG is not perceived as a singular risk type of the risk taxonomy but is rather included in overall strategic risks. It influences, or materialises in, other risk types. The environmental element is found in supply chain management and the well-established know-your-supplier process. By contrast, the social element is generally associated with human resources and led to the introduction of anti-discrimination laws and quotas. With the increasing importance of the good citizenship model, an ethical change has taken place, and the public has developed higher expectations for moral behaviour in organisations. As such, ESG risks are clearly embedded in strategy discussions and form a part of the strategic risk faced by financial institutions and all other organisations.

2.2.2  Existing non-financial risk specifications by key global and regional regulators and associations

The term non-financial risk is not yet commonly used by regulators. While definitions exist for individual risk types, such as operational risk or AML risk, some of them fairly widely adopted, regulators have not summarised a catalogue of risk types under the heading of non-financial risk. Thus, no clear regulatory definition of non-financial risk has been established.
On a global level, BCBS does not provide a definition of non-financial risk. The Basel Committee has, however, updated the principles for the sound management of operational risk and published a linked paper on operational resilience in March 2021. Like Basel, regulators more frequently advise on operational risk management and in part reference some of the non-financial risk types within those policies.
In Europe, Banco de España mentions certain examples of non-financial risks, such as misconduct, non-compliance, IT, reputational, cybersecurity or operational challenges. The basis for distinguishing them from financial risks is that the mentioned non-financial risks are not linked directly to financial decisions and have nothing but a downside. Also, according to Banco de España, a further defining element of non-financial risk is that it is hard to quantify precisely. Finally, operational risk is referenced as the specific part of the Basel Accord that includes a capital charge for these types of risk.[25] The ECB annually publishes a report on the outcome of the Supervisory Review and Evaluation Process (SREP) IT Risk questionnaire, which specifically deals with findings and weaknesses relating to IT risks.[26]
US regulators do not explicitly provide a definition of non-financial risk. However, in its November 2019 Supervision and Regulation report, the Federal Reserve Board (FED) gives examples of risk-management weaknesses for US banks with less-than-satisfactory supervisory ratings. These examples include compliance, internal controls, model risk management, operational risk management and/or data as well as information technology infrastructure. Further weaknesses mentioned concern the Bank Secrecy Act (BSA) and anti-money laundering (AML) programmes.[27]
Among Asian-Pacific regulators, the Australian Prudential Regulation Authority (APRA) refers to non-financial risks in its information paper on governance, culture, remuneration and accountability. However, it does not provide an explicit definition of non-financial risk.[28]

2.3  Differentiation of financial and non-financial risk

Given the lack of clarity concerning a standardised definition of non-financial risk, we here define the terms ‘financial risk’ and ‘non-financial risk’ the way we will use them throughout this book. The general approach considers regulatory definitions already in use and attempts to find a structure that encompasses all types of risk.
Financial risk can generally be defined as “the possibility of losing money on an investment or business venture.”[29] Other categorisations of financial risk use the question of measurability, meaning whether methodologies are available to accurately model and measure risk.
However, as neither approach clearly defines the risk types that would be considered under financial risk, our definition of financial risk is based on a positive-list approach, enumerating all risk types that belong in this risk category. Non-financial risk is then defined as the remaining risk types. Moreover, due to the importance of the term “operational risk,” which is a supercategory for some, but not all, non-financial risks, non-financial risk itself is subdivided into two key categories: operational risks and strategic risks. Taken together, this approach covers all types of risk possible in financial institutions.

2.3.1  Financial risk definition

Our definition of financial risk is based on the enumeration of all included individual financial risk types. For the purposes of this book, the three financial risk types included in the definition of financial risk are credit risk, market risk and liquidity risk.
The BCBS defines credit risk as “the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms.”[30]