A risk appetite strategy for nonfinancial issues

(10 pages)

In 2022, losses, fines, and legal expenses for nonfinancial risks cost the banking industry $19 billion, bringing the total price tag for nonfinancial risks to more than $460 billion since 2010.

Nonfinancial risks—those that emerge from people, processes, systems, and external events—are challenging to manage for all institutions, and executives are faced with a constantly changing landscape of risk events and disruptions. Despite the inherent challenges, it is important to clearly define an appetite for these risks to limit the risk taking in areas that go beyond a company’s risk capacity and threaten its business objectives. This appetite needs to be balanced against return optimization by investing in activities that offer the highest yield.

For financial institutions, risk appetite is a particularly important component of an end-to-end risk management framework. It needs to be supported by other risk management components, such as a comprehensive risk taxonomy, robust risk identification and assessment processes, data and analytics capabilities, and a risk aggregation and prioritization logic based on risk materiality. Risk appetite needs to be integrated into risk governance and oversight, reporting, and risk decision making and mitigation actions (Exhibit 1).

Risk appetite is a core component of an end-to-end nonfinancial risk management framework.

At financial institutions, setting risk appetite for financial risks is an extensive, regulatory-driven practice to manage risks to the balance sheet, profit-and-loss statement, and cash flows. The objective is to limit the credit, market, and liquidity risk capacity of financial assets and liabilities in relation to capital and funding. At the same time, executives need to trade off allocation of scarce capital and funding with risks to optimize returns, which are measured by the return on equity and risk-adjusted capital.

For nonfinancial risks, setting risk appetite is a much more elusive and theoretical concept than for financial risks.

In this article, we share our experience of working with financial institutions that have an assured grasp of their nonfinancial-risk appetite through actions to enhance nonfinancial-risk management. We identify the principles that guide the framework design and the methods used to achieve the emerging approach in managing nonfinancial-risk appetite for an institution.

Shifting focus from management of financial to nonfinancial risks

The focus of the financial industry has, in recent years, shifted from management of financial risks to nonfinancial ones, such as operational risk, regulatory compliance, and the compliance and conduct necessary to prevent financial crimes.

The shift has been driven by major industry trends such as the mis-selling of products, facilitation of tax evasion, breakdown of controls to protect institutions against money laundering, new regulations, and heightening supervisory expectations. Risk managers must also contend with new obstacles: advanced-intelligence-driven, digitized operating models; regulatory requirements for compliance and operational safety; and organizational and process challenges that come from a need for continuous efficiency and productivity enhancements.

In many ways, the impact of nonfinancial risks on financial institutions is more threatening than that of financial risks: these risks cannot be passed on to customers, have more extensive reputational effects, and often require more complex remediation efforts at higher costs than financial risks. In some years, the nonfinancial-risk losses have equaled or exceeded the cumulated credit risk provisions or impairments at banks. As mentioned, losses, fines, and litigation expenses have cost the biggest European and US banks more than $460 billion since 2010 (Exhibit 2).

Operational losses, fines, and litigation costs for nonfinancial risks have cumulated to approximately $460 billion over the past 14 years.

Yet these firms typically continue to spend much more than the industry average on managing nonfinancial risks. While the average European bank employs 8 to 9 percent of its staff in money-laundering prevention, the most efficient banks employ just 4 to 5 percent. For banks with money-laundering issues, as much as 18 percent of employees work in money-laundering prevention.

Similarly, for regulatory compliance, large international banks that have experienced a major conduct or regulatory compliance breach employ 2.0 to 3.0 percent of their staff in the second-line regulatory compliance function, while the average large international bank has just 1.5 percent on the second line and the most efficient bank well below 1.0 percent.

In many ways, the impact of nonfinancial risks on financial institutions is more threatening than that of financial risks: these risks cannot be passed on to customers, have more extensive reputational effects, and often require more complex remediation efforts at higher costs than financial risks.

It is no surprise that even in a post-financial-crisis era of strong capital ratios and stricter regulation, we have seen bank failures and tremors within the financial industry resulting from nonfinancial risk. Executives may therefore feel unmoored when it comes to measuring an institution’s appetite for nonfinancial risk.

Principles for designing a risk appetite framework

Designing a risk appetite framework for nonfinancial risk relies on five fundamental principles. These are different from the approach for financial risks, which can be more easily aggregated to form a view of the risk of financial losses.

Principle 1: Focus on top nonfinancial risks by business areas and shared services

How a global bank used a business-driven risk appetite framework to manage nonfinancial risks

A global bank implemented a business-driven risk appetite framework with a specific risk appetite for top nonfinancial risks.

The bank redesigned its nonfinancial-risk-appetite framework to strengthen its effectiveness by defining the risk appetite from a business perspective, rather than from a control function perspective. The risk appetite definition was proposed to the board at the outset by the risk and compliance functions, but the business did not find this risk appetite actionable to guide decision making in the day-to-day business operations.

The bank based its framework on a set of five core principles:

Not all risks are of equal importance. Risk appetite should focus on top risks that matter the most for each business unit and these risks’ specific drivers to maximize the effectiveness and usefulness of the risk appetite for the business.
Qualitative statements, metrics, and limits or thresholds should be linked to the true drivers of each business unit’s top risks to make the risk appetite operational.
Risk appetite should be embedded in the business and its strategic decisions by putting the business in the lead for proposing risk appetite to avoid making it an exercise run by the control function.
Thresholds and tolerance levels should be complemented with control-based key performance and inherent risk indicators to unlock business management relevance.
Governance process for risk appetite breaches should be formalized by predefined actions and timelines for getting back within the threshold to trigger real consequences for the business.

The risk appetite was defined on a business unit level. Each unit described its business model and strategy and how its client segments, distribution channels, products and services, infrastructure, and external factors—such as market conditions and regulation—create inherent risk.

Each business unit set an overarching, general risk appetite applicable for all its nonfinancial risks (including risks for which management had been delegated to a support function, such as cybersecurity). For these risks, each unit formulated overarching qualitative statements on accepted and rejected risks, and expectations on the control environment. Specific non-risk-type metrics were defined as applicable for all risk types in the risk taxonomy, such as material issues identified by regulators or an internal audit and operational losses.

The business units defined the seven to ten top risks driving most of their risk profiles. For these risks, a risk-type-specific appetite was formulated, and the underlying risk drivers were identified to track and understand the exposure to the top risks. Specific risk-type statements were articulated on which risks to take and not to take and the expectations on risk-specific control frameworks and processes. Risk-specific metrics to monitor top risks were based on their identified drivers. Thresholds for the metrics were based on historical data, benchmarks, and discussions between the business and the control functions. Ultimately, the thresholds were cascaded to the region or desk level where appropriate (exhibit).

For top risks, risk drivers are defined, specific qualitative statements are developed, and metrics and thresholds are selected.

A business unit dashboard was built to track the development of the risk profile of the unit, covering both generic risk metrics and specific risk-type metrics for top risks. A breach review process with “hard triggers” for residual risk metrics indicates a potential risk appetite breach. Exceeding a hard trigger initiates a formalized review to determine whether the risk appetite has been breached and, if so, to decide on the appropriate remediation measures. “Soft triggers” are set for metrics monitoring effectiveness of controls and development of inherent risks that may warrant further preventative or preemptive actions but do not trigger a risk appetite breach.

If a risk appetite breach is confirmed, the business unit can develop a remediation plan that is reviewed, challenged, and agreed to by the relevant control function or functions. The remediation plan is based on one, or a combination, of the following options to either reduce the inherent risk, improve the control environment, or adjust risk appetite within three months, so as to bring residual risks back into appetite:

accelerating the strengthening or remediation of control frameworks
temporary or tactical controls
temporary risk acceptance
stopping new business
additional capital allocation
permanent change of risk appetite

Consistency between the risk appetites set on business unit level and group level is ensured through a set of common metrics and limits on both levels, such as operational risk losses.

Institutions often use the risk taxonomy as an anchor point for risk appetite and define statements for each risk type, which leads to a one-size-fits-all approach rather than a prioritization of risks by importance to the group or an individual business unit (see sidebar “How a global bank used a business-driven risk appetite framework to manage nonfinancial risks”).

Instead, setting risk appetite by business unit and shared-services function ensures focus on the risk that matters the most and strengthens the quality of outcomes for people, processes, and systems through the following means:

business and risk ownership alignment
risk prioritization from a business view that also helps to define appropriate key performance indicators (KPIs) and key risk indicators (KRIs) that the business and shared-services functions should follow
appropriate target setting for improvement and frequency

Leading institutions take a risk-based approach and set a more specific risk appetite for the top risks, using both qualitative statements and a set of three to five risk-specific metrics to formulate appetite. They tie the risk appetite to the institution’s risk taxonomy and typically set the appetite for top risks one level down in the nonfinancial-risk taxonomy because of the large variety of risk types within the nonfinancial-risk category with different risk drivers. A McKinsey analysis has shown that this approach, on average, results in ten to 12 top risk types in retail banking, wealth management, asset management, and capital markets and 15 in corporate and investment banking, compared with risk taxonomies that often have more than 30.

How an insurer used key risk and performance metrics to quantify nonfinancial risk appetite

A leading international insurance company sought to uplift the quality of its nonfinancial-risk management in response to recent litigation cases and regulatory inquiries. On first reading, this looked puzzling, as the management of risk was the very nature of the insurance business. But quantifying vast amounts of dispersed qualitative information is different from evaluating actuarial data and requires a clearly steered transformative effort.

The institution opted for a top-down risk assessment starting from an existing taxonomy of nonfinancial risks. To allow for greater manageability, these were split into a dozen risk domains composed of approximately three times as many risk vectors. For each risk, the institution calculated in a recurring cycle, first, the inherent risk exposure; second, the adequacy of the internal controls system; and, third—after data quality adjustments and weighing of factors—the residual risk.

Intuitively, inherent risk exposure is a function of the severity and the likelihood of risk events. Severity is best observed in the potential economic and reputational impact seen in the frequency of external or internal breaches. The key to using such a system, then, was twofold. First, the insurer needed to identify metrics for suitable quantitative and qualitative data (for example, the sum of internal operational losses per annum such as fines) and apply industry-wide adjustments (for example, from the operational risk loss database ORX). Second, the identification and application needed to be harmonized into one single scoring logic and weighed according to their relevance.

To form an opinion of the adequacy of the internal-controls system, the company turned to a set of proactive (for example, audits, regulatory inspections, internal regulations, training) and reactive (for example, customer complaints, whistleblowing allegations, litigations) risk management metrics. Using existing data to the maximum extent was paramount to increase acceptance across the organization. Again, the outcomes were translated into a single quantitative scoring logic.

The combination of the risk exposure and the controls metrics yields a residual risk matrix. However, the insurer desired to report the current nonfinancial-risk exposure in a single metric, which was achieved by taking the average of the sum of squared residual risk scores.

The effects of introducing such a system were multiple. By adopting an annual or quarterly standard process, analysis efforts dropped drastically. The increased quantification led to greater comparability across business units and periods and, eventually, better prioritized investment decisions. Lastly, by involving top management—by means of an interactive reporting dashboard allowing for slicing and dicing—far higher levels of ownership and integration into strategic decision making were achieved.

In this scenario, top risk types are often jointly decided among the business, control, and shared-services functions, where the second line ultimately confirms or reviews or challenges the top-risk selection. Institutions use a wide range of sources to identify top risks around which to subsequently formulate appetite. The most common sources are results of the risk and control self-assessment, issues and events, monitoring data, audit reports, and KPIs and KRIs (see sidebar “How an insurer used key risk and performance metrics to quantify nonfinancial risk appetite”).

Principle 2: Draw on subject matter expertise as much as possible

Building on the first point, risk expertise is scarce and needs to be used as much as possible. This means abolishing the concept of a central risk and compliance function that can manage all risks. Create instead a clear view of where the subject matter expertise for the risk types resides and what the operating model is—whether it is in the business, such as the retail or wholesale bank; in shared services, such as IT or operations; or in a corporate or control function, such as finance, legal, risk, or compliance.

Where the subject matter expertise resides is where the guidance should be given on appropriate risk operating model, key controls, and target KPIs and KRIs to monitor risk appetite, which would be supported and overseen by the second line.

In essence, the formulation of risk appetite may be a joint process among business, second-line control, and shared-services functions but start from a business and operations perspective while maintaining a clear and independent second-line oversight and challenge role.

Leading institutions put ownership of risk appetite in the business or first line of defense. Risk appetite is an outcome of a business management perspective, and executives can use it in their daily decision making. The risk appetite sets the starting point for the quality of business operations.

Principle 3: Use metrics and quantify KPIs and KRIs for key controls for people, processes, and systems

Metrics are the basis of a clear risk appetite statement following the principle, “What you cannot measure, you cannot manage.” Defining metrics for nonfinancial risks is not an easy task, but the following principles should be considered:

Avoid “zero tolerance” statements—violations and breaches do happen even where they’re not tolerated.
Metrics need to be anchored against a view on current error rates and quality levels, as well as targets, to avoid starting from an “out of appetite” position immediately.
Error rates should be calibrated against a multitude of negative outcomes to avoid—these can be financial but also operational, reputational, and in customer impact. Thus, scenario analyses can help set limits for metrics for these top risks.
Metrics should serve as proxies of residual risks rather than inherent risks to account for the already existing risk management processes and controls.
Metrics need to be defined by balancing investments in controls versus targeted impact—leading (forward-looking) indicators should be included to help identify and prevent quality issues in processes before risks materialize.
Metrics should be available by organizational responsibility and mapped to the business unit to create a holistic front-to-back business view including shared services and control functions.
Information on metrics versus targets needs to be available for regular monitoring.

Leading institutions often use both metrics that are agnostic to the risk type and are risk-type specific, and a combination of forward- and backward-looking metrics to set risk appetite. Typically, three to five risk-specific metrics are used per risk type.

A common approach is to set risk appetite breach thresholds for residual-risk metrics, with hard-risk appetite breaches complemented by early-warning triggers—levels are calibrated based on historical data, expert judgment, and management experience. A major advantage of using early-warning triggers derived from residual risk is the opportunity to integrate nonfinancial risks into “standard” limit management processes—that is, explicit decisions on exceptions, business limits, and strengthening the control environment for top risks can be taken on an objective basis.

A common approach is to set risk appetite breach thresholds for residual-risk metrics, with hard-risk appetite breaches complemented by early-warning triggers—levels are calibrated based on historical data, expert judgment, and management experience.

Consistency among group, business unit, and function-level risk appetites is typically ensured by using a set of identical metrics on all organizational levels.

In the financial-services industry, anti–money laundering and sanctions, fraud, information and cybersecurity, and data management and technology make up most of the material risks around which risk appetite is formulated.

Principle 4: Develop a monitoring dashboard based on a single source of truth across the first and second lines

Dashboards are important for monitoring compliance with the risk appetite set and can be defined at group and divisional levels front to back or by risk type.

Information needs to be timely. Monitoring information should be provided on at least a monthly basis. Both drawn from a single source of truth, information and data can be in different cuts, such as by division responsible for the overall risk profile of the business, by shared or corporate unit owning the process, or by risk type to create an aggregated view. The latter is particularly important from a group perspective for sensitive risk areas such as cybersecurity, regulatory compliance, and transformational risks.

Reporting formats can consider how to prompt action with the following means:

questions regarding realignment against risk appetite following limit breaches
negative trends—where situations worsen rather than improve
root-cause analysis and cross-reading (for instance, comparison against industry and competitors)

Lastly, reporting needs to be efficient, automated, and readily available. Timely data sources enable timely action.

At leading institutions, the risk function most often monitors and reports on risk appetite dashboard metrics and compliance with appetite set. Reporting on risk appetite is often done on a monthly or quarterly basis.

Principle 5: Establish a flexible governance that continually reviews processes and realigns metrics

Governance on risk appetite for nonfinancial risk is critical. Risks emerge, evolve, and are managed on a different timescale against an operating model, sourcing model, and technological and regulatory requirements that are constantly changing.

A centralized risk committee, particularly if also tasked with financial risks, can become too crowded, blindsided by second-line dominance and formalities. Such a committee is unable to constantly balance risk appetite against the status of the organization and the maturity of its operating model.

By contrast, an effective approach to risk appetite and nonfinancial risks incorporates discussions of each business unit’s risk profile, the risk profile of shared services, and specific risk categories with a clear perspective on the need to intervene and to adjust risk appetite or acceptances.

A carefully crafted nonfinancial risk governance embeds these questions into the financial institution’s overarching governance; the divisional and infrastructural executive committees; specialty committees such as IT, data, and cybersecurity; and an overarching nonfinancial risk committee. The latter is supported by the second line and reviews risk acceptances and remediation plans and actions. It ultimately approves risk appetite by business unit, shared-services function, and risk type.

Operating models are constantly changing, whether from digitization, cost savings programs, or regulatory requirements. Maintaining quality of processes and execution against multiple expectations when conflicts arise—particularly underinvestment—is also necessary. KPIs and KRIs driving risk appetite against these change risks can only be managed through a flexible governance.

In addition to flexibility, a mandate is equally as important. Leading institutions give control functions the mandate to review, challenge, and approve the risk appetite proposed by the business or first line. That authority helps prevent risk appetite from becoming a compliance or risk exercise led by the control function. At the same time, the above-described approach ensures business ownership by using business knowledge and insights to derive top risks and risk appetite and clear accountability.

Similarly, the chief risk officer or risk committee typically makes the ultimate decision on the proposed risk appetite before it is approved by the executive board and board of directors.

Leading institutions also formalize governance on risk appetite breaches through a predefined set of actions and timelines for getting back within the threshold to trigger real consequences. These can include stopping new business, allocating more capital, strengthening temporary controls, accelerating control remediation, or accepting temporary risk.

Responding fast is critical. Institutions typically require a remediation plan to be in place within three months in case of risk appetite breaches, but the time frame also often depends on the scale or complexity of the remediation required.

Letting principles lead the process

Nonfinancial risk is a complex topic for financial institutions. It is made even more complex given that practices to manage it have evolved from financial risks. Many of these practices ignore the practical differences that require a more bottom-up business perspective with a focus on top risks; a higher quality, management-driven development of KPIs and KRIs along the operating model; and a flexible governance that sets meaningful improvement targets.

Applying the principles above puts financial institutions significantly closer to other sectors that have learned to manage risks in their operating model from an enhanced process-and-system perspective. Companies in these sectors, including advanced industries, high tech, and basic materials, had to undergo—and still are undergoing—significant changes and quality improvements.

Explore a career with us

Search Openings

How a defined risk appetite can improve nonfinancial risk management