Financial institutions, especially banks, have long been the leaders in developing advanced approaches to managing financial risks—credit risk, market risk, and funding and liquidity risk. These practices advanced alongside efforts to create more systematic regulation, beginning with the first Basel accord (1988). Basel II and Basel III followed in the 2000s, and amendments known as “Basel IV” are slated for implementation in 2023. In addition, annual stress-testing exercises are now required by various regulators. At the core of these approaches lies a fundamental understanding that risks can be quantified and expressed in terms of an equity-capital buffer that banks need to hold in order to compensate for potential losses.
Financial risks are reflected in the financial positions on banks’ balance sheets and result from their risk-taking activity. Nonfinancial risks arise from the bank’s operations (processes and systems) and are similar to risks faced by companies outside the financial sector (“corporates”). Over time, corporates have developed approaches to address nonfinancial risk while adapting approaches developed by banks to manage financial risk, which corporates also face. We believe that financial institutions can learn from the experience of corporates in managing nonfinancial risks. A cross-industry comparison can highlight promising opportunities in key areas:
- Digitization. As the banking industry moves rapidly to digitize its business model, new risks will emerge, including cyberrisks, IT delivery risks, business-continuity risks, as well as new model risks from AI. Technology is the corporate sector that has the most experience with these risks.
- Critical infrastructure. Banking is considered highly critical infrastructure. Therefore, the industry could benefit from studying how risks are addressed by other critical-infrastructure sectors, including telecommunications, transport, and energy.
- Regulation. Banking is probably the most heavily regulated industry. As a result, it has developed a highly centralized approach to risk management. Banking is the only industry, for example, with a regulatory obligation to include a chief risk officer (CRO) in its C-suite ranks. For these reasons, banking may have the most important risk-management experience in the area of regulatory risk.
Nonfinancial companies hold a variety of views on nonfinancial risks and how to approach them, differences mainly determined by market and sector. The divergent perspectives relate to each industry’s risk appetite and risk-management practices. McKinsey explored these perspectives in a 2021 executive survey on corporate resilience (see sidebar, “The McKinsey–FERMA corporate risk survey: What executives revealed about resilience”).
The survey revealed organizations’ varying approaches to resilience. A prominent factor is the sector in which the organization operates. For instance, in the airline industry, safety is of paramount importance. Data on near accidents are valued so highly that pilots can be penalized more severely for not providing this information than for having made actual mistakes. In contrast, software providers thrive on developing stable products that are improved incrementally over time. In telecommunications, cloud providers focus on stability as well. Their services performed so well during the pandemic that many banks and nonfinancial companies overcame their doubts about cloud risks. These reservations were formerly a barrier to the transfer of critical software services. After observing the high security standards maintained by cloud providers, organizations came to regard them as safer than on-premises data centers. Finally, in the automotive industry, global production is highly sophisticated, with up to 80 percent outsourcing in the supply chain. This allows for product scalability but creates vulnerabilities from geopolitical risks as well as regulatory and technological change. The industry is thus engaged in rethinking strategies across supply chains, software, and product and environmental compliance.
The lessons from particular industries suggest two caveats when comparing practices between banks and corporates:
- When deciding whether risk-management practices are transferable from another industry, financial institutions have to weigh these practices within the context of particular business models and risk appetites.
- Risk management cannot be seen as a collection of static practices but must evolve to keep pace with rapidly changing business models.
It will be worthwhile to explore these two points, comparing operational risk and enterprise-risk-management (ERM) frameworks in banking and corporates and then looking at the broader question of resilience over time. The importance of this second point has grown in recent years and intensified during the pandemic. Many corporates have begun rethinking their risk-management mindset in light of the present disruptive and rapidly changing business environment. We believe that these developments hold potent lessons for financial institutions.
Corporate ERM approaches and their application to nonfinancial risk
A comparison of the ERM approaches of banks and corporates allows us to understand their different backgrounds and evolutionary drivers. An ERM system consists of four basic layers (exhibit):
- Governance and organization. This layer covers the accountability structure (the three lines of defense) addressing how risk ownership, risk control, and assurance accountability are assigned, exercised through risk committees, and formalized through policy structure. This layer also includes the underlying risk taxonomy to assign accountabilities and acts as a basis for the policy structure.
- ERM processes and methodologies. Here, the general ERM approach and processes are defined. Different approaches are usually taken for financial risks versus nonfinancial risks. Financial-risk approaches focus on limit structures, while approaches for nonfinancial risks focus on severity and probability matrices mapping inherent and residual risks. The risk profile is managed through numerous processes: incident management, risk and control assessments, risk appetite, and monitoring and reporting processes.
- Risk-specific control processes. This layer entails all mechanisms for managing specific risk types. Nonfinancial risks are managed through risk-specific controls, often called key controls, as they are formally governed by the ERM approach. These can be controls for reconciliations for financial disclosures, the “four eyes” principle for business partnership approvals, or systems-embedded controls often used for managing cyberrisks.
- Risk and integrity culture. This final layer refers to managing norms and behaviors around risk, including the incentive structure, the tone set by top management, the consistency of formal risk governance with actual behavior, and the approach used to discover and balance risk issues and conflicts throughout the organization (such as P&L performance targets and adherence to a company’s risk and integrity norms).
These ERM layers and their components commonly exist in banking and corporates. Their maturity and development, however, can differ significantly. There are, for example, significant application differences, as risk management in banking is heavily regulated, whereas corporate ERM practices are driven by industry standards, such as those related to the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Differences in organization and governance
A striking difference between corporates and banks can be seen in their respective risk-governance structures and the extent to which they are formalized. As much as 10 percent of bank staff might be situated in central risk functions (risk, compliance); in large corporates, the corresponding share is often less than one-tenth of 1 percent. The reason for the difference is that banks need heavier central risk functions to meet more stringent regulatory requirements. These include a mandate to have a CRO as a distinct second-line executive. Corporates, on the other hand, focus more on embedding risk management into their operational processes within the front line. They usually assign risk and compliance functions to the CFO; rarely will a nonfinancial company have a dedicated risk chief executive.
For corporates, the risk-management function mainly identifies and reports on risks. It also manages a few frameworks for commercial compliance in such areas as business-partner due diligence, capital markets and M&A compliance, antibribery and corruption risks, and export risks. Most nonfinancial risk management, as it relates to the corporate operating model, will be embedded in the businesses.
The differences become evident when we look at how risk issues are addressed in banks versus corporates. At banks, the CRO usually becomes involved, answering to the regulator about incidents and the remedial programs applied to address underlying issues. In corporates, the businesses in which the risks are materializing are usually responsible for identifying them and applying solutions to resolve them. Central risk and compliance functions often play supporting and coordinating roles (except for commercial-compliance issues, for which the response is centralized).
Many banks augment frontline ownership of risk with divisional control offices. This allows banks to address the root causes of issues more effectively and permanently. For corporates, central risk and compliance functions generally would not be responsible for certifying compliance for risks arising in the businesses—such as health and safety risks in mining, network security for telecommunications companies, or software risks for autonomous vehicles in the auto industry.
Corporates have, however, overcome the artificial first- and second-line delineation that banks often apply. For banks, the division can create a wall between an independent control function and a center of competence. Interestingly, the term “independent control” has recently been eliminated from the COSO’s organizational standards with respect to the second line, whereas in banking, the term is still used in all regulations.
Banks manage financial risk through various quantitative means and balance-sheet analyses with a more centralized approach than the business-embedded risk approach taken by corporates. Corporates can consider whether they might benefit from more a centralized ERM in certain areas.
Differences in the ERM approach
Banks perforce emphasize financial risk in their traditional ERM approach. They take a highly quantitative approach to capital as the balance-sheet resource. The risk profile is usually defined top-down in relation to available capital (after certain buffers), measured both in regulatory as well as economic terms and then cascaded into the organization.
For various reasons, this approach is impractical for nonfinancial risks, other than in measuring the potential impact these risks might have on capital as the last compensating resource. Banks apply capital models to gain a complete view of the adequacy of their capitalization levels and then allocate this across different businesses. They know that the ingoing assumptions are statistically weak. Nevertheless, the approach allows analogous steering on a capital basis aligned to financial risks.
The drawbacks are twofold: first, history is not a reliable predictor for nonfinancial risks, given continuous business-model changes, process enhancements, and regulatory changes. The contrast with credit and market risks is clear, since creditworthiness, for example, can be predicted quite accurately from balance-sheet data, just as market volatility can be measured from market data. Second, nonfinancial risks have to be evaluated in the context of the specific business model and customer expectations. A more iterative approach to business or consumer software development acknowledges that bugs must be continuously fixed; the risk appetite is very different for risks involving health and safety, such as for software in nuclear-power plants or even consumer products such as cars.
Corporates have therefore developed risk-management approaches rooted in expert data and performance data for processes and systems. Such data provide a better basis for steering nonfinancial risk. Industrial corporates take this approach to quality control and the management of most product- and production-related risks. Banks, on the other hand, have a more difficult time, as they must address heterogenous processes and highly complex products built over time. Some have begun developing process or product-quality frameworks for managing nonfinancial risks. Most, however, have not. They still need to make that connection and, more important, find a way to address it.
Where does this leave banks when it comes to addressing nonfinancial risk? In a tight spot, actually, because risk-and-control self-assessments or capital-driven risk-appetite frameworks are only meaningful for nonfinancial risks when the nature of these risks is well understood. Only then can banks establish specific business-related views and apply practical metrics in the same way that the businesses do in the first line of defense. Replicating centralized, capital-based quantitative approaches that cascade metrics across the organization will be of limited use.
Worth noting is that corporates also struggle to apply business-linked logic universally within their ERM approach. In attempting to make risks comparable, define risk appetite, and centralize reporting, corporates have found that their second-line teams begin to replicate the banking approach. This leads to central functions at corporates hitting the same limitations that banks experience.
Differences in risk-specific control approaches
Banks can thus learn from highly sophisticated approaches for managing nonfinancial risk developed by some corporates for their business models. Experiences from particular industries can provide helpful guidance to the banking sector (and corporates from other sectors).
- Managing process risks. Those financial institutions—mainly banks—that develop complex products and business models can learn important lessons from the auto and pharma industries. In automotive, approaches to managing process and production risks incorporate considerable experience and are highly sophisticated, especially in relation to product cost, quality, and safety. The high level of outsourcing in the auto industry (as much as 80 percent) requires continuous monitoring of suppliers in relation to cost and quality. In pharma, the management of risks related to R&D and (heavily regulated) production standards is highly developed.
- Managing software development and deployment risks. Banks have begun to develop and deploy software in rapid cycles, an approach mirroring that of tech companies. However, the relative stability of products developed by tech companies, as well as the smoothness of their subsequent adoption, stand in contrast to the experience of many banks. Banks, therefore, have plenty to learn from the tech experience.
- Corporate security and business continuity. The airline industry has been addressing geopolitical risks and safety requirements since its inception. Its vast experience includes many mechanisms to deal with physical security.
- Debiasing strategic decisions. Industries in which capital expenditure is high, such as oil and gas, basic materials, or transport, have extensive experience in assessing and managing large projects and their attending risks. They can be especially adept at removing biases in decision making on the business case, as well as identifying risk mitigants.
Risk and integrity culture
Given the small size of corporates’ risk functions in relation to those of banks, corporates have had to place greater emphasis on cultural elements. Most of the major nonfinancial risks that corporates contend with have serious integrity issues associated with them, as evidenced in some spectacular cases: from the emissions scandals in automotive to autopilot failures in the aircraft industry.
To counter these dangers, corporates have deployed an array of measures: whistleblower systems, investigations, training and communication programs, and employee surveys. Banks have adopted some of the same measures but on a smaller scale. Some banks little value risk culture as a risk-management lever. Risk culture may also play a smaller role in managing financial versus nonfinancial risk, given the greater transparency afforded the former in bank operations.
Resilience: The new risk-management paradigm for corporates
The discussion so far has focused on nonfinancial risk in a continuously changing world. Nonfinancial risk is found to be deeply embedded in corporate operations. As the 21st-century business environment became more volatile and disruptive, however, companies began to question standard risk-management approaches. The thought leaders among them are now calling for new approaches that go beyond risk management, toward corporate resilience. A report on a recent CFO conference of global companies noted, “Caution and preparation dominate the current strategies of many companies.... They rely on early warning systems and greater resilience in order to be able to withstand another shock.”
Resilience is still an emerging approach. Many companies have taken early steps, including efforts to manage resilience levels holistically across the enterprise. Executive teams and boards are raising new topics with their risk teams, discussions that could provide useful insights for banks. The new conversations have centered on four questions.
Identifying blind spots
Many boards are blindsided by risk events that seem to come out of the blue. A keen eye, however, can usually detect warning signals that precede these events—as long as leaders are receiving appropriate reporting. The executive team and board must have timely reporting that permits critical evaluation of the key elements of their risk profile, including the risk drivers and how they are evolving. Many existing reporting systems are simply inadequate for this crucial purpose. They provide too much extraneous detail, swamping the important messages; assessments can be too diffuse, covering everything but lacking the needed focus on important trends; reporting can fail to highlight the most important risks and can hide connections between internal and external developments.
Often underestimated are the risks emerging from transformations of all kinds, including cost or lean transformations, growth programs, or fundamental changes in the business model due to digital, AI, or other technologies. The current static ERM processes are often unable to understand and address the company’s changing risk profile. Specific approaches are therefore needed, quite apart from project-risk measures, to understand and mitigate transformation risks.
Both banks and corporates often relegate strategy to planning exercises in which the business mix is adjusted according to the changing business environment. In a world of growing uncertainty and disruption, however, the typical three- to six-month planning cycle is proving inadequate. The spectrum of outcomes supporting planning are generally unable to incorporate dramatic technological change, public-health and climate crises, and volatile social-media trends. The more disruptive changes mean that strategies must be stress-tested against shorter timelines and scenarios have to account for a broader set of potential outcomes. At the same time, banks need to develop dynamic capabilities and structural resilience assets:
- Dynamic capabilities. These are critical skills that involve foresight—the ability to anticipate disruption—and informed action, incorporating implications into business decisions. To develop them, banks will need to invest in data and information gathering to analyze the potential implications of expected disruptions before they happen. The specific practices include continuous scenario analyses, war-gaming, and fast decision making within corporate governance.
- Structural assets. While capital and cash are key resources to compensate for risks, organizations need to pay more attention to other resilience assets in order to manage disruptions effectively. This includes developing organizational capabilities, strengthening the supply chain, deepening technological capabilities, and safeguarding market positions, reputation, sustainability profiles, and other societal expectations.
These structural assets relate to common risk taxonomies. However, leading corporates are including them in the strategy debate, moving beyond the question of controls. They are looking at fundamental capabilities and structures that mitigate risks. The key tools are broad-range scenarios (in terms of outcomes and time periods) used as starting points to identify risks and risk-mitigation requirements.
Creating strategic options
The opportunity question arises in any well-designed strategy process. The financial crisis of 2007–08 demonstrated that during crises the winners of the next cycle are created. The outperformers often build on more flexible cost structures; they might be able to dispose of noncore assets more quickly, while focusing on growth. This could involve internal actions to adapt the business model as well as external opportunities, which are seized using available financial resources and skills. The winners emerging from the financial crisis looked at more than the downside of strategic scenarios; they saw upside, too, and sought to invest in strategic optionalities that could provide competitive advantage. The current semiconductor shortage in the auto industry provides one example of a resilient strategy through a crisis. In 2020, Toyota did not cut back on orders of this relatively low-cost item at the beginning of the pandemic, while other OEMs did just that. The result was that for a time Toyota was better able to maintain production and meet demand.
Lessons for banks
The experience of corporates provides banks with lessons for improving how they address nonfinancial risk. Corporates continue to develop their ERM systems, going beyond the formal processes. They are focusing on embedding risk management in the front line and elevating strategic resilience questions to the executive team and the board. Banks can profitably heed these steps, as they lead to a more advanced approach. Banks have a second-line focus for financial risk, which they otherwise tend to replicate for nonfinancial risk.
Banks can become better adjusted to the changing risk landscape by effectively embedding the management of nonfinancial risk into the front line and rethinking their approach to risk appetite (beyond the current cascading of capital metrics, or an arbitrary selection of KPIs and KRIs). The approach ensures that banks comprehend the full and varied spectrum of nonfinancial risks and understand that a generic, governance-focused nonfinancial-risk system is clearly inadequate. Like the leading corporates, banks can build an effective approach to nonfinancial risk by improving the management of relevant processes and systems and strengthening resilience overall.
The risk profile of a bank, like that of a nonfinancial company, is shaped by the strategic decisions it makes. Banks can learn from the experience corporates have accrued in developing effective approaches to managing nonfinancial risks. These include embedding risk into strategy and improving overall resilience. These measures are particularly important in the current economic environment—one that is bound by pandemic-related disruptions, accelerating technological change, and increasing regulatory layers. Our times are forcing organizations to take what in an ordinary period would be regarded as drastic actions. They must, therefore, understand the implications of these actions for their institution’s risk profile.