In 2022, losses, fines, and legal expenses for nonfinancial risks cost the banking industry $19 billion, bringing the total price tag for nonfinancial risks to more than $460 billion since 2010.
Nonfinancial risks—those that emerge from people, processes, systems, and external events—are challenging to manage for all institutions, and executives are faced with a constantly changing landscape of risk events and disruptions. Despite the inherent challenges, it is important to clearly define an appetite for these risks to limit the risk taking in areas that go beyond a company’s risk capacity and threaten its business objectives. This appetite needs to be balanced against return optimization by investing in activities that offer the highest yield.
For financial institutions, risk appetite is a particularly important component of an end-to-end risk management framework. It needs to be supported by other risk management components, such as a comprehensive risk taxonomy, robust risk identification and assessment processes, data and analytics capabilities, and a risk aggregation and prioritization logic based on risk materiality. Risk appetite needs to be integrated into risk governance and oversight, reporting, and risk decision making and mitigation actions (Exhibit 1).
At financial institutions, setting risk appetite for financial risks is an extensive, regulatory-driven practice to manage risks to the balance sheet, profit-and-loss statement, and cash flows. The objective is to limit the credit, market, and liquidity risk capacity of financial assets and liabilities in relation to capital and funding. At the same time, executives need to trade off allocation of scarce capital and funding with risks to optimize returns, which are measured by the return on equity and risk-adjusted capital.
For nonfinancial risks, setting risk appetite is a much more elusive and theoretical concept than for financial risks.
In this article, we share our experience of working with financial institutions that have an assured grasp of their nonfinancial-risk appetite through actions to enhance nonfinancial-risk management. We identify the principles that guide the framework design and the methods used to achieve the emerging approach in managing nonfinancial-risk appetite for an institution.
Shifting focus from management of financial to nonfinancial risks
The focus of the financial industry has, in recent years, shifted from management of financial risks to nonfinancial ones, such as operational risk, regulatory compliance, and the compliance and conduct necessary to prevent financial crimes.
The shift has been driven by major industry trends such as the mis-selling of products, facilitation of tax evasion, breakdown of controls to protect institutions against money laundering, new regulations, and heightening supervisory expectations. Risk managers must also contend with new obstacles: advanced-intelligence-driven, digitized operating models; regulatory requirements for compliance and operational safety; and organizational and process challenges that come from a need for continuous efficiency and productivity enhancements.
In many ways, the impact of nonfinancial risks on financial institutions is more threatening than that of financial risks: these risks cannot be passed on to customers, have more extensive reputational effects, and often require more complex remediation efforts at higher costs than financial risks. In some years, the nonfinancial-risk losses have equaled or exceeded the cumulated credit risk provisions or impairments at banks. As mentioned, losses, fines, and litigation expenses have cost the biggest European and US banks more than $460 billion since 2010 (Exhibit 2).
Yet these firms typically continue to spend much more than the industry average on managing nonfinancial risks. While the average European bank employs 8 to 9 percent of its staff in money-laundering prevention, the most efficient banks employ just 4 to 5 percent. For banks with money-laundering issues, as much as 18 percent of employees work in money-laundering prevention.
Similarly, for regulatory compliance, large international banks that have experienced a major conduct or regulatory compliance breach employ 2.0 to 3.0 percent of their staff in the second-line regulatory compliance function, while the average large international bank has just 1.5 percent on the second line and the most efficient bank well below 1.0 percent.
In many ways, the impact of nonfinancial risks on financial institutions is more threatening than that of financial risks: these risks cannot be passed on to customers, have more extensive reputational effects, and often require more complex remediation efforts at higher costs than financial risks.
It is no surprise that even in a post-financial-crisis era of strong capital ratios and stricter regulation, we have seen bank failures and tremors within the financial industry resulting from nonfinancial risk. Executives may therefore feel unmoored when it comes to measuring an institution’s appetite for nonfinancial risk.
Principles for designing a risk appetite framework
Designing a risk appetite framework for nonfinancial risk relies on five fundamental principles. These are different from the approach for financial risks, which can be more easily aggregated to form a view of the risk of financial losses.
Principle 1: Focus on top nonfinancial risks by business areas and shared services
Institutions often use the risk taxonomy as an anchor point for risk appetite and define statements for each risk type, which leads to a one-size-fits-all approach rather than a prioritization of risks by importance to the group or an individual business unit (see sidebar “How a global bank used a business-driven risk appetite framework to manage nonfinancial risks”).
Instead, setting risk appetite by business unit and shared-services function ensures focus on the risk that matters the most and strengthens the quality of outcomes for people, processes, and systems through the following means:
- business and risk ownership alignment
- risk prioritization from a business view that also helps to define appropriate key performance indicators (KPIs) and key risk indicators (KRIs) that the business and shared-services functions should follow
- appropriate target setting for improvement and frequency
Leading institutions take a risk-based approach and set a more specific risk appetite for the top risks, using both qualitative statements and a set of three to five risk-specific metrics to formulate appetite. They tie the risk appetite to the institution’s risk taxonomy and typically set the appetite for top risks one level down in the nonfinancial-risk taxonomy because of the large variety of risk types within the nonfinancial-risk category with different risk drivers. A McKinsey analysis has shown that this approach, on average, results in ten to 12 top risk types in retail banking, wealth management, asset management, and capital markets and 15 in corporate and investment banking, compared with risk taxonomies that often have more than 30.
In this scenario, top risk types are often jointly decided among the business, control, and shared-services functions, where the second line ultimately confirms or reviews or challenges the top-risk selection. Institutions use a wide range of sources to identify top risks around which to subsequently formulate appetite. The most common sources are results of the risk and control self-assessment, issues and events, monitoring data, audit reports, and KPIs and KRIs (see sidebar “How an insurer used key risk and performance metrics to quantify nonfinancial risk appetite”).
Principle 2: Draw on subject matter expertise as much as possible
Building on the first point, risk expertise is scarce and needs to be used as much as possible. This means abolishing the concept of a central risk and compliance function that can manage all risks. Create instead a clear view of where the subject matter expertise for the risk types resides and what the operating model is—whether it is in the business, such as the retail or wholesale bank; in shared services, such as IT or operations; or in a corporate or control function, such as finance, legal, risk, or compliance.
Where the subject matter expertise resides is where the guidance should be given on appropriate risk operating model, key controls, and target KPIs and KRIs to monitor risk appetite, which would be supported and overseen by the second line.
In essence, the formulation of risk appetite may be a joint process among business, second-line control, and shared-services functions but start from a business and operations perspective while maintaining a clear and independent second-line oversight and challenge role.
Leading institutions put ownership of risk appetite in the business or first line of defense. Risk appetite is an outcome of a business management perspective, and executives can use it in their daily decision making. The risk appetite sets the starting point for the quality of business operations.
Principle 3: Use metrics and quantify KPIs and KRIs for key controls for people, processes, and systems
Metrics are the basis of a clear risk appetite statement following the principle, “What you cannot measure, you cannot manage.” Defining metrics for nonfinancial risks is not an easy task, but the following principles should be considered:
- Avoid “zero tolerance” statements—violations and breaches do happen even where they’re not tolerated.
- Metrics need to be anchored against a view on current error rates and quality levels, as well as targets, to avoid starting from an “out of appetite” position immediately.
- Error rates should be calibrated against a multitude of negative outcomes to avoid—these can be financial but also operational, reputational, and in customer impact. Thus, scenario analyses can help set limits for metrics for these top risks.
- Metrics should serve as proxies of residual risks rather than inherent risks to account for the already existing risk management processes and controls.
- Metrics need to be defined by balancing investments in controls versus targeted impact—leading (forward-looking) indicators should be included to help identify and prevent quality issues in processes before risks materialize.
- Metrics should be available by organizational responsibility and mapped to the business unit to create a holistic front-to-back business view including shared services and control functions.
- Information on metrics versus targets needs to be available for regular monitoring.
Leading institutions often use both metrics that are agnostic to the risk type and are risk-type specific, and a combination of forward- and backward-looking metrics to set risk appetite. Typically, three to five risk-specific metrics are used per risk type.
A common approach is to set risk appetite breach thresholds for residual-risk metrics, with hard-risk appetite breaches complemented by early-warning triggers—levels are calibrated based on historical data, expert judgment, and management experience. A major advantage of using early-warning triggers derived from residual risk is the opportunity to integrate nonfinancial risks into “standard” limit management processes—that is, explicit decisions on exceptions, business limits, and strengthening the control environment for top risks can be taken on an objective basis.
A common approach is to set risk appetite breach thresholds for residual-risk metrics, with hard-risk appetite breaches complemented by early-warning triggers—levels are calibrated based on historical data, expert judgment, and management experience.
Consistency among group, business unit, and function-level risk appetites is typically ensured by using a set of identical metrics on all organizational levels.
In the financial-services industry, anti–money laundering and sanctions, fraud, information and cybersecurity, and data management and technology make up most of the material risks around which risk appetite is formulated.
Principle 4: Develop a monitoring dashboard based on a single source of truth across the first and second lines
Dashboards are important for monitoring compliance with the risk appetite set and can be defined at group and divisional levels front to back or by risk type.
Information needs to be timely. Monitoring information should be provided on at least a monthly basis. Both drawn from a single source of truth, information and data can be in different cuts, such as by division responsible for the overall risk profile of the business, by shared or corporate unit owning the process, or by risk type to create an aggregated view. The latter is particularly important from a group perspective for sensitive risk areas such as cybersecurity, regulatory compliance, and transformational risks.
Reporting formats can consider how to prompt action with the following means:
- questions regarding realignment against risk appetite following limit breaches
- negative trends—where situations worsen rather than improve
- root-cause analysis and cross-reading (for instance, comparison against industry and competitors)
Lastly, reporting needs to be efficient, automated, and readily available. Timely data sources enable timely action.
At leading institutions, the risk function most often monitors and reports on risk appetite dashboard metrics and compliance with appetite set. Reporting on risk appetite is often done on a monthly or quarterly basis.
Principle 5: Establish a flexible governance that continually reviews processes and realigns metrics
Governance on risk appetite for nonfinancial risk is critical. Risks emerge, evolve, and are managed on a different timescale against an operating model, sourcing model, and technological and regulatory requirements that are constantly changing.
A centralized risk committee, particularly if also tasked with financial risks, can become too crowded, blindsided by second-line dominance and formalities. Such a committee is unable to constantly balance risk appetite against the status of the organization and the maturity of its operating model.
By contrast, an effective approach to risk appetite and nonfinancial risks incorporates discussions of each business unit’s risk profile, the risk profile of shared services, and specific risk categories with a clear perspective on the need to intervene and to adjust risk appetite or acceptances.
A carefully crafted nonfinancial risk governance embeds these questions into the financial institution’s overarching governance; the divisional and infrastructural executive committees; specialty committees such as IT, data, and cybersecurity; and an overarching nonfinancial risk committee. The latter is supported by the second line and reviews risk acceptances and remediation plans and actions. It ultimately approves risk appetite by business unit, shared-services function, and risk type.
Operating models are constantly changing, whether from digitization, cost savings programs, or regulatory requirements. Maintaining quality of processes and execution against multiple expectations when conflicts arise—particularly underinvestment—is also necessary. KPIs and KRIs driving risk appetite against these change risks can only be managed through a flexible governance.
In addition to flexibility, a mandate is equally as important. Leading institutions give control functions the mandate to review, challenge, and approve the risk appetite proposed by the business or first line. That authority helps prevent risk appetite from becoming a compliance or risk exercise led by the control function. At the same time, the above-described approach ensures business ownership by using business knowledge and insights to derive top risks and risk appetite and clear accountability.
Similarly, the chief risk officer or risk committee typically makes the ultimate decision on the proposed risk appetite before it is approved by the executive board and board of directors.
Leading institutions also formalize governance on risk appetite breaches through a predefined set of actions and timelines for getting back within the threshold to trigger real consequences. These can include stopping new business, allocating more capital, strengthening temporary controls, accelerating control remediation, or accepting temporary risk.
Responding fast is critical. Institutions typically require a remediation plan to be in place within three months in case of risk appetite breaches, but the time frame also often depends on the scale or complexity of the remediation required.
Letting principles lead the process
Nonfinancial risk is a complex topic for financial institutions. It is made even more complex given that practices to manage it have evolved from financial risks. Many of these practices ignore the practical differences that require a more bottom-up business perspective with a focus on top risks; a higher quality, management-driven development of KPIs and KRIs along the operating model; and a flexible governance that sets meaningful improvement targets.
Applying the principles above puts financial institutions significantly closer to other sectors that have learned to manage risks in their operating model from an enhanced process-and-system perspective. Companies in these sectors, including advanced industries, high tech, and basic materials, had to undergo—and still are undergoing—significant changes and quality improvements.