Taking control: How to get on top of non-financial risks (2024)

By Christopher Eaton and David O'Brien, PwC Channel Islands

From cyber and compliance breaches to failing to meet expectations on environmental, social and governance (ESG), non-financial risks (NFRs) now pose a potentially costlier threat than financial exposures. Yet identifying, managing and providing assurance against NFRs within financial services (FS) continues to be challenging. How can your business effectively manage these risks?

Since the global financial crisis, FS organisations’ management of credit, market and liquidity risks has become ever more sophisticated and assured. In an industry that generates much of its return from taking on financial risks and advising clients on their exposures, there are clear commercial upsides to this understanding and control.

However, a year of the pandemic has once again shown that non-financial risks (NFRs) can often prove to be the most devastating. From the growing focus on ESG to the heightened operational risks and cyber vulnerabilities for people working from home, 2020 has also highlighted the knock-on impact of one NFR on another.

If we add longstanding NFRs such as mis-selling, regulatory sanction or losing key personnel to this daunting risk register, the potential costs to your business become clear. NFR management also goes to the heart of the reputation, board assurance and public trust upon which your business and the Channel Islands as a financial centre depend. There is always the chance to recoup the losses from a bad day’s trading. Yet, it can take years to remediate a compliance failure or repair damage to your brand.

Enterprise risk management

The spotlight on ESG highlights the importance of building non-financial risks into enterprise risk management (ERM) frameworks that span financial, regulatory and operational risk.

Increasingly, ESG is being evaluated alongside financial return to rate investment performance. In turn, institutional investors now want ‘financial grade’ information on ESG factors so they can make allocation decisions based on sustainable performance. For leadership and senior management, this means ensuring that ESG is fully integrated into risk analysis and selection. The resulting demands include setting risk thresholds and monitoring exposures when there are as yet no globally consistent definitions, standards and metrics. Boards want effective ESG dashboards and assurance over public disclosures.

Falling short

How well are NFRs monitored and managed? Do boards have sufficient independent assurance? Even with the higher priority and investment we’ve seen in recent years, the understanding, governance and control of NFRs still doesn’t match the corresponding levels of understanding, governance and control within financial risks. There are many reasons for this – difficulties in identification, quantification and securing frontline business buy-in to name but a few. As the impact of COVID-19 has shown, it can also be difficult to develop scenario plans and secure business engagement for tail risks that can appear remote until they strike.

Five step framework

However, NFR is a fast developing field, with more informed, structured and integrated firm-wide frameworks emerging. Our approach is built around five key steps:

1. Build NFRs into your ERM framework

Build NFRs into your ERM framework and ensure they are governed by common definitions and measures (a ‘single language’) across all three lines of defence. Experience shows that too often there are overlapping types of risk, different definitions and siloed control functions resulting in duplicated work and costs.

2. Map your risks

Identify where the material risks to your business exist, your risk appetite and how much information is available to help manage them. You can then use the map to profile the risk in your processes and assess both probability and severity.

3. Quantify your risks

Until you can quantify and put a financial figure on the impact of the risk, you’re unlikely to secure the required management buy-in to address it. Ensure you include the impacts on areas like staff retention, existing customer loss and reduction in new customers.

4. Understand your controls

Having identified the risks, the next step is mitigating them. It’s important to identify which controls are used to mitigate which specific risks, determine the effectiveness and efficiency, and link them to your policies, operating procedures and ERM framework. In addition to more systematic governance internally, we’re seeing growing demands for external verification, and ultimately formal assurance, in areas such as ESG.

5. Ensure compliance

Establish effective monitoring with risk oversight from the second line of defence, and seek independent assurance through a third line of defence that the risk management and internal control framework is working as designed.

Clear benefits

The more you can identify, avert and tackle risks proactively, the lower the chances of the occurrence and cost of remediation. Your ability to meet stakeholder expectations and manage risk in areas such as ESG can also enhance your reputation and help to win new business.

Our team can share our experiences with you on how we’ve advised on and helped implement enterprise risk management systems and mitigation projects. Please feel free to get in touch.
