Non-financial risk (NFR) has rapidly emerged as a critical concern for financial institutions, rivaling traditional financial risks. As a result, risk management leaders must implement and continually enhance structured, integrated risk programs across a diverse range of NFR risk domains, including:
Operational risk | Third-party risk | ESG |
Data | Cybersecurity | Privacy |
Resiliency | Technology, including AI and emerging tech | Fraud |
Here’s how financial institutions can take the lead on NFR management.
Drivers of NFR’s Growing Significance
Several factors have contributed to the rising importance of NFR:
- Regulatory scrutiny: Increased regulatory oversight and expectations (CCPA, GDPR, Basel III, DORA, etc.) have placed a spotlight on NFR, demanding greater transparency, accountability, and risk management practices.
- Technology dependence: The pervasive reliance on technology across all aspects of business operations, including client service, has heightened vulnerability to cyber threats, system failures, and data breaches. At the same time, financial institutions are moving quickly to qualify use cases and gain advantage from novel and emerging technologies like AI – adding new forms of risk to the enterprise.
- Cyberattacks: The escalating frequency and sophistication of cyberattacks, coupled with growing regulatory attention to cybersecurity, have made NFR a priority. Organizations experienced ~1,636 cyberattacks per week in the second quarter of 2024 alone, a 30% year-over-year increase.
- Complex “system of systems” business operations and resiliency needs: Modern financial institutions – and the broader financial systems in which they reside – are increasingly complex, operating as “systems of systems” with surprising dependencies and failure points. Adding to this complexity is the growing reliance on third-party service providers for vast swaths of critical business operations. The operational and resilience risks facing financial institutions in this system of systems world are massive.
The uptick in NFR demands dedicated resources, skill sets, and focus. Financial services risk leaders must meet the NFR imperative.
Meeting the NFR Challenge Head On
Financial institutions can take proactive steps to modernize, scale, and enhance their NFR programs even if they have existing robust capabilities. These efforts often encompass the following key areas:
- Risk taxonomy and appetite: A clear and comprehensive NFR taxonomy is essential for risk identification, assessment, and management. Defining the organization’s risk appetite provides a framework for setting acceptable risk levels.
- Regulatory readiness: Ensuring compliance with evolving regulatory requirements and industry standards is crucial for mitigating NFR-related risks and avoiding penalties.
- Metrics and reporting: Developing appropriate metrics and reporting mechanisms allows for effective monitoring, measurement, and communication of NFR exposures. Automating the reporting process can further accelerate risk identification and decision-making insights by spotlighting leading indicators and patterns in an easy-to-use dashboard.
- RCSA and independent testing: Regular risk and control self-assessments (RCSAs) and independent testing help validate the effectiveness of NFR controls and identify potential weaknesses. These testing plans should be tied to risk posture/appetite and include hands-on technical evaluations. Systems analysis and scenario testing, specifically, can reveal the potentially broad adverse implications of NFRs on the business.
- Operating model across lines of defense: A well-structured operating model, with clearly defined roles and responsibilities, ensures the three lines of defense collaborate productively to manage NFRs.
Based on our experience working with global financial institutions, here are several key lessons other industry firms can adopt for a strategic, comprehensive NFR approach:
- Culture of risk awareness: Due to the scope and increasing intensity of NFR, fostering a culture of risk awareness and a risk management mindset is essential. Throughout all levels of the organization, there must be clear guidelines, best practices, communication, and continual training to support the NFR management mission. This can also include a deliberate redesign and structure of risk activities in each line of defense to ensure appropriate risk responsibilities, definitions, and handoffs.
- Data-driven decision-making: Leveraging data analytics and automation can provide valuable insights into emerging risks and inform decision-making. Consider the “3 As”: automation, which ensures consistent accuracy, which enables confident risk management action.
- Collaboration and communication: Strong collaboration among different departments and stakeholders can help surface and monitor NFRs in a way siloed organizations cannot.
- Continuous improvement: NFR management is an ongoing process that requires continuous evaluation, adaptation, and improvement to address evolving risks. This calls for revisiting and refreshing policies and metrics at strategic intervals to maintain a forward-looking risk posture. It also requires horizon scanning: looking around corners to understand threats and opportunities that may be coming. Leaders can proactively grasp these risks and put mitigations in place before risks present themselves.
Emerging Trends and Future Considerations
As the landscape of NFRs continues to change, financial institutions must stay ahead of novel trends and anticipate future challenges. Risk teams should be particularly mindful of the following areas:
- Quantum computing: The potential impact of quantum computing on cybersecurity and cryptography poses significant risks in the not-too-distant future, potentially requiring upskilling, additional resources, and a forward-looking risk management framework.
- AI at scale: The widespread adoption of AI introduces new risks related to bias, model governance, and explainability. 34% of financial services leaders fear they’re falling behind competitors with AI adoption, and 70% increased their AI spend this year. Going all in on AI may feel like competitive table stakes but doing so responsibly and efficiently is itself a competitive advantage.
- Geopolitical instability: Increasing geopolitical tensions and trade uncertainties can create new risks for financial institutions operating in a global environment, especially for those with significant operations in geopolitical hotspots: think the East Asian rim, Middle East, or Eastern Europe.
- Extreme third-party and technology dependence: The concentration of critical functions in a few technology providers can increase the vulnerability to single points of failure as seen in the recent CrowdStrike outage.
By proactively addressing NFRs and staying informed about emerging trends, financial institutions can mitigate risks, enhance their resilience, and protect their long-term sustainability.
To transform your organization’s approach to NFR, contact CrossCountry Consulting.