The latest focus in risk management seems to be "Non-Financial Risk". Search for "Non-Financial Risk" on Google and you will be returned everything from whitepapers and frameworks to conferences and plenty of commentary from regulators.
Our firm, Protecht, is 20 years old this year with two decades of hands-on risk management under our belts. Personally, I have been involved in risk management for over 35 years.
It may sound cynical but this current "trend" feels like yet another buzz word to imply something new in the risk management world. I am failing to see what is new. It feels like a new name for something we have been doing for years.
So what is "Non-Financial Risk", or "NFR" (we do seem to love acronyms in Risk Management, or should I say RM!)?
NFR is a broad term that is usually defined by exclusion, that is, any risks other than the traditional financial risks of market, credit, and liquidity.
I’ve never been a fan of defining something by what it is not. It implies that it is too hard to define by what it is! Telling you I am not Brad Pitt doesn’t give you much information on what I actually look like. I am taller than him for a start!
So let’s use our understanding of risk to try and define what this "Non-Financial Risk" is.
Risk is the effect of uncertainty on objectives.
If we focus on Risk Impacts first, these should be defined based on the objectives of the organisation.
For most organisations, these objectives would typically include such things as:
This usually reduces to a number of identified risk impacts typically including:
A typical taxonomy of Risk Events at Board level may include:
At the highest level, these typically come back to 4 main causes, being:
From these taxonomies of Causes, Events, and Impacts, combinations will define each tailored risk that the organisation faces. A common way of representing this is using Bow Tie Analysis:
Example Bow Tie diagram for a Financial Risk: Market Risk
Example Bow Tie diagram for a Non-Financial Operational Risk: Fraud Risk
What is clear is that most risk causes and events will impact many, if not all, impact types, including financial impacts. Virtually every risk has the potential for a financial impact. Are all risks therefore "financial risks"? If the definition relates to the impact / consequence type, then the answer must be "yes".
The Australian Securities and Investments Commission chair James Shipton speaking at a recent Australian Institute of Company Directors event said: "The truth is that all risk ultimately has financial consequences."
Returning to Deloitte's definition, "Financial Risk" covers Market, Credit and Liquidity (numbers 1, 2 & 3 in the Risk Event Taxonomy noted above). This implies that Non-Financial Risks are the rest. Using a positive definition, "non-financial risk" therefore covers items 4 to 12 in the Risk Events noted above.
These can be summarised as Operational Risk (including HR, Culture & Conduct, IT, Data & Cyber, Business Disruption, Fraud, Legal & Compliance, Assets, and Infrastructure) and Strategic Risk.
If we are to refer to "non-financial risk", then I think it should be made clear that we are talking about risks other than those managed directly by the Finance Department (or equivalent), being Market, Credit and Liquidity (and, for an insurance company, Insurance Risk).
When we are talking about non-financial risk, be clear that we are talking about Operational and Strategic risk.
The main reason for the current focus on Operational and Strategic Risk is that they are more difficult to manage compared to the "financial risks".
Some organisations have therefore said that non-financial risks are "in the too hard basket", and operational and strategic risks have therefore been neglected. The irony is that operational and strategic risks are by far the largest cause of major declines in corporate performance. J. Lam, as far back as 2011, stated: "Studies of the largest public companies have shown time and again that strategic risks account for approximately 60 percent of major declines in market capitalisation, followed by operational risks (about 30 percent), and financial risks (about 10 percent)".
We, at Protecht, do "Risk Management". We do Market, Credit and Liquidity, although this accounts for less than 10% of what we do. Most importantly, we do Operational and Strategic Risk Management and have done so for 20 years. We don’t need another name, "non-financial risk", for the risks we manage, and we certainly don’t need to resort to an "everything other than..." definition.
The truth is that many organisations are not managing operational and strategic risks very well. This is clearly highlighted in our whitepaper, where we specifically cover the recent Australian Securities and Investments Commission (ASIC) report on "Director and officer oversight of non-financial risk".
If you would like to know more about how Protecht can help you manage your non-financial (sorry – Operational and Strategic) risk through its training, consulting and software solutions, contact us today:
Deloitte. "The future of Non-Financial Risk in financial services." 2018.
ISO 31000:2018. "Risk Management – Principles and Guidelines."
Lam, J. "Risk Management: The ERM Guide from AFP." Association for Financial Professionals, 2011.
ASIC Corporate Governance Taskforce. "Director and officer oversight of non-financial risk report." October 2019.
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).