The latest focus in risk management seems to be “Non-Financial Risk”. Search for “Non-Financial Risk” on Google and you will be returned everything from whitepapers and frameworks to conferences and plenty of commentary from regulators.

Our firm, Protecht, is 20 years old this year, with two decades of hands-on risk management under our belts. Personally, I have been involved in risk management for over 35 years.

It may sound cynical but this current “trend” feels like yet another buzz word to imply something new in the risk management world. I am failing to see what is new. It feels like a new name for something we have been doing for years.

So what is “Non-financial Risk” or “NFR”, as we seem to love acronyms in Risk Management, or should I say RM!

NFR is a broad term that is usually defined by exclusion, that is, any risks other than the traditional financial risks of market, credit, and liquidity[1].

I’ve never been a fan of defining something by what it is not. It implies that it is too hard to define by what it is! Telling you I am not Brad Pitt doesn’t give you much information on what I actually look like. I am taller than him for a start!

So let’s use our understanding of risk to try and define what this “Non-Financial Risk” is.

Risk is the effect of uncertainty on objectives[2].

Risk is made up of three main parts:

  1. Impacts / Consequences: This is the “effect” on objectives.
  2. Causes: These are the root causes of the risk, often identified by repeatedly asking the question “Why?” until the answer is “it just is” or “outside of your influence”.
  3. Events: These are the things that occur between the Causes and the Impacts.

Impacts.

If we focus on Risk Impacts first, these should be defined based on the objectives of the organisation.

For most organisations, these would typically include such things as:

  1. Profit (Revenue and Expense)
  2. Financial Stability (Capital levels and Cash-flow)
  3. Stakeholder satisfaction (Customer, Supplier, Employee, etc)
  4. Employee safety and well-being
  5. Compliance with Regulatory and Contractual Obligations
  6. Protection and Enhancement of Reputation and Brand
  7. Protection and Enhancement of the Environment
  8. Protection and Enhancement of Society (Corporate Social Responsibility - CSR)

This usually reduces to a number of identified risk impacts typically including:

  1. Financial (profitability and cash-flow)
  2. Customer
  3. Employee
  4. Environment
  5. Legal and Compliance Breaches
  6. Reputation and Brand
  7. CSR

Let’s now focus on “Risk Events”.

A typical taxonomy of Risk Events at Board level may include:

  1. Market Risk
  2. Liquidity and Funding Risk
  3. Credit Risk
  4. Human Resource Risk (Quality and Quantity)
  5. Culture and Conduct Risk
  6. IT Risk
  7. Loss of confidential data and IP, including Cyber
  8. Business Disruption
  9. Fraud
  10. Legal and Compliance
  11. Infrastructure and physical assets
  12. Strategic, Project and Change Risk

And finally, Risk Causes.

At the highest level, these typically come back to four main causes:

  1. People
  2. Inadequate Process
  3. Systems
  4. External Events

From these taxonomies of Causes, Events, and Impacts, combinations will define each tailored risk that the organisation faces. A common way of representing this is using Bow Tie Analysis:

Example Bow Tie diagram for a Financial Risk: Market Risk:

[Bow Tie diagram: Market Risk]

Example Bow Tie diagram for a non-financial operational risk: Fraud Risk:

[Bow Tie diagram: Fraud Risk]

What is clear is that most risk causes and events will affect many, if not all, impact types, including financial impacts. Virtually every risk has the potential for a financial impact. Are all risks therefore not “financial risks”? If the definition relates to the impact / consequence type, then the answer must be “yes”.

The Australian Securities and Investments Commission chair James Shipton, speaking at a recent Australian Institute of Company Directors event, said: “The truth is that all risk ultimately has financial consequences.”

Returning to Deloitte’s definition, it implies that “Financial Risk” covers Market, Credit and Liquidity (numbers 1, 2 and 3 in the Risk Event taxonomy noted above), and that Non-Financial Risks are the rest. Stated positively, “non-financial risk” therefore covers items 4 to 12 in the Risk Events noted above.

These can be summarised as Operational Risk (including HR, Culture & Conduct, IT, Data & Cyber, Business Disruption, Fraud, Legal & Compliance, Assets, and Infrastructure) and Strategic Risk.

If we are to refer to “non-financial risk”, then I think it should be made clear that we are talking about risks other than those managed directly by the Finance Department (or equivalent), being Market, Credit and Liquidity (and, for an insurance company, Insurance Risk).

When we are talking about non-financial risk, be clear that we are talking about Operational and Strategic risk.

The main reason for the current focus on Operational and Strategic Risk is that they are more difficult to manage compared to the “financial risks”.

This is because for Operational and Strategic Risk:

  1. There is less risk data available and as a result, the use of quantitative techniques to measure the risk is made more difficult. If you can’t measure it, it’s more difficult to manage. This makes the risks more qualitative in nature and measurement.

  2. The risks are far more complex. This can be seen by comparing the financial and non-financial risk bow-tie diagrams above. The range of root causes, event types and impacts is much wider, and the connection between cause, event and impact is more complex and loose.

  3. The disciplines of operational risk management and strategic risk management are younger and much less mature than for the “financial” risks.

  4. Unlike financial risks, non-financial risks are not managed by a centralised team but rather a broad range of front-line staff across every business area.

Some organisations have therefore put non-financial risks “in the too hard basket”, and operational and strategic risks have been neglected as a result. The irony is that operational and strategic risks are by far the largest cause of major declines in corporate performance. J. Lam, as far back as 2011, stated: “Studies of the largest public companies have shown time and again that strategic risks account for approximately 60 percent of major declines in market capitalization, followed by operational risks (about 30 percent), and financial risks (about 10 percent)”[3].

We, at Protecht, do “Risk Management”. We do Market, Credit and Liquidity, although this accounts for less than 10% of what we do. Most importantly, we do Operational and Strategic Risk Management, and have done for 20 years. We don’t need another name, “non-financial risk”, for the risks we manage, and we certainly don’t need to resort to an “everything other than…” definition.

The truth is that many organisations are not managing operational and strategic risks very well. This is clearly highlighted in our next blog, where we will specifically cover the recent Australian Securities and Investments Commission (ASIC) report on “Director and officer oversight of non-financial risk”[4].

If you would like to know more about how Protecht can help you manage your non-financial (sorry – Operational and Strategic) risk through its training, consulting and software solutions, contact us today:

  1. Book a demonstration of the Protecht.ERM system.
  2. Send us an email to info@protecht.com.au

[1] Deloitte. “The future of Non-Financial Risk in financial services.” 2018.
[2] ISO 31000:2018. “Risk Management – Principles and Guidelines.”
[3] Lam, J. “Risk Management: The ERM Guide from AFP.” Association for Financial Professionals, 2011.
[4] ASIC Corporate Governance Taskforce. “Director and officer oversight of non-financial risk report.” October 2019.
