The latest focus in risk management seems to be "Non-Financial Risk". Search for "Non-Financial Risk" on Google and you will be returned everything from whitepapers and frameworks to conferences and plenty of commentary from regulators.

Our firm, Protecht, is 20 years old this year with two decades of hands-on risk management under our belts. Personally, I have been involved in risk management for over 35 years.

It may sound cynical but this current "trend" feels like yet another buzz word to imply something new in the risk management world. I am failing to see what is new. It feels like a new name for something we have been doing for years.

Non-Financial Risk Management

So what is "Non-Financial Risk" or "NFR", as we seem to love acronyms in Risk Management, or should I say RM!

NFR is a broad term that is usually defined by exclusion, that is, any risks other than the traditional financial risks of market, credit, and liquidity[1].

I’ve never been a fan of defining something by what it is not. It implies that it is too hard to define by what it is! Telling you I am not Brad Pitt doesn’t give you much information on what I actually look like. I am taller than him for a start!

So let’s use our understanding of risk to try and define what this "Non-Financial Risk" is. Risk is the effect of uncertainty on objectives[2].


Risk is made up of three main parts:

  1. Impacts / Consequences: This is the "effect" on objectives
  2. Causes: These are the root causes of the risk, often identified by repeatedly asking "Why?" until the answer is "it just is" or "it is outside of your influence".
  3. Events: These are things that occur between the Causes and the Impacts.


If we focus on Risk Impacts first, these should be defined based on the objectives of the organisation.

For most organisations, these would typically include such things as:

  1. Profit (Revenue and Expense)
  2. Financial Stability (Capital levels and Cash-flow)
  3. Stakeholder satisfaction (Customer, Supplier, Employee, etc.)
  4. Employee safety and well-being
  5. Compliance with Regulatory and Contractual Obligations
  6. Protection and Enhancement of Reputation and Brand
  7. Protection and Enhancement of the Environment
  8. Protection and Enhancement of Society (Corporate Social Responsibility - CSR)

This usually reduces to a number of identified risk impacts typically including:

  1. Financial (profitability and cash-flow)
  2. Customer
  3. Employee
  4. Environment
  5. Legal and Compliance Breaches
  6. Reputation and Brand
  7. CSR

Let’s now focus on "Risk Events".

A typical taxonomy of Risk Events at Board level may include:

  1. Market Risk
  2. Liquidity and Funding Risk
  3. Credit Risk
  4. Human Resource Risk (Quality and Quantity)
  5. Culture and Conduct Risk
  6. IT Risk
  7. Loss of confidential data and IP, including Cyber
  8. Business Disruption
  9. Fraud
  10. Legal and Compliance
  11. Infrastructure and physical assets
  12. Strategic, Project and Change Risk

And finally, Risk Causes.

At the highest level, these typically come back to 4 main causes, being:

  1. People
  2. Inadequate Process
  3. Systems
  4. External Events

From these taxonomies of Causes, Events, and Impacts, combinations will define each tailored risk that the organisation faces. A common way of representing this is using Bow Tie Analysis:

Example Bow Tie diagram for a Financial Risk: Market Risk

Example Bow Tie diagram for a Non-Financial Operational Risk: Fraud Risk

What is clear is that most risk causes and events will affect many, if not all, impact types, including financial impacts. Virtually every risk has the potential for a financial impact. Are all risks therefore not "financial risks"? If the definition relates to the impact / consequence type, then the answer must be "yes".

The Australian Securities and Investments Commission chair James Shipton, speaking at a recent Australian Institute of Company Directors event, said: "The truth is that all risk ultimately has financial consequences."

Returning to Deloitte's definition, "Financial Risk" covers Market, Credit and Liquidity (items 1, 2 and 3 in the Risk Event taxonomy above), which implies that the rest are examples of Non-Financial Risks. Using a positive definition, "non-financial risk" therefore covers items 4 to 12 in the Risk Events noted above.

These can be summarised as Operational Risk (including HR, Culture & Conduct, IT, Data & Cyber, Business Disruption, Fraud, Legal & Compliance, Assets, and Infrastructure) and Strategic Risk.

If we are to refer to "non-financial risk", then I think it should be made clear that we are talking about risks other than those managed directly by the Finance Department (or equivalent), namely Market, Credit and Liquidity (and, for an insurance company, Insurance Risk).

When we are talking about non-financial risk, be clear that we are talking about Operational and Strategic risk.


The main reason for the current focus on Operational and Strategic Risk is that they are more difficult to manage compared to the "financial risks".

This is because for Operational and Strategic Risk:

  1. There is less risk data available and, as a result, the use of quantitative techniques to measure the risk is more difficult. If you can’t measure it, it is more difficult to manage. This makes the risks more qualitative in both nature and measurement.
  2. The risks are far more complex. This can be seen by comparing the financial and non-financial risk bow-tie diagrams above. The range of root causes, event types and impacts is much wider, and the connection between cause, event and impact is more complex and loose.
  3. The disciplines of operational risk management and strategic risk management are younger and much less mature than for the "financial" risks.
  4. Unlike financial risks, non-financial risks are not managed by a centralised team but rather a broad range of front-line staff across every business area.

Some organisations have therefore decided that non-financial risks are "in the too hard basket", and operational and strategic risks have consequently been neglected. The irony is that operational and strategic risks are by far the largest cause of major declines in corporate performance. J. Lam, as far back as 2011, stated: "Studies of the largest public companies have shown time and again that strategic risks account for approximately 60 percent of major declines in market capitalisation, followed by operational risks (about 30 percent), and financial risks (about 10 percent)"[3].

We, at Protecht, do "Risk Management". We do Market, Credit and Liquidity, although this accounts for less than 10% of what we do. Most importantly, we do Operational and Strategic Risk Management and have done so for 20 years. We don’t need another name, "non-financial risk", for the risks we manage, and we certainly don’t need to resort to an "everything other than..." definition.

The truth is that many organisations are not managing operational and strategic risks very well. This is clearly highlighted in our whitepaper, where we specifically cover the recent Australian Securities and Investments Commission (ASIC) report on "Director and officer oversight of non-financial risk"[4].

If you would like to know more about how Protecht can help you manage your non-financial risk (sorry – Operational and Strategic Risk Management) through its training, consulting and software solutions, contact us today:

  1. Book a demonstration of the Protecht.ERM system.
  2. Send us an email at

[1] Deloitte, "The future of Non-Financial Risk in financial services", 2018.
[2] ISO 31000:2018, Risk Management – Principles and Guidelines.
[3] Lam, J., "Risk Management: The ERM Guide from AFP", Association for Financial Professionals, 2011.
[4] Corporate Governance Taskforce, "Director and officer oversight of non-financial risk" report, October 2019.
