The latest focus in risk management seems to be "non-financial risk". Search for "non-financial risk" on Google and you will be returned everything from white papers and frameworks to conferences and plenty of commentary from regulators.
At our firm, Protecht, we have more than two decades of hands-on risk management under our belts. Personally, I have been involved in risk management for over 35 years.
It may sound cynical, but this current trend feels like it's just another buzz word to imply something new in the risk management world. I am failing to see what is new. It feels like a new name for something we have been doing for years.
Sign up to our knowledge hub now to get our latest risk insights in your inbox every week:
What is non-financial risk and what are its impacts?
So what is "non-financial risk" or "NFR", as we seem to love acronyms in risk management (or should I say RM?).
NFR is a broad term that is usually defined by exclusion, that is, any risks other than the traditional financial risks of market, credit, and liquidity [1].
I’ve never been a fan of defining something by what it is not. It implies that it is too hard to define by what it is. Telling you I am not Brad Pitt, doesn’t give you much information on what I actually look like. I am taller than him for a start!
So let’s use our understanding of risk to try and define what this "Non-Financial Risk" is. Risk is the effect of uncertainty on objectives [2].
Risk is made up of three main parts
Impacts/consequences: This is the "effect" on objectives
Causes: These are the root causes of the risk, often identified through asking the questions Why? and continuing until the answer is "it just is" or the answer is "outside of your influence".
Events: These are things that occur between the causes and the impacts.
How do we define risk impacts?
If we focus on risk impacts first, these should be defined based on the objectives of the organisation.
For most organisations, they would typically include such things as:
- Profit (revenue and expense)
- Financial stability (capital levels and cash-flow)
- Stakeholder satisfaction (customer, supplier, employee, etc)
- Employee safety and well-being
- Compliance with regulatory and contractual obligations
- Protection and enhancement of reputation and brand
- Protection and enhancement of the environment
- Protection and enhancement of society (corporate social responsibility - CSR)
This usually reduces to a number of identified risk impacts typically including:
- Financial (profitability and cash-flow)
- Customer
- Employee
- Environment
- Legal and compliance breaches
- Reputation and brand
- CSR
How do we define risk events?
A typical taxonomy of risk events at board level may include:
- Market risk
- Liquidity and funding risk
- Credit risk
- Human resource risk (quality and quantity)
- Culture and conduct risk
- IT risk
- Loss of confidential data and IP, including cyber
- Business disruption
- Fraud
- Legal and compliance
- Infrastructure and physical assets
- Strategic, project and change risk
How do we define risk causes?
At the highest level, these typically come back to four main causes, being:
- People
- Inadequate process
- Systems
- External events
From these taxonomies of Causes, Events, and Impacts, combinations will define each tailored risk that the organisation faces. A common way of representing this is using risk bow tie analysis:
Example bow tie diagram for a financial risk: Market risk
Example bow tie diagram for a non-financial operational risk: Fraud risk
What is clear is that most risk causes and events will impact many, if not, all impact types including financial impacts. Virtually every risk has the potential for a financial impact. Are all risks therefore "financial risks"? If the definition relates to the impact/consequence type, then the answer must be "yes".
According to former Australian Securities and Investments Commission chair James Shipton, speaking at the Australian Institute of Company Directors: "The truth is that all risk ultimately has financial consequences."
Returning to Deloitte's definition implies that "financial risk" covers market, credit and liquidity (numbers 1, 2 & 3) in the risk event taxonomy noted above. The rest must be examples of non-financial risks. Using a positive definition, "non-financial risk" therefore covers items 4 to 12 in the risk events noted above.
Non-financial risk is operational and strategic risk
These can be summarised as operational risk (including HR, culture & conduct, IT, data & cyber, business disruption, fraud, legal & compliance, assets, and infrastructure), and strategic risk.
If we are to refer to "non-financial risk" then I think it should be made clear that we are talking about risks other than those managed directly by the finance department (or equivalent) being Market, Credit and Liquidity (and for an insurance company, insurance Risk).
When we are talking about non-financial risk, be clear that we are talking about operational and strategic risk.
The main reason for the current focus on operational and strategic risk is that they are more difficult to manage compared to the "financial risks".
This is because for operational and strategic risk:
There is less risk data available and as a result, the use of quantitative techniques to measure the risk is made more difficult. If you can’t measure it, it’s more difficult to manage. This makes the risks more qualitative in nature and measurement.
The risks are way more complex. This can be seen by comparing the financial and non-financial risk bow-tie diagrams above. The range of root causes, event types and impacts is much wider and the connection between cause, event and impact is more complex and loose.
The disciplines of operational risk management and strategic risk management are younger and much less mature than for the "financial" risks.
Unlike financial risks, non-financial risks are not managed by a centralised team but rather a broad range of front-line staff across every business area.
Some organisations have therefore said, non-financial risks are "in the too hard basket" and operational and strategic risks have therefore been neglected. The irony is that operational and strategic risks are by far the largest cause of major declines in corporate performance.
As far back as 2011, James Lam wrote: "Studies of the largest public companies have shown time and, again, that strategic risks account for approximately 60% of major declines in market capitalisation, followed by operational risks (about 30%), and financial risks (about 10%).”[3]
Conclusions and next steps for your organisation
We, at Protecht, do risk management. This includes market, credit and liquidity risk, although this accounts for less than 10% of what we do. Most importantly we do operational and strategic risk management and have done for 20 years. We don’t need another name "non-financial risk" for the risks we manage and we certainly don’t need to resort to an "everything other than..." definition!
If you'd like to know more about how we see the world of risk management, a good place to start is our Enterprise Risk Management eBook which answers the key question: what does it actually mean to manage risk effectively across the enterprise?
Sign up to our knowledge hub now to get our latest risk insights in your inbox every week:
[1] The future of non-financial risk in financial services. Deloitte, 2018
[2] ISO 31000:2018 Risk management principles and guidelines.
[3] Lam, J. "Risk Management: The ERM Guide from AFP." (2011). Association for Financial Professionals
Originally published October 2019, updated July 2023