The risk management discipline is in real danger of failing to see the forest for the trees in the way it talks about non-financial risk management. The debates – often on the “how” and “where” of risk frameworks – are usually grounded in an artificial construct such as organisational structure, lines of defence or regulatory requirements.
The reality is that while some individual risks have not changed fundamentally, new risks are emerging all the time, and changing shape. For example, inappropriate conduct risk-related behaviours were observed as early as the 17th century in tulip trading during the “Tulipmania”. On the other hand, most of the IT-related risks, including cyber risk, did not exist 40 years ago. Within ecosystems, risk scenarios evolve organically and develop new relationships with other risks. Risks do not obey the false boundaries that are created to define and manage them.
Instead, the risk discipline should be focusing on the best way to practise non-financial risk management (NFRM). This involves thinking about non-financial risk in a more connected, innovative and practical way – both within firms and between them – through new, collaborative approaches.
A useful example of the way the discipline has created false boundaries is the Basel Committee on Banking Supervision’s (BCBS’s) definition of operational risk, which is: “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.” This exclusion of strategic risk and reputational risk, more than 15 years ago, was undertaken because both of these risks were considered too “fuzzy” to quantify, when supervisory and industry focus was on measuring operational risk for regulatory capital calculation purposes.
In 2019, both regulatory and industry focus has shifted away from advanced modelling of operational risk losses for predictive purposes. Now, the discipline is beginning to understand that the relationship between these two risks and all other non-financial risks is very important. With the rise of social media and other online forms of communication, the potential for a reputational risk loss event has grown significantly: social media not only makes reputational damage instantly visible, it also amplifies the loss impact of the original risk event. There is also increasing acknowledgement of the tight interlinkage between levels of non-financial risk and the ability of an organisation to deliver on its strategic goals.
The same holds true for a rapidly developing area of regulatory focus: operational resilience. The UK’s Financial Conduct Authority (FCA), Bank of England, and Prudential Regulation Authority (PRA) published a joint discussion paper on this topic, Building the UK financial sector’s operational resilience, in July 2018. To follow up on this, the regulators expect to jointly issue a consultation paper in October. This will set out both the regulators’ new policies in this area and their approach to supervising operational resilience.
Other regulatory bodies are also looking at the issue of operational resilience. The BCBS is expected to include material on the topic in its forthcoming update to its 2011 Principles for the Sound Management of Operational Risk. And the US Federal Reserve is also drafting a new document on operational resilience, although the timeline for its publication is not known.
Operational resilience impacts, and is impacted by, all forms of non-financial risk. It’s important for firms to think about operational resilience — the impact that a loss event may have, and how well a firm responds — alongside the likelihood of risks materialising. All non-financial risks, such as OpRisk, strategic risk, and reputational risk, should be considered together.
Certainly, the regulators are thinking in this connected way. Many of the operational resilience issues that are under the spotlight — such as responding to an IT outage or a data privacy breach — are issues that all firms face, and are a source of potential systemic risk. Regulators are connecting the dots.
For example, at recent hearings in the UK parliament about IT failures at financial services firms, UK regulators talked about how they are now looking at the way in which reputational damage amplified by social media following, say, an IT outage caused by a cyberattack could impact a firm’s capital position and liquidity. This is an operational risk loss event morphing into reputational risk via social media. This then transforms into strategic risk and business risk, as well as financial risks such as liquidity risk. How far the initial IT outage rolls into other kinds of risk depends on the strength of the firm’s operational resilience.
It is all connected, and this is why Acin is calling for the industry to adopt the term non-financial risk more widely. Firms need to look at the entire risk picture in a more joined-up way. The risk management discipline needs to turn away from debates about which risk fits where, and instead put its energies into understanding how risk and resilience interconnect, within firms and between firms.
This is why we also believe that now is the moment for firms to embrace collaboration. To truly understand non-financial risk and resilience, financial services firms need to share experiences and best practices with each other.
Regulators are keen to encourage more industry collaboration. For example, in a recent speech, PRA deputy CEO Lyndon Nelson indicated that financial services supervisors would like to see banks collaborate more to protect IT systems and data from either accidental or deliberate damage. Underscoring the new importance of collaboration, Nelson also revealed that the Bank of England would shortly be publishing a report highlighting the importance of collaboration among financial services firms on resilience issues.
Regulators are also looking at resilience metrics. For example, in the BCBS update to its 2011 Principles for the Sound Management of Operational Risk, the body stated it is planning to include a set of metrics for operational resilience around IT outages. In the UK, Nick Strange, the Bank of England’s director of supervisory risk specialists, has said regulators are thinking about demanding that firms set a specific “tolerance for disruption – in the form of a specific outcome or metric” to strengthen approaches to operational resilience. Examples include “the proportion of payments made; the number of customers affected; [and] the maximum allowed time for restoration of a business service.”
Clearly the majority of non-financial risk – and especially operational resilience – is not a source of competitive advantage for firms – the regulators are implying this through their calls for increased collaboration. Their belief – as well as ours – is that proactive collaboration among firms would strengthen the entire financial system, potentially making all collaborating firms more resilient and benefitting the industry as a whole.
Getting industry-led collaboration right will make all firms stronger and enable constructive dialogue with the regulators about operational resilience, as well as non-financial risk management. Acin is committed to enabling the industry to collaborate through its unique Networked Defence Model, which is bringing the industry together into a growing network of firms who work together to enhance their risk and control environments.
Through the Networked Defence Model, financial services can be transformed from a control ecosystem within each bank that is only as strong as its weakest link, to one that is as robust as the community’s strongest link.