Focusing on nonfinancial risks

SUITS THE C-SUITE By Vicky Lee-Salas

Business World (12/21/2015 – p.S1/2)
As the business environment for financial institutions grows increasingly more complex and challenging, more and more banks are rethinking their risk management systems to encompass a growing number of nonfinancial risks. In a recent Ernst & Young survey of major financial institutions titled “Rethinking Risk Management,” which included respondents from 29 economies, banks are realizing the need to reengineer some aspects of risk management with new approaches and tools. While the study looks at various aspects of risk, including risk culture, risk appetites, and the impact of Basel III, we will focus on the area of nonfinancial risks as a growing concern for banks, particularly for global systemically important financial institutions (G-SIFI).
Almost all banks are now looking at operational risk in a more granular way — breaking down nonfinancial risk into sub-risk types such as conduct, compliance, reputation, money laundering and systems. Several of the respondents revealed that conduct and compliance failures have resulted in huge financial and reputational losses to the industry: 44% of G-SIFIs reported losses between $1 billion to $5 billion, while 25% of G-SIFIs reports losses of up to $20 billion due to nonfinancial risks. Eighty percent of G-SIFIs agreed that lapses in internal oversight and controls are the main reasons for the losses. While 91% said that the losses were covered by the capital held for nonfinancial losses, barely 25% of the respondents had a scenario assessment for the type of risk leading to the loss. Of even greater concern is that only 9% of respondents even noticed that the risk was rising prior to the loss event.
To address nonfinancial risk, firms are now working to improve risk assessment and identification systems, such as loss-reporting procedures and forensic investigative processes to identify weaknesses in individual processes. There is also now greater emphasis on forward-looking analysis, rather than after-the-fact assessment. This aims to prevent losses before they occur rather than dealing with the fallout of untoward incidents.
Many of the respondents are currently doing in-depth reviews of their operational processes to map every step in their processes in order to pinpoint where things can go wrong and flag them more quickly. Other measures include conducting simulation and modeling processes to better anticipate and avoid events; doing environmental scans to understand the impact of breaches on the industry; in-depth analysis of near-miss events to tighten controls, establishing whistle-blowing hot lines; and providing more training to strengthen employee accountability.
Accountability, in particular, is one that many respondents perceive as a key factor in managing nonfinancial risks. As a result, a vast majority of the respondents share that they now hold the front office — desk heads and business unit heads — primarily accountable for managing nonfinancial risks by providing more clarity on accountability, as well as linking misbehavior to performance and compensation metrics.
One type of nonfinancial risk that have banks on the alert is conduct risk. The term “conduct risk” comprises a wide variety of activities and types of behaviors that fall outside the main categories of risk, such as market, credit, liquidity and operational risk. In essence, it refers to risk attached to the way in which a firm, and its staff, behave in a wide range of market-facing and internal situations. Although there is no official definition, conduct risk is generally agreed to incorporate matters such as how customers are treated, remuneration of staff and how firms deal with conflict of interest. When asked what specific areas of conduct risk they were most concerned about, all the bank respondents indicated product mis-selling and money laundering as the highest.
Thus, more banks are treating conduct risk as a type of principal risk, and are undertaking special initiatives to manage it better, including defining governance structures, enhancing policies, challenging existing metrics and embedding conduct risk into the overall business model, strategy analysis and HR processes. For some institutions, these steps are as drastic as dropping certain products and transactions or leaving certain markets and countries to reduce risk. Others are working on reducing complexities and refining customer-facing protocols by adjusting sales incentives and sales targets.
Respondents identified products and customers as the two areas that require more attention. To mitigate conduct risk in product development, more than half of respondents have introduced new product approval processes and greater oversight over the product development committee, including establishing cross-functional senior committees to monitor new product development.
Respondents are also putting an increased focus on treating customers fairly, particularly new customers. Since there have been recent incidences of product mis-selling in the industry, banks are reviewing customer-facing activities such as implementing new rules for customer management, improving customer identification and assessment for individual products, strengthening internal training programs, linking customer management to performance evaluation and compensation and introducing new escalation processes for misconduct.
What these initiatives clearly indicate is that banks are moving away from a more traditional legal/control mind-set to a more risk-focused approach that takes into account the amount of risk in the specific activity. The focus is now more on what drives intrinsic risk, which calls for more forward-focused risk assessments of nonfinancial risk and enhancing stress and scenario analysis and modeling of stand-alone conduct risk.
Nonfinancial risk, particularly conduct risk, may be more difficult to manage compared to other aspects of regulation, such as liquidity or capital ratios since there are no definite metrics for gauging effectiveness. However, more and more banks are accepting that conduct risk events can potentially cause longer-term reputational damage to the firm’s customers and employees, in addition to the potential losses from fines and remediation costs.
Conduct risk is an inherent risk to the balance sheet. If it is viewed in this manner, speaking up when people see or suspect something is wrong will no longer be snitching on colleagues; rather, it will become a matter of mitigating risk for the organization.
This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.
Vicky Lee-Salas is the Philippine Financial Services Office Leader of SGV & Co.