The regulatory scrutiny surrounding non-financial risk (NFR) has been significantly heightened by the recent regulatory actions related to topics such as money laundering, technology or data theft, sales practices, and market manipulation.
For both financial and non-financial institutions alike, non-financial risk management has become more challenging due to the added complexity from rapid shifts in technology, extensive process automation, and greater dependence on systems instead of people. These changes have led to new risk exposures.
Given multiple pressures from stakeholders, the industry has rapidly responded by building out non-financial risk management capabilities.
Most organizations now have numerous specialist teams dedicated to the management of various non-financial risks, often with overlapping remits and different chains of command.
With risk-control-siloed functions, each having its risk-identification processes, reporting structures, and IT systems, the result is duplicated work as well as costs. Organizations feel they are drowning in parallel efforts aimed at identifying, assessing, and remediating risks with the same individuals being approached over and over again, and diluting scarce resources and attention from operating the business.
In 2019, BankingBook Analytics and Global Risk Institute jointly developed the Distribution Analysis for Information Risk (DAIR) framework for the quantification of non-financial cyber risk. Unlike other industry standards, DAIR uses an integrated risk taxonomy, focusing on the impact of failures, rather than frequency of losses.
Many institutions seek a more integrated NFR-management approach in order to reduce the risk of further failures, to meet stakeholders’ requirements and expectations, and limit costs. DAIR has application in non-financial risk management and quantification across financial and non-financial industries alike.
NFR STRATEGY AND FUNCTIONAL DESIGN
The development of an NFR risk strategy requires a review of business ambitions, with a focus on developing a robust control framework. NFR teams need to understand how the business functions. A lack of understanding can lead to friction when designing risk control targets. Dedicated control units can help senior management identify and design improvements.
When it comes to organizational design, there is no one-size-fits-all approach, but it is essential that organizations define a consistent set of principles that reflect governance structure, operational complexity, and specific regulatory requirements. These principles need to be flexible enough to guide future adjustments to the organization and operating model. They should clarify the organizational separation of the first and second lines of defense to ensure independent control by second-line areas while permitting them to perform activities as an advisor or servicer. This is culturally important so that second-line areas are seen as vital to an organization's business model.
A principles-based approach must promote a change in the organization’s thinking so that risk management and controls are foremost in the minds of senior management and employees. Balanced scorecards, which measure control effectiveness and review thresholds, and penalties for breaching them, can also help.
BBA recommends that the NFR strategy is based on a sound foundation of risk ownership. The blueprint of organizational design can then be devised by consolidating and aggregating risks by business and type.
INTEGRATED RISK TAXONOMY
If NFR management is to be integrated, all parties must speak the same language. Yet, it is common for second-line functions to use different taxonomies with overlapping types of risk and different definitions of those risks. This creates inconsistencies when applied in different risk assessments and reports or used to assign responsibilities. The number of taxonomies within an institution can easily exceed a dozen and may contain several hundred risk definitions. Consolidation into a single taxonomy can reduce the number of risk types, which can then be assigned to second-line functions. Our principles-based approach to designing the risk taxonomy focuses on proportionality, materiality, and performance.
It is important to deal with risk efficiently when it arises. More important still is to prevent risks from materializing in the first place. BBA recommends an end-to-end business view, enabling organizations to review their business complexity in the light of control requirements. Controls might be unnecessary if underlying processes and systems, or product complexities are addressed in ways that improve the robustness of the business model, which would also reduce the cost of control.
BBA recommends two principal ways to develop and improve control frameworks. First, organizations should map risks along entire value chains and processes in order to understand where they might lie and include their interdependencies. Second, wherever possible, controls should be top-down, as opposed to bottom-up.
INTEGRATED & FORWARD-LOOKING RISK AND CONTROL ASSESSMENT
The evidence of audit findings and risk incidents calls into question the comprehensiveness and effectiveness of internal control frameworks. Traditional risk assessment (especially of operational risk) often focuses exclusively on avoiding risks that have led to losses in the past. But it is a reasonably safe bet that many of the risks that will trip up organizations in the future are not yet on their radar.
Using forward-looking scenarios, BBA’s assessments consider emerging risks and monitor developments in other companies and even other industries for clues as to where new risks might arise. BBA's rigorous assessment of the adequacy of controls examines the following elements:
- Ownership: A clear breakdown of the organization and its activities into assessment units. These units should reflect the management structure and provide an end-to-end view of value chains within the organization's operating model.
- Common Components: These should include risk and control taxonomies, definitions of risk materiality, and common aggregation logic. These should be defined for each risk type by the responsible second line.
- A Common Set of Control Attributes: These serve as evidence for the design and implementation effectiveness of controls and can include characteristics such as the frequency of controls, the level of automation, and whether they aim to prevent or detect risk events.
- A Clear Governance Structure Across First and Second Lines: Responsibility for identifying, assessing, validating, and reporting on risks and controls should be assigned clearly.
- An Integrated Management Information System for First and Second Lines: A consistent reporting base by division and risk type.
CYBER RISK ASSESSMENT
The digitization of personal and business interactions is dramatically changing the cyber-attack surface. BBA's Cyber Risk Assessment is based on the following key elements:
- Gap Analysis and Implementation Roadmap: To enable the successful implementation of DAIR, we identify and explain potential gaps that the organization has to address, in line with the recommended implementation options.
- Enterprise-wide Identification of Critical Assets: Segmentation and ring-fencing of critical cyber assets based on their contribution to achieving mission-critical.
- Data Capture: The key objective of this work step is to identify and collate internal data for threats, near misses, and incidents. Using event logs and emerging trends, BBA's experts design forward-looking scenarios and identify cyber risk quantification paths for cyber and interrelated risks, e.g., reputational risk, business risk, etc.
ESG FACTOR SCORING TO SHOW IMPACT OF ESG ON CREDIT AND OPERATIONAL RISK
In recent years, there has been a growing focus on looking beyond the balance sheet. Investors demand answers to questions, such as:
- Environmental: Is the company’s business subject to increasing risks as a result of climate change?
- Social: Does the company monitor its supply chain for potential human rights violations or health and safety issues?
- Governance: What is the structure of executive compensation, and what measures do they have in place to combat corruption?
BBA assists stakeholders in integrating Environmental, Social, and Governance (ESG) risks for each portfolio enterprise to highlight its key ESG challenges and opportunities.
BBA's ESG factor scoring covers all asset classes, with the main focus on non-financial corporates. Using both qualitative and quantitative factors and proprietary algorithms, BBA's ESG approach fills a market gap by developing ESG scores, demonstrating the effect of scores on a company's credit and operational risks. While the number of ESG scoring KPIs may vary by company, depending on the sector and the quality of the company’s ESG management system; however, establishing company-specific ESG scoring KPIs is now considered as a standard in the 100-day post-acquisition plan.
BBA's quantitative ESG management approach helps investee companies prepare in advance of the investment and credit rounds. Other services that we provide, include best practice benchmarking of ESG risks, compliance roadmap, effective risk governance, and quantification.
QUANTIFICATION OF NON-FINANCIAL RISK
Management guru Peter Drucker once said, “what gets measured, gets managed.” BBA offers high-quality quantification of NFR that enables better risk management – at a lower cost.
Accurate capital quantification is important, especially given the growing levels of risk-weighted assets banks and credit unions are obliged to hold to cover operational risk. In light of regulatory developments (such as the Basel Committee’s proposal to abolish the use of advanced internal models for calculation of Pillar 1 capital requirements for operational risk), DAIR can be used to run a sanity check on capital requirement determined using the standardized approach.
BBA focuses on high priority “tail risks,” i.e. risks that can severely impact the capital position of an organization. By modelling at lower confidence intervals, DAIR can also be used to quantify risk indicators. For example, for high frequency, low severity risks, we can apply DAIR to identify quantifiable risk indicators, such as an acceptance threshold for error rates or earnings shortfall, etc. If selected appropriately, these indicators capture the true drivers of NFR exposure and the quality of controls, in turn providing a more robust foundation for risk assessments, risk-appetite definition, and capital calculations. It is important that the risk indicators have thresholds attached to them that trigger a specific, ideally pre-defined action, which reduces the exposure to this particular risk.
Finally, DAIR reporting consolidates the risks by business unit and type of risk. Customized reporting coverage can be designed to address the demands of various stakeholders. For example,
- Standalone and consolidated capitalization of NFR scenarios.
- A set of quantitative risk indicators that can be monitored to ensure the tolerance of risk is not breached.
- A record of major incidents and near misses, and their impact in terms of financial losses or capital implications.
CYBER RISK QUANTIFICATION USING THE DAIR APPROACH
DAIR uses a three-dimensional approach to capture and size, organizational cyber risk:
- Operational cyber risk quantification using forward-looking high severity scenarios.
- Business cyber risk quantification to capture the knock-on effect, e.g., loss of credibility, and customer base.
- Systemic cyber risk to measure the impact of cross-border software subversion, e.g., targeting of critically important systemic assets.
Delivered in an easy-to-use, web-based front-end platform, Operational and Business cyber risk modules are included in BBA's ECAPLeader and the Systemic cyber risk module is in our ScenarioFrontier application. Users have the option to either use a cyber-risk specific module or the entire suite.
Next Generation of AML Surveillance System: BBA’s Approach
Financial crime driven by money laundering has reached global and stratospheric proportions. Funds laundered are estimated to run into trillions of dollars annually, estimated to be between two to five per cent of the world’s GDP.
As the quantum of laundered money increases, so do the suspicious transaction reports (STRs), corresponding investigations and prosecutions. Each STR form provides valuable clues about the behavioral aspects of the financial crime and should not be overlooked. Using information about the transaction or the individual, we can identify key discrete factors to rank order STRs from high to low risk. Such analysis can be undertaken using the logit function, thereby, assigning score to each factor as a function of the successful prosecution. Highly predictive factors can then be presented in the form of a multivariate discriminant analysis model. Using receiver operating characteristic (ROC), we can test the predictive power of the behavioral factors shortlisted for the model.
Data-driven STR analysis can help surveillance and monitoring agencies develop a national alert system. Customized alert queries can also be designed, such as, “Create an alert when over the past X days at least Cash deposits were made with an amount between the fixed threshold value($10,000) and X% of that amount”.
AI learning can take place for uncalibrated scenarios, e.g., emerging use of P2P transactions, mules augmented by industry-based intelligence. Such alert queries can generate additional transaction alerts that usually do not get caught in the filter.
To run this analysis, we require aggregate data of the total number of STRs received and successful prosecutions per year. Where prosecution data is unavailable, we use the benchmark case-law from similar jurisdictions.
BankingBook Analytics (BBA) uses accelerators to develop a data and analytics operating model, combined with process-mapping, to assist FIUs with the implementation of the next generation of money laundering analytics and monitoring tools.
BBA’s microservice architecture uses behavioral analytics and ROC accelerators, providing an assurance that each factor included in the model is based on minimum acceptable predictive power, reducing or avoiding false-positive alerts, to avoid expensive administration and investigation efforts. Using technology enablers, such as, Optical Character Recognition (OCR), we can transform STRs into data readable files.
When seeking to upgrade or develop your system’s surveillance capabilities, you should insist on an integrated AML system that has the following capabilities:
- An alert system for regulated entities using AI-enabled STRs scoring
- Automation and integration of regulatory reporting (FATF, Egmont, etc.)
- Lateral integration with the law enforcement agencies for escalated STRs, case files, etc.
Risk-based analysis of suspicious transaction reports can help national Financial Intelligence Units transform from being reactive to proactive regulatory organizations. It is also one of the highly regarded strategic competencies particularly in anti-money laundering efforts, because meaningful risk assessment must be almost by-the-minute analysis due to the accelerated pace of changing financial, technology and social realities. Our system comes equipped with a real-time executive dashboard.
Our easily accessible archiving system, vintage risk-record keeping further empowers investigative capabilities to prevent financial crime proactively, while fighting financial crime on an ongoing basis.
Click here to book a discussion today.
BankingBook delivers the world's only cyber risk management software solution that provides 360-degree cyber risk coverage. Through BBA, business stakeholders get unprecedented visibility into the financial loss exposure originated by cyber and non-financial events. This allows business leaders to make well-informed decisions. If you are a GRI and/or CCTX member, ask for our promotional software licensing plan.
BBA's cyber risk quantification models work with both internal and external data. The Risk Data Warehouse in our module allows various members of the organization to centrally manage all of their relevant risk data and risk incidents reporting.
Built on the DAIR Standard
BBA's cyber risk quantification software modules are the only enterprise software platform purpose-built on DAIR - a standard developed under the Global Risk Institute's thought leadership. Key benefits of implementing DAIR include coverage of the full spectrum of cyber threat; planning, forecasting, and ROI analysis, the development of a risk transfer framework, e.g., insurance, determination of the contribution of cyber risk in pricing frameworks, and rollout of threshold limits for Key Risk Indicators and risk appetite dashboards.
KEY METRICS & DELIVERABLES
- For each loss scenario, assign frequency and severity distributions. Distribution options for frequency include Poisson and Negative Binomial. Distribution options for severity include Pareto, GPD, Weibull, Lognormal, and Gamma.
- Key parameters: Expected frequency and severity, and unexpected severity at a pre-agreed confidence interval.
- Simulated approach to determine Earnings-at-risk for business units.
- Cyber risk identification and assessment.
- Review existing framework and outline development options, including the development of a strategic roadmap.
- Mapping of malicious and non-malicious cyber-attacks with global risk taxonomy.
- Pilot “deep dives” on top risks, including design and development of quantitative KPIs.
- Design data collection templates, and reporting dashboards.
ScenarioFrontier is a powerful tool for day-to-day strategic planning and capital management, permitting companies to identify and quantify risks and opportunities across a wide range of potential economic environments. ScenarioFrontier integrates budget, risk, and macroeconomic variables for regulatory compliance and management action planning.
ECAPLeader provides an integrated view of capital for material risks, using a modelling engine attuned to the credit cycle, such that economic capital rises in good periods and starts to fall, relatively, in bad periods as losses are realized.
ModelTek is an industry-leading platform designed to industrialize model risk management for the second and third lines of defense. Regulators and auditors across the globe are consistently asking for more in-depth and more frequent model validation. The risk of non-compliance with regulatory standards, such as IFRS 9, BCBS 350, and BCBS 223 is severe.