The regulatory scrutiny surrounding non-financial risk (NFR) has been significantly heightened by the recent regulatory actions related to topics such as money laundering, technology or data theft, sales practices, and market manipulation.
For both financial and non-financial institutions alike, non-financial risk management has become more challenging due to the added complexity from rapid shifts in technology, extensive process automation, and greater dependence on systems instead of people. These changes have led to new risk exposures.
Given multiple pressures from stakeholders, the industry has rapidly responded by building out non-financial risk management capabilities.
Most organizations now have numerous specialist teams dedicated to the management of various non-financial risks, often with overlapping remits and different chains of command.
With risk-control-siloed functions, each having its risk-identification processes, reporting structures, and IT systems, the result is duplicated work as well as costs. Organizations feel they are drowning in parallel efforts aimed at identifying, assessing, and remediating risks with the same individuals being approached over and over again, and diluting scarce resources and attention from operating the business.
In 2019, BankingBook Analytics and Global Risk Institute jointly developed the Distribution Analysis for Information Risk (DAIR) framework for the quantification of non-financial cyber risk. Unlike other industry standards, DAIR uses an integrated risk taxonomy, focusing on the impact of failures, rather than frequency of losses.
Many institutions seek a more integrated NFR-management approach in order to reduce the risk of further failures, to meet stakeholders’ requirements and expectations, and limit costs. DAIR has application in non-financial risk management and quantification across financial and non-financial industries alike.
NFR STRATEGY AND FUNCTIONAL DESIGN
The development of an NFR risk strategy requires a review of business ambitions, with a focus on developing a robust control framework. NFR teams need to understand how the business functions. A lack of understanding can lead to friction when designing risk control targets. Dedicated control units can help senior management identify and design improvements.
When it comes to organizational design, there is no one-size-fits-all approach, but it is essential that organizations define a consistent set of principles that reflect governance structure, operational complexity, and specific regulatory requirements. These principles need to be flexible enough to guide future adjustments to the organization and operating model. They should clarify the organizational separation of the first and second lines of defense to ensure independent control by second-line areas while permitting them to perform activities as an advisor or servicer. This is culturally important so that second-line areas are seen as vital to an organization's business model.
A principles-based approach must promote a change in the organization’s thinking so that risk management and controls are foremost in the minds of senior management and employees. Balanced scorecards, which measure control effectiveness and review thresholds, and penalties for breaching them, can also help.
BBA recommends that the NFR strategy is based on a sound foundation of risk ownership. The blueprint of organizational design can then be devised by consolidating and aggregating risks by business and type.
INTEGRATED RISK TAXONOMY
If NFR management is to be integrated, all parties must speak the same language. Yet, it is common for second-line functions to use different taxonomies with overlapping types of risk and different definitions of those risks. This creates inconsistencies when applied in different risk assessments and reports or used to assign responsibilities. The number of taxonomies within an institution can easily exceed a dozen and may contain several hundred risk definitions. Consolidation into a single taxonomy can reduce the number of risk types, which can then be assigned to second-line functions. Our principles-based approach to designing the risk taxonomy focuses on proportionality, materiality, and performance.
It is important to deal with risk efficiently when it arises. More important still is to prevent risks from materializing in the first place. BBA recommends an end-to-end business view, enabling organizations to review their business complexity in the light of control requirements. Controls might be unnecessary if underlying processes and systems, or product complexities are addressed in ways that improve the robustness of the business model, which would also reduce the cost of control.
BBA recommends two principal ways to develop and improve control frameworks. First, organizations should map risks along entire value chains and processes in order to understand where they might lie and include their interdependencies. Second, wherever possible, controls should be top-down, as opposed to bottom-up.
INTEGRATED & FORWARD-LOOKING RISK AND CONTROL ASSESSMENT
The evidence of audit findings and risk incidents calls into question the comprehensiveness and effectiveness of internal control frameworks. Traditional risk assessment (especially of operational risk) often focuses exclusively on avoiding risks that have led to losses in the past. But it is a reasonably safe bet that many of the risks that will trip up organizations in the future are not yet on their radar.
Using forward-looking scenarios, BBA’s assessments consider emerging risks and monitor developments in other companies and even other industries for clues as to where new risks might arise. BBA's rigorous assessment of the adequacy of controls examines the following elements:
- Ownership: A clear breakdown of the organization and its activities into assessment units. These units should reflect the management structure and provide an end-to-end view of value chains within the organization's operating model.
- Common Components: These should include risk and control taxonomies, definitions of risk materiality, and common aggregation logic. These should be defined for each risk type by the responsible second line.
- A Common Set of Control Attributes: These serve as evidence for the design and implementation effectiveness of controls and can include characteristics such as the frequency of controls, the level of automation, and whether they aim to prevent or detect risk events.
- A Clear Governance Structure Across First and Second Lines: Responsibility for identifying, assessing, validating, and reporting on risks and controls should be assigned clearly.
- An Integrated Management Information System for First and Second Lines: A consistent reporting base by division and risk type.
CYBER RISK ASSESSMENT
The digitization of personal and business interactions is dramatically changing the cyber-attack surface. BBA's Cyber Risk Assessment is based on the following key elements:
- Gap Analysis and Implementation Roadmap: To enable the successful implementation of DAIR, we identify and explain potential gaps that the organization has to address, in line with the recommended implementation options.
- Enterprise-wide Identification of Critical Assets: Segmentation and ring-fencing of critical cyber assets based on their contribution to achieving mission-critical.
- Data Capture: The key objective of this work step is to identify and collate internal data for threats, near misses, and incidents. Using event logs and emerging trends, BBA's experts design forward-looking scenarios and identify cyber risk quantification paths for cyber and interrelated risks, e.g., reputational risk, business risk, etc.
ESG FACTOR SCORING TO SHOW IMPACT OF ESG ON CREDIT AND OPERATIONAL RISK
In recent years, there has been a growing focus on looking beyond the balance sheet. Investors demand answers to questions, such as:
- Environmental: Is the company’s business subject to increasing risks as a result of climate change?
- Social: Does the company monitor its supply chain for potential human rights violations or health and safety issues?
- Governance: What is the structure of executive compensation, and what measures do they have in place to combat corruption?
BBA assists stakeholders in integrating Environmental, Social, and Governance (ESG) risks for each portfolio enterprise to highlight its key ESG challenges and opportunities.
BBA's ESG factor scoring covers all asset classes, with the main focus on non-financial corporates. Using both qualitative and quantitative factors and proprietary algorithms, BBA's ESG approach fills a market gap by developing ESG scores, demonstrating the effect of scores on a company's credit and operational risks. While the number of ESG scoring KPIs may vary by company, depending on the sector and the quality of the company’s ESG management system; however, establishing company-specific ESG scoring KPIs is now considered as a standard in the 100-day post-acquisition plan.
BBA's quantitative ESG management approach helps investee companies prepare in advance of the investment and credit rounds. Other services that we provide, include best practice benchmarking of ESG risks, compliance roadmap, effective risk governance, and quantification.
QUANTIFICATION OF NON-FINANCIAL RISK
Management guru Peter Drucker once said, “what gets measured, gets managed.” BBA offers high-quality quantification of NFR that enables better risk management – at a lower cost.
Accurate capital quantification is important, especially given the growing levels of risk-weighted assets banks and credit unions are obliged to hold to cover operational risk. In light of regulatory developments (such as the Basel Committee’s proposal to abolish the use of advanced internal models for calculation of Pillar 1 capital requirements for operational risk), DAIR can be used to run a sanity check on capital requirement determined using the standardized approach.
BBA focuses on high priority “tail risks,” i.e. risks that can severely impact the capital position of an organization. By modelling at lower confidence intervals, DAIR can also be used to quantify risk indicators. For example, for high frequency, low severity risks, we can apply DAIR to identify quantifiable risk indicators, such as an acceptance threshold for error rates or earnings shortfall, etc. If selected appropriately, these indicators capture the true drivers of NFR exposure and the quality of controls, in turn providing a more robust foundation for risk assessments, risk-appetite definition, and capital calculations. It is important that the risk indicators have thresholds attached to them that trigger a specific, ideally pre-defined action, which reduces the exposure to this particular risk.
Finally, DAIR reporting consolidates the risks by business unit and type of risk. Customized reporting coverage can be designed to address the demands of various stakeholders. For example,
- Standalone and consolidated capitalization of NFR scenarios.
- A set of quantitative risk indicators that can be monitored to ensure the tolerance of risk is not breached.
- A record of major incidents and near misses, and their impact in terms of financial losses or capital implications.
CYBER RISK QUANTIFICATION USING THE DAIR APPROACH
DAIR uses a three-dimensional approach to capture and size, organizational cyber risk:
- Operational cyber risk quantification using forward-looking high severity scenarios.
- Business cyber risk quantification to capture the knock-on effect, e.g., loss of credibility, and customer base.
- Systemic cyber risk to measure the impact of cross-border software subversion, e.g., targeting of critically important systemic assets.
Delivered in an easy-to-use, web-based front-end platform, Operational and Business cyber risk modules are included in BBA's ECAPLeader and the Systemic cyber risk module is in our ScenarioFrontier application. Users have the option to either use a cyber-risk specific module or the entire suite.
BankingBook delivers the world's only cyber risk management software solution that provides 360-degree cyber risk coverage. Through BBA, business stakeholders get unprecedented visibility into the financial loss exposure originated by cyber and non-financial events. This allows business leaders to make well-informed decisions. If you are a GRI and/or CCTX member, ask for our promotional software licensing plan.
BBA's cyber risk quantification models work with both internal and external data. The Risk Data Warehouse in our module allows various members of the organization to centrally manage all of their relevant risk data and risk incidents reporting.
Built on the DAIR Standard
BBA's cyber risk quantification software modules are the only enterprise software platform purpose-built on DAIR - a standard developed under the Global Risk Institute's thought leadership. Key benefits of implementing DAIR include coverage of the full spectrum of cyber threat; planning, forecasting, and ROI analysis, the development of a risk transfer framework, e.g., insurance, determination of the contribution of cyber risk in pricing frameworks, and rollout of threshold limits for Key Risk Indicators and risk appetite dashboards.
KEY METRICS & DELIVERABLES
- For each loss scenario, assign frequency and severity distributions. Distribution options for frequency include Poisson and Negative Binomial. Distribution options for severity include Pareto, GPD, Weibull, Lognormal, and Gamma.
- Key parameters: Expected frequency and severity, and unexpected severity at a pre-agreed confidence interval.
- Simulated approach to determine Earnings-at-risk for business units.
- Cyber risk identification and assessment.
- Review existing framework and outline development options, including the development of a strategic roadmap.
- Mapping of malicious and non-malicious cyber-attacks with global risk taxonomy.
- Pilot “deep dives” on top risks, including design and development of quantitative KPIs.
- Design data collection templates, and reporting dashboards.
ScenarioFrontier is a powerful tool for day-to-day strategic planning and capital management, permitting companies to identify and quantify risks and opportunities across a wide range of potential economic environments. ScenarioFrontier integrates budget, risk, and macroeconomic variables for regulatory compliance and management action planning.
ECAPLeader provides an integrated view of capital for material risks, using a modelling engine attuned to the credit cycle, such that economic capital rises in good periods and starts to fall, relatively, in bad periods as losses are realized.
ModelTek is an industry-leading platform designed to industrialize model risk management for the second and third lines of defense. Regulators and auditors across the globe are consistently asking for more in-depth and more frequent model validation. The risk of non-compliance with regulatory standards, such as IFRS 9, BCBS 350, and BCBS 223 is severe.