By Sonia Dribek-Pfleger and Dr. Lorenz Schendel
While the individual frameworks of the Non-Financial Risks (NFR) are becoming more detailed and extensive due to regulatory requirements (e.g. DORA), current challenges (pandemic, cyber, AI, geopolitical crises), increasing team size, and decentralisation of risk management activities, the overall view of non-financial risks is increasingly suffering. However, moving from regulatory compliance to efficient risk management often requires taking a step back and connecting the dots. In this article, we present both pragmatic approaches for initial steps and a long-term target picture for the holistic management of non-financial risks, with the aim of creating consistency between the various NFR data, making the NFR risk profile transparent and achieving efficient risk management by focusing on the material risks.
Context and challenges
Historically, the various NFR types have been handled in different areas of the organization, so that there is often neither a central data repository nor a central NFR reporting system. This siloed, individual approach is particularly detrimental to efficiency and gives the business units (1st LoD) the impression that similar or even identical risks are being recorded by different teams. Instead of added value, they often see only an additional burden, which usually leads to lower data quality, inconsistencies in the assessments and a deterioration in the risk culture.
The aim is therefore to consolidate and harmonize different frameworks. This can minimize the effort involved in recording and managing risks, better involve the business units and identify inconsistencies. This not only increases data quality, but also enables better comparability of risks and therefore more targeted active risk management of non-financial risks.
A key challenge is the fact that responsibilities are usually distributed across the organizational structure. If NFR topics are already bundled in one area, conflicts of objectives can be reduced. Nevertheless, overarching commitment at board level is essential. Another challenge is the typically heterogeneous and extensive system landscape, which is often supplemented by manual processes (e.g. reporting incidents via a mail template). Similar complexities arise with the underlying data and existing reports, which typically differ greatly both in terms of granularity (e.g. thousands of highly structured ICT data records vs. a few individual compliance cases described in free text) and in terms of the metrics to be considered (quantification methodology, time horizon, …) as well as the underlying structure (process-based, organizationally based or based on the risk taxonomy).
Interlocking of data and processes
As a starting point, data repositories that are collected at the same level (e.g. process level or department level) can be linked directly and automatically. Other, differently structured data pools can be linked manually in a first step using technically simple approaches (e.g. Excel, PowerBI). Often, quick wins for the future can then be realized by making minor adjustments to the data collection (e.g. recording the affected process as an additional attribute during data collection) so that a higher degree of automation becomes possible. In many cases this manual exercise also provides starting points for how different risk management cycles could be interlocked in the future in order to reduce costs and ensure data consistency during data collection. The consistent use of a uniform risk taxonomy is of great importance here in order to facilitate allocation and avoid redundancies.
Depending on the scope of the respective risk management cycle, the organizational embedding of risk management and the size of the institution, there are different approaches as to how an efficient connection via defined interfaces, central coordination or complete integration can be implemented (see Fig. 1).

Figure 1: Three ways of interlocking risk management cycles
The long-term target picture should include the highest possible level of standardization with regard to the data collection level, the taxonomy used (e.g. multi-level to cover different requirements), scales (uniform risk matrix), assessment methods (e.g. VaR), time horizons and reporting dates. This is optimally supported by flexible GRC software that technically allows the data pools to be directly linked. Due to the often modular structure of the software, gradual roll-out and expansion are possible.
Reporting: consistency, transparency and efficiency
A central result object is a holistic NFR report, at institution level and, above all, at a flexible granular level, for example at department or process bundle level. In the long-term target picture, an automated dashboard that combines an overall view with deep-dive options and is based on a central data repository is the appropriate form. A pragmatic and efficient initial implementation can also be PowerPoint/PowerBI-based, using the first manually linked data.
In terms of content, this NFR report (see Fig. 2 for an example) fulfills several purposes:
Transparency: The collective presentation of the various NFR data and inventories creates transparency about the existing risks at the level of the decentralized risk officers, which is generally not available beforehand. The implementation within the project shows that this is very positively received by the business units and therefore improves the risk culture in particular.
Consistency: The semi-automated preliminary alignment between different NFR data and the joint alignment of anomalies with the decentralized risk officers enables inconsistencies to be identified first and then rectified, resulting in improved data quality in the individual NFR data.
Efficiency: A cohesive presentation of the entire risk profile of a department or a process bundle on a few pages enables more efficient processing both for the business units and for NFR risk controlling.
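The two mechanisms described above, linking data pools collected at different levels through a shared organisational key and a uniform risk taxonomy (see "Interlocking of data and processes"), and the semi-automated preliminary alignment that surfaces inconsistencies for discussion with the decentralized risk officers (the Consistency purpose), as an added Python example. It is not code from this article or from any institution's GRC tooling; the taxonomy codes, process-to-department mapping, loss bands, tolerance and sample records are constructed assumptions chosen only to make the mechanics visible.

```python
"""Added example: lift process-based ICT incidents and department-based
compliance cases onto one taxonomy and one severity scale, then flag cells
where the risk inventory and the loss data disagree.
All codes, mappings, thresholds and records are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Uniform multi-level taxonomy (constructed codes). Each source's local
# category is mapped onto it so that the data pools can be joined.
TAXONOMY_MAP = {
    "ict": {"outage": "ICT.AVAIL", "malware": "ICT.SEC", "data_loss": "ICT.SEC"},
    "compliance": {"AML": "COMP.AML", "conduct": "COMP.CONDUCT"},
}

# Process level -> department level (constructed organisational mapping).
# This is the shared key that lets process-based and department-based data link.
PROCESS_TO_DEPT = {"P-100": "Payments", "P-101": "Payments", "P-200": "Lending"}

# Uniform risk matrix: aggregated annual loss -> severity 1..5 (constructed bands).
LOSS_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4)]


def severity_from_loss(amount: float) -> int:
    """Map an aggregated annual loss onto the uniform 1..5 severity scale."""
    for upper, level in LOSS_BANDS:
        if amount < upper:
            return level
    return 5


@dataclass(frozen=True)
class Observation:
    dept: str
    taxonomy: str
    loss: float


def normalise_ict(rows):
    """ICT incidents are recorded per process; lift them to department level
    and translate the local category into the uniform taxonomy."""
    for r in rows:
        yield Observation(PROCESS_TO_DEPT[r["process"]],
                          TAXONOMY_MAP["ict"][r["category"]], r["loss"])


def normalise_compliance(rows):
    """Compliance cases are few and already at department level."""
    for r in rows:
        yield Observation(r["dept"], TAXONOMY_MAP["compliance"][r["type"]], r["loss"])


def aggregate(observations):
    """Sum losses per (department, taxonomy) cell of the consolidated profile."""
    totals = defaultdict(float)
    for o in observations:
        totals[(o.dept, o.taxonomy)] += o.loss
    return dict(totals)


def find_inconsistencies(self_assessment, totals, tolerance=1):
    """Compare the risk officers' self-assessed severity per cell with the
    severity implied by loss data; return anomalies for the alignment workshops."""
    anomalies = []
    for cell in sorted(set(self_assessment) | set(totals)):
        implied = severity_from_loss(totals.get(cell, 0.0))
        assessed = self_assessment.get(cell)
        if assessed is None and cell in totals:
            anomalies.append((cell, "losses recorded but risk not in inventory"))
        elif assessed is not None and abs(assessed - implied) > tolerance:
            anomalies.append((cell, f"assessed {assessed} vs loss-implied {implied}"))
    return anomalies


# Constructed sample data: a structured ICT extract, a handful of compliance
# cases and the decentralised self-assessment on the uniform 1..5 scale.
ICT_INCIDENTS = [
    {"process": "P-100", "category": "outage", "loss": 250_000},
    {"process": "P-101", "category": "malware", "loss": 40_000},
    {"process": "P-200", "category": "outage", "loss": 5_000},
]
COMPLIANCE_CASES = [{"dept": "Lending", "type": "AML", "loss": 2_000_000}]
SELF_ASSESSMENT = {
    ("Payments", "ICT.AVAIL"): 1,  # under-assessed relative to the losses
    ("Payments", "ICT.SEC"): 2,
    ("Lending", "ICT.AVAIL"): 1,
    # ("Lending", "COMP.AML") is missing from the inventory altogether
}


def build_report():
    """Consolidated loss profile plus the anomaly list for the next workshop."""
    observations = list(normalise_ict(ICT_INCIDENTS)) + list(normalise_compliance(COMPLIANCE_CASES))
    totals = aggregate(observations)
    return totals, find_inconsistencies(SELF_ASSESSMENT, totals)


if __name__ == "__main__":
    totals, anomalies = build_report()
    for cell, total in sorted(totals.items()):
        print(cell, total, "-> severity", severity_from_loss(total))
    for cell, reason in anomalies:
        print("ANOMALY", cell, reason)
```

In practice the two source lists would be exports from the ICT incident tool and the compliance case register (or, in the first manual step, from Excel/PowerBI), and the anomaly list is what the semi-automated preliminary alignment hands to the decentralized risk officers: a cell that carries losses but no inventory entry, or an assessment that differs from the loss-implied severity by more than the tolerance, is exactly the kind of inconsistency that the consolidated report makes visible and that improves the data quality of the individual NFR pools once rectified.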

Figure 2: Risk assessment dashboard for an example institution
Initially, a semi-annual reporting cycle is recommended: a first report as preparation for the annual risk assessment cycle, serving as input for the individual workshops on risk identification and assessment with the decentralized risk officers, and a second report presenting the risk profile results once the assessment cycle has been concluded.
Conclusion and outlook
As a CRO, you receive various NFR-related reports, some of which are very extensive and granular. This means that all the relevant information is actually available, but it must be used efficiently. It can be difficult to grasp the overarching key points and, in particular, the causes, context and dependencies. An overarching NFR report serves as the first port of call here, before diving into the details with the regular reports. Even if the long-term target picture, with complete linking of data and a central database, is not easy to implement in every institution, it is clear that a structured approach to holistic NFR management generally makes sense. As project experience shows, an improvement in data quality is quickly achieved, and efficiency in daily work and the options for active risk management are noticeably improved, both in risk controlling and in the business units. With the goal of efficiency, transparency and reduction of effort, the work of risk controlling is also increasingly appreciated by the business units, as they see individual added value. This also improves the risk culture and the cooperation between risk controlling and the business units. Efficient management of the current NFR framework also lays the ideal foundation for mastering potential future challenges in NFR and ensures a focus on the key risks in the organization.