Non-financial risk: Be a pioneer in key areas before you lead the list of fines

Changes to internal and external conditions and the consequent impact on an organization’s risk situation require an adjustment to the organizational structure used for risk management.

In 2018, the sum of fines for the three largest infringements of non-financial risk regulations among European banks amounted to EUR5,420,000,000.[1] Losses caused by non-financial risks are increasing at an alarming rate worldwide.

Non-financial risk (NFR) is one of the essential drivers of risk within a bank. In recent times, these risks have increasingly become the root cause of significant losses. Between 2011 and 2017 alone, the total amount of NFR-related losses amounted to more than EUR500 billion.[2] The main causes can be traced to inadequate or failed internal processes and systems, human error, and external events. Non-financial risk can quickly take on large proportions and spread deep within the business. When this occurs, NFR can also indirectly affect business areas not directly involved in the NFR incident. New risks, such as cyber risk and contract risk, can also damage a company’s image.

The increasing rate of NFR incidents is a call to action: a company is now hit by a cyber-attack every 14 seconds. The average cost of data lost or stolen in data breaches amounts to EUR125,000 per person.[3]

Only the following holistic approach will provide sustainable security and minimize non-financial risk:

The foundation for mitigating non-financial risk must be anchored within the organization in the form of specialized governance and cultural change.

More than ever, the organization must react to new and increasing non-financial risk events. For this purpose, dedicated teams of specialists for non-financial risks must be established. Their primary role is to manage the risk posed by new threats such as cyber-attacks across the entire risk management process.

To support the establishment of specialist teams, it is necessary to integrate them closely with operational employees. A high level of awareness must be created and continually expanded. Changes in organization and governance can only be sustained in the long term through cultural change.

Talented risk managers who are familiar with the new data-driven approaches and the technologies available on the market must be brought into the organization.

Non-financial risks are constantly evolving in terms of scale and complexity and should be examined across four fundamental areas.

Non-financial risk never stands still. Due to internal and external influences, it is subject to constant change, so that a risk assessed as low today can assume dangerous proportions tomorrow.

A continuous evaluation of NFR is required. Evaluation and risk mitigation can be significantly improved by standardizing, harmonizing, and automating the underlying processes.

In addition, a clear definition and allocation of NFRs to specific business areas, together with an evaluation of their potential business impact, is of great relevance. This is the only way to assign specific controls to individual NFRs and establish an optimal control environment for risk mitigation.

In order not only to evaluate existing risks and take precautions before an incident occurs, but also to react quickly to incidents and draw lessons for the future, it is important to adopt modern technology.

Appropriate tools must be carefully selected and implemented in the daily business process.

Modern tools for risk forecasting and operational risk efficiency, supported by artificial intelligence, must be put in place to create an efficient non-financial risk management process. Only new types of technology can respond adequately to new needs. A first step, for example, is the establishment of a comprehensive database that identifies individual risks in detail, derives a reasonable clustering, and assigns appropriate controls. Only through the holistic recording of potential risks and events can artificial intelligence be applied.

The authors strongly believe that non-financial risk management provides the basis not only for selective optimization, but also for holistic alignment of risk management with current requirements. This holistic approach can raise a bank’s performance to a new level.

Banks can overcome the challenges involved in the transformation of risk management to include non-financial risk by a reasonable effort. Capgemini Invent, with experience in NFR management in more than 15 European countries, can support this process with a variety of projects and expertise.

Erekle Tolordava is a Senior Manager at Capgemini Invent and leads the company’s strategic offer for Non-Financial Risk Management globally. You can contact him at erekle.tolordava@capgemini.com or 004915140252792.

[1] ORX, Annual Top 10 Losses 2018, 2019.
[2] The Institute of Operational Risk, 2019.
[3] Varonis, 60 Must-Know Cybersecurity Statistics for 2019.
