Non-financial risk – incident management

Incident management in non-financial risk management (NFRM) encompasses the identification, capture, and analysis of risks and the elaboration of respective actions. The establishment of an effective incident management solution promotes faster response to risks, and makes it possible to proactively address potential vulnerabilities and prevent further incidents. It identifies potential sources of risks (e.g., implementation of a new product, outsourcing of services, external incidents, etc.), provides the necessary data, and triggers subsequent risk assessments in every impacted unit. In one word, sound incident management simplifies non-financial risk management. In addition, process efficiency and effectiveness can be increased through the use of new technologies.

Data availability is fundamental for effective incident management. At Capgemini Invent, we are pleased to provide you with structural recommendations based on the cross-sector best practices discovered during our various projects across Europe:

Common taxonomy: 

Development of a mutually exclusive and comprehensively exhaustive risk taxonomy of actual risk events and an effective risk identification process; alignment of the taxonomy with external sources to facilitate the integration of external data into the internal (incident) database.

Governance and organization:

This involves establishing a clear structure with explicit ownership and responsibilities along the three lines of defense. In particular, the responsibilities between the first and second lines of defense should be clearly articulated within the organization and a permanent control team should be created to review the activities and controls performed by the first line and to report to both the first and second lines in order to permanently monitor operational risks and promote a sound risk culture.

People and culture:

This involves living a culture that recognizes the importance of managing non-financial risks to the extent that everybody in the organization is aware of the risks triggered by their activities regardless of whether they are directly or indirectly affected by them. One of the best practices to support risk culture is the establishment of a respective risk culture entity in the organization. The entity should be sponsored by different departments, such as Risk, Legal, Compliance, and HR. Beyond that, the community should foster knowledge sharing, leverage best practices, and encourage actively challenging existing methods.

Technology and tools:

This involves implementing  tools supported by new technologies to examine historical data on losses and to identify (potential) correlations and patterns. New technology will also help to maintain a more complete risk inventory and better integrate external data (e.g., such as the data from ORX).

In addition to the above-listed prerequisites, incident management furthers improves when best practices are implemented:

Risk identification and documentation

When identifying an incident, a comprehensive picture of the incident must be captured. Appropriate governance and organization, combined with the right people and culture, leverage the identification process. Lastly, a well-developed risk taxonomy facilitates clear and appropriate categorization.

Assessment and documentation of root causes

Every identified incident must be analyzed to its root cause. Storing this information in a central database promotes an accelerated initial analysis and makes it possible to proactively reduce incident frequency and solve the root cause of every NFR problem.

Documentation of (potential) impacts of each incident

The impact of each incident to the enterprise is documented, resulting in measurable outcomes, making results comparable and improving audit tracking.

Creation of an action plan 

The fundamental remediation of historical incidents is a solid basis to prevent potential incidents in the future. Every remediation action should be defined by considering the link between the root cause and the (potential) impact of each incident and it should target failing controls and processes. Remediation actions can vary, from automating failing processes to questioning management bonuses, by repeatedly incurring incidents.

Incident management using modern applications

A solid incident management tool supports the above best practices and provides a dashboard with customizable outputs to track and report incidents. Automated mail triggers include escalation and security processes. To further improve the identification, documentation, and assessment of incidents, the possibility to couple big data with advanced analytics. This can be further enhanced by using natural language processing and optical character recognition. Machine learning, APIs, knowledge base, and SLAs support should also be facilitated.

Stay tuned for more information on incident management by Capgemini Invent.

Erekle Tolordava is a Senior Manager at Capgemini Invent and is leading company’s strategic offer Non-Financial Risk Management globally. You can contact him at erekle.tolordava@capgemini.com or 004915140252792

Erekle Tolordava

Expert in Banking, Risk and Regulation

I am a senior manager at Capgemini Invent‘s Capability Group Data, Risk and Regulatory. I have an extensive project experience as a project lead in the European banking sector with main focus on Risk and Regulatory, Asset/ Client Migration as well as on Data Management.
Since 2019, I am leading the Non-Financial Risk offering of Capgemini Invent DACH. Before moving to Capgemini, I had gained my previous experience at a leading audit company in Germany.