Banks are accustomed to taking on financial risk and generating profit from it. It is the premise of their business models. But nonfinancial risk, whether related to compliance failures, misconduct, technology, or operational challenges, has only a downside. And the downside can be large.
Foremost are the financial consequences. Between 2008 and 2012, the top ten banks globally lost close to $200 billion through litigation, compensation claims, and operational mishaps. At least 17 incidents racked up losses of more than $1 billion each; another 65 incidents each resulted in losses above $100 million.
Yet the direct financial consequences of nonfinancial risk are not the only concern. The reputational damage wrought can hit a bank hard at a time when customers, shareholders, and public stakeholders are questioning banks’ business models. And there are also the personal consequences for senior managers, whom regulators increasingly hold accountable for misconduct or failure to comply with laws and regulations. All of this, and the prospect of still tighter regulation, puts considerable pressure on banks to manage nonfinancial risk better.
Many have already invested heavily to do so, boosting head counts, creating new governance structures, and making operational improvements to control risks related to compliance, fraud, and IT. Yet the mitigation of nonfinancial risk remains elusive. Much time is spent firefighting and remediating audit findings, yet too often there is no warning of when or where the next risk might materialise.