Regulators are stepping up their focus on non-financial risks and banks should consider restructuring their risk management functions accordingly, operational risk managers said at the OpRisk conference earlier today (June 12).
Jason Forrester, head of enterprise and operational risk management at Credit Suisse, said non-financial risk – in its broadest conception, all risks not covered by a bank’s market and credit risk frameworks – came in for special attention at a Basel Committee on Banking Supervision meeting held in New York about two months ago for chief risk officers (CROs) from global systemically important financial institutions (G-Sifis).
“I actually think there is going to be a lot more focus on non-financial risk from the regulators,” Forrester said. “The feedback from all the G-Sifi CROs was non-financial risk is their biggest concern, in particular tech risk and third-party risk management. A number of them were thinking of combining their non-financial risk functions together and appointing a single head of non-financial risk.”
Some banks have already moved in that direction: Balbir Bakhshi currently serves as Deutsche Bank’s group head of non-financial risk management, while UBS has merged its operational risk and compliance functions under one global head, James Oates.
Forrester predicted that, for big banks, non-financial risk would soon surpass market and credit risk in terms of importance. He explained that banks were generally extremely well-capitalised for and provisioned against credit risk exposure, while the use of clearing and collateralisation had dramatically reduced counterparty credit risk exposure. Market risk, meanwhile, accounted for a relatively low portion of banks’ overall risk-weighted assets and posed a lower threat now that firms had decreased their derivatives exposures compared with crisis-era levels.
Credit Suisse has around 1,000 people currently focused specifically on non-financial risk management, Forrester said. He believes a major bank will appoint a group CRO with a non-financial risk background within the next decade.
“The next big financial crisis is going to be some combination of non-financial risk. Liquidity, operational, reputational [risks] together are going to cause some large event that dislocates the market,” he said. “Having a group of people that look at that…may better protect us going forward.”
Philip Umande, head of operational risk capital and analytics at Lloyds Banking Group, agreed with Forrester, adding that the skill sets of CROs needed to evolve accordingly: previously, CROs had tended to have a background in credit risk but, going forward, they would need to have expertise in major non-financial risks, such as cyber crime.
Umande also echoed Forrester’s point about managing all non-financial risks together as their profile rises within firms.
“There is a huge drive towards simplification and agility. It makes a lot more sense to have all non-financial risk in one space,” he said. “It is going to become probably the biggest risk – maybe is the biggest risk for some banks already. There is going to be more focus on it at the highest level.”
Sean Miles, a senior op risk manager at Santander, agreed that, going forward, data, technology and third-party risks would be among the leading concerns within firms’ risk departments. Although his bank had not yet discussed appointing a head of non-financial risk, he said “it does feel like the market is going that way”.
Forrester argued non-financial risks were too interconnected to keep siloed. For example, operational or reputational risk events can have knock-on effects that impact business continuity, or other areas.
“I think particularly now, given the interconnectivity of banks with market utilities, an operational event potentially at a market utility could cause a much broader contagion effect across the industry,” he said.
The comments at the conference chime with a recent prediction by Mark Yallop, a senior adviser to the Bank of England’s Prudential Regulation Committee, that supervisors will shift their attention from banks’ financial resilience to so-called operational resilience.
“While I’ve been on the PRC, we’ve still been in the business of de-risking banks – raising capital standards, increasing liquidity, improving governance standards. The next three years are going to be much more about how prudential regulators manage the challenges of new technology, and the revolution that has been brought about in the banking industry,” Yallop told Risk.net.
Editing by Olesya Dmitracova