Reviewing the interplay of non-financial risks within other risk silos and gaining a holistic view

Keith Davies, Group Chief Risk & Compliance Officer, Admiral PLC

Below is an insight into what can be expected from Keith’s session at New Generation Operational Risk Europe 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Can you give an insight into the interplay of non-financial risks and how these interact with other risk silos?

The risk profiles of firms in the modern world are now so broad and complex that there are almost an infinite number of ways that risks can interact and indeed become ‘stacked risks’ – where the combined impact of an event is greater than the sum of its individual impacts.

There are some obvious areas where risks can interact with each other, such as AI and data ethics, cryptocurrency and financial crime risks, geopolitical risks (such as the Ukraine war) on business risks, financial and market risks, supply chain risks and cyber risks. However, perhaps more illustrative are examples of actual issues that have hit organizations in several ways.

One high-profile example is Yorkshire County Cricket Club, where people risk issues relating to racism led to immediate financial losses (with removal of sponsorship and test matches), loss of management, and on-going reputational and legal issues. There are also the various firms who have seen cyber events trigger financial loss (through business interruption, ransom payments, customer recourse), business disruption, customer service issues and regulatory and reputational issues.

In what ways do you believe there has been an increase in complexity in the interplay of risks?

I think there are a number of reasons. The first is that firms are now understood to face more risks than just the financial and operational risks traditionally focused on by risk teams. Instead, the scope of risk activity has to reflect the changing risk profile of firms and encompass all drivers of a firm’s long-term value. This requires refreshing existing non-financial coverage to reflect the changing nature, location, and dynamics of business operations. This includes the increased importance of supply chains, digital distribution, servicing and communications, data as an asset, innovative technology (artificial intelligence (AI), machine learning, Internet of Things), cryptocurrencies etc., all of which can create risks as well as major opportunities for firms.

Secondly, with stakeholder capitalism highlighting the importance of firms’ social license to operate, Boards, business management and risk teams all need to recognize a series of less tangible, non-financial risks that have previously not been explicitly quantified or managed, e.g. cultural, sustainability or reputational risks, which can impact the firm in several ways beyond the initial incident. A good example of this is P&O Ferries’ poorly handled redundancy programme causing significant operational, financial, and reputational damage.

Do you have any examples of any drivers and consequences of different risks from your experience?

There are so many. Each event has a driver and very often direct and knock-on consequences. Some obvious recent examples from the financial services sector are:

  1. How IT outages and programme delivery issues can have a detrimental impact on business retention, customer service and regulatory interest
  2. How cyber issues at suppliers can impact operational delivery, data protection issues and reputational damage
  3. How reputational issues (either internally or by association with external providers or partners) can lead to significant brand damage with customers, employees, the media, and shareholders.

How can institutions begin to identify connections across risks and subsequent events?

The first step is for the whole firm to recognize that the world has changed, and more than ever, it is everyone’s responsibility to identify and manage risks, not least as risk functions – by definition – are not living the realities of the modern risk profile day-to-day. However, it is clear that many risk functions need to modernize and think and work in ways more aligned to the current threats that businesses face. A first step is for risk functions to move from hindsight (and looking at individual events after they have occurred) to insight – using analysis of all data points to try and find read-across between events, where a risk in one area drives issues in other areas, and also areas where risks compound.

Here, a good eGRC tool, data analytics, and even behavioral science experts can help identify threats, patterns, and risk linkages. However, it should also involve different areas in risk teams and the business taking time to discuss issues with their different perspectives. In addition, risk functions should work with a variety of internal and external sources to continually scan the horizon for new and emerging threats and opportunities. They can also give the foresight needed to protect businesses – especially in the fast-moving digital world where firms have less time to react to events once they have crystalized.

How can culture be re-aligned to allow for a more holistic risk assessment?

As with most things, there need to be changes in people, processes and technology. In terms of process, the risk framework needs to be extended to cover risks beyond the traditional areas of financial and operational risk, and also include pervasive risks like behavioral risk, sustainability risk, climate risk, geopolitical risks and reputation risks that can impact several other risk types when they crystalize.

Firms need to think beyond their perimeter and instead oversee and understand complex supply and value chains, risks by association, and also the external risks created by digital communications (including social media, fake news, and fake websites).

Secondly, in terms of technology, risk teams and the business all need to work together to combine data and information, and to discuss what the collective impact of their combined knowledge could be for their organization. This means traditional siloed risk functions should be broken down and time given for different areas to discuss what they are seeing.

Finally on people, risk teams need to employ the right skill mix and mindset to allow risks to be fully understood, including:

  1. Specialists – maybe from unorthodox sources – who understand risks in a digital, multi-stakeholder environment
  2. People who have worked in different areas of the organization and can understand how issues affect the business in real time
  3. Individuals with genuine enterprise-wide knowledge and the intellectual agility to quickly identify, assess and respond to emerging and connected risks
  4. People with learning agility and cognitive diversity who can complement existing traditional risk skills and approaches.