Non-financial risk management in financial services

While most institutions now have well-developed risk management frameworks to minimize market, credit, and liquidity risk, there is growing recognition of the need to enhance management of non-financial risk (NFR).



Ricardo Martinez - Principal - Risk Advisory - Deloitte

Edward Hida - Partner - Risk Advisory - Deloitte

Francisco Porta - Partner - Risk Advisory - Deloitte

Published on 26 March 2019



In the years since the global financial crisis, financial institutions have made substantial investments to upgrade their risk management programs and comply with increasingly stringent regulatory requirements.

While most institutions now have well-developed risk frameworks to minimize market, credit, and liquidity risk, there is growing recognition of the need to enhance management of non-financial risk (NFR). Many of the largest risk events in recent years have stemmed from NFRs such as conduct and cyber risk, rather than from traditional financial risks. Institutions will need to move away from the current piecemeal efforts and instead adopt a holistic approach to NFR.

The foundation of an effective program to manage NFR, and a step that many institutions find challenging, is to implement a comprehensive process to identify all the NFRs facing the organization. In this effort and as a first step, institutions should employ a comprehensive risk taxonomy and a holistic risk identification process.

The challenge of managing non-financial risk

NFR is a broad term that is usually defined by exclusion: that is, any risks other than the traditional financial risks of market, credit, and liquidity. NFRs are generally not considered core to, or directly associated with, the primary business and revenue-generating activities reflected in the P&L statement and the balance sheet. They can nevertheless have substantial negative strategic, business, economic, and/or reputational implications. NFR builds on the operational risks as defined in the seven Basel operational risk event types, and more prominently addresses emerging risks such as cyber, conduct, model, compliance, strategic, and third-party risk.

The greatest attention has been paid in recent years to operational risk. Illustrating the magnitude of operational risk, the ORX financial services operational risk loss database has now expanded to include over €400 billion in operational risk losses at its contributing institutions. Regulatory enforcement fines, penalties, and litigation now comprise the bulk of the operational risk losses at most major banks.

While banks have made progress in managing operational risks at an overarching level, they have typically lagged behind in developing the integrated policies, processes, and controls required to identify and manage some of the NFRs.

Third-party risk

The increasing use of outsourcing by financial institutions in an effort to reduce costs has increased third-party risks such as contractual nonperformance, the potential that vendors will violate laws or engage in unethical behavior, data breaches, loss of intellectual property, and an inability to maintain operations in the event of a natural disaster, infrastructure breakdown, or equivalent occurrence. Regulators have made clear that financial institutions are responsible for managing the risks posed by their third parties.

Model risk

Model risk has grown as financial institutions have come to rely more heavily on models in such areas as risk and capital management, product pricing, AML, and financial reporting. Managing model risk has received significant attention from regulators and financial institutions over recent years.

Conduct risk

In recent years, well-publicized instances have occurred of inappropriate behavior by employees at major financial institutions, in both retail and wholesale markets. The top 20 global banks are estimated to have lost US$348 billion from 2012-2016 through conduct-related costs. According to one estimate, the Common Equity Tier 1 ratios of EU G-SIBs would be around 2 percent higher without the fines that have been levied for problems stemming from conduct risk. Regulators in many jurisdictions have focused on the importance of conduct and culture, looking at such issues as misaligned compensation incentives and lack of accountability.

Cyber risk

The losses from cyberattacks were an estimated US$445 billion across all industries in 2016, up 30 percent from three years before, and banks and other financial institutions are prime targets for hackers. The number of cyberattacks against financial institutions is estimated to be four times greater than against companies in other industries. Regulatory initiatives focused on cyber risk can be found in the United States, the United Kingdom, Hong Kong, mainland China, Japan, Singapore, and Australia. The US Treasury Department has named cyberattacks as one of the top risks facing the US financial sector.

Need for holistic risk identification

In addition to initiatives that focus on specific types of NFR, regulators are also stressing the importance of effectively managing NFR as part of the risk management control framework of individual institutions and the functioning of the financial system as a whole. They are encouraging institutions to adopt an integrated NFR management framework rather than the ad-hoc and often reactionary assessments of specific risks in place at many organizations. An NFR management framework provides a comprehensive approach to managing NFR including alignment with the organization’s risk appetite statement, the role of each line of defense, and measurement and monitoring, while considering any interconnections and correlations among NFRs, controls, reporting, and relevant technology tools (Figure 1). The end result is a risk mitigation program that effectively integrates all efforts and capabilities designed to minimize potential losses from NFR.

Need for holistic risk identification

A critical first step is to have an effective risk identification process that highlights all relevant NFRs; this is a regulatory expectation. Identifying NFRs is a significant challenge in large part because financial institutions lack an agreed definition and taxonomy of these risks. Since NFR is often defined by exclusion as being risks other than market, credit, or liquidity risk, institutions may find it difficult to identify all their NFRs and establish a robust risk control framework for each of them.

Institutions need to begin with a comprehensive NFR taxonomy, which they can then customize as needed. Deloitte’s proprietary risk taxonomy has a three-tier risk hierarchy consisting of major risk categories, risk subcategories, and then risk types. Of the major risk categories, two-thirds are non-financial risk types.

Deloitte member firms use this taxonomy in their client engagements, as a starting point to create a customized taxonomy for each individual institution. A risk taxonomy helps prevent some NFRs from being overlooked, provides a standardized language for all three lines of defense to employ across the institution, and establishes a foundation on which an institution can build an integrated approach to managing all the NFRs it faces, including their correlations and interactions.


  • NFR comprises a diverse and complex set of risks with the potential to inflict substantial financial and reputational damage on financial

  • Supervisory authorities around the world are increasingly focused on the importance of effective management of specific categories of NFR, such as conduct risk and cyber risk, as well as on NFR management as a whole

  • Financial institutions need to implement an integrated framework for managing NFR

  • A key first step is to adopt a taxonomy of all the types of NFR and then identify the specific NFRs facing the organization
