By Shiva Keihaninejad,
Senior Vice President – Risk Capital Analytics, Marsh Advisory
19/12/2024 · 4 minute read
Financial institutions (FIs) are facing an uncertain economic and geopolitical environment, increased regulatory scrutiny, and rapid shifts in technology. Consequently, the importance of managing emerging non-financial risks (NFR)[1], and creating an effective operational resiliency strategy, is increasing.
In response to the 2008 financial crisis, regulators focused on ensuring that financial services firms hold sufficient capital, through strict prudential regulation. Recent years, however, have highlighted the importance of operational effectiveness, whose failures can affect customers (at the firm level) and the financial system (at the system level). Resilience is more than a control framework: it extends business continuity management programmes and is a strategic imperative.
The consequences of poor NFR management can be more severe than those of traditional financial risks. Impacts range from direct losses, such as fines, legal action, and remediation costs arising from compliance failures, to indirect damage to reputation and to the business model itself. The risks themselves can stem from employee misconduct or from failure to meet supervisory standards.
Recent operational incidents illustrate the vulnerabilities created by increased digitisation and interconnectivity. In 2024, a flawed update to CrowdStrike's endpoint security software crashed Windows hosts worldwide, causing an IT outage with global repercussions even though no attacker was involved: the failure originated with a trusted third-party supplier. Separately, an outage at SWIFT, the global financial messaging service, disrupted wholesale payments in the UK and other countries.
The next few years promise to accelerate the pace of emerging NFR, due to factors such as increased digitisation, major geopolitical shifts, large-scale artificial intelligence adoption, and complex workforce dynamics. Consequently, proficient NFR management is crucial for preventing operational disruptions and protecting customers.
There are numerous approaches available to FIs that help address the challenge of managing emerging NFR and enhancing operational resiliency. An integrated framework that covers key components for identifying, measuring, and monitoring NFR is essential. It is also important to adopt a holistic approach to operational resiliency — while remaining cognisant of the interconnectedness of people, processes, and systems.
NFR commonly emerge from complex and interconnected systems, which makes them hard to identify. They can originate from diverse sources, including technology failures, cybersecurity incidents, supply chain disruptions, regulatory changes, and reputational events. Compared with financial risks, NFR have a broader range of root causes, event types, and impacts, and the relationships between cause, event, and impact are more complex. Risk data is often scarce, which limits the use of quantitative techniques to measure and assess these risks.
Financial risks are typically managed by a centralised team. NFR, in contrast, are managed by a wide range of front-line staff across business areas, so no single team has visibility of the firm's end-to-end business processes. This makes it difficult to identify and address emerging risks effectively and to embed an operational resilience framework.
In the UK, the operational resilience regime introduced by the Prudential Regulation Authority (PRA), together with the Financial Conduct Authority (FCA) and the Bank of England, emphasises protection of clients and of the financial system. It requires firms to take a client lifecycle view: to identify their important business services and to evaluate the operational, IT, and third-party service providers behind them, in order to understand how systems and technologies ultimately affect end-client services.
The EU's Digital Operational Resilience Act (DORA) introduces a similar framework, including oversight of critical ICT third-party providers. In the US, the emphasis tends to be on recovery and restoration of infrastructure after events such as cyberattacks. Keeping pace with these regulatory changes and understanding their implications for policies, procedures, risks, and controls is, however, resource-intensive and challenging.
Culture, behaviour, and ethics within an organisation play a significant role in shaping NFR. Effective NFR management can be hindered by challenges such as:
Firms can adopt various strategies to navigate the challenges of measuring, managing, and mitigating NFR and of implementing an operational resilience strategy. Below we explore four approaches for FIs to consider on their journey to operational resilience.
Institutions could implement a thorough review of their risk taxonomy as an initial measure for identifying all applicable NFR. Firms need to prioritise their investments effectively and should engage in a comprehensive assessment of their existing framework.
To achieve this, organisations could begin by reviewing their risk identification strategies across short-, medium-, and long-term horizons and conducting materiality assessments of the risks identified. For example, a UK-based retail bank may need to develop a risk roadmap that accounts for planned digitalisation of its IT systems. For a large investment bank, the risk roadmap and horizon scanning will differ: it may be planning to adopt emerging technologies, such as quantum computing, which introduce different types of risk.
Firms should also revisit their horizon scanning approach, as this helps to identify and prioritise new emerging risks. For example, products that assess the financial viability and reputation of vendors, as well as the locations from which they operate, can provide valuable insights for third-party risk management.
While internal key performance indicators (KPIs) and key risk indicators (KRIs) offer useful insights, there is a wealth of external data that firms could make use of. Adopting an outside-in view can help firms, and Chief Risk Officers (CROs) in particular, navigate emerging and evolving risks. Once key NFR are identified, appropriate risk appetites, metrics, and risk limits need to be defined for them.
Integrated management of NFR requires all parties involved to establish a shared understanding that supports an enhanced risk taxonomy, alongside a revised risk roadmap and horizon scanning process.
A broader assessment is needed to understand the interconnectivity between risks, specifically between emerging risks and existing, defined operational risks. Firms need to identify connections across risks and events to gain a comprehensive understanding of their true exposure and interdependencies. This involves comparing the drivers and consequences of different risks in order to manage and mitigate their combined impact.
To fully understand the interconnectivity between risks, FIs need to draw on a wide range of data inputs, including qualitative and quantitative information from various sources, and to identify new internal and external sources that add value to their data.
Enabling technologies, such as advanced analytics, intelligent automation, and data visualisation, can play a vital role in this process. FIs could use big data, natural language processing, and predictive analytics to scan a broader set of data sources automatically, enabling earlier detection of potential risk events while reducing compliance costs through automation.
With the changing risk landscape and emergence of new risks, the importance and role of scenario analysis is evolving. To achieve operational resilience, firms need to consider various scenarios and possible tail events.
Through scenario analysis, FIs must assess how one risk event can trigger or amplify others and explore the interconnectivity of emerging risks. Rather than focusing solely on first-order impacts, firms should extend their risk analytics to capture how second- and third-order effects can amplify impacts and erode the firm's resilience. Risk managers should encourage "tail thinking": considering extreme events and potential failures, such as a cyberattack on a third-party provider that services their data centres.
Scenario analysis can be supported by risk quantification, which draws on qualitative and quantitative information from various sources. By providing insight into potential financial and non-financial impacts, scenario analysis plays a crucial role in prioritising investment in control and infrastructure improvements.
Where practices are siloed, firms often find that whenever new regulatory expectations are introduced, each part of the organisation focuses solely on answering the specific question or request from the regulator. This overlooks the opportunity to integrate the resulting solutions with existing practices elsewhere in the organisation.
For instance, stress testing uses idiosyncratic scenarios, with operational risk scenarios considered separately. Recovery and resolution plans address extreme situations. Climate risk, resilience, and business continuity plans are each developed against their own regulatory agenda. These programmes are often run independently, in silos, and are poorly optimised as a result.
Business leaders should encourage teams to contribute to efforts aimed at understanding potential outcomes — as this can help integrate these programmes and achieve a more holistic view of risk management.
Regulatory publications on operational resilience, in the UK and EU for example, are key resources for operational risk managers and business lines, illustrating how all components are interconnected. While firms still have much to accomplish, many are actively working towards a mechanism to achieve this through one of two approaches.
Some may prioritise centralising their operational resilience programme and capabilities, which could cover, among others, business continuity, information security, third-party risk management, and digitalisation. This unified function allows them to bring together different elements while addressing various regulatory requirements.
Another approach is to continue developing these functions separately and to establish a strategic group committee that facilitates collaboration while maintaining the individual objectives of each discipline.
As banks adopt varied approaches, it’s essential to establish early engagement, clearly define roles and responsibilities, and provide necessary training for staff at all levels. To ensure a unified objective and focus on critical products and services for customers, organisations should introduce a mechanism to integrate information and actions. A coordinating body or committee could be established to ensure that the overarching objective of NFR management remains a priority, supporting the firm’s overall resilience strategy.
All FIs are facing various forms of the challenges explored above. To respond effectively, firms in the financial services sector need to develop comprehensive, adaptable, and resilient risk management frameworks to keep pace with the rapidly changing risk landscape.
Marsh Risk Capital Analytics can provide support for your organisation to help address your specific risk capital analysis requirements.
[1] There is often debate about what constitutes NFR, as its definition can vary between organisations. A simple definition is that NFR includes all risk types except for credit, market, interest rate, and liquidity risks.