Written by a human
Non-financial risks, while often underestimated, can become some of the most consequential. In fact, the threats of fraud, natural disasters, system errors and compliance challenges can each bring businesses to a standstill.
Learn about what non-financial risks are (with examples), how to approach risk management and the key regulations to be aware of.
What is non-financial risk?
Non-financial risk (NFR) works on an exclusionary basis; in that the term encompasses all of an organizations’ threat events except for those with a direct link to finances.
Financial risks typically describe potential events where the primary impact is a loss of capital. For example:
- Credit risk, like when a bank that lends money to an individual who can’t afford to repay them
- Liquidity risk (such as an institution who can’t turn their assets into cash during an emergency)
- Market risk caused by sudden stock price changes
- Currency risk caused by local market fluctuations
Non-financial risks therefore cover all other potential events which could affect the business.
One real-world scenario of non-financial risk occurred at Sanibel Captiva Community Bank in Florida. During Hurricane Ian in September 2022, one of the bank’s branches became overwhelmed with floodwater.
Operationally, the bank was affected for about two weeks before they could open their doors again, with limited access to banking services like check cashing, for customers. Clearly, this natural disaster event was nothing to do with the wider financial markets, but it will have affected profits, expenses and operations.
Risk is also increased by AI technology, which the SEC is currently following closely.
Enterprise risk management approach to non-financial risk
Enterprise risk management (ERM) is one of the most common frameworks for managing non-financial risks. The methodology uses a top-down approach to risk, and requires the whole firm to invest.
There are four key risk areas to ERM:
- Internal environment: what is the level of pressure on employees, systems and processes? Are proper auditing and monitoring methods in place?
- Event identification: how will you detect when a risk turns into an event?
- Objective setting: what are the goals around risk occurrence and management?
- Risk assessment: how will you measure the approach towards risk?
In terms of response and risk appetite, plans should choose one of the four following areas: avoid, reduce, share or accept.
Examples of non-financial risk
Thanks to the wide definition of NFR, there are endless possibilities in terms of risk events. But we’re going to highlight three of the most important for companies in regulated environments:
- Fraud
- Natural disasters
- Operational risks
Fraud
During a routine audit of their IT systems in 2018, British tech company Dixons Carphone discovered that approximately 10 million customer records had been leaked in a hack. This included financial transaction data, alongside personal information such as names, addresses and email accounts.
It was later found that the hackers had entered Dixon Carphone’s internal systems through their website, which wasn’t updated to include the newest security measures.
Another of the company’s cyber risk management failures included the fact that its data wasn’t properly segmented and protected. Attackers were able to access multiple databases without facing significant security barriers.
This risk event could have been detected sooner with measures like 24-7 monitoring and suspicious activity tracking. Moreover, simple methods like multi-factor login authentication, security upgrades and cloud infrastructure could have played a part in prevention.
But Dixons Carphone ended up paying the ultimate price, as they were fined £400,000 and experienced reputational damage so bad that they ended up closing within 2 years of this breach.
Natural Disasters
Natural disasters pose a different kind of threat to fraud, due to their frequency. While it’s likely that your business will face some kind of cyber fraud attack at least once per year, natural disasters like earthquakes, floods and hurricanes are far less predictable.
That being said, the impacts of environmental risks like natural disasters can include:
- Operational disruptions: including staff shortages, the need to quickly transition into remote working, and systems going offline
- Strategic curveballs: caused by a change in priorities
- Customer dissatisfaction: if services go offline and customers can’t access their accounts
In most cases, preventing the effects of natural disasters on your business is impossible.
However, risk response planning is key to ensuring the impacts are felt as little as possible.
For example, Unilever takes a “three-pronged approach to natural disasters:
- Resilience: building preparedness before emergencies strike
- Relief: immediate response during the crisis
- Rehabilitation: helping to rebuild communities, economies, and value chains”
Operational risks
Non-financial risks in operational resilience include cases like technological failures and problems with employees. In fact, the FCA highlighted operational risks in its 2020 letter to credit brokers, when the regulator noted that financial companies face harsher customer limits in this area.
In the letter, the FCA recommended that compliant firms demonstrate clear governance and oversight in their operational controls.
In particular, credit brokers were advised to ensure their actions are proportionate to the size of their business. One key impact from operational risks is that vulnerable groups like the elderly would suffer worse when systems are down, because they can’t use the internet as proficiently. Therefore, a final consideration was for all customers to have fair access to services, even during operational disruptions.
Regulations are still relevant
One type of risk that we’ve neglected to mention is the legal and compliance category. In the Dixons Carphone case study above, the company was one of the first high-profile cases to inform GDPR regulators within 72 hours of their information breach.
Regulatory risks are another form of non-financial risk, and can lead to huge financial and reputational impacts if things go wrong.
For example, SOX Law requires public companies to maintain controls for sensitive financial information in the US. In particular, the CFO and CEO must certify that financial reports are accurate, and companies risk investigations and penalties if they fail to comply (let alone if they fall victim to a cyber-attack).
Finally, two international standards (ISO 31000 and ISO 31010) refer to risk management principles and guidelines, and risk assessment techniques. Companies should use these frameworks as guides for adhering to best practices, and keeping their risks to a minimum.
Comply without compromise
It’s clear from all of the examples above that non-financial risks can harm a business just as much as direct finance threats, so putting plans into place is important.
Don’t know where to start?
Global Relay takes nothing more seriously than the security of your data. Privacy and confidentiality are the fundamental drivers behind our strategy, and we help reduce risk by pre-empting threats with 24 hourly scans.
Conduct and culture are present on the regulatory agenda across regions. To ensure that your firm is in line with guidelines and developing expectations, consider the benefit of training, education, and surveillance solutions to deter non-financial misconduct and support productivity.