Contents
Collective of authors. Non-financial Risk Management in the Financial Industry
N. Gittfried, G. Lienke, F. Seiferlein, J. Leiendecker, B. Gehra (eds.). Non-financial Risk Management in the Financial Industry
Table of contents
Editors
Contributors
Foreword
1 Introduction: Rising to the Challenges of Non-Financial Risk Management, Compliance and ESG
1.1 New risks and challenges
1.2 A forward-looking solution for non-financial risk management in the financial industry
1.3 Defining and aligning non-financial risk categories
1.4 Establishing a non-financial risk appetite framework to prevent an undesirable risk-taking
1.5 Building key governance and organisational pillars for non-financial risk management
1.6 Generating excellence in the non-financial risk management lifecycle
1.7 Using data, IT and artificial intelligence
1.8 Putting conduct and ethics at the centre of sustainable non-financial risk management
1.9 Environment, social and governance: Implications for effective risk management
2 Definition of Non-Financial Risk in Financial Institutions
2.1 Introduction
2.2 History of non-financial risk and specifications by key regulators
2.2.1 A short history of non-financial risk
Figure 1: Development of non-financial risk
2.2.2 Existing non-financial risk specifications by key global and regional regulators and associations
2.3 Differentiation of financial and non-financial risk
2.3.1 Financial risk definition
2.3.2 Non-financial risk definition
2.4 Specific clusters of non-financial risk
Figure 2: Risk taxonomy in financial institutions
2.4.1 Operational risk
2.4.1.1 Financial crime risk
2.4.1.1.1 Money-laundering/terrorist financing risk
2.4.1.1.2 Sanctions and embargoes risk
2.4.1.1.3 Bribery and corruption risk
2.4.1.1.4 Facilitation of tax evasion
2.4.1.2 Conduct risk
2.4.1.2.1 Market conduct risk
2.4.1.2.2 Client conduct risk
2.4.1.2.3 Employee conduct risk
2.4.1.3 Regulatory compliance risk
2.4.1.4 Fraud risk
2.4.1.4.1 Account-opening fraud risk
2.4.1.4.2 Debt/credit card fraud risk
2.4.1.4.3 Fraudulent paper-based payment transactions risk
2.4.1.4.4 Online banking fraud risk
2.4.1.4.5 Credit fraud risk
2.4.1.4.6 Theft risk
2.4.1.4.7 Embezzlement/breach of trust risk
2.4.1.4.8 Antitrust violation risk
2.4.1.4.9 Balance sheet manipulation
2.4.1.5 Information, Communication & Technology (ICT) and Cyber risk
2.4.1.5.1 Data confidentiality risk
2.4.1.5.2 Data availability risk
2.4.1.5.3 Data integrity risk
2.4.1.5.4 Information security risk
2.4.1.6 Data privacy and bank secrecy risk
2.4.1.6.1 Data privacy risk
2.4.1.6.2 Bank secrecy risk
2.4.1.7 Resilience risk
2.4.1.8 Outsourcing and vendor risk
2.4.1.8.1 Intragroup outsourcing risk
2.4.1.8.2 External outsourcing risk
2.4.1.8.3 Vendor risk
2.4.1.9 Tax reporting risk
2.4.1.10 Other operational risk
2.4.1.10.1 Human resources risk
2.4.1.10.2 Legal risk
2.4.1.10.3 Physical damage risk
2.4.1.10.4 Execution, delivery and process risk
2.4.1.10.5 Reporting risk
2.4.1.10.6 Accounting risk
2.4.1.10.7 Project risk
2.4.1.10.8 Competition law risk
2.4.1.10.9 Model risk
2.4.2 Strategic risk
2.4.2.1 Reputational risk
2.4.2.2 Sustainability risk
2.4.2.2.1 Climate change risk
2.4.2.2.2 Human rights risk
2.4.2.3 Business risk
2.4.2.3.1 Forecasting risk
2.4.2.3.2 Inorganic growth risk
2.4.2.3.3 New business risk
2.4.2.3.4 Investor relations risk
2.5 Conclusion and outlook
3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks
3.1 Introduction
3.1.1 Regulatory requirements
3.1.2 RAF in practice
Figure 1: Three levels in risk appetite frameworks
3.2 RAF Level 1: Overall Risk Appetite Statement
3.2.1 Overall statement
Table 1: Examples of risk appetite statements for non-financial risks (focus: compliance risks)
3.2.2 Prohibited activities
Table 2: Examples of prohibited activities in risk appetite statements
3.3 RAF Level 2: Risk Appetite metrics
3.3.1 Defining appropriate metrics
Table 3: Example of Level 1 overall statement and related guidance for Level 2 metrics
3.3.2 Metrics: setting the thresholds
3.3.2.1 Thresholds based on benchmark and historical internal loss data for a metric based on operational losses
Figure 2: Definition of thresholds for a Level 2 metric based on operational losses
3.3.2.2 Thresholds based on residual risk levels for a metric based on risk assessment
Figure 3: Definition of thresholds for a Level 2 metric based on risk assessment
Figure 4: Aggregate Level 2 metric based on risk assessment results
3.4 RAF Level 3: Key Risk Indicators
3.4.1 Selecting key risk indicators
Figure 5: Drivers for key risk indicators selection
3.4.1.1 Candidate indicators identification
3.4.1.2 Appetite tracking suitability
3.4.1.3 Expert judgement
Table 4: Example of KRI selection process in three steps
Table 5: Examples of KRIs monitored in the RAF
3.4.2 KRIs: setting and calibrating the thresholds
3.4.2.1 Threshold calibration based on historical data analysis and percentiles
Figure 8: Example of thresholds calibration applying a percentile-based approach
3.4.2.2 Threshold fine-tuning based on benchmarking and backtesting
Table 6: Example of KRI threshold calibration and fine-tuning
3.5 RAF Governance
Figure 9: Annual RAF cycle
3.5.1 RAF design and update
3.5.2 RAF monitoring and reporting
Table 7: Example of RAF monitoring and reporting
3.5.3 RAF threshold breaches and escalation
Table 8: Example of RAF monitoring & reporting
3.5.4 Action plan definition
Table 9: Example of RAF thresholds breaches prioritisation (Findings Severity Matrix)
4 The Three Lines of Defence Model: Key Success Factors for Effective Risk Management
4.1 Introduction
4.2 Regulatory framework in selected key jurisdictions
4.2.1 European Union
4.2.2 United States of America
4.2.3 Hong Kong
4.2.4 Singapore
4.2.5 Risk-type-specific qualifications of the 3LoD model: financial crime prevention
4.2.5.1 EU: remaining country-specific variation in 1st and 2nd LoD mandate
4.2.5.2 United States of America: BSA Compliance officer
4.2.5.3 Hong Kong: Money Laundering Reporting Officer and Compliance Officer
4.3 Key roles and responsibilities of 1st, 2nd and 3rd LoD
Figure 1: Overview key mandates 1st, 2nd and 3rd line of defence
4.3.1 The first line of defence: risk owner
4.3.1.1 Scope of 1st LoD mandate
4.3.1.1.1 Risk ownership
4.3.1.1.2 Implementation and execution of 1st LoD controls
4.3.1.2 Allocation of 1st LoD responsibility
4.3.1.3 1st LoD risk-coordinating function (1.5th LoD)
4.3.1.3.1 Coordination of risk management activities
4.3.1.3.2 Interface to 2nd LoD
4.3.1.3.3 Regulatory advisor
Figure 2: Key mandate 1st LoD risk-coordinating function
4.3.2 The second line of defence: internal control functions
4.3.2.1 Scope of 2nd LoD mandate
4.3.2.1.1 Standard setting
4.3.2.1.2 Testing of 1st LoD controls
4.3.2.1.3 Risk assessment
4.3.2.1.4 Training and advisory
4.3.2.2 Risk materiality and corresponding intensity of 2nd LoD risk oversight
4.3.2.3 Independence of 2nd LoD risk oversight
4.3.2.3.1 Organisational independence
4.3.2.3.2 Functional independence
4.3.2.3.3 Internal control functions performing 1st LoD activities
Role as genuine 1st LoD for generalist risk types
Financial crime prevention: possible outsourcing of specific 1st LoD controls to AML team
4.3.2.4 Key success factors for effective 2nd LoD risk oversight
4.3.2.4.1 Methodology consistency across 2nd LoD functions
4.3.2.4.2 Bodies and committees: adequate 2nd LoD participation and information sharing
4.3.2.4.3 Appointment of primus inter pares non-financial risk governance function
4.3.3 The third line of defence: internal audit as provider of independent assurance
4.3.3.1 Independent assurance
4.3.3.1.1 Adequacy of risk management framework
4.3.3.1.2 Design and operating effectiveness
4.3.3.1.3 Compliance with regulatory requirements and internal standards
4.3.3.2 Advising the board of directors
4.4 Common pitfalls of the 3LoD model and precautionary measures
4.4.1 Insufficient risk ownership by 1st LoD
4.4.2 Lack of 2nd LoD expertise
4.4.3 Inadequate assurance by 3rd LoD
4.5 Conclusion
5 Global Functional Lead in Non-Financial Risk Management: Ensuring Consistency and Integration in Complex Organisations
5.1 Introduction
5.2 Regulatory framework in select key markets
5.2.1 European Union
5.2.2 United States of America
5.2.3 Hong Kong
5.2.4 Singapore
5.3 Global functional lead: individual corporate parameters to consider
5.3.1 Corporate culture
5.3.2 Organisation’s complexity
5.3.3 IT landscape
5.3.4 Geographical footprint
5.4 Major components of global functional lead in non-financial risk management
Figure 1: Major GFL components
5.4.1 Operating model: striking a balance between global standards and regional execution
5.4.1.1 Regulatory horizon screening
5.4.1.2 Setting of risk-specific standards
5.4.1.3 Training and advisory
5.4.1.4 Controls by the 1st and 2nd line of defence
5.4.1.5 Non-financial risk assessment
5.4.1.6 Non-financial risk reporting
5.4.1.7 Group risk oversight
5.4.2 Reporting lines: establishing implementation accountability in vertical functions
Figure 2: Reporting lines under GFL
5.4.2.1 Solid reporting lines into local legal entity and branch
5.4.2.2 Dotted reporting lines into global risk management organisation
5.4.3 Meeting governance: supporting effective management of a global risk function
Figure 3: GFL meeting governance
5.5 Conclusion
6 Policies and Procedures: Framework and Governance Requirements in the Financial Sector
6.1 Introduction
6.2 Regulatory framework in selected key jurisdictions
6.2.1 European Banking Authority (EBA)
6.2.2 US regulators
6.2.2.1 The Federal Reserve
6.2.2.2 Office of the Comptroller of the Currency
6.2.3 Hong Kong Monetary Authority
6.2.4 Monetary Authority of Singapore
6.3 Policy framework: key implications for a target concept
6.3.1 Status quo: need for structured approach
6.3.1.1 Lack of a harmonised approach
6.3.1.2 Policy gaps and redundancies
6.3.2 Policy framework: design concept and hierarchies
6.3.2.1 Design concept: key hypotheses for an effective policy framework
6.3.2.1.1 Harmonised design approach
6.3.2.1.2 Completeness
6.3.2.1.3 Uniform naming convention
6.3.2.1.4 Precise wording
6.3.2.1.5 Assignment of responsibilities
6.3.2.1.6 Governance rules
6.3.2.1.7 Linkage to internal processes and controls
6.3.2.2 Suggested hierarchy levels: key criteria and examples
Figure 1: Example for four-tiered policy hierarchy
6.3.2.3 Level one: overarching risk strategies, policies and documents – risk and business segment agnostic
6.3.2.3.1 Key criteria
6.3.2.3.2 Key risk type and business segment agnostic topics
6.3.2.4 Level two: risk-type-specific policies and procedures
6.3.2.4.1 Key criteria
6.3.2.4.2 Risk-type-specific documents
6.3.2.5 Level three: customer-related and business-specific policies and procedures
6.3.2.5.1 Key criteria
6.3.2.5.2 Customer-related and business-specific topics
6.3.2.6 Level four: policies and procedures in international locations
6.3.2.6.1 Scope of applicability: subsidiary companies and branch offices
6.3.2.6.2 Key criteria
Figure 2: Financial crime policy hierarchy (example for a corporate and retail bank)
6.4 Policy governance, repository and workflow tool
6.4.1 Approval of policies and procedures
6.4.1.1 Level one: board of directors
6.4.1.2 Level two: responsible board member
6.4.1.3 Level three: senior management on N-1 level
6.4.1.4 Level four: general manager or 2nd LoD N-1
6.4.2 Authorship, ownership, creation as well as update of policies and procedures
6.4.2.1 Document authorship
6.4.2.2 Document ownership
6.4.2.3 Document creation process
6.4.2.4 Stringent management of update process
6.4.2.4.1 Regular validation based on time intervals
6.4.2.4.2 Ad hoc updates
6.4.3 Policy repository, including workflow tool: centralised management of policies and procedures
6.4.3.1 Facilitation of access
6.4.3.2 Document lifecycle management
6.4.3.2.1 Regular validation of documents
6.4.3.2.2 Ad hoc updates
6.4.3.2.2.1 Changes in business and operating model
6.4.3.2.2.2 Changes in regulatory framework
6.4.3.3 Audit-proof change log
6.5 Conclusion
7 Top-Down Risk and Control Assessment: A Forward-Looking Approach to Evaluate Company-Wide Non-Financial Risk Exposure
7.1 Introduction
7.2 Top-down vs. bottom-up: different approaches based on desired outcomes
7.2.1 Approaches: risk-specific focus vs. overarching non-financial risk coverage
7.2.1.1 Bottom-up approach: risk-specific, granular focus
7.2.1.2 Top-down approach: overarching, holistic non-financial risk coverage
7.2.2 Potential outcomes: different scope of risk-coverage and level of granularity
7.3 Key success factors: maximising the effectiveness of top-down risk and control assessments
7.4 Regulatory framework, best practice and standard setter guidelines
7.4.1 COSO ERM framework
7.4.2 Bank for International Settlements
7.4.3 EBA and ECB
7.5 Methodology of top-down risk and control assessment: evaluation of inherent risk, control adequacy and residual risk
7.5.1 Non-financial risk taxonomy as a starting point
7.5.2 Measurement of inherent risk
7.5.2.1 Calculation of severity
7.5.2.1.1 Organisation-specific risk indicators
7.5.2.1.2 Industry adjustments
7.5.2.1.3 Weighting of risk indicators based on data source reliability
7.5.2.2 Calculation of likelihood
7.5.2.3 Inherent risk matrix
7.5.3 Measurement of internal control adequacy
7.5.3.1 Control indicators
7.5.3.2 Weighting of control indicators
7.5.3.3 Control rating
7.5.4 Determination of residual risk
7.6 Breakout: building an institution-wide internal control system
7.6.1 Introduction
7.6.2 Alternative path to building an internal control framework: top-down, risk-based approach
7.6.3 Five-step approach: building an internal control framework
7.6.3.1 Step 1: determination of NFR criticality
7.6.3.2 Step 2: mapping of key risks to process landscape
7.6.3.3 Step 3: definition of control objectives, key controls and control repository
7.6.3.4 Step 4: assessment of controls
7.6.3.5 Step 5: design NFR control report
7.7 Approach to handling residual risk
7.7.1 High residual risk: project and investment imperative to mitigating residual risk
7.7.2 Medium-high residual risk: action plan to reduce inherent risk exposure
7.7.3 Medium-low residual risk: continuous control testing and selected action requested
7.7.4 Low residual risk: periodic, risk-based controls
7.8 Integrated process to perform annual top-down risk and control assessment
7.8.1 Phase 1: pre-assessment by control functions
7.8.2 Phase 2: assessment by business senior management
7.8.3 Phase 3: validation and reporting
8 A Top-Down Approach to Non-Financial Risk Reporting: Collaboration Across Risk Types for Sustainable Risk Steering
8.1 Introduction: the imperative of top-down non-financial risk reporting
8.2 Regulatory framework in selected key markets
8.2.1 European Union
8.2.2 United States
8.2.3 Hong Kong
8.2.4 Singapore
8.3 Current state of non-financial risk reporting: formats with inconsistent scopes and methodologies
8.3.1 Operational risk reports
8.3.2 Additional 2nd LoD reports on specific non-financial risk types
8.3.3 Reports on internal control system
8.4 Key parameters of top-down non-financial risk reporting: methodology, required input and results
8.4.1 Identification and evaluation of key risk indicators
8.4.1.1 Determination of key risk indicators, thresholds and potential input sources
8.4.1.1.1 Step 1: understand risk factors
8.4.1.1.2 Step 2: identify key risk indicators
8.4.1.1.3 Step 3: derive institution-specific thresholds
8.4.1.2 Example KRIs: financial crime risk, outsourcing risk and human resources risk
8.4.1.2.1 Key risk indicators for financial crime risk
Table 1: Financial crime risk key risk indicators
8.4.1.2.2 Key risk indicators for outsourcing risk
Table 2: Outsourcing risk key risk indicators
8.4.1.2.3 Key risk indicators for human resources risk
Table 3: Human resources risk key risk indicators
8.4.1.3 Evaluation of key risk indicators
Figure 1: Evaluation of key risk indicators
8.4.2 Assessment of key controls as risk-mitigating measures
8.4.2.1 Step 1: capturing and allocation of controls
Table 4: Examples of key controls to mitigate financial crime risk
8.4.2.2 Step 2: assessment of controls
Figure 2: Control assessment on aggregated levels
8.4.3 Determination of residual risk and required risk-mitigating actions
Figure 3: Representation of residual risk levels
8.4.3.1 High level of residual risk
8.4.3.2 Medium level of residual risk
8.4.3.3 Low level of residual risk
8.5 Reporting process and governance
8.5.1 Governance arrangements
8.5.1.1 Board of directors
8.5.1.2 Chairman of the supervisory board
8.5.1.3 Central reporting unit
8.5.1.4 2nd LoD control functions
8.5.1.5 Operational risk department
8.5.2 Reporting process
8.6 Conclusion
9 Internal Investigations into Corporate Misconduct: Applying an Investigative Approach to Enable Proactive Risk Oversight
9.1 Introduction
9.2 Selected laws, regulations and standards
9.2.1 Supervisory sanction relief based on voluntary investigation and cooperation
9.2.1.1 Jurisdictions potentially reducing sanctions and enforcement actions due to effective investigation and cooperation
9.2.1.2 Jurisdictions not explicitly providing a bonus for self-disclosure and cooperation
9.2.1.3 Jurisdictions where investigations and cooperation do not change assessment of law enforcement
9.2.2 Statutory disclosure requirements
9.2.3 Investigation standards and requirements
9.3 Concept for proactive risk oversight using an investigative approach
9.3.1 Investigation process
9.3.1.1 Proactive risk management
9.3.1.2 Strategic and tactical investigations
9.3.1.3 Example: sanctions-driven investigations
9.3.2 Information sharing and global risk management
9.3.2.1 How to connect needles in the same haystack (in a financial institution)
9.3.2.2 How to connect needles in different haystacks (between different financial institutions)
9.4 Success factors and common pitfalls
10 Technical Application and Data Architecture for Non-Financial Risk Management
10.1 Introduction
10.1.1 A fragmented IT landscape
Figure 1: Illustrative decentralised NFR IT landscape
10.1.2 IT’s impact on data availability
10.1.3 Data availability across borders
10.1.4 Additional challenges associated with group companies
Figure 2: Typical data availability by NFR risk type
10.2 Regulatory requirements
10.3 Six challenges in NFR management and reporting
10.3.1 Challenge 1: the lack of a defined NFR-IT strategy
10.3.2 Challenge 2: responsibility for and execution of NFR reporting-related activities (operational unit vs. NFR management)
10.3.3 Challenge 3: consistency and transparency of IT architecture
10.3.4 Challenge 4: alignment of data architecture for transparency on data lineage
10.3.5 Challenge 5: implementing a solid IT target architecture
10.3.6 Challenge 6: cost-benefit considerations
10.4 A target IT architecture for NFR
Figure 3: An illustrative target architecture
10.4.1 The NFR architecture ecosystem
10.4.2 Dashboards and reporting
10.4.3 Other key enabling technologies
11 Data Governance in Non-Financial Risk Management
11.1 Introduction
11.2 Regulatory requirements
11.3 Data governance to support NFR management
Figure 1: Key building blocks of data governance
11.3.1 Data structures
11.3.2 Target operating model (TOM)
11.3.3 Data policies
11.3.4 Data tools
11.4 Scaling up state-of-the-art NFR data governance
Figure 2: Scaling up NFR data governance
11.4.1 Specific roles and responsibilities
Figure 3: High-level roles and responsibilities in data governance
11.4.2 Tool optimisation
11.5 Conclusion
12 Optimising Effectiveness and Efficiency: Deployment of Artificial Intelligence in Non-Financial Risk Management
12.1 Introduction
12.2 Financial sector digitisation: the front-to-back case for AI
12.2.1 Digital transformation of business and operating models
12.2.1.1 Changed customer expectations and behaviour
12.2.1.2 Increasing efficiency challenges
12.2.2 Impact of COVID-19
12.2.2.1 Accelerator of digitisation
12.2.2.2 Modified risk environment
12.3 Regulatory approach to artificial intelligence
12.3.1 Overview
12.3.1.1 European Union
12.3.1.1.1 European Commission
12.3.1.1.2 European Banking Authority
12.3.1.1.3 National financial supervisors
12.3.1.2 United States
12.3.1.3 Hong Kong
12.3.1.4 Singapore
12.3.2 Summary of key regulatory expectations
12.3.2.1 Governance
12.3.2.2 Design and development
12.3.2.3 Ongoing maintenance
12.4 Machine learning algorithms: Key learning modes and examples
Figure 1: Volume of data/information created, captured, copied and consumed worldwide from 2010 to 2025 (in zettabytes)[19]
12.4.1 Supervised learning
12.4.2 Unsupervised learning
12.4.3 Reinforcement learning
12.4.4 Deep learning
12.5 Deployment of AI in non-financial risk management
12.5.1 Financial crime prevention: biometric customer identification, dynamic CRR calculation and AI-based transaction screening
12.5.1.1 Know your customer: automated biometric identification of customers
12.5.1.2 Dynamic calculation of customer risk ratings: faster reaction to material changes in client risk profiles
12.5.1.2.1 Automatic data import into the CRR system
12.5.1.2.2 Dynamic recalculation of customer risk ratings
12.5.1.3 Negative news screening: AI-supported reduction of screening efforts
12.5.1.3.1 Matching of customer names to negative news
12.5.1.3.2 Contextual pre-evaluation of news articles
12.5.1.4 Sanctions name screening: AI-supported reduction of false positive alerts and pre-assessment of screening alerts
12.5.1.4.1 Reduction of false positive alerts via feedback loop
12.5.1.4.2 Pre-assessment of generated alerts and optimisation of manual alert reviews
12.5.1.5 Sanctions transaction screening
12.5.1.6 AML transaction monitoring: deploying artificial intelligence to manual investigations
12.5.2 Prevention of market abuse: AI-based detection of irregularities in securities trading
12.5.2.1 Behaviour-based tracking of trading portfolios: AI-based detection of irregular transactions
12.5.2.2 AI-based assessment of trader’s voice and email communication
12.5.3 Management of AI (model) risk: key discipline for data-driven financial institutions
12.5.4 AI4ESG: tech-driven sustainable finance
12.5.5 AI infrastructure for non-financial risk management
12.6 Conclusion
13 Core Elements of Conduct and Ethics in the Context of Non-Financial Risk
13.1 Conduct risk: definitions, characteristics and regulatory landscape
13.1.1 Conduct and compliance, ethics versus integrity
13.1.1.1 Finding common ground: definition of key terms
13.1.1.2 Conduct-based versus integrity-based ethics
13.1.1.3 An integrative approach for synthesising conduct-/compliance-based and integrity-based ethics
Figure 1: Definitions of key terms[30]
13.1.2 What is meant when we talk about conduct risk?
13.1.2.1 No universal definition
13.1.2.2 Three key topics: market, client and employee conduct risk
13.1.3 Conduct risk in the NFR taxonomy
Figure 2: NFR taxonomy
13.2 Regulatory landscape
Figure 3: Timeline and trends in the conduct risk regulatory landscape
13.2.1 European perspective
13.2.1.1 European/UK regulators
13.2.1.2 Other European countries
13.2.2 US perspective
13.2.3 Asia-Pacific perspective
13.3 Why conduct risk matters
13.3.1 Increased regulatory scrutiny
13.3.1.1 Focus on regulatory oversight
13.3.1.2 Frequency of regulatory actions
13.3.2 Supervisory and legal actions
13.3.2.1 Actions against firms
13.3.2.2 Actions against individuals
14 Managing Conduct Risk: Framework and Perspectives
14.1 Trends and perspectives in respect of conduct risk in the regulatory context
14.1.1 Treating Customers Fairly (TCF)
Figure 1: TCF’s six consumer outcomes
14.1.2 Senior management regimes as emerging global trends in conduct risk
14.1.2.1 UK
14.1.2.2 Hong Kong and Singapore
14.1.2.3 Malaysia
14.1.2.4 Australia
14.2 Conduct Risk Management as integral part of ESG
14.2.1 G like conduct
14.2.2 New legislative focus and recent regulatory developments
14.2.3 Activities at the EU level
14.2.4 Optimising ESG risk management
Figure 2: Five pillars in ESG risk management
14.3 Managing conduct risk
14.3.1 The Conduct Risk House
Figure 3: Conduct Risk House
14.3.2 Building a Conduct Risk framework
15 Successful ESG Transition: Implications and Challenges for Effective Risk Management
15.1 Introduction
Figure 1: Example ESG factors for corporate sustainability topics, defined in line with global sustainability definitions
15.2 Regulatory frameworks in selected key jurisdictions
15.2.1 General overview
15.2.2 European Union
15.2.2.1 Non-Financial Reporting Directive & Corporate Sustainability Reporting Directive
15.2.2.2 Sustainable finance taxonomy
Figure 2: Overview of taxonomy-related document interdependencies
15.2.2.3 EU Disclosure Regulation
15.2.2.4 EU Prudential Regulations
Figure 3: EBA infographic showing a summary of Pillar 3 ESG disclosures (EBA 2022)
15.2.3 United States
15.2.4 Hong Kong
15.2.5 Singapore
15.3 Sustainable finance: upcoming challenges for companies
15.4 Target picture: effective management of ESG risk
Figure 4: ESG Compliance Target Operating Model (TOM)
15.4.1 ESG strategy
15.4.2 Governance and organisation
15.4.3 ESG risk steering
Figure 5: ESG Compliance Target Operating Model: 3. ESG risk steering
15.4.4 Identification of enabling factors
15.4.5 ESG as an opportunity
15.5 Conclusion
Bibliography
Chapter 2 Definition of Non-Financial Risk in Financial Institutions. Figure 1: Development of non-financial risk
Chapter 2 Definition of Non-Financial Risk in Financial Institutions. Figure 2: Risk taxonomy in financial institutions
Chapter 3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks. Figure 1: Three levels in risk appetite frameworks
Chapter 3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks. Figure 2: Definition of thresholds for a Level 2 metric based on operational losses
Chapter 3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks. Figure 3: Definition of thresholds for a Level 2 metric based on risk assessment
Chapter 3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks. Figure 4: Aggregate Level 2 metric based on risk assessment results
Chapter 3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks. Figure 5: Drivers for key risk indicators selection
Chapter 3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks. Figure 8: Example of thresholds calibration applying a percentile-based approach
Chapter 3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks. Figure 9: Annual RAF cycle
Chapter 4 The Three Lines of Defence Model: Key Success Factors for Effective Risk Management. Figure 1: Overview key mandates 1st, 2nd and 3rd line of defence
Chapter 4 The Three Lines of Defence Model: Key Success Factors for Effective Risk Management. Figure 2: Key mandate 1st LoD risk-coordinating function
Chapter 5 Global Functional Lead in Non-Financial Risk Management: Ensuring Consistency and Integration in Complex Organisations. Figure 1: Major GFL components
Chapter 5 Global Functional Lead in Non-Financial Risk Management: Ensuring Consistency and Integration in Complex Organisations. Figure 2: Reporting lines under GFL
Chapter 5 Global Functional Lead in Non-Financial Risk Management: Ensuring Consistency and Integration in Complex Organisations. Figure 3: GFL meeting governance
Chapter 6 Policies and Procedures: Framework and Governance Requirements in the Financial Sector. Figure 1: Example for four-tiered policy hierarchy
Chapter 6 Policies and Procedures: Framework and Governance Requirements in the Financial Sector. Figure 2: Financial crime policy hierarchy (example for a corporate and retail bank)
Chapter 8 A Top-Down Approach to Non-Financial Risk Reporting: Collaboration Across Risk Types for Sustainable Risk Steering. Figure 1: Evaluation of key risk indicators
Chapter 8 A Top-Down Approach to Non-Financial Risk Reporting: Collaboration Across Risk Types for Sustainable Risk Steering. Figure 2: Control assessment on aggregated levels
Chapter 8 A Top-Down Approach to Non-Financial Risk Reporting: Collaboration Across Risk Types for Sustainable Risk Steering. Figure 3: Representation of residual risk levels
Chapter 10 Technical Application and Data Architecture for Non-Financial Risk Management. Figure 1: Illustrative decentralised NFR IT landscape
Chapter 10 Technical Application and Data Architecture for Non-Financial Risk Management. Figure 3: An illustrative target architecture
Chapter 11 Data Governance in Non-Financial Risk Management. Figure 1: Key building blocks of data governance
Chapter 11 Data Governance in Non-Financial Risk Management. Figure 2: Scaling up NFR data governance
Chapter 11 Data Governance in Non-Financial Risk Management. Figure 3: High-level roles and responsibilities in data governance
Chapter 12 Optimising Effectiveness and Efficiency: Deployment of Artificial Intelligence in Non-Financial Risk Management. Figure 1: Volume of data/information created, captured, copied and consumed worldwide from 2010 to 2025 (in zettabytes)
Chapter 13 Core Elements of Conduct and Ethics in the Context of Non-Financial Risk. Figure 1: Definitions of key terms
Chapter 13 Core Elements of Conduct and Ethics in the Context of Non-Financial Risk. Figure 2: NFR taxonomy
Chapter 13 Core Elements of Conduct and Ethics in the Context of Non-Financial Risk. Figure 3: Timeline and trends in the conduct risk regulatory landscape
Chapter 14 Managing Conduct Risk: Framework and Perspectives. Figure 1: TCF’s six consumer outcomes
Chapter 14 Managing Conduct Risk: Framework and Perspectives. Figure 2: Five pillars in ESG risk management
Chapter 14 Managing Conduct Risk: Framework and Perspectives. Figure 3: Conduct Risk House
Chapter 15 Successful ESG Transition: Implications and Challenges for Effective Risk Management. Figure 1: Example ESG factors for corporate sustainability topics, defined in line with global sustainability definitions
Chapter 15 Successful ESG Transition: Implications and Challenges for Effective Risk Management. Figure 2: Overview of taxonomy-related document interdependencies
Chapter 15 Successful ESG Transition: Implications and Challenges for Effective Risk Management. Figure 3: EBA infographic showing a summary of Pillar 3 ESG disclosures (EBA 2022)
Chapter 15 Successful ESG Transition: Implications and Challenges for Effective Risk Management. Figure 4: ESG Compliance Target Operating Model (TOM)
Chapter 15 Successful ESG Transition: Implications and Challenges for Effective Risk Management. Figure 5: ESG Compliance Target Operating Model: 3. ESG risk steering