N. Gittfried / G. Lienke / F. Seiferlein / J. Leiendecker / B. Gehra / K. Hefter / F. Hildebrand (eds.)
Non-financial Risk Management in the Financial Industry
A Target Operating Model
2nd, revised and extended edition 2025
400 pages, hardcover, 89.90 EUR
ISBN: 978-3-95647-237-4
 

Also available as an e-book:


Managing compliance, operational, digital, AI and sustainability risks has become increasingly critical for businesses in the financial services industry. Furthermore, expectations by regulators are ever more demanding, while monetary sanctions are being scaled up. Accordingly, non-financial risk (NFR) management requires sophistication in various aspects of a risk management system.

This handbook analyses a major success factor necessary for meeting the requirements of modern risk management: an institution-specific target operating model – integrating strategy, governance & organisation, risk management, data architecture and cultural elements to ensure maximum effectiveness. Fully updated to reflect the latest regulatory and industry developments, the second edition features two brand-new chapters on the deployment of (Gen) AI in non-financial risk management and cyber resilience in financial institutions.

The book has been written by senior NFR experts from key markets in Europe, the US and Asia. It gives practitioners the necessary guidance to master the challenges in today’s global risk environment. Each chapter covers key regulatory requirements, major implementation challenges as well as both practical solutions and examples.


Editors

Norbert Gittfried is a Partner and Director at Boston Consulting Group. As topic coordinator for Compliance & Regulation, he advises large financial institutions worldwide on complex compliance transformations and the development of overarching non-financial risk (NFR) steering approaches. His focus lies on establishing effective Compliance and NFR management systems as well as on digitising those functions and making them more efficient. Prior to joining BCG 15 years ago, he was Senior Manager at a Big 4 Company. He is a lecturer at Goethe Business School and a permanent representative in various industry bodies for FI.

Dr. Georg Lienke is a lawyer and Associate Director at Boston Consulting Group focusing on non-financial risk management and Compliance. Georg regularly publishes on non-financial risk topics. He holds a Ph.D. in law from the Technical University Dresden and an LL.M. in Corporate and Financial Law from the University of Hong Kong. Prior to joining BCG, Georg worked at a Big 4 Company, a global bank and an international law firm.

Florian Seiferlein is a former Partner at Boston Consulting Group. For more than a decade, he advised leading Financial Institutions on Strategy, Finance and Risk Management. He managed large-scale transformations, implementations of digitalized End-to-End Target Operating Models as well as regulatory assessments in Europe, North America and Africa, and he was also a part of US Monitor teams. After BCG, a Big 4 and another management consulting firm, he moved into a leading role in the financial industry. Florian holds a Master of Science in business engineering (Karlsruhe Institute of Technology).

Jannik Leiendecker is a Partner and Associate Director at Boston Consulting Group. He is co-leading BCG’s Center for Sustainability Policy and Regulation and is also a member of EFRAG’s Sustainability Reporting Technical Expert Group. Over the last 15 years, his work has been focused on Non-Financial Risk Management and Sustainability-related topics especially within the Financial Services Industry. He is a regular guest lecturer and has published intensively on the subject.

Dr. Bernhard Gehra is a Managing Director and Senior Partner at Boston Consulting Group, based in New York City. With more than 20 years of experience, he specializes in Risk, Compliance, and Technology, advising global organizations on complex challenges in these domains. In the past decade, he has led large-scale, international programs with a particular focus on Risk and Non-Financial Risk management. At BCG, Bernhard holds multiple leadership roles within the firm’s Risk & Compliance practice, including heading the North America branch. Prior to joining BCG, he worked for a leading global securities services provider. He holds a Ph.D. in Information Science.

Dr. Katharina Hefter is a Managing Director and Partner at Boston Consulting Group. With more than 15 years of experience, she specializes in Compliance, Risk, and Ethics, supporting clients in preventive transformative programs as well as remediation efforts. She leads complex, international programs in Non-Financial Risk Management for Banks, Payment Providers and Insurance Companies. Furthermore, Katharina holds several leadership roles within BCG and is BCG’s Global Lead for Compliance and Crisis Management. Katharina holds a Ph.D. in international management from ESCP Europe.

Felix Hildebrand is a Managing Director & Partner at Boston Consulting Group, where he leads the firm’s Compliance business for financial institutions across Central & Northern Europe. With roughly 15 years of experience in the industry, his work focuses on the design and transformation of Compliance and Non-Financial Risk functions. He has led numerous large-scale engagements related to risk governance, operational resilience, and regulatory-driven change. Felix regularly publishes on compliance & non-financial risk topics, and actively drives the agenda of several think tanks.

 

Contributors

Dr. John Ashley, Director, Global Public Sector Solutions Architecture & NVIDIA AI Technology Centers, NVIDIA, Los Angeles

Ulrike Brouzi, Member of the Board of Managing Directors, DZ BANK AG, Frankfurt

Dr. Oliver Engels, Senior expert in the field of integrated governance, risk and compliance as well as sustainability, process improvement and operations in the financial service industry, Frankfurt

Dr. Erasmus Faber, Managing Director, Chief Compliance Officer, Twelve Securis, Munich

Lorenzo Fantini, Managing Director & Partner, Boston Consulting Group, Milan

Barbara Fojcik, Senior Strategist, Group Strategy & Impact, Allianz SE, Munich

Dr. Jan-Oliver Fröhlich, Associate Director, Boston Consulting Group, Hamburg

Kai Gammelin, Senior expert of governance, risk management and compliance in a leading position in the financial industry, Bludenz

Dr. Julia Gebhardt, Managing Director & Partner, Boston Consulting Group, Munich

Dr. Ulrich Göres, Frankfurt

Peter Gürtlschmidt, Mag. MA, Director, Head BLAFC Corporate Bank BizBanking Germany, Deutsche Bank AG, Frankfurt

Hurdogan Irmak, Head of Risk Management, Isbank, Istanbul

Marc Peter Klein, Ass. jur., Managing Director, Group Chief Compliance Officer & Chief Human Rights Officer, Deutsche Börse AG, Eschborn

Dr. Michael Lange, Managing Director, Divisional Head Compliance, DZ BANK AG, Frankfurt

Annika Melchert, Principal, BCG Platinion, Dubai

Robert Mieszkowski, DZ BANK AG, Frankfurt

Burcu Nasuhoglu, Head of Operational Risk Management, Isbank, Istanbul

Dr. Jochen Papenbrock, EMEA Head of Financial Technology, NVIDIA, Frankfurt

Larissa Pilz, Manager (VP), Chief Risk Office, Deutsche Börse AG, Frankfurt

Aytech Pseunokov, Project Leader, Boston Consulting Group, Dubai

Jennifer Rabener, Compliance Specialist, Green Climate Fund, Seoul

Luca Rancan, Chief Executive Officer, Gratitude Holding, Milan

Dr. Stiene Riemer, Managing Director and Partner, Boston Consulting Group, Munich

Michele Rigoni, Partner and Associate Director, Boston Consulting Group, Milan

Dr. Barbara Roth, LL.M., Chief Administration Officer, Executive Board Member, State Street Bank International GmbH, Munich

Dr. Christian N. Schmid, Managing Director & Partner, Boston Consulting Group, Munich

Dr. Roman Schnalle, Executive Director, Chief Information Security Officer, Helaba Landesbank Hessen-Thüringen, Frankfurt

Prof. Dr. Martin Schulz, Attorney at law, Counsel, CMS Hasche Sigle, Frankfurt, Professor of Business Law, IU International University of Applied Sciences, Erfurt

Hanjo Seibert, Managing Director and Partner, Boston Consulting Group, Washington D.C.

Björn Stauber, M.Sc., First Vice President Compliance, KfW Bankengruppe, Frankfurt

Anna Streuli, Managing Director, Head Chief Risk Office, Helaba Landesbank Hessen-Thüringen, Frankfurt

Rei Tanaka, Senior risk management expert in the financial services consulting sector, Tokyo

Benedetta Testino, Associate Director, Boston Consulting Group, Milan

Federico Truffelli, Deputy Head of Group Anti-Financial Crime, Group Head of AML/FS Monitoring Strategy, UniCredit Group, Milan

Anita Varshney, Global Vice President, Strategic Customer Engagements, SAP Sustainability, Singapore

Valérie Villafranca, Managing Director, Group Head of ESG Transformation, Société Générale, Paris

Lora von Ploetz, LL.M. Law, LL.M. Finance, Senior financial crime and compliance expert with expertise in regulatory supervision, investigative strategy and global compliance frameworks, Frankfurt

Daniel Wagner, Delivery Executive, Google, Frankfurt

Constanze Westwood, Partner, Boston Consulting Group, Munich

Dr. Carsten Wiegand, Director, Boston Consulting Group, Frankfurt

Non-financial Risk Management in the Financial Industry

Editors

Contributors

Foreword

1 Introduction: Rising to the Challenges of Non-Financial Risk Management

Dr. Bernhard Gehra, Jannik Leiendecker, Dr. Georg Lienke

1.1 New risks and challenges

1.2 A forward-looking solution for non-financial risk management in the financial industry

1.3 Defining and aligning non-financial risk categories

1.4 Establishing a non-financial risk appetite framework to prevent an undesirable risk-taking

1.5 Building key governance and organizational pillars for non-financial risk management

1.6 Generating excellence in the non-financial risk management lifecycle

1.7 Using data, IT and artificial intelligence and staying cyber resilient

1.8 Putting conduct and ethics at the center of sustainable non-financial risk management

1.9 A holistic approach to Sustainability Risk Management in Financial Institutions

2 Definition of Non-Financial Risk in Financial Institutions

Dr. Julia Gebhardt, Dr. Katharina Hefter, Jennifer Rabener, Dr. Carsten Wiegand

2.1 Introduction

2.2 History of non-financial risk and specifications by key regulators

2.2.1 A short history of non-financial risk

2.2.2 Existing non-financial risk specifications by key global and regional regulators and associations

2.3 Differentiation of financial and non-financial risk

2.4 Specific clusters of non-financial risk

2.5 Conclusion and outlook

3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks

Federico Truffelli, Dr. Ulrich Göres, Lorenzo Fantini, Michele Rigoni, Luca Rancan

3.1 Introduction

3.2 RAF level 1: overall risk appetite statement

3.3 RAF level 2: risk appetite metrics

3.4 RAF level 3: Key Risk Indicators

3.5 RAF governance

4 The Three Lines of Defence Model: Key Success Factors for Effective Risk Management

Dr. Georg Lienke, Dr. Oliver Engels, Marc Peter Klein, Peter Gürtlschmidt, Rei Tanaka

4.1 Introduction

4.2 Regulatory framework in selected key jurisdictions

4.3 Key roles and responsibilities of 1st, 2nd and 3rd LoD

4.4 Common pitfalls of the 3LoD model and precautionary measures

4.5 Conclusion

5 Global Functional Lead in Non-Financial Risk Management: Ensuring Consistency and Integration in Complex Organisations

Ulrike Brouzi, Dr. Michael Lange, P. Robert Mieszkowski, Jannik Leiendecker, Dr. Georg Lienke, Florian Seiferlein, Norbert Gittfried, Rei Tanaka

5.1 Introduction

5.2 Regulatory framework in select key markets

5.3 Global functional lead: individual corporate parameters to consider

5.4 Major components of global functional lead in non-financial risk management

5.5 Conclusion

6 Policies and Procedures: Framework and Governance Requirements in the Financial Sector

Dr. Erasmus Faber, Björn Stauber, Dr. Georg Lienke

6.1 Introduction

6.2 Regulatory framework in selected key jurisdictions

6.3 Policy framework: key implications for a target concept

6.4 Policy governance, repository and workflow tool

6.5 Conclusion

7 Top-Down Risk and Control Assessment: A Forward-Looking Approach to Evaluate Company-Wide Non-Financial Risk Exposure

Hurdogan Irmak, Burcu Nasuhoglu, Dr. Erasmus Faber, Lorenzo Fantini, Benedetta Testino, Jannik Leiendecker, Barbara Fojcik, Dr. Georg Lienke

7.1 Introduction

7.2 Top-down vs. bottom-up: different approaches based on desired outcomes

7.3 Key success factors: maximising the effectiveness of top-down risk and control assessments

7.4 Regulatory framework, best practice and standard setter guidelines

7.5 Methodology of top-down risk and control assessment: evaluation of inherent risk, control adequacy and residual risk

7.6 Breakout: building an institution-wide internal control system

7.7 Approach to handling residual risk

7.8 Integrated process to perform annual top-down risk and control assessment

8 A Top-Down Approach to Non-Financial Risk Reporting: Collaboration Across Risk Types for Sustainable Risk Steering

Valérie Villafranca, Dr. Georg Lienke, Florian Seiferlein, Kai Gammelin, Dr. Katharina Hefter, Norbert Gittfried

8.1 Introduction: the imperative of top-down non-financial risk reporting

8.2 Regulatory framework in selected key markets

8.3 Current state of non-financial risk reporting: formats with inconsistent scopes and methodologies

8.4 Key parameters of top-down non-financial risk reporting: methodology, required input and results

8.5 Reporting process and governance

8.6 Conclusion

9 Internal Investigations into Corporate Misconduct: Applying an Investigative Approach to Enable Proactive Risk Oversight

Lora von Ploetz, Florian Seiferlein

9.1 Introduction

9.2 Selected laws, regulations and standards

9.3 Concept for proactive risk oversight using an investigative approach

9.4 Success factors and common pitfalls

10 Technical Application and Data Architecture for Non-Financial Risk Management

Kai Gammelin, Björn Stauber, Dr. Christian N. Schmid, Dr. Jan-Oliver Fröhlich, Annika Melchert, Daniel Wagner

10.1 Introduction

10.2 Regulatory requirements

10.3 Seven challenges in NFR management and reporting

10.4 A target ICT architecture for NFR

11 Data Governance in Non-Financial Risk Management

Björn Stauber, Dr. Christian N. Schmid, Dr. Jan-Oliver Fröhlich, Annika Melchert, Daniel Wagner

11.1 Introduction

11.2 Regulatory requirements

11.3 Data governance to support NFR management

11.4 Scaling up state-of-the-art NFR data governance

11.5 Conclusion

12 Optimizing Effectiveness and Efficiency: Deployment of Artificial Intelligence in Non-Financial Risk Management

Dr. Jochen Papenbrock, Dr. John Ashley, Dr. Georg Lienke, Florian Seiferlein, Norbert Gittfried, Dr. Stiene Riemer, Hanjo Seibert

12.1 Introduction

12.2 The transformative journey of AI: from rule-based systems to advanced analytics, machine learning and generative AI

12.3 Global approaches to AI regulation

12.4 Deep dive: AI-driven prevention of financial crime

12.5 Responsible AI: addressing key challenges in AI deployment

12.6 Conclusions and key takeaways

13 Enhancing the Cyber Resilience of Financial Institutions

Anna Streuli, Dr. Roman Schnalle, Felix Hildebrand, Dr. Georg Lienke

13.1 Introduction

13.2 Regulatory requirements and oversight: strengthening cyber resilience

13.3 Industry frameworks for cyber resilience

13.4 The six functions of NIST CSF

13.5 Emerging challenges and adaptation strategies in cyber resilience

13.6 Four strategic recommendations for strengthening cyber resilience

14 Core Elements of Conduct and Ethics in the Context of Non-Financial Risk

Dr. Barbara Roth, Dr. Erasmus Faber, Dr. Julia Gebhardt, Dr. Katharina Hefter, Constanze Westwood

14.1 Conduct risk: definitions, characteristics and regulatory landscape

14.2 Regulatory landscape

14.3 Why conduct risk matters

15 Managing Conduct Risk: Framework and Perspectives

Prof. Dr. Martin Schulz, Dr. Julia Gebhardt, Dr. Katharina Hefter, Constanze Westwood

15.1 Trends and perspectives in respect of conduct risk in the regulatory context

15.2 Conduct risk management as an integral part of sustainability

15.3 Managing conduct risk

16 A Holistic Approach to Sustainability Risk Management in Financial Institutions – A Global Perspective

Oliver Engels, Jannik Leiendecker, Larissa Pilz, Aytech Pseunokov, Benedetta Testino, Anita Varshney

16.1 Introduction

16.2 Regulatory frameworks in selected key jurisdictions

16.3 Sustainability risk management: upcoming challenges for FIs

16.4 Target picture: effective management of sustainability risk drivers

16.5 Conclusion

Bibliography
