N. Gittfried / G. Lienke / F. Seiferlein / J. Leiendecker / B. Gehra (eds.)
Non-financial Risk Management in the Financial Industry
A Target Operating Model for Compliance and ESG Risks
1st edition 2022
374 pages, hardcover, 79.90 EUR
ISBN 978-3-95647-188-9

Also available as an e-book:

Non-financial Risk Management in the Financial Industry

Managing environment, social and governance (ESG) risk, compliance risk and non-financial risk (NFR) has become increasingly critical for businesses in the financial services industry. Furthermore, expectations by regulators are ever more demanding, while monetary sanctions are being scaled up. Accordingly, ESG, Compliance and NFR risk management requires sophistication in various aspects of a risk management system.

This handbook analyses a major success factor necessary for meeting the requirements of modern risk management: an institution-specific target operating model (TOM) integrating strategy, governance & organisation, risk management, data architecture and cultural elements to ensure maximum effectiveness. Institutions also need to master the digital transformation so that their business model remains sustainable in the years to come. This book offers ways to achieve just that.

The book has been written by senior ESG, Compliance and NFR experts from key markets in Europe, the U.S. and Asia. It gives practitioners the necessary guidance to master the challenges in today's global risk environment. Each chapter covers key regulatory requirements, major implementation challenges as well as both practical solutions and examples.


Editors

Norbert Gittfried is a Partner and Director at Boston Consulting Group. As topic coordinator for Compliance & Regulation, he advises large financial institutions worldwide on complex compliance transformations and the development of overarching non-financial risk steering approaches. His focus lies both in establishing effective Compliance and NFR Management systems and in digitising those functions to make them more efficient. Prior to joining BCG 11 years ago, he was Senior Manager at a Big 4 Company. He is a lecturer at Goethe Business School and a permanent representative in various industry bodies for FI.

Georg Lienke is a lawyer and Associate Director at Boston Consulting Group focusing on non-financial risk management and Compliance. In his work for financial institutions and corporate clients over the last 15 years, his focus has been on the design and implementation of target operating models for non-financial risk management. Georg regularly publishes on non-financial risk topics. He holds a Ph.D. in law from the Technical University Dresden and a Master of Laws in Corporate and Financial Law from the University of Hong Kong. Prior to joining BCG, Georg worked at a Big 4 Company and a global bank.

Florian Seiferlein is an Associate Director at Boston Consulting Group. For over a decade, he has advised leading companies on Compliance & Non-Financial Risks (NFR). He has managed large-scale Compliance & NFR transformations, investigations and regulatory assessments in Europe, North America and Africa, and he was also part of US Monitor teams. Prior to joining BCG, he worked for Big 4 and management consulting firms. Florian holds a Master of Science in business engineering (Karlsruhe Institute of Technology).

Jannik Leiendecker is a Partner and an Associate Director at Boston Consulting Group. Over the last 11 years, his focus has been on Non-Financial Risk (incl. Compliance) and ESG. He has advised numerous clients especially within the Financial Services industry on the set-up and optimisation of their respective operating model. He has also co-authored various corresponding publications. Jannik holds a Master of Science in Economic History from the London School of Economics and a Bachelor of Science in Business from the Ludwig-Maximilians-University in Munich.

Bernhard Gehra is a Senior Partner and Managing Director at Boston Consulting Group. His focus has been on Risk, Compliance and Technology for more than 20 years. In the most recent of those years, he has led large worldwide projects focused on Risk and Non-Financial Risk. Furthermore, Bernhard recently managed ESG Compliance issues for large companies. Prior to joining BCG, he worked for a global securities service provider. Bernhard holds a Ph.D. in information science.

Contributors

Prof. Dr. Douglas Arner, Kerry Holdings Professor in Law, RGC Senior Fellow in Digital Finance and Sustainable Development, Faculty of Law, University of Hong Kong, Hong Kong

Dr. John Ashley, General Manager, Financial Services and Technology, NVIDIA Inc., San Francisco Bay Area

Ulrike Brouzi, Member of the Board of Managing Directors, DZ BANK AG, Frankfurt

Rene Bystron, Project Leader, Boston Consulting Group, Seattle

Dr. Oliver Engels, Chief Risk Officer, Deutsche Börse AG, Frankfurt

Dr. Erasmus Faber, Managing Director, Head of Compliance & Risk Management Germany, Twelve Capital (DE) GmbH, Munich

Lorenzo Fantini, Managing Director & Partner, Boston Consulting Group, Milan

Barbara Fojcik, Project Leader, Boston Consulting Group, Munich

Dr. Jan-Oliver Fröhlich, Project Leader, Boston Consulting Group, Hamburg

Kai Gammelin, Risk prevention and compliance expert in a leading position in the financial industry, Bludenz

Dr. Julia Gebhardt, Partner, Boston Consulting Group, Munich

Dr. Ulrich Göres, Frankfurt

Peter Gürtlschmidt, Mag. MA, Vice President, Head AFC GMIC Corporate & Investment Bank Germany / EMEA, Deutsche Bank AG, Frankfurt

Dr. Katharina Hefter, Managing Director & Partner, Boston Consulting Group, Berlin

Hurdogan Irmak, Head of Risk Management, Isbank, Istanbul

Marc Peter Klein, Ass. jur., Managing Director, Head AFC Corporate & Investment Bank Germany / EMEA, Deutsche Bank AG, Frankfurt

Dr. Michael Lange, Managing Director, Divisional Head Compliance, DZ BANK AG, Frankfurt

Annika Melchert, Manager, BCG Platinion, Dubai

P. Robert Mieszkowski, DZ BANK AG, Frankfurt

Martina Mietzner, Managing Director, Chief Compliance Officer, Bayerische Landesbank, Munich

Burcu Nasuhoglu, Head of Operational Risk Management, Isbank, Istanbul

Dr. Jochen Papenbrock, Financial Services and Technology Developer Relationship Lead EMEA, Gaia-x FAIC Lead, NVIDIA GmbH, Frankfurt

Aytech Pseunokov, Project Leader, Boston Consulting Group, Dubai

Jennifer Rabener, Project Leader, Boston Consulting Group, Munich

Luca Rancan, Project Leader, Boston Consulting Group, Milan

Michele Rigoni, Principal, Boston Consulting Group, Milan

Dr. Barbara Roth, Managing Director, Head Group Internal Audit, Deutsche Börse AG, Frankfurt

Dr. Christian N. Schmid, Managing Director & Partner, Boston Consulting Group, Munich

Prof. Dr. Martin Schulz, Attorney at law, Counsel, CMS Hasche Sigle, Frankfurt

Björn Stauber, M.Sc., First Vice President Compliance, KfW Bankengruppe, Frankfurt

Rei Tanaka, Managing Director & Partner, Boston Consulting Group, Tokyo

Benedetta Testino, Project Leader, Boston Consulting Group, Milan

Federico Truffelli, Deputy Head of Group Anti-Financial Crime, Group Head of AML/FS Risk Assessment, Controls and Liaison Office Support, UniCredit Group, Milan

Anita Varshney, Global Vice President, Strategy SAP S/4HANA Sustainability, SAP, Hong Kong

Valérie Villafranca, Managing Director, Group Head of ESG Transformation, Société Générale, Paris

Lora von Ploetz, LL.M. Law, LL.M. Finance, Director, Head of Global Financial Crime Unit, Commerzbank AG, Frankfurt

Daniel Wagner, Manager, BCG Platinion, Frankfurt

Dr. Carsten Wiegand, Knowledge Expert, Team Manager, Boston Consulting Group, Frankfurt


Table of contents

Editors

Contributors

Foreword

1 Introduction: Rising to the Challenges of Non-Financial Risk Management, Compliance and ESG
Prof. Dr. Douglas Arner, Dr. Bernhard Gehra, Jannik Leiendecker, Dr. Georg Lienke
1.1 New risks and challenges
1.2 A forward-looking solution for non-financial risk management in the financial industry
1.3 Defining and aligning non-financial risk categories
1.4 Establishing a non-financial risk appetite framework to prevent an undesirable risk-taking
1.5 Building key governance and organisational pillars for non-financial risk management
1.6 Generating excellence in the non-financial risk management lifecycle
1.7 Using data, IT and artificial intelligence
1.8 Putting conduct and ethics at the centre of sustainable non-financial risk management
1.9 Environment, social and governance: Implications for effective risk management

2 Definition of Non-Financial Risk in Financial Institutions
Martina Mietzner, Dr. Julia Gebhardt, Dr. Katharina Hefter, Jennifer Rabener, Dr. Carsten Wiegand
2.1 Introduction
2.2 History of non-financial risk and specifications by key regulators
2.2.1 A short history of non-financial risk
2.2.2 Existing non-financial risk specifications by key global and regional regulators and associations
2.3 Differentiation of financial and non-financial risk
2.3.1 Financial risk definition
2.3.2 Non-financial risk definition
2.4 Specific clusters of non-financial risk
2.4.1 Operational risk
2.4.1.1 Financial crime risk
2.4.1.1.1 Money-laundering/terrorist financing risk
2.4.1.1.2 Sanctions and embargoes risk
2.4.1.1.3 Bribery and corruption risk
2.4.1.1.4 Facilitation of tax evasion
2.4.1.2 Conduct risk
2.4.1.2.1 Market conduct risk
2.4.1.2.2 Client conduct risk
2.4.1.2.3 Employee conduct risk
2.4.1.3 Regulatory compliance risk
2.4.1.4 Fraud risk
2.4.1.4.1 Account-opening fraud risk
2.4.1.4.2 Debt/credit card fraud risk
2.4.1.4.3 Fraudulent paper-based payment transactions risk
2.4.1.4.4 Online banking fraud risk
2.4.1.4.5 Credit fraud risk
2.4.1.4.6 Theft risk
2.4.1.4.7 Embezzlement/breach of trust risk
2.4.1.4.8 Antitrust violation risk
2.4.1.4.9 Balance sheet manipulation
2.4.1.5 Information, Communication & Technology (ICT) and Cyber risk
2.4.1.5.1 Data confidentiality risk
2.4.1.5.2 Data availability risk
2.4.1.5.3 Data integrity risk
2.4.1.5.4 Information security risk
2.4.1.6 Data privacy and bank secrecy risk
2.4.1.6.1 Data privacy risk
2.4.1.6.2 Bank secrecy risk
2.4.1.7 Resilience risk
2.4.1.8 Outsourcing and vendor risk
2.4.1.8.1 Intragroup outsourcing risk
2.4.1.8.2 External outsourcing risk
2.4.1.8.3 Vendor risk
2.4.1.9 Tax reporting risk
2.4.1.10 Other operational risk
2.4.1.10.1 Human resources risk
2.4.1.10.2 Legal risk
2.4.1.10.3 Physical damage risk
2.4.1.10.4 Execution, delivery and process risk
2.4.1.10.5 Reporting risk
2.4.1.10.6 Accounting risk
2.4.1.10.7 Project risk
2.4.1.10.8 Competition law risk
2.4.1.10.9 Model risk
2.4.2 Strategic risk
2.4.2.1 Reputational risk
2.4.2.2 Sustainability risk
2.4.2.2.1 Climate change risk
2.4.2.2.2 Human rights risk
2.4.2.3 Business risk
2.4.2.3.1 Forecasting risk
2.4.2.3.2 Inorganic growth risk
2.4.2.3.3 New business risk
2.4.2.3.4 Investor relations risk
2.5 Conclusion and outlook

3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks
Federico Truffelli, Dr. Ulrich Göres, Lorenzo Fantini, Michele Rigoni, Luca Rancan
3.1 Introduction
3.1.1 Regulatory requirements
3.1.2 RAF in practice
3.2 RAF Level 1: Overall Risk Appetite Statement
3.2.1 Overall statement
3.2.2 Prohibited activities
3.3 RAF Level 2: Risk Appetite metrics
3.3.1 Defining appropriate metrics
3.3.2 Metrics: setting the thresholds
3.3.2.1 Thresholds based on benchmark and historical internal loss data for a metric based on operational losses
3.3.2.2 Thresholds based on residual risk levels for a metric based on risk assessment
3.4 RAF Level 3: Key Risk Indicators
3.4.1 Selecting key risk indicators
3.4.1.1 Candidate indicators identification
3.4.1.2 Appetite tracking suitability
3.4.1.3 Expert judgement
3.4.2 KRIs: setting and calibrating the thresholds
3.4.2.1 Threshold calibration based on historical data analysis and percentiles
3.4.2.2 Threshold fine-tuning based on benchmarking and backtesting
3.5 RAF Governance
3.5.1 RAF design and update
3.5.2 RAF monitoring and reporting
3.5.3 RAF threshold breaches and escalation
3.5.4 Action plan definition

4 The Three Lines of Defence Model: Key Success Factors for Effective Risk Management
Dr. Oliver Engels, Marc Peter Klein, Peter Gürtlschmidt, Dr. Georg Lienke, Rei Tanaka
4.1 Introduction
4.2 Regulatory framework in selected key jurisdictions
4.2.1 European Union
4.2.2 United States of America
4.2.3 Hong Kong
4.2.4 Singapore
4.2.5 Risk-type-specific qualifications of the 3LoD model: financial crime prevention
4.2.5.1 EU: remaining country-specific variation in 1st and 2nd LoD mandate
4.2.5.2 United States of America: BSA Compliance officer
4.2.5.3 Hong Kong: Money Laundering Reporting Officer and Compliance Officer
4.3 Key roles and responsibilities of 1st, 2nd and 3rd LoD
4.3.1 The first line of defence: risk owner
4.3.1.1 Scope of 1st LoD mandate
4.3.1.1.1 Risk ownership
4.3.1.1.2 Implementation and execution of 1st LoD controls
4.3.1.2 Allocation of 1st LoD responsibility
4.3.1.3 1st LoD risk-coordinating function (1.5th LoD)
4.3.1.3.1 Coordination of risk management activities
4.3.1.3.2 Interface to 2nd LoD
4.3.1.3.3 Regulatory advisor
4.3.2 The second line of defence: internal control functions
4.3.2.1 Scope of 2nd LoD mandate
4.3.2.1.1 Standard setting
4.3.2.1.2 Testing of 1st LoD controls
4.3.2.1.3 Risk assessment
4.3.2.1.4 Training and advisory
4.3.2.2 Risk materiality and corresponding intensity of 2nd LoD risk oversight
4.3.2.3 Independence of 2nd LoD risk oversight
4.3.2.3.1 Organisational independence
4.3.2.3.2 Functional independence
4.3.2.3.3 Internal control functions performing 1st LoD activities
4.3.2.4 Key success factors for effective 2nd LoD risk oversight
4.3.2.4.1 Methodology consistency across 2nd LoD functions
4.3.2.4.2 Bodies and committees: adequate 2nd LoD participation and information sharing
4.3.2.4.3 Appointment of primus inter pares non-financial risk governance function
4.3.3 The third line of defence: internal audit as provider of independent assurance
4.3.3.1 Independent assurance
4.3.3.1.1 Adequacy of risk management framework
4.3.3.1.2 Design and operating effectiveness
4.3.3.1.3 Compliance with regulatory requirements and internal standards
4.3.3.2 Advising the board of directors
4.4 Common pitfalls of the 3LoD model and precautionary measures
4.4.1 Insufficient risk ownership by 1st LoD
4.4.2 Lack of 2nd LoD expertise
4.4.3 Inadequate assurance by 3rd LoD
4.5 Conclusion

5 Global Functional Lead in Non-Financial Risk Management: Ensuring Consistency and Integration in Complex Organisations
Ulrike Brouzi, Dr. Michael Lange, P. Robert Mieszkowski, Jannik Leiendecker, Dr. Georg Lienke, Florian Seiferlein, Norbert Gittfried, Rei Tanaka
5.1 Introduction
5.2 Regulatory framework in select key markets
5.2.1 European Union
5.2.2 United States of America
5.2.3 Hong Kong
5.2.4 Singapore
5.3 Global functional lead: individual corporate parameters to consider
5.3.1 Corporate culture
5.3.2 Organisation's complexity
5.3.3 IT landscape
5.3.4 Geographical footprint
5.4 Major components of global functional lead in non-financial risk management
5.4.1 Operating model: striking a balance between global standards and regional execution
5.4.1.1 Regulatory horizon screening
5.4.1.2 Setting of risk-specific standards
5.4.1.3 Training and advisory
5.4.1.4 Controls by the 1st and 2nd line of defence
5.4.1.5 Non-financial risk assessment
5.4.1.6 Non-financial risk reporting
5.4.1.7 Group risk oversight
5.4.2 Reporting lines: establishing implementation accountability in vertical functions
5.4.2.1 Solid reporting lines into local legal entity and branch
5.4.2.2 Dotted reporting lines into global risk management organisation
5.4.3 Meeting governance: supporting effective management of a global risk function
5.5 Conclusion

6 Policies and Procedures: Framework and Governance Requirements in the Financial Sector
Dr. Erasmus Faber, Björn Stauber, Dr. Georg Lienke
6.1 Introduction
6.2 Regulatory framework in selected key jurisdictions
6.2.1 European Banking Authority (EBA)
6.2.2 US regulators
6.2.2.1 The Federal Reserve
6.2.2.2 Office of the Comptroller of the Currency
6.2.3 Hong Kong Monetary Authority
6.2.4 Monetary Authority of Singapore
6.3 Policy framework: key implications for a target concept
6.3.1 Status quo: need for structured approach
6.3.1.1 Lack of a harmonised approach
6.3.1.2 Policy gaps and redundancies
6.3.2 Policy framework: design concept and hierarchies
6.3.2.1 Design concept: key hypotheses for an effective policy framework
6.3.2.1.1 Harmonised design approach
6.3.2.1.2 Completeness
6.3.2.1.3 Uniform naming convention
6.3.2.1.4 Precise wording
6.3.2.1.5 Assignment of responsibilities
6.3.2.1.6 Governance rules
6.3.2.1.7 Linkage to internal processes and controls
6.3.2.2 Suggested hierarchy levels: key criteria and examples
6.3.2.3 Level one: overarching risk strategies, policies and documents – risk and business segment agnostic
6.3.2.3.1 Key criteria
6.3.2.3.2 Key risk type and business segment agnostic topics
6.3.2.4 Level two: risk-type-specific policies and procedures
6.3.2.4.1 Key criteria
6.3.2.4.2 Risk-type-specific documents
6.3.2.5 Level three: customer-related and business-specific policies and procedures
6.3.2.5.1 Key criteria
6.3.2.5.2 Customer-related and business-specific topics
6.3.2.6 Level four: policies and procedures in international locations
6.3.2.6.1 Scope of applicability: subsidiary companies and branch offices
6.3.2.6.2 Key criteria
6.4 Policy governance, repository and workflow tool
6.4.1 Approval of policies and procedures
6.4.1.1 Level one: board of directors
6.4.1.2 Level two: responsible board member
6.4.1.3 Level three: senior management on N-1 level
6.4.1.4 Level four: general manager or 2nd LoD N-1
6.4.2 Authorship, ownership, creation as well as update of policies and procedures
6.4.2.1 Document authorship
6.4.2.2 Document ownership
6.4.2.3 Document creation process
6.4.2.4 Stringent management of update process
6.4.2.4.1 Regular validation based on time intervals
6.4.2.4.2 Ad hoc updates
6.4.3 Policy repository, including workflow tool: centralised management of policies and procedures
6.4.3.1 Facilitation of access
6.4.3.2 Document lifecycle management
6.4.3.2.1 Regular validation of documents
6.4.3.2.2 Ad hoc updates
6.4.3.2.2.1 Changes in business and operating model
6.4.3.2.2.2 Changes in regulatory framework
6.4.3.3 Audit-proof change log
6.5 Conclusion

7 Top-Down Risk and Control Assessment: A Forward-Looking Approach to Evaluate Company-Wide Non-Financial Risk Exposure
Hurdogan Irmak, Burcu Nasuhoglu, Dr. Erasmus Faber, Lorenzo Fantini, Benedetta Testino, Jannik Leiendecker, Barbara Fojcik, Dr. Georg Lienke
7.1 Introduction
7.2 Top-down vs. bottom-up: different approaches based on desired outcomes
7.2.1 Approaches: risk-specific focus vs. overarching non-financial risk coverage
7.2.1.1 Bottom-up approach: risk-specific, granular focus
7.2.1.2 Top-down approach: overarching, holistic non-financial risk coverage
7.2.2 Potential outcomes: different scope of risk-coverage and level of granularity
7.3 Key success factors: maximising the effectiveness of top-down risk and control assessments
7.4 Regulatory framework, best practice and standard setter guidelines
7.4.1 COSO ERM framework
7.4.2 Bank for International Settlements
7.4.3 EBA and ECB
7.5 Methodology of top-down risk and control assessment: evaluation of inherent risk, control adequacy and residual risk
7.5.1 Non-financial risk taxonomy as a starting point
7.5.2 Measurement of inherent risk
7.5.2.1 Calculation of severity
7.5.2.1.1 Organisation-specific risk indicators
7.5.2.1.2 Industry adjustments
7.5.2.1.3 Weighting of risk indicators based on data source reliability
7.5.2.2 Calculation of likelihood
7.5.2.3 Inherent risk matrix
7.5.3 Measurement of internal control adequacy
7.5.3.1 Control indicators
7.5.3.2 Weighting of control indicators
7.5.3.3 Control rating
7.5.4 Determination of residual risk
7.6 Breakout: building an institution-wide internal control system
7.6.1 Introduction
7.6.2 Alternative path to building an internal control framework: top-down, risk-based approach
7.6.3 Five-step approach: building an internal control framework
7.6.3.1 Step 1: determination of NFR criticality
7.6.3.2 Step 2: mapping of key risks to process landscape
7.6.3.3 Step 3: definition of control objectives, key controls and control repository
7.6.3.4 Step 4: assessment of controls
7.6.3.5 Step 5: design NFR control report
7.7 Approach to handling residual risk
7.7.1 High residual risk: project and investment imperative to mitigating residual risk
7.7.2 Medium-high residual risk: action plan to reduce inherent risk exposure
7.7.3 Medium-low residual risk: continuous control testing and selected action requested
7.7.4 Low residual risk: periodic, risk-based controls
7.8 Integrated process to perform annual top-down risk and control assessment
7.8.1 Phase 1: pre-assessment by control functions
7.8.2 Phase 2: assessment by business senior management
7.8.3 Phase 3: validation and reporting

8 A Top-Down Approach to Non-Financial Risk Reporting: Collaboration Across Risk Types for Sustainable Risk Steering
Valérie Villafranca, Dr. Georg Lienke, Florian Seiferlein, Kai Gammelin, Dr. Katharina Hefter, Norbert Gittfried
8.1 Introduction: the imperative of top-down non-financial risk reporting
8.2 Regulatory framework in selected key markets
8.2.1 European Union
8.2.2 United States
8.2.3 Hong Kong
8.2.4 Singapore
8.3 Current state of non-financial risk reporting: formats with inconsistent scopes and methodologies
8.3.1 Operational risk reports
8.3.2 Additional 2nd LoD reports on specific non-financial risk types
8.3.3 Reports on internal control system
8.4 Key parameters of top-down non-financial risk reporting: methodology, required input and results
8.4.1 Identification and evaluation of key risk indicators
8.4.1.1 Determination of key risk indicators, thresholds and potential input sources
8.4.1.1.1 Step 1: understand risk factors
8.4.1.1.2 Step 2: identify key risk indicators
8.4.1.1.3 Step 3: derive institution-specific thresholds
8.4.1.2 Example KRIs: financial crime risk, outsourcing risk and human resources risk
8.4.1.2.1 Key risk indicators for financial crime risk
8.4.1.2.2 Key risk indicators for outsourcing risk
8.4.1.2.3 Key risk indicators for human resources risk
8.4.1.3 Evaluation of key risk indicators
8.4.2 Assessment of key controls as risk-mitigating measures
8.4.2.1 Step 1: capturing and allocation of controls
8.4.2.2 Step 2: assessment of controls
8.4.3 Determination of residual risk and required risk-mitigating actions
8.4.3.1 High level of residual risk
8.4.3.2 Medium level of residual risk
8.4.3.3 Low level of residual risk
8.5 Reporting process and governance
8.5.1 Governance arrangements
8.5.1.1 Board of directors
8.5.1.2 Chairman of the supervisory board
8.5.1.3 Central reporting unit
8.5.1.4 2nd LoD control functions
8.5.1.5 Operational risk department
8.5.2 Reporting process
8.6 Conclusion

9 Internal Investigations into Corporate Misconduct: Applying an Investigative Approach to Enable Proactive Risk Oversight
Lora von Ploetz, Florian Seiferlein
9.1 Introduction
9.2 Selected laws, regulations and standards
9.2.1 Supervisory sanction relief based on voluntary investigation and cooperation
9.2.1.1 Jurisdictions potentially reducing sanctions and enforcement actions due to effective investigation and cooperation
9.2.1.2 Jurisdictions not explicitly providing a bonus for self-disclosure and cooperation
9.2.1.3 Jurisdictions where investigations and cooperation do not change assessment of law enforcement
9.2.2 Statutory disclosure requirements
9.3 Concept for proactive risk oversight using an investigative approach
9.3.1 Investigation process
9.3.1.1 Proactive risk management
9.3.1.2 Strategic and tactical investigations
9.3.1.3 Example: sanctions-driven investigations
9.3.2 Information sharing and global risk management
9.3.2.1 How to connect needles in the same haystack (in a financial institution)
9.3.2.2 How to connect needles in different haystacks (between different financial institutions)
9.4 Success factors and common pitfalls

10 Technical Application and Data Architecture for Non-Financial Risk Management
Kai Gammelin, Björn Stauber, Dr. Christian N. Schmid, Dr. Jan-Oliver Fröhlich, Annika Melchert, Daniel Wagner
10.1 Introduction
10.1.1 A fragmented IT landscape
10.1.2 IT's impact on data availability
10.1.3 Data availability across borders
10.1.4 Additional challenges associated with group companies
10.2 Regulatory requirements
10.3 Six challenges in NFR management and reporting
10.3.1 Challenge 1: the lack of a defined NFR-IT strategy
10.3.2 Challenge 2: responsibility for and execution of NFR reporting-related activities (operational unit vs. NFR management)
10.3.3 Challenge 3: consistency and transparency of IT architecture
10.3.4 Challenge 4: alignment of data architecture for transparency on data lineage
10.3.5 Challenge 5: implementing a solid IT target architecture
10.3.6 Challenge 6: cost-benefit considerations
10.4 A target IT architecture for NFR
10.4.1 The NFR architecture ecosystem
10.4.2 Dashboards and reporting
10.4.3 Other key enabling technologies

11 Data Governance in Non-Financial Risk Management
Björn Stauber, Dr. Christian N. Schmid, Dr. Jan-Oliver Fröhlich, Annika Melchert, Daniel Wagner
11.1 Introduction
11.2 Regulatory requirements
11.3 Data governance to support NFR management
11.3.1 Data structures
11.3.2 Target operating model (TOM)
11.3.3 Data policies
11.3.4 Data tools
11.4 Scaling up state-of-the-art NFR data governance
11.4.1 Specific roles and responsibilities
11.4.2 Tool optimisation
11.5 Conclusion

12 Optimising Effectiveness and Efficiency: Deployment of Artificial Intelligence in Non-Financial Risk Management
Dr. Jochen Papenbrock, Dr. John Ashley, Dr. Georg Lienke, Florian Seiferlein, Norbert Gittfried
12.1 Introduction
12.2 Financial sector digitisation: the front-to-back case for AI
12.2.1 Digital transformation of business and operating models
12.2.1.1 Changed customer expectations and behaviour
12.2.1.2 Increasing efficiency challenges
12.2.2 Impact of COVID-19
12.2.2.1 Accelerator of digitisation
12.2.2.2 Modified risk environment
12.3 Regulatory approach to artificial intelligence
12.3.1 Overview
12.3.1.1 European Union
12.3.1.1.1 European Commission
12.3.1.1.2 European Banking Authority
12.3.1.1.3 National financial supervisors
12.3.1.2 United States
12.3.1.3 Hong Kong
12.3.1.4 Singapore
12.3.2 Summary of key regulatory expectations
12.3.2.1 Governance
12.3.2.2 Design and development
12.3.2.3 Ongoing maintenance
12.4 Machine learning algorithms: Key learning modes and examples
12.4.1 Supervised learning
12.4.2 Unsupervised learning
12.4.3 Reinforcement learning
12.4.4 Deep learning
12.5 Deployment of AI in non-financial risk management
12.5.1 Financial crime prevention: biometric customer identification, dynamic CRR calculation and AI-based transaction screening
12.5.1.1 Know your customer: automated biometric identification of customers
12.5.1.2 Dynamic calculation of customer risk ratings: faster reaction to material changes in client risk profiles
12.5.1.2.1 Automatic data import into the CRR system
12.5.1.2.2 Dynamic recalculation of customer risk ratings
12.5.1.3 Negative news screening: AI-supported reduction of screening efforts
12.5.1.3.1 Matching of customer names to negative news
12.5.1.3.2 Contextual pre-evaluation of news articles
12.5.1.4 Sanctions name screening: AI-supported reduction of false positive alerts and pre-assessment of screening alerts
12.5.1.4.1 Reduction of false positive alerts via feedback loop
12.5.1.4.2 Pre-assessment of generated alerts and optimisation of manual alert reviews
12.5.1.5 Sanctions transaction screening
12.5.1.6 AML transaction monitoring: deploying artificial intelligence to manual investigations
12.5.2 Prevention of market abuse: AI-based detection of irregularities in securities trading
12.5.2.1 Behaviour-based tracking of trading portfolios: AI-based detection of irregular transactions
12.5.2.2 AI-based assessment of trader's voice and email communication
12.5.3 Management of AI (model) risk: key discipline for data-driven financial institutions
12.5.4 AI4ESG: tech-driven sustainable finance
12.5.5 AI infrastructure for non-financial risk management
12.6 Conclusion

13 Core Elements of Conduct and Ethics in the Context of Non-Financial Risk
Dr. Barbara Roth, Dr. Erasmus Faber, Dr. Julia Gebhardt, Dr. Katharina Hefter
13.1 Conduct risk: definitions, characteristics and regulatory landscape
13.1.1 Conduct and compliance, ethics versus integrity
13.1.1.1 Finding common ground: definition of key terms
13.1.1.2 Conduct-based versus integrity-based ethics
13.1.1.3 An integrative approach for synthesising conduct-/compliance-based and integrity-based ethics
13.1.2 What is meant when we talk about conduct risk?
13.1.2.1 No universal definition
13.1.2.2 Three key topics: market, client and employee conduct risk
13.1.3 Conduct risk in the NFR taxonomy
13.2 Regulatory landscape
13.2.1 European perspective
13.2.1.1 European/UK regulators
13.2.1.2 Other European countries
13.2.2 US perspective
13.2.3 Asia-Pacific perspective
13.3 Why conduct risk matters
13.3.1 Increased regulatory scrutiny
13.3.1.1 Focus on regulatory oversight
13.3.1.2 Frequency of regulatory actions
13.3.2 Supervisory and legal actions
13.3.2.1 Actions against firms
13.3.2.2 Actions against individuals

14 Managing Conduct Risk: Framework and Perspectives
Prof. Dr. Martin Schulz, Dr. Julia Gebhardt, Dr. Katharina Hefter, Rene Bystron
14.1 Trends and perspectives in respect of conduct risk in the regulatory context
14.1.1 Treating Customers Fairly (TCF)
14.1.2 Senior management regimes as emerging global trends in conduct risk
14.1.2.1 UK
14.1.2.2 Hong Kong and Singapore
14.1.2.3 Malaysia
14.1.2.4 Australia
14.2 Conduct Risk Management as integral part of ESG
14.2.1 G like conduct
14.2.2 New legislative focus and recent regulatory developments
14.2.3 Activities at the EU level
14.2.4 Optimising ESG risk management
14.3 Managing conduct risk
14.3.1 The Conduct Risk House
14.3.2 Building a Conduct Risk framework

15 Successful ESG Transition: Implications and Challenges for Effective Risk Management
Anita Varshney, Jannik Leiendecker, Aytech Pseunokov
15.1 Introduction
15.2 Regulatory frameworks in selected key jurisdictions
15.2.1 General overview
15.2.2 European Union
15.2.2.1 Non-Financial Reporting Directive & Corporate Sustainability Reporting Directive
15.2.2.2 Sustainable finance taxonomy
15.2.2.3 EU Disclosure Regulation
15.2.2.4 EU Prudential Regulations
15.2.3 United States
15.2.4 Hong Kong
15.2.5 Singapore
15.3 Sustainable finance: upcoming challenges for companies
15.4 Target picture: effective management of ESG risk
15.4.1 ESG strategy
15.4.2 Governance and organisation
15.4.3 ESG risk steering
15.4.4 Identification of enabling factors
15.4.5 ESG as an opportunity
15.5 Conclusion

Bibliography
