Gittfried / Lienke / Seiferlein | Non-financial Risk Management in the Financial Industry | E-Book | sack.de

E-Book, English, 374 pages

Gittfried / Lienke / Seiferlein Non-financial Risk Management in the Financial Industry

A Target Operating Model for Compliance and ESG Risks


ISBN: 978-3-95647-190-2
Publisher: Frankfurt School Verlag
Format: PDF
Copy protection: watermark



Managing environmental, social and governance (ESG) risk, compliance risk and non-financial risk (NFR) has become increasingly critical for businesses in the financial services industry. Regulators' expectations are ever more demanding, while monetary sanctions are being scaled up. Accordingly, ESG, Compliance and NFR risk management requires sophistication across the various elements of a risk management system. This handbook analyses a major success factor for meeting the requirements of modern risk management: an institution-specific target operating model (TOM) that integrates strategy, governance & organisation, risk management, data architecture and cultural elements to ensure maximum effectiveness. Institutions also need to master the digital transformation if their business model is to remain sustainable in the years to come; this book offers ways to achieve just that. The book has been written by senior ESG, Compliance and NFR experts from key markets in Europe, the U.S. and Asia. It gives practitioners the guidance needed to master the challenges of today's global risk environment. Each chapter covers key regulatory requirements and major implementation challenges as well as practical solutions and examples.

Norbert Gittfried is a Partner and Director at Boston Consulting Group. As topic coordinator for Compliance & Regulation, he advises large financial institutions worldwide on complex compliance transformations and the development of overarching non-financial risk steering approaches. His focus lies in establishing effective Compliance and NFR management systems, digitising those functions and making them more efficient. Prior to joining BCG 11 years ago, he was a Senior Manager at a Big 4 company. He is a lecturer at Goethe Business School and a permanent representative in various industry bodies for financial institutions.

Georg Lienke is a lawyer and Associate Director at Boston Consulting Group, focusing on non-financial risk management and Compliance. In his work for financial institutions and corporate clients over the last 15 years, his focus has been on the design and implementation of target operating models for non-financial risk management. Georg regularly publishes on non-financial risk topics. He holds a Ph.D. in law from the Technical University Dresden and a Master of Laws in Corporate and Financial Law from the University of Hong Kong. Prior to joining BCG, Georg worked at a Big 4 company and a global bank.

Florian Seiferlein is an Associate Director at Boston Consulting Group. For over a decade, he has advised leading companies on Compliance & Non-Financial Risks (NFR). He has managed large-scale Compliance & NFR transformations, investigations and regulatory assessments in Europe, North America and Africa, and he has also been part of US Monitor teams. Prior to joining BCG, he worked for Big 4 and management consulting firms. Florian holds a Master of Science in business engineering (Karlsruhe Institute of Technology).

Jannik Leiendecker is a Partner and an Associate Director at Boston Consulting Group. Over the last 11 years, his focus has been on Non-Financial Risk (incl. Compliance) and ESG. He has advised numerous clients, especially within the Financial Services industry, on the set-up and optimisation of their respective operating models. He has also co-authored various corresponding publications. Jannik holds a Master of Science in Economic History from the London School of Economics and a Bachelor of Science in Business from the Ludwig-Maximilians-University in Munich.

Bernhard Gehra is a Senior Partner and Managing Director at Boston Consulting Group. His focus has been on Risk, Compliance and Technology for more than 20 years. During the latter part of that period, he has led large worldwide projects focused on Risk and Non-Financial Risk. Furthermore, Bernhard has recently managed ESG Compliance issues for large companies. Prior to joining BCG, he worked for a global securities service provider. Bernhard holds a Ph.D. in information science.

Further information & material


Title ... 1
Table of contents ... 5
Editors ... 21
Contributors ... 22
Foreword ... 25
1 Introduction: Rising to the Challenges of Non-Financial Risk Management, Compliance and ESG ... 27
  1.1 New risks and challenges ... 27
  1.2 A forward-looking solution for non-financial risk management in the financial industry ... 28
  1.3 Defining and aligning non-financial risk categories ... 28
  1.4 Establishing a non-financial risk appetite framework to prevent undesirable risk-taking ... 29
  1.5 Building key governance and organisational pillars for non-financial risk management ... 29
  1.6 Generating excellence in the non-financial risk management lifecycle ... 30
  1.7 Using data, IT and artificial intelligence ... 31
  1.8 Putting conduct and ethics at the centre of sustainable non-financial risk management ... 32
  1.9 Environment, social and governance: Implications for effective risk management ... 33
2 Definition of Non-Financial Risk in Financial Institutions ... 35
  2.1 Introduction ... 35
  2.2 History of non-financial risk and specifications by key regulators ... 37
    2.2.1 A short history of non-financial risk ... 38
    2.2.2 Existing non-financial risk specifications by key global and regional regulators and associations ... 41
  2.3 Differentiation of financial and non-financial risk ... 42
    2.3.1 Financial risk definition ... 43
    2.3.2 Non-financial risk definition ... 44
  2.4 Specific clusters of non-financial risk ... 44
    2.4.1 Operational risk ... 47
      2.4.1.1 Financial crime risk ... 47
        2.4.1.1.1 Money-laundering/terrorist financing risk ... 48
        2.4.1.1.2 Sanctions and embargoes risk ... 48
        2.4.1.1.3 Bribery and corruption risk ... 49
        2.4.1.1.4 Facilitation of tax evasion ... 49
      2.4.1.2 Conduct risk ... 50
        2.4.1.2.1 Market conduct risk ... 50
        2.4.1.2.2 Client conduct risk ... 51
        2.4.1.2.3 Employee conduct risk ... 51
      2.4.1.3 Regulatory compliance risk ... 51
      2.4.1.4 Fraud risk ... 52
        2.4.1.4.1 Account-opening fraud risk ... 53
        2.4.1.4.2 Debit/credit card fraud risk ... 53
        2.4.1.4.3 Fraudulent paper-based payment transactions risk ... 54
        2.4.1.4.4 Online banking fraud risk ... 54
        2.4.1.4.5 Credit fraud risk ... 54
        2.4.1.4.6 Theft risk ... 54
        2.4.1.4.7 Embezzlement/breach of trust risk ... 54
        2.4.1.4.8 Antitrust violation risk ... 55
        2.4.1.4.9 Balance sheet manipulation ... 55
      2.4.1.5 Information, Communication & Technology (ICT) and Cyber risk ... 55
        2.4.1.5.1 Data confidentiality risk ... 57
        2.4.1.5.2 Data availability risk ... 58
        2.4.1.5.3 Data integrity risk ... 58
        2.4.1.5.4 Information security risk ... 58
      2.4.1.6 Data privacy and bank secrecy risk ... 59
        2.4.1.6.1 Data privacy risk ... 59
        2.4.1.6.2 Bank secrecy risk ... 60
      2.4.1.7 Resilience risk ... 60
      2.4.1.8 Outsourcing and vendor risk ... 61
        2.4.1.8.1 Intragroup outsourcing risk ... 62
        2.4.1.8.2 External outsourcing risk ... 62
        2.4.1.8.3 Vendor risk ... 63
      2.4.1.9 Tax reporting risk ... 63
      2.4.1.10 Other operational risk ... 63
        2.4.1.10.1 Human resources risk ... 63
        2.4.1.10.2 Legal risk ... 63
        2.4.1.10.3 Physical damage risk ... 64
        2.4.1.10.4 Execution, delivery and process risk ... 64
        2.4.1.10.5 Reporting risk ... 64
        2.4.1.10.6 Accounting risk ... 65
        2.4.1.10.7 Project risk ... 65
        2.4.1.10.8 Competition law risk ... 65
        2.4.1.10.9 Model risk ... 65
    2.4.2 Strategic risk ... 66
      2.4.2.1 Reputational risk ... 66
      2.4.2.2 Sustainability risk ... 67
        2.4.2.2.1 Climate change risk ... 67
        2.4.2.2.2 Human rights risk ... 68
      2.4.2.3 Business risk ... 68
        2.4.2.3.1 Forecasting risk ... 68
        2.4.2.3.2 Inorganic growth risk ... 69
        2.4.2.3.3 New business risk ... 69
        2.4.2.3.4 Investor relations risk ... 69
  2.5 Conclusion and outlook ... 69
3 Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks ... 71
  3.1 Introduction ... 71
    3.1.1 Regulatory requirements ... 71
    3.1.2 RAF in practice ... 73
  3.2 RAF Level 1: Overall Risk Appetite Statement ... 75
    3.2.1 Overall statement ... 75
    3.2.2 Prohibited activities ... 77
  3.3 RAF Level 2: Risk Appetite metrics ... 77
    3.3.1 Defining appropriate metrics ... 77
    3.3.2 Metrics: setting the thresholds ... 78
      3.3.2.1 Thresholds based on benchmark and historical internal loss data for a metric based on operational losses ... 79
      3.3.2.2 Thresholds based on residual risk levels for a metric based on risk assessment ... 80
  3.4 RAF Level 3: Key Risk Indicators ... 81
    3.4.1 Selecting key risk indicators ... 81
      3.4.1.1 Candidate indicators identification ... 82
      3.4.1.2 Appetite tracking suitability ... 82
      3.4.1.3 Expert judgement ... 82
    3.4.2 KRIs: setting and calibrating the thresholds ... 86
      3.4.2.1 Threshold calibration based on historical data analysis and percentiles ... 86
      3.4.2.2 Threshold fine-tuning based on benchmarking and backtesting ... 88
  3.5 RAF Governance ... 89
    3.5.1 RAF design and update ... 90
    3.5.2 RAF monitoring and reporting ... 91
    3.5.3 RAF threshold breaches and escalation ... 92
    3.5.4 Action plan definition ... 94
4 The Three Lines of Defence Model: Key Success Factors for Effective Risk Management ... 97
  4.1 Introduction ... 97
  4.2 Regulatory framework in selected key jurisdictions ... 98
    4.2.1 European Union ... 98
    4.2.2 United States of America ... 99
    4.2.3 Hong Kong ... 99
    4.2.4 Singapore ... 99
    4.2.5 Risk-type-specific qualifications of the 3LoD model: financial crime prevention ... 100
      4.2.5.1 EU: remaining country-specific variation in 1st and 2nd LoD mandate ... 100
      4.2.5.2 United States of America: BSA Compliance officer ... 100
      4.2.5.3 Hong Kong: Money Laundering Reporting Officer and Compliance Officer ... 101
  4.3 Key roles and responsibilities of 1st, 2nd and 3rd LoD ... 101
    4.3.1 The first line of defence: risk owner ... 102
      4.3.1.1 Scope of 1st LoD mandate ... 102
        4.3.1.1.1 Risk ownership ... 102
        4.3.1.1.2 Implementation and execution of 1st LoD controls ... 102
      4.3.1.2 Allocation of 1st LoD responsibility ... 102
      4.3.1.3 1st LoD risk-coordinating function (1.5th LoD) ... 103
        4.3.1.3.1 Coordination of risk management activities ... 103
        4.3.1.3.2 Interface to 2nd LoD ... 103
        4.3.1.3.3 Regulatory advisor ... 103
    4.3.2 The second line of defence: internal control functions ... 104
      4.3.2.1 Scope of 2nd LoD mandate ... 104
        4.3.2.1.1 Standard setting ... 104
        4.3.2.1.2 Testing of 1st LoD controls ... 105
        4.3.2.1.3 Risk assessment ... 105
        4.3.2.1.4 Training and advisory ... 105
      4.3.2.2 Risk materiality and corresponding intensity of 2nd LoD risk oversight ... 105
      4.3.2.3 Independence of 2nd LoD risk oversight ... 106
        4.3.2.3.1 Organisational independence ... 106
        4.3.2.3.2 Functional independence ... 106
        4.3.2.3.3 Internal control functions performing 1st LoD activities ... 107
      4.3.2.4 Key success factors for effective 2nd LoD risk oversight ... 108
        4.3.2.4.1 Methodology consistency across 2nd LoD functions ... 108
        4.3.2.4.2 Bodies and committees: adequate 2nd LoD participation and information sharing ... 109
        4.3.2.4.3 Appointment of primus inter pares non-financial risk governance function ... 110
    4.3.3 The third line of defence: internal audit as provider of independent assurance ... 111
      4.3.3.1 Independent assurance ... 111
        4.3.3.1.1 Adequacy of risk management framework ... 111
        4.3.3.1.2 Design and operating effectiveness ... 111
        4.3.3.1.3 Compliance with regulatory requirements and internal standards ... 112
      4.3.3.2 Advising the board of directors ... 112
  4.4 Common pitfalls of the 3LoD model and precautionary measures ... 112
    4.4.1 Insufficient risk ownership by 1st LoD ... 112
    4.4.2 Lack of 2nd LoD expertise ... 113
    4.4.3 Inadequate assurance by 3rd LoD ... 113
  4.5 Conclusion ... 114
5 Global Functional Lead in Non-Financial Risk Management: Ensuring Consistency and Integration in Complex Organisations ... 115
  5.1 Introduction ... 115
  5.2 Regulatory framework in select key markets ... 117
    5.2.1 European Union ... 117
    5.2.2 United States of America ... 117
    5.2.3 Hong Kong ... 118
    5.2.4 Singapore ... 118
  5.3 Global functional lead: individual corporate parameters to consider ... 118
    5.3.1 Corporate culture ... 118
    5.3.2 Organisation’s complexity ... 119
    5.3.3 IT landscape ... 119
    5.3.4 Geographical footprint ... 119
  5.4 Major components of global functional lead in non-financial risk management ... 119
    5.4.1 Operating model: striking a balance between global standards and regional execution ... 120
      5.4.1.1 Regulatory horizon screening ... 121
      5.4.1.2 Setting of risk-specific standards ... 122
      5.4.1.3 Training and advisory ... 123
      5.4.1.4 Controls by the 1st and 2nd line of defence ... 123
      5.4.1.5 Non-financial risk assessment ... 124
      5.4.1.6 Non-financial risk reporting ... 125
      5.4.1.7 Group risk oversight ... 125
    5.4.2 Reporting lines: establishing implementation accountability in vertical functions ... 126
      5.4.2.1 Solid reporting lines into local legal entity and branch ... 126
      5.4.2.2 Dotted reporting lines into global risk management organisation ... 127
    5.4.3 Meeting governance: supporting effective management of a global risk function ... 127
  5.5 Conclusion ... 128
6 Policies and Procedures: Framework and Governance Requirements in the Financial Sector ... 131
  6.1 Introduction ... 131
  6.2 Regulatory framework in selected key jurisdictions ... 131
    6.2.1 European Banking Authority (EBA) ... 132
    6.2.2 US regulators ... 132
      6.2.2.1 The Federal Reserve ... 132
      6.2.2.2 Office of the Comptroller of the Currency ... 133
    6.2.3 Hong Kong Monetary Authority ... 133
    6.2.4 Monetary Authority of Singapore ... 134
  6.3 Policy framework: key implications for a target concept ... 135
    6.3.1 Status quo: need for structured approach ... 135
      6.3.1.1 Lack of a harmonised approach ... 135
      6.3.1.2 Policy gaps and redundancies ... 135
    6.3.2 Policy framework: design concept and hierarchies ... 136
      6.3.2.1 Design concept: key hypotheses for an effective policy framework ... 136
        6.3.2.1.1 Harmonised design approach ... 136
        6.3.2.1.2 Completeness ... 136
        6.3.2.1.3 Uniform naming convention ... 136
        6.3.2.1.4 Precise wording ... 137
        6.3.2.1.5 Assignment of responsibilities ... 137
        6.3.2.1.6 Governance rules ... 137
        6.3.2.1.7 Linkage to internal processes and controls ... 137
      6.3.2.2 Suggested hierarchy levels: key criteria and examples ... 137
      6.3.2.3 Level one: overarching risk strategies, policies and documents – risk and business segment agnostic ... 138
        6.3.2.3.1 Key criteria ... 138
        6.3.2.3.2 Key risk type and business segment agnostic topics ... 138
      6.3.2.4 Level two: risk-type-specific policies and procedures ... 139
        6.3.2.4.1 Key criteria ... 139
        6.3.2.4.2 Risk-type-specific documents ... 139
      6.3.2.5 Level three: customer-related and business-specific policies and procedures ... 140
        6.3.2.5.1 Key criteria ... 140
        6.3.2.5.2 Customer-related and business-specific topics ... 141
      6.3.2.6 Level four: policies and procedures in international locations ... 141
        6.3.2.6.1 Scope of applicability: subsidiary companies and branch offices ... 141
        6.3.2.6.2 Key criteria ... 141
  6.4 Policy governance, repository and workflow tool ... 142
    6.4.1 Approval of policies and procedures ... 143
      6.4.1.1 Level one: board of directors ... 143
      6.4.1.2 Level two: responsible board member ... 143
      6.4.1.3 Level three: senior management on N-1 level ... 143
      6.4.1.4 Level four: general manager or 2nd LoD N-1 ... 143
    6.4.2 Authorship, ownership, creation as well as update of policies and procedures ... 144
      6.4.2.1 Document authorship ... 144
      6.4.2.2 Document ownership ... 144
      6.4.2.3 Document creation process ... 144
      6.4.2.4 Stringent management of update process ... 144
        6.4.2.4.1 Regular validation based on time intervals ... 145
        6.4.2.4.2 Ad hoc updates ... 145
    6.4.3 Policy repository, including workflow tool: centralised management of policies and procedures ... 145
      6.4.3.1 Facilitation of access ... 146
      6.4.3.2 Document lifecycle management ... 146
        6.4.3.2.1 Regular validation of documents ... 146
        6.4.3.2.2 Ad hoc updates ... 146
          6.4.3.2.2.1 Changes in business and operating model ... 146
          6.4.3.2.2.2 Changes in regulatory framework ... 147
      6.4.3.3 Audit-proof change log ... 147
  6.5 Conclusion ... 147
7 Top-Down Risk and Control Assessment: A Forward-Looking Approach to Evaluate Company-Wide Non-Financial Risk Exposure ... 149
  7.1 Introduction ... 149
  7.2 Top-down vs. bottom-up: different approaches based on desired outcomes ... 150
    7.2.1 Approaches: risk-specific focus vs. overarching non-financial risk coverage ... 150
      7.2.1.1 Bottom-up approach: risk-specific, granular focus ... 151
      7.2.1.2 Top-down approach: overarching, holistic non-financial risk coverage ... 151
    7.2.2 Potential outcomes: different scope of risk coverage and level of granularity ... 152
  7.3 Key success factors: maximising the effectiveness of top-down risk and control assessments ... 152
  7.4 Regulatory framework, best practice and standard setter guidelines ... 153
    7.4.1 COSO ERM framework ... 153
    7.4.2 Bank for International Settlements ... 154
    7.4.3 EBA and ECB ... 154
  7.5 Methodology of top-down risk and control assessment: evaluation of inherent risk, control adequacy and residual risk ... 155
    7.5.1 Non-financial risk taxonomy as a starting point ... 155
    7.5.2 Measurement of inherent risk ... 155
      7.5.2.1 Calculation of severity ... 156
        7.5.2.1.1 Organisation-specific risk indicators ... 156
        7.5.2.1.2 Industry adjustments ... 158
        7.5.2.1.3 Weighting of risk indicators based on data source reliability ... 159
      7.5.2.2 Calculation of likelihood ... 159
      7.5.2.3 Inherent risk matrix ... 160
    7.5.3 Measurement of internal control adequacy ... 160
      7.5.3.1 Control indicators ... 161
      7.5.3.2 Weighting of control indicators ... 162
      7.5.3.3 Control rating ... 162
    7.5.4 Determination of residual risk ... 163
  7.6 Breakout: building an institution-wide internal control system ... 164
    7.6.1 Introduction ... 164
    7.6.2 Alternative path to building an internal control framework: top-down, risk-based approach ... 164
    7.6.3 Five-step approach: building an internal control framework ... 165
      7.6.3.1 Step 1: determination of NFR criticality ... 165
      7.6.3.2 Step 2: mapping of key risks to process landscape ... 165
      7.6.3.3 Step 3: definition of control objectives, key controls and control repository ... 166
      7.6.3.4 Step 4: assessment of controls ... 166
      7.6.3.5 Step 5: design NFR control report ... 167
  7.7 Approach to handling residual risk ... 167
    7.7.1 High residual risk: project and investment imperative to mitigating residual risk ... 168
    7.7.2 Medium-high residual risk: action plan to reduce inherent risk exposure ... 168
    7.7.3 Medium-low residual risk: continuous control testing and selected action requested ... 168
    7.7.4 Low residual risk: periodic, risk-based controls ... 168
  7.8 Integrated process to perform annual top-down risk and control assessment ... 169
    7.8.1 Phase 1: pre-assessment by control functions ... 169
    7.8.2 Phase 2: assessment by business senior management ... 170
    7.8.3 Phase 3: validation and reporting ... 170
8 A Top-Down Approach to Non-Financial Risk Reporting: Collaboration Across Risk Types for Sustainable Risk Steering ... 171
  8.1 Introduction: the imperative of top-down non-financial risk reporting ... 171
  8.2 Regulatory framework in selected key markets ... 172
    8.2.1 European Union ... 172
    8.2.2 United States ... 173
    8.2.3 Hong Kong ... 173
    8.2.4 Singapore ... 174
  8.3 Current state of non-financial risk reporting: formats with inconsistent scopes and methodologies ... 174
    8.3.1 Operational risk reports ... 174
    8.3.2 Additional 2nd LoD reports on specific non-financial risk types ... 175
    8.3.3 Reports on internal control system ... 176
  8.4 Key parameters of top-down non-financial risk reporting: methodology, required input and results ... 176
    8.4.1 Identification and evaluation of key risk indicators ... 177
      8.4.1.1 Determination of key risk indicators, thresholds and potential input sources ... 177
        8.4.1.1.1 Step 1: understand risk factors ... 177
        8.4.1.1.2 Step 2: identify key risk indicators ... 177
        8.4.1.1.3 Step 3: derive institution-specific thresholds ... 177
      8.4.1.2 Example KRIs: financial crime risk, outsourcing risk and human resources risk ... 178
        8.4.1.2.1 Key risk indicators for financial crime risk ... 178
        8.4.1.2.2 Key risk indicators for outsourcing risk ... 180
        8.4.1.2.3 Key risk indicators for human resources risk ... 180
      8.4.1.3 Evaluation of key risk indicators ... 181
    8.4.2 Assessment of key controls as risk-mitigating measures ... 182
      8.4.2.1 Step 1: capturing and allocation of controls ... 182
      8.4.2.2 Step 2: assessment of controls ... 184
    8.4.3 Determination of residual risk and required risk-mitigating actions ... 185
      8.4.3.1 High level of residual risk ... 186
      8.4.3.2 Medium level of residual risk ... 186
      8.4.3.3 Low level of residual risk ... 187
  8.5 Reporting process and governance ... 187
    8.5.1 Governance arrangements ... 187
      8.5.1.1 Board of directors ... 187
      8.5.1.2 Chairman of the supervisory board ... 187
      8.5.1.3 Central reporting unit ... 187
      8.5.1.4 2nd LoD control functions ... 188
      8.5.1.5 Operational risk department ... 188
    8.5.2 Reporting process ... 188
  8.6 Conclusion ... 189
9 Internal Investigations into Corporate Misconduct: Applying an Investigative Approach to Enable Proactive Risk Oversight ... 191
  9.1 Introduction ... 191
  9.2 Selected laws, regulations and standards ... 192
    9.2.1 Supervisory sanction relief based on voluntary investigation and cooperation ... 194
      9.2.1.1 Jurisdictions potentially reducing sanctions and enforcement actions due to effective investigation and cooperation ... 194
      9.2.1.2 Jurisdictions not explicitly providing a bonus for self-disclosure and cooperation ... 196
      9.2.1.3 Jurisdictions where investigations and cooperation do not change assessment of law enforcement ... 196
    9.2.2 Statutory disclosure requirements ... 197
    9.2.3 Investigation standards and requirements ... 198
  9.3 Concept for proactive risk oversight using an investigative approach ... 199
    9.3.1 Investigation process ... 200
      9.3.1.1 Proactive risk management ... 201
      9.3.1.2 Strategic and tactical investigations ... 203
      9.3.1.3 Example: sanctions-driven investigations ... 204
    9.3.2 Information sharing and global risk management ... 207
      9.3.2.1 How to connect needles in the same haystack (in a financial institution) ... 208
      9.3.2.2 How to connect needles in different haystacks (between different financial institutions) ... 209
  9.4 Success factors and common pitfalls ... 211
10 Technical Application and Data Architecture for Non-Financial Risk Management ... 213
  10.1 Introduction ... 213
    10.1.1 A fragmented IT landscape ... 213
    10.1.2 IT’s impact on data availability ... 216
    10.1.3 Data availability across borders ... 216
    10.1.4 Additional challenges associated with group companies ... 216
  10.2 Regulatory requirements ... 218
  10.3 Six challenges in NFR management and reporting ... 219
    10.3.1 Challenge 1: the lack of a defined NFR-IT strategy ... 219
    10.3.2 Challenge 2: responsibility for and execution of NFR reporting-related activities (operational unit vs. NFR management) ... 220
    10.3.3 Challenge 3: consistency and transparency of IT architecture ... 221
    10.3.4 Challenge 4: alignment of data architecture for transparency on data lineage ... 222
    10.3.5 Challenge 5: implementing a solid IT target architecture ... 223
    10.3.6 Challenge 6: cost-benefit considerations ... 223
  10.4 A target IT architecture for NFR ... 223
    10.4.1 The NFR architecture ecosystem ... 226
    10.4.2 Dashboards and reporting ... 226
    10.4.3 Other key enabling technologies ... 227
11 Data Governance in Non-Financial Risk Management ... 229
  11.1 Introduction ... 229
  11.2 Regulatory requirements ... 230
  11.3 Data governance to support NFR management ... 230
    11.3.1 Data structures ... 231
    11.3.2 Target operating model (TOM) ... 232
    11.3.3 Data policies ... 233
    11.3.4 Data tools ... 233
  11.4 Scaling up state-of-the-art NFR data governance ... 234
    11.4.1 Specific roles and responsibilities ... 236
    11.4.2 Tool optimisation ... 238
  11.5 Conclusion ... 238
12 Optimising Effectiveness and Efficiency: Deployment of Artificial Intelligence in Non-Financial Risk Management ... 239
  12.1 Introduction ... 239
  12.2 Financial sector digitisation: the front-to-back case for AI ... 239
    12.2.1 Digital transformation of business and operating models ... 240
      12.2.1.1 Changed customer expectations and behaviour ... 240
      12.2.1.2 Increasing efficiency challenges ... 240
    12.2.2 Impact of COVID-19 ... 240
      12.2.2.1 Accelerator of digitisation ... 241
      12.2.2.2 Modified risk environment ... 241
  12.3 Regulatory approach to artificial intelligence ... 242
    12.3.1 Overview ... 242
      12.3.1.1 European Union ... 242
        12.3.1.1.1 European Commission ... 242
        12.3.1.1.2 European Banking Authority ... 243
        12.3.1.1.3 National financial supervisors ... 244
      12.3.1.2 United States ... 244
      12.3.1.3 Hong Kong ... 245
      12.3.1.4 Singapore ... 245
    12.3.2 Summary of key regulatory expectations ... 245
      12.3.2.1 Governance ... 245
      12.3.2.2 Design and development ... 245
      12.3.2.3 Ongoing maintenance ... 246
  12.4 Machine learning algorithms: Key learning modes and examples ... 247
    12.4.1 Supervised learning ... 249
    12.4.2 Unsupervised learning ... 249
    12.4.3 Reinforcement learning ... 249
    12.4.4 Deep learning ... 250
  12.5 Deployment of AI in non-financial risk management ... 251
    12.5.1 Financial crime prevention: biometric customer identification, dynamic CRR calculation and AI-based transaction screening ... 251
      12.5.1.1 Know your customer: automated biometric identification of customers ... 251
      12.5.1.2 Dynamic calculation of customer risk ratings: faster reaction to material changes in client risk profiles ... 252
        12.5.1.2.1 Automatic data import into the CRR system ... 252
        12.5.1.2.2 Dynamic recalculation of customer risk ratings ... 253
      12.5.1.3 Negative news screening: AI-supported reduction of screening efforts ... 253
        12.5.1.3.1 Matching of customer names to negative news ... 253
        12.5.1.3.2 Contextual pre-evaluation of news articles ... 254
      12.5.1.4 Sanctions name screening: AI-supported reduction of false positive alerts and pre-assessment of screening alerts ... 254
        12.5.1.4.1 Reduction of false positive alerts via feedback loop ... 255
        12.5.1.4.2 Pre-assessment of generated alerts and optimisation of manual alert reviews ... 255
      12.5.1.5 Sanctions transaction screening ... 256
      12.5.1.6 AML transaction monitoring: deploying artificial intelligence to manual investigations ... 256
    12.5.2 Prevention of market abuse: AI-based detection of irregularities in securities trading ... 257
      12.5.2.1 Behaviour-based tracking of trading portfolios: AI-based detection of irregular transactions ... 257
      12.5.2.2 AI-based assessment of trader’s voice and email communication ... 258
    12.5.3 Management of AI (model) risk: key discipline for data-driven financial institutions ... 258
    12.5.4 AI4ESG: tech-driven sustainable finance ... 261
    12.5.5 AI infrastructure for non-financial risk management ... 262
  12.6 Conclusion ... 265
13 Core Elements of Conduct and Ethics in the Context of Non-Financial Risk ... 267
  13.1 Conduct risk: definitions, characteristics and regulatory landscape ... 267
    13.1.1 Conduct and compliance, ethics versus integrity ... 267
      13.1.1.1 Finding common ground: definition of key terms ... 267
      13.1.1.2 Conduct-based versus integrity-based ethics ... 269
      13.1.1.3 An integrative approach for synthesising conduct-/compliance-based and integrity-based ethics ... 270
    13.1.2 What is meant when we talk about conduct risk? ... 272
      13.1.2.1 No universal definition ... 272
      13.1.2.2 Three key topics: market, client and employee conduct risk ... 273
    13.1.3 Conduct risk in the NFR taxonomy ... 275
  13.2 Regulatory landscape ... 276
    13.2.1 European perspective ... 278
      13.2.1.1 European/UK regulators ... 278
      13.2.1.2 Other European countries ... 283
    13.2.2 US perspective ... 286
    13.2.3 Asia-Pacific perspective ... 288
  13.3 Why conduct risk matters ... 291
    13.3.1 Increased regulatory scrutiny ... 291
      13.3.1.1 Focus on regulatory oversight ... 291
      13.3.1.2 Frequency of regulatory actions ... 292
    13.3.2 Supervisory and legal actions ... 293
      13.3.2.1 Actions against firms ... 293
      13.3.2.2 Actions against individuals ... 294
14 Managing Conduct Risk: Framework and Perspectives ... 297
  14.1 Trends and perspectives in respect of conduct risk in the regulatory context ... 297
    14.1.1 Treating Customers Fairly (TCF) ... 297
    14.1.2 Senior management regimes as emerging global trends in conduct risk ... 299
      14.1.2.1 UK ... 299
      14.1.2.2 Hong Kong and Singapore ... 301
      14.1.2.3 Malaysia ... 301
      14.1.2.4 Australia ... 302
  14.2 Conduct Risk Management as integral part of ESG ... 303
    14.2.1 G like conduct ... 303
    14.2.2 New legislative focus and recent regulatory developments ... 303
    14.2.3 Activities at the EU level ... 304
    14.2.4 Optimising ESG risk management ... 306
  14.3 Managing conduct risk ... 307
    14.3.1 The Conduct Risk House ... 307
    14.3.2 Building a Conduct Risk framework ... 308
15 Successful ESG Transition: Implications and Challenges for Effective Risk Management ... 311
  15.1 Introduction ... 311
  15.2 Regulatory frameworks in selected key jurisdictions ... 313
    15.2.1 General overview ... 313
    15.2.2 European Union ... 314
      15.2.2.1 Non-Financial Reporting Directive & Corporate Sustainability Reporting Directive ... 315
      15.2.2.2 Sustainable finance taxonomy ... 316
      15.2.2.3 EU Disclosure Regulation ... 319
      15.2.2.4 EU Prudential Regulations ... 319
    15.2.3 United States ... 321
    15.2.4 Hong Kong ... 324
    15.2.5 Singapore ... 325
  15.3 Sustainable finance: upcoming challenges for companies ... 326
  15.4 Target picture: effective management of ESG risk ... 329
    15.4.1 ESG strategy ... 329
    15.4.2 Governance and organisation ... 331
    15.4.3 ESG risk steering ... 333
    15.4.4 Identification of enabling factors ... 336
    15.4.5 ESG as an opportunity ... 337
  15.5 Conclusion ... 338
Bibliography ... 341

Editors

Contributors

Foreword

Introduction: Rising to the Challenges of Non-Financial Risk Management, Compliance and ESG
Prof. Dr. Douglas Arner, Dr. Bernhard Gehra, Jannik Leiendecker, Dr. Georg Lienke

Definition of Non-Financial Risk in Financial Institutions
Martina Mietzner, Dr. Julia Gebhardt, Dr. Katharina Hefter, Jennifer Rabener, Dr. Carsten Wiegand

Risk Boundaries – Setting an Analytical Risk Appetite Framework for Non-Financial Risks
Federico Truffelli, Dr. Ulrich Göres, Lorenzo Fantini, Michele Rigoni, Luca Rancan

The Three Lines of Defence Model: Key Success Factors for Effective Risk Management
Dr. Oliver Engels, Marc Peter Klein, Peter Gürtlschmidt, Dr. Georg Lienke, Rei Tanaka

Global Functional Lead in Non-Financial Risk Management: Ensuring Consistency and Integration in Complex Organisations
Ulrike Brouzi, Dr. Michael Lange, P. Robert Mieszkowski, Jannik Leiendecker, Dr. Georg Lienke, Florian Seiferlein, Norbert Gittfried, Rei Tanaka

Policies and Procedures: Framework and Governance Requirements in the Financial Sector
Dr. Erasmus Faber, Björn Stauber, Dr. Georg Lienke

Top-Down Risk and Control Assessment: A Forward-Looking Approach to Evaluate Company-Wide Non-Financial Risk Exposure
Hurdogan Irmak, Burcu Nasuhoglu, Dr. Erasmus Faber, Lorenzo Fantini, Benedetta Testino, Jannik Leiendecker, Barbara Fojcik, Dr. Georg Lienke

A Top-Down Approach to Non-Financial Risk Reporting: Collaboration Across Risk Types for Sustainable Risk Steering
Valérie Villafranca, Dr. Georg Lienke, Florian Seiferlein, Kai Gammelin, Dr. Katharina Hefter, Norbert Gittfried

Internal Investigations into Corporate Misconduct: Applying an Investigative Approach to Enable Proactive Risk Oversight
Lora von Ploetz, Florian Seiferlein

Technical Application and Data Architecture for Non-Financial Risk Management
Kai Gammelin, Björn Stauber, Dr. Christian N. Schmid, Dr. Jan-Oliver Fröhlich, Annika Melchert, Daniel Wagner

Data Governance in Non-Financial Risk Management
Björn Stauber, Dr. Christian N. Schmid, Dr. Jan-Oliver Fröhlich, Annika Melchert, Daniel Wagner

Optimising Effectiveness and Efficiency: Deployment of Artificial Intelligence in Non-Financial Risk Management
Dr. Jochen Papenbrock, Dr. John Ashley, Dr. Georg Lienke, Florian Seiferlein, Norbert Gittfried

Core Elements of Conduct and Ethics in the Context of Non-Financial Risk
Dr. Barbara Roth, Dr. Erasmus Faber, Dr. Julia Gebhardt, Dr. Katharina Hefter

Managing Conduct Risk: Framework and Perspectives
Prof. Dr. Martin Schulz, Dr. Julia Gebhardt, Dr. Katharina Hefter, Rene Bystron

Successful ESG Transition: Implications and Challenges for Effective Risk Management
Anita Varshney, Jannik Leiendecker, Aytech Pseunokov

Bibliography


Jannik Leiendecker is a Partner and an Associate Director at Boston Consulting Group. Over the last 11 years, his focus has been on Non-Financial Risk (incl. Compliance) and ESG. He has advised numerous clients especially within the Financial Services industry on the set-up and optimisation of their respective operating model. He has also co-authored various corresponding publications. Jannik holds a Master of Science in Economic History from the London School of Economics and a Bachelor of Science in Business from the Ludwig-Maximilians-University in Munich.

Bernhard Gehra is a Senior Partner and Managing Director at Boston Consulting Group. His focus has been on Risk, Compliance and Technology for more than 20 years. During the last of those, he has led large worldwide projects focused on Risk and Non-Financial Risk. Furthermore, Bernhard recently managed ESG Compliance issues for large companies. Prior to joining BCG, he worked for a global securities service provider. Bernhard holds a Ph.D. in information science.
