required by various regulators. At the core of these approaches lies a fundamental
understanding that risks can be quantified and expressed in terms of an equity-capital
buffer that banks need to hold in order to compensate for potential losses.
Financial risks are reflected in the financial positions on banks’ balance sheets and result from their risk-taking activity. Nonfinancial risks arise from the bank’s operations (processes and systems) and are similar to risks faced by companies outside the financial sector (“corporates”). Over time, corporates have developed approaches to address nonfinancial risk while adapting approaches developed by banks to manage financial risk, which corporates also face. We believe that financial institutions can learn from the experience of corporates in managing nonfinancial risks. A cross-industry comparison can highlight promising opportunities in key areas:
Digitization. As the banking industry moves rapidly to digitize its business model, new risks will emerge, including cyberrisks, IT delivery risks, business-continuity risks, as well as new model risks from AI. Technology is the corporate sector that has the most experience with these risks.

Critical infrastructure. Banking is considered highly critical infrastructure. Therefore, the industry could benefit from studying how risks are addressed by other critical-infrastructure sectors, including telecommunications, transport, and energy.

Regulation. Banking is probably the most heavily regulated industry. As a result, it has developed a highly centralized approach to risk management. Banking is the only industry, for example, with a regulatory obligation to include a chief risk officer (CRO) in its C-suite ranks. For these reasons, banking may have the most important risk-management experience in the area of regulatory risk.
Nonfinancial companies hold a variety of views on nonfinancial risks and how
to approach them, differences mainly determined by market and sector. The divergent
perspectives relate to each industry’s risk appetite and risk-management practices.
McKinsey explored these perspectives in a 2021 executive survey on corporate
resilience (see sidebar, “The McKinsey–FERMA corporate risk survey: What
executives revealed about resilience”).
The survey revealed organizations’ varying approaches to resilience. A prominent factor is the sector in which the organization operates. For instance, in the airline industry, safety is of paramount importance. Data on near accidents are valued so highly that pilots can be penalized more severely for not providing this information than for having made actual mistakes. In contrast, software providers thrive on developing stable products that are improved incrementally over time. In telecommunications, cloud providers focus on stability as well. Their services performed so well during the pandemic that many banks and nonfinancial companies overcame their doubts about cloud risks. These reservations were formerly a barrier to the transfer of critical software services. After observing the high security standards maintained by cloud providers, organizations came to regard them as safer than on-premises data centers. Finally, in the automotive industry, global production is highly sophisticated, with up to 80 percent outsourcing in the supply chain. This allows for product scalability but creates vulnerabilities from geopolitical risks as well as regulatory and technological change. The industry is thus engaged in rethinking strategies across supply chains, software, and product and environmental compliance.
The lessons from particular industries suggest two caveats when comparing practices between banks and corporates:

1. When deciding whether risk-management practices are transferable from another industry, financial institutions have to weigh these practices within the context of particular business models and risk appetites.

2. Risk management cannot be seen as a collection of static practices but must evolve to keep pace with rapidly changing business models.
It will be worthwhile to explore these two points, comparing operational risk and enterprise-risk-management (ERM) frameworks in banking and corporates and then looking at the broader question of resilience over time. The importance of this
second point has grown in recent years and intensified during the pandemic. Many
corporates have begun rethinking their risk-management mindset in light of the
present disruptive and rapidly changing business environment. We believe that these
developments hold potent lessons for financial institutions.