Today, Non-Financial Risk (‘NFR’) is managed within silos, with no single point of data aggregation to provide the holistic oversight that would support decision making in relation to NFR.
It is recognized:
- Data is the lifeblood of effective NFR management
- The aggregation of this data is an evolving necessity if the COO (or other) is to have informed oversight of these risks
- Emerging risk identification and horizon scanning would help contextualize decision making born from integrated NFR data
Q. What sits within this spectrum and where, who and how are these risks managed?
A. It was agreed unanimously that NFR has no definitive categorization, the following being commonly used classifications:
(The following has been sent to iCOOC participating members to complete to enable Armstrong Wolfe to develop a reference for NFR categorization to work from moving forward)
Q. Integrated or segregated, what benefits arise from a fully integrated process to manage NFR?
A. Overwhelmingly a desire to establish an integrated approach, noting:
- The COO often operates with a fragmented or incomplete view across the Threat & Risk landscape
- No one bank has a systematic approach to aggregating and analysing NFR
- Reservations exist in relation to capital expenditure to develop this capability
- It is noted that much, if not most, of this data is already captured somewhere in the organisation, so there is little or no need to invest in technologies to capture it; expenditure can be limited to a technology solution that collects from established data pools and aggregates and translates the data
- Aggregation of NFR data will allow (the COO) to separate the signal from the noise and to identify points of correlation within the NFR spectrum
- This function should be positioned as the centre of threat management education, ensuring it helps develop a culture of non-financial risk awareness that will further protect the franchise
Q. CRO or COO – who is better positioned to provide the answer to ‘so what?’
A. The business heads (be this CEO, SMR, other accountable executives), with the COO as the managing agent of this risk, noting:
- The business owns the risks and the COO, working with the CRO and other partners (providing data), is best positioned to translate NFR and to make informed commercial decisions based upon this data
- This would enable the business to operate on an anticipatory footing and be prepared for the inevitability of future crises
Q. If the above is correct, would you build or buy a solution, and if the latter, with whom?
Follow on deep-dive COO Cluster Calls to be offered to iCOOC members to participate.
1-to-1 meetings with AW and Control Risks to discuss outline solutions.