NFR Leaders 2022

SEPTEMBER 2022

REFLECTING THE VOICE OF THE MARKET TOP NON-FINANCIAL RISKS, INVESTMENT PRIORITIES, UPCOMING TRENDS AND OPPORTUNITIES AS VOTED FOR BY THE INDUSTRY

TABLE OF FIGURES

FIGURE 1. TYPE OF ORGANIZATION

FIGURE 2. SIZE OF ORGANIZATION

FIGURE 3. COUNTRIES OF OPERATION

FIGURE 4. LINE OF DEFENSE

FIGURE A. INVESTMENT PRIORITIES

FIGURE B. RELATIVE PRIORITY FOR MANAGING NON-FINANCIAL RISK, COMPARED TO FINANCIAL RISK

FIGURE C. CYBERSECURITY EFFECTIVENESS

FIGURE D. CRITICAL GEOPOLITICAL RISK FACTORS OVER NEXT 12 MONTHS

FIGURE E. CYBERSECURITY INVESTMENT

FIGURE F. THIRD-PARTY RISK FRAMEWORK INVESTMENT & OVERSIGHT PRIORITIES

FIGURE G. TECHNOLOGY INVESTMENT LEVELS FOR MANAGING THIRD-PARTY RISK

FIGURE H. DATA CHALLENGES

FIGURE I. INVESTING IN DIGITALIZATION – KEY CONSIDERATIONS & PRIORITIES

FIGURE J. DATA MANAGEMENT INVESTMENT REQUIREMENTS

FIGURE K. BENEFITS OF DIGITALIZATION TO NON-FINANCIAL RISK

FIGURE L. RELATIVE IMPORTANCE OF INVESTMENT PRIORITIES

FIGURE M. INVESTMENT PRIORITIES IN AML & FINANCIAL CRIME

FIGURE N. WHAT ASPECT OF AML RISK IS CURRENTLY RECEIVING MOST ATTENTION WITHIN YOUR ORGANIZATION

FIGURE O. STRENGTH OF FRAUD PROGRAMS IN FINANCIAL INSTITUTIONS

FIGURE P. KEY INVESTMENT PRIORITIES FOR FRAUD PREVENTION

FIGURE Q. EFFECTIVE CONDUCT & CULTURE

FIGURE R. PEOPLE & PERSONNEL CONSIDERATIONS OVER NEXT 12 MONTHS

ABOUT CEFPRO

The Center for Financial Professionals, CeFPro®, is an international research, events, and media company. CeFPro is the focal point for financial risk, technology, and regulatory professionals, advancing the profession through renowned thought leadership, knowledge sharing, unparalleled networking, industry solutions, and lead generation. CeFPro is driven by, and dedicated to, high quality and reliable primary market research. It is this market research that allows us to provide an excellent portfolio of peer-to-peer conferences, live interactive webinars, industry-led content, international surveys, and a membership area for the industry to connect.

CeFPro strives to provide insights, support, and benchmarks for organizations as the traditional operational risk arena expands and splinters into many sub-sectors. Supported by more than 60 industry professionals from various sectors, positions, and backgrounds, the Non-Financial Risk (NFR) Leaders Advisory Board provides guidance, direction, support, industry insight, and knowledge. The objective is to provide a comprehensive report examining the opportunities, investment priorities, key obstacles, and main benefits within the industry. Findings are based predominantly on the views of the extensive international survey and the NFR Leaders Advisory Board, with CeFPro’s analysts and senior management reviewing the results and ensuring the integrity of the methodology and data in the final report.

The final NFR Leaders report can therefore be viewed as ‘the voice of the market’, providing a comprehensive understanding of and insight into financial risk, technology advances, governance and regulatory compliance, and other aspects of non-financial operational risk.

CeFPro is solely focused on financial risk, regulation, and technology, drawing on a decade of experience and expertise in the industry to provide a clear distinction from generic market research companies that cover multiple industries. Now in its third year, the international NFR Leaders survey and report is increasingly recognized as the go-to resource, delivering unparalleled research and knowledge through the Advisory Board, CeFPro’s analysts, and other industry professionals. Visit www.cefpro.com for more information.

Join our global community to receive complimentary updates, e-newsletters, webinars, and more at www.nfr-leaders.com, or become a CeFPro member at www.cefpro.com

© Copyright Center for Financial Professionals Limited, CeFPro®, 2022-2023. All Rights Reserved. Non-Financial Risk LeadersTM, or NFR LeadersTM, is wholly owned by CeFPro®

No part of the NFR Leaders publication, or other material associated with CeFPro® or the NFR Leaders report, may be reproduced, adapted, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Centre for Financial Professionals Limited, or as trading as the Center for Financial Professionals or CeFPro®

The facts of the NFR Leaders report are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions, and recommendations that CeFPro® delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. CeFPro® acknowledges the guidance and input from the Advisory Board, though all views expressed are those of the Center for Financial Professionals, and CeFPro® accepts no liability whatsoever for actions taken based on any information that may subsequently prove to be incorrect, or for errors in our analysis. For further information, contact CeFPro®

CeFPro®, Fintech LeadersTM, and Non-Financial Risk LeadersTM are either Registered or Trade Marks of the Center for Financial Professionals Limited in the UK, and pending registered trade mark within the EU and the USA. Unauthorized use of the Center for Financial Professionals Limited or CeFPro® name and trademarks is strictly prohibited and subject to legal penalties.

NFR ADVISORY BOARD

CeFPro® would like to thank all Advisory Board members for their time, views, and opinions.

Any views expressed in Non-Financial Risk Leaders 2022 are those of CeFPro® and are not endorsed by the Advisory Board or the organizations they represent.

Tanweer Ansari, Esq, EVP Internal Counsel & CCO, The First National Bank of Long Island

Sucharita Banerjee Lodha, Head of Governance and Reporting/Chief of ERM, AIG

Ian Burgess, Director, Cyber and Third Party Risk, UK Finance

Simon Cartlidge, CRO (L&G Retirement Solutions), Legal and General

Patricia Catharino, Compliance Officer and US Head of Risk Management and Internal Controls – SVP, Banco ITAÚ Europa

Albert Chin, Model Development and Risk Management, Freelance

Paul Clarke, SVP, Segment Director, Operational Risk Management, TD Bank

Lewis Cox, EMEA Regulatory Risk Lead, Amazon Web Services

Brandon Davies, Trustee and Lecturer, Institution of International Monetary Research, Buckingham University

Nick Diieso, Director, Global Head of Operational Risk – ICG Ops, Markets, and Securities Services, Citi

Charles Forde, Head of Operational Risk for Global Markets and Investment Banking, Nomura

Maurizio Garro, Senior Lead – IBOR Transition Programme, Lloyds Banking Group

Hafstein Gislason, Director, Operational Risk, Silvergate Bank

Mariana Gomez de la Villa, Centre Expertise Lead –Distributed Ledger Technology, ING

Stephen Griffith, Head of UK Non-Financial Risk/Operational Risk, Bank of Ireland

Hasib Haq, Global Program Lead IFRS9, ING Group

Dr Jimi Hinchcliffe, COE, NJ Risk and Regulatory Consulting

Paul Huggett, Head of Third Party Risk, Nationwide Building Society

Andrey Itkin, Quantitative Research & Development Lead, Abu Dhabi Investment Authority (ADIA)

Amit Lakhani, Head of IT, Third Party Risk and Fraud Risk Management for CIB, BNP Paribas

Julia Lo, Head of Credit Risk Governance, Cross River

Arindam Majumdar, Managing Director – Enterprise Risk Management, Bank OZK

Phil Masquelette, SVP, Chief Risk Officer and Chief Information Security Officer, Ulster Savings Bank

Jennifer Matney, SVP, Chief Financial Officer, National Advisors Trust Company

Sean Miles, Head of Operational Risk, Shawbrook Bank

Vasanth Murugan, Director, Operational Risk and Governance, American Express

Nison Nagdimov, Head of Risk and Controls, HSBC

Ebbe Negenman, Chief Risk Officer & Member of the Executive Board, Knab

Christopher Nestore, EVP, Head of Enterprise and Operational Risk Management, TD Bank

Carlos Orel, Head of AML, Risk, Products and Monitoring, TD Bank

Roderick Powell, Senior Vice President – Head of Model Risk Management, Ameris Bank

Mandy Ramlow, Managing Director, AML Systems, Data, Innovation and Operations, BMO Financial Group

Jeremy Resler, SVP, Director Third Party Risk Management Governance, US Bank

Gary Savill, Head of ERM Programme Delivery, Starr Insurance

John Schiavetta, SVP, Chief Risk Officer, Alliance Bernstein

Andrew Sheen, Director, AJ Consulting

Chris Smigielski, Director of Model Risk Management, Arvest Bank

Craig Spielmann, Risk Intelligence Leader, CNM LLP

Jack Sprague, SVP, Operational and Resilience Risk, HSBC

Thomas Tobin, Director, Operational Risk, Mizuho

Freek Van Velsen, Chief Audit Executive, LeasePlan

Stephen Woitsky, VP, Operational Risk Business Oversight, Wells Fargo

Ken Wolkenhaur, VP Vendor Management, Nordea Bank

Chris Wood, Head of Third Party & Outsourcing Risk (NFR), Credit Suisse

DEFINITIONS & METHODOLOGY

Below are two broad definitions of financial vs. non-financial risk as defined by a selection of NFR Leaders Advisory Board members and industry experts.

FINANCIAL RISKS

Financial risks typically cover quantitative risks, such as credit, market, liquidity, and insurance risk. Organizations tend to have significant amounts of data on these risks, enabling them to be managed by a central team of risk experts in a measurable way, through models and statistics.

Non-financial risks (NFR) typically cover more qualitative risks, such as operational, strategic, compliance, and reputational risk. Firms tend to lack data on these risks, and they cannot be managed by a central team of risk experts. Moreover, these risks can fall into the ‘uncertainty’ arena, where they cannot be easily measured nor modeled. Effective NFR management requires a wide range of both internal stakeholders, such as senior executives and employees, and external stakeholders, such as outside third parties, outsourced partners, or business partners.

In essence, non-financial risks are all risks that are not covered by traditional financial risk management. Although this may seem a negative definition, in so much as it is identifying what the risk is not, this is very much in line with the initial definition of operational risk. Increasingly, this definition is also being adopted and encouraged by regulatory bodies and used by financial institutions. NFR is considered a contemporary description of operational risk. As one Advisory Board member mentioned, ‘so many areas that had not been considered before, such as third-party risk or advanced analytics, can fall under non-financial risk’. This is an enterprise risk mindset; a broader definition of operational risk as defined by the Basel Committee on Banking Supervision.

OUR METHODOLOGY

As an independent, international research company, CeFPro seeks to serve those involved in managing financial & non-finanical risk within the global financial services industry through impartial analysis of key industry trends collated from a global community of experts. CeFPro launched its latest NFR survey in February 2022 to collect and collate global market research on the status of non-financial risks, with the objectives of:

The final 2022 NFR Leaders report was signed off by the Centre for Financial Professionals (CeFPro) management team on September 5, 2022. NON-FINANCIAL RISKS

• Ranking in order of priority the most pressing and topical non-financial risks of today, as voted for by the industry.

• Analyzing and further exploring the key non-financial risks identified.

• Examining the upcoming key investment priorities and opportunities.

The findings in this survey were compiled from an extensive global outreach program, which ran from March 10 to June 23, 2022 and received 975 responses.

The initial stages of the research consisted of an online survey of industry professionals within non-financial risk, providing quantitative data and opportunity for analysis on the critical issues identified. CeFPro also distributed print versions of the survey at relevant events, such as the flagship Risk Americas and Risk EMEA conferences.

The second stage featured a series of one-to-one interviews with CeFPro Advisory Board members. The interviews were conducted throughout July 2022, providing additional insight, clarity, and analysis. The views of the Advisory Board were used as a qualitative source to further understand and review the quantitative results from the survey.

I have great confidence in the relevance and importance of the top NFR risks and investment priorities detailed in the NFR Leaders report. The current and emerging trends in financial services are clearly outlined, and the risks identified are ranked and explained for a wide audience which makes the report vital to our industry. Practitioners can distil valuable information from the NFR Leaders report to evaluate direct and indirect program impacts across the risk spectrum.

RESEARCH DEMOGRAPHICS & INFORMATION

The objective of Non-Financial Risk Leaders is to gather a global cross-sector view and range of opinions on the current key non-financial and operational risk trends and critical challenges. Below is a breakdown of the demographics and make-up of the respondent profiles. Collectively, these views, alongside those of a distinguished line up of industry experts, shape the final rankings and report of the 2022 Non-Financial Risk Leaders.

TYPE OF ORGANIZATION

SIZE OF ORGANIZATION

TOP 10 NON-FINANCIAL RISKS FOR 2022

1. CYBER RISK

(LAST YEAR 3RD)

Measuring and managing attacks against an organization and/or department or individual. Attacks can include phishing, email links, external hackers, and ransomware.

6. COMPLIANCE AND REGULATION (LAST YEAR 5TH)

The threat posed to reputation (and resulting financial penalties) due to violations of, or non-compliance with, laws, regulations, codes of conduct, and standards of practice.

2. ESG (INCLUSIVE OF CLIMATE RISK) (LAST YEAR 13TH)

Risks associated with environmental, social, and governance (ESG) factors, along with the potential financial, social, and economic consequences. ESG includes the risks associated with a diverse range of issues such as climate change, greenhouse gas emissions, deforestation, biodiversity, customer and employee relations, labor, human rights, supply chains, board management practices, diversity, equity and inclusion, compliance, and more.

3. GEOPOLITICAL RISK

(LAST YEAR 12TH)

Challenges of conflict, as well as internal and external events and politics (domestic or international), impacting an organization or business operations.

7. PEOPLE RISK

(LAST YEAR 8TH & 9TH, PEOPLE AND CONDUCT/CULTURE WERE LISTED SEPARATELY)

Risks associated with the recruitment, retention, development, and capability of the workforce to deliver the strategy. This can also include misconduct, personnel dependencies, and company culture. For 2022, this also includes the actions of an organization or individual that can lead to customer detriment or market instability, or that can impact competitive practices.

4. THIRD-PARTY RISK (EQUAL TO LAST YEAR)

Risks associated with relationships and services provided by external suppliers. This includes fourth parties and further external parties used by an organization to fulfil operations and tasks.

8. FRAUD (LAST YEAR 7TH)

The risks of fraud being committed by external parties and/or employees and managing the resulting financial, material, or reputational losses.

5. RESILIENCE AND BUSINESS CONTINUITY (LAST YEAR 1ST)

Preventing, adapting, responding, recovering, and learning from operational disruptions, alongside ensuring continuity and recovery of critical business processes in the face of adverse operational events.

9. TECHNOLOGY RISK (LAST YEAR 2ND)

Predominantly focusing on infrastructure, including data usage and protection, failure of legacy systems, cloud providers, and the use of AI, including machine learning and deep learning.

10. AML AND FINANCIAL CRIME (LAST YEAR 6TH)

Risks associated with facilitating financial crimes, including money laundering, sanctions compliance, and terrorism financing.

KEY FINDINGS FROM 2022 RANKINGS

CYBERSECURITY DOMINATES NFR

The findings for 2022 have catapulted cybersecurity into first place for both risk and investment level. The 2021 results saw a dramatic rise in mentions and votes for cyber risk, and this trend has continued into 2022 to make it this year’s top non-financial risk, receiving more than twice as many votes as the second-placed risk area of ESG.

Interestingly, CeFPro’s NFR Leaders Advisory Board stated that with the exception of the increase in ransomware attacks, other forms of cyber risk remain largely unrealized with minimal financial impacts to date. The potential for disruption to financial institutions is, in their opinion, greater than what has been experienced to date. Some board members attributed the heightened risk to an increase in ransomware attacks and a volatile threat landscape with the increased risk of cyber warfare because of geopolitical tensions, specifically the conflict in Ukraine. However, cybersecurity in general remains a key concern for many financial institutions; push payment fraud has become, and continues to be, one of the greatest challenges being faced. Furthermore, the pandemic forced transactions and payments to move online, with financial institutions effectively becoming cyber-businesses, shifting cybersecurity to the forefront of their concerns.

ESG AND GEOPOLITCAL RISK CLIMB THE RANKINGS

The highest climber for 2022 is ESG (inclusive of climate risk), rising from 13th position in 2021 to second place this year. In the 2021 report, ESG was a new entrant to the rankings and has therefore rapidly solidified itself as a NFR key trend.

Another growth area that unsurprisingly rose up the rankings for 2022 is geopolitical risk, moving from 12th position to third. This is most likely because the timing of the survey coincided with significant global socio-economic and political unrest, most notably the conflict in Ukraine.

THE CHANGING FACE OF PEOPLE RISK

A change in definition and ranking came in the form of people risk, which was previously divided into two separate categories: People Risk/HR and Conduct and Culture. For 2022, the NFR Leaders Advisory Board gave a compelling case to merge the two, as people risk continues to increase in significance with conduct issues frequently aligned. Against a backdrop of an evolution in working practices and an increase in staff working from home, people risk (including culture and conduct) looks set to remain a key risk category for 2022 and beyond.

A VOLATILE WORLD

As we emerge from the grips of the pandemic and global economies continue their efforts towards recovery, economic and social volatility appears to have influenced the 2022 rankings. The survey was conducted at a time when geopolitical risks were at a particular high, with the escalation of the conflict in Ukraine. This catalyzed a series of risks from supply chain issues, civil unrest, market fluctuations, and political tensions, to humanitarian and social crises. It also had a profound impact on markets and resulted in a flurry of unprecedented sanctions against Russia (and closely aligned regimes), individuals, and organizations. As a result, geopolitical risk was drastically elevated to third place in the rankings for 2022.

Given the nature of threats, speculation circulated as to the potential of a heightened cyber risk. Organizations were encouraged to bolster their cyber defenses in light of the conflict, which could be a contributing factor behind cyber risk emerging as the leading non-financial risk for this year. Many commentators remarked that Western interests were being reviewed very carefully. Most specifically, countries close to or bordering Ukraine received the greatest attention, while physical, technological, and cybersecurity interests in Eastern European financial institutions were also of particular interest to risk professionals.

When looked at holistically, it could be interpreted that the top three NFR rankings for 2022 (namely cyber, ESG, and geopolitical) have all been heavily influenced by global events and the resulting repercussions.

PANDEMIC RECOVERY

In the 2021 report, the impact of the global pandemic on human interaction and working environments was a key theme. As a result of Covid-19, 2020 saw much of the world effectively closed to human interaction, including ‘normal’ office operations. Organizations almost overnight had to pivot to a remote working environment, resulting in a much stronger focus on technology and resilience in the rankings last year.

Now, as many countries begin to establish a ‘new normal’, organizations are making practical decisions and transitions toward either a full-time remote environment, office-based operations, or a hybrid combination of the two. The move to a more business-as-usual environment could have influenced the rankings away from technology and resilience, which was top of many risk professionals’ agenda in 2021.

Changes to working practices could also be a factor behind cyber’s strong performance in this year’s report. Control environments were disrupted with the move to remote and hybrid working; as new controls continue to be embedded, security protocols and protection of data in a remote or hybrid environment are not yet fully established.

RISK SYNERGIES

As is the nature of non-financial and operational risks, there remain a number of overlaps across the rankings, as some categories may be key drivers or consequences of another. A key example is AML and financial crime, last year ranked sixth and now in 10th position. Sanctions are heightened because of the conflict in Ukraine and actions taken against the Russian government

and financial institutions; therefore, the categories of cybersecurity, geopolitical risk, and AML/financial crime could overlap, with respondents’ individual interests and areas of focus potentially determining which is ranked higher. Another example is third-party risk; this often has a strong cyber focus, alongside resilience, compliance, and data challenges, all of which are closely linked to the management of vendors and third parties.

In short, the rankings provide a snapshot of the current and immediate key NFR concerns faced by industry professionals. However, as with most non-financial and operational risks, they do not operate in silos and both cause and consequence overlap across different sectors. The 2022 overall rankings have evolved significantly from 2021, with notable high climbers and fallers, largely because of respondents prioritizing point-in-time risks that reflect the current global volatility.

The NFR Leaders report is informative, comprehensive and one of the best information sources in the marketplace. I look through it to identify new risk and investment trends which enhance my capabilities to support our clients. I believe as risk professionals we need to constantly challenge ourselves using new information. Since the NFR Leaders report started, it has established itself as a valuable strategic tool to challenge conventional thinking and spot investment trends which could change the risk landscape and thus our management of it.

INVESTMENT PRIORITIES

FIGURE A. HOW IMPORTANT ARE THE FOLLOWING INVESTMENT AREAS FOR 2022 (IMPORTANCE OF SPEND)?

OBSERVATIONS & KEY FINDINGS

Non-financial risk is evolving annually, though disparities in the risk ranking vs. investment ranking demonstrate that organizations are often reactive in managing emerging risks. When comparing risk ranking with how this translates into spend, the results demonstrate a divergence.

KEY OBSERVATIONS

• CYBER LEADS FOR BOTH RANKING AND INVESTMENT

Cyber risk and investment in cybersecurity remain head and shoulders above all other rankings. Information security is a key driver for organizations, with a string of associated repercussions including data loss and resulting reputational damage. It is also clear that risk professionals have spent much of 2022 preparing for cyber to be used as a weapon of war, whether via state-sponsored or individual attacks. The landscape appears to pose an imminent threat.

• PANDEMIC HANGOVER REMAINS

While remote working looks set to continue indefinitely for many, some are returning to a full-time office environment, and others are somewhere in between, meaning control environments are in a state of flux. People risk continues to climb in importance; with so many staff working remotely, keeping track of team safety and wellbeing is top of mind, as is mitigating against potential conduct challenges.

• GEOPOLITICAL RISKS RISE FAST

As tensions continue with the conflict in Ukraine, strained relations with China, political upheaval in the UK, and much more, it is perhaps unsurprising that geopolitical risks have leapt up the rankings.

DOES THIS TRANSLATE INTO SPEND?

When analyzing investment priorities in Figure A, some disparities begin to emerge, further highlighting the reactive nature of the risk rankings. The top three investment priorities align closely with the 2021 risk rankings, which saw a high technology focus with resilience, technology/IT risk, and cyber risk making up the top three. The results could be interpreted as demonstrating that, although teams can be reactive in managing risks, they are not necessarily investing the requisite time and resources into these areas, instead prioritizing technology enablement and security for longer-term strategic direction.

One of the key investment areas for 2022 is data, ranking as the second-highest investment priority. This is in stark contrast to its risk ranking, where it did not even feature in the top 10. However, its importance as an investment priority aligns with the strong focus on technology –without accurate and complete data, investment in technology and IT projects could be incomplete. Data challenges and investment could also align with a broader efficiency drive, further demonstrating why this risk silo may not appear as a top-ranked category, more as a tool to manage other key risks. Data is increasingly being leveraged to inform strategy and provide an analytical view. Investment levels may therefore be high as it remains a critical component in risk management, strategy, automation, and decision making.

Moreover, as the challenges of ESG evolve and adapt – with greater regulatory and consumer pressures, including stress tests – data requirements will no doubt increase. Cybersecurity, technology, fraud, and financial crime all require data for effective measurement and management. Therefore, spending and investment in data is only likely to be accelerated over the coming years.

The area of ESG was the highest riser for 2022 in both the risk rankings and as an investment priority. However, investment in ESG has not yet been fully realized, as while it ranks second in the risk ranking, it is only ninth for investment. The ranking of ESG as a relatively low investment priority (despite being the highest climber year on year), sparked mixed debate amongst the Advisory Board; some members are seeing a rapid advancement in investment with regards to time, resources, and externally, while others have yet to realize the impact or even begin assigning teams and resources. It was mentioned that with some firms yet to fully define their ESG strategy and formally set targets, the main expense at this stage remains with external consultants. Collecting and analyzing greenhouse gas emissions data appears to be an enormous challenge for banks, with a significant price tag associated.

Technology and IT risks ranked high as an investment priority, taking the third spot. This surprised some Advisory Board members, who expected to see it ranked first or second. It was highlighted that the rankings could be diluted due to some areas of technology being classed separately, such as digitalization and automation. Had these been combined within the overarching area of IT and technology risk, this category would have ranked as the leading investment priority.

KEY INVESTMENT CHANGES

Operational resilience remains consistently high, with 35% of respondents rating it as their most significant risk. However, it is worth noting that some responses were submitted prior to the Bank of England’s March 2022 deadline, which could have influenced the ranking. Consensus seemed to demonstrate that views have shifted to not if, but when, a risk may materialize. The resilience push therefore seems to be beyond regulatory drivers; the influence of the pandemic has sparked a need to enhance resilience and integrate a plan B.

• Regulation and Compliance has risen from 10th to fifth place, with 28.6% of respondents ranking it as most significant. This could be because of changes on the horizon, rather than current regulatory drivers. Resilience remains a substantial project for NFR experts, with the expectation of additional ESG guidance and changing responsibilities for the management of third parties, specifically the use of cloud providers as a vendor. The anticipated regulation on ESG from various international bodies is also likely to be a factor.

• AML has climbed from 13th to eighth place, possibly due to the current geopolitical environment and rise in sanctions because of the conflict in Ukraine.

• Climate moves from 18th to ninth, under the header of ESG. Since making its first appearance in the nonfinancial risk rankings in 2021 as an investment priority (although not a key risk area), ESG continues to climb in importance as both a risk area and an investment priority.

• Digitalization falls from eighth to 11th place though, as outlined above, this could be due to the dilution of technology as a category. The pandemic may also be a factor, with significant digitalization drives being implemented as a result of branch closures and minimal human interaction. Investment may therefore have temporarily subsided as organizations edge back to business as usual and seek to define their future digitalization strategies.

Non-Financial Risk / ORM has never been higher profile following the disruption due to the response to Covid19 and the regulatory focus on operational resilience. The new CeFPro industry led research report is timely and an extremely valuable contribution.

Dr Jimi Hinchcliffe, COE, NJ Risk and Regulatory Consulting, Non-Financial Risk Leaders Advisory Board Member, CeFPro

FUTURE OF NFR

The survey looked to review the standing of non-financial risk within organizations and its relative priority over financial risks (such as credit and market risks). A total of 38.1% of respondents ranked NFR as a very high priority, and 45.1% as high priority (Figure B).

FIGURE B. PLEASE STATE THE RELATIVE PRIORITY FOR MANAGING NON-FINANCIAL RISK, COMPARED TO FINANCIAL RISK (SUCH AS CREDIT AND MARKET RISKS), IN YOUR ORGANIZATION

This research report is important because it has been compiled based on extensive research from experts in their field. The collective intelligence of diverse leaders gives this report gravitas and kudos that makes it an essential read.

Historically, non-financial risks, particularly operational risks, have fallen in priority in times of recession or economic downturn. Non-financial risks continue to establish themselves within organizations, but their future priority remains unclear as we edge closer to the likelihood of a recession. Advisory Board members commented that the fact that 83% of respondents view NFR as a high or very high priority may be due to the relatively strong market and credit conditions at the time of the survey. As inflation and interest rates continue to rise, focus is expected to move more towards credit and market risks.

However, boards appear to be moving away from just accepting non-financial risk towards understanding and investing in it to further advance the discipline. With increased focus on automation and efficiency, developing effective controls could make NFR teams more automated and self-sufficient, thereby enhancing predictability, data integrity, and risk intelligence and allowing controls to monitor changes.

DEMONSTRATING VALUE IN A RECESSION

NFR has established itself as a discipline by which to measure and monitor critical risk functions, but the financial repercussions of NFR remain limited when compared with market and credit risks. Those interviewed stated that it seems unrealistic to expect NFR, as a non-revenue generating function, to remain a priority in a recession or economic downturn. However, it was highlighted that, given the significance of cyber risk, investment in security could reasonably be expected to be maintained. Ultimately, NFR must continue to demonstrate value within an organization and showcase that, while not directly generating revenue, the associated financial risks are significant and unquantifiable given their direct and indirect reach.

CYBERSECURITY & RESILIENCE

Cyber risk has cemented itself as the key non-financial risk area for 2022, receiving the highest ranking as both a risk category and an area of investment.

As the global environment remains turbulent and unpredictable, the threat of a cyberattack continues to escalate. Although the true cost and level of risk remain uncertain, the potential risks – both monetary and reputational – are significant. Cyber criminals continue to innovate, developing new practices to breach an organization or individual. With many firms making substantial changes to their operations as a result of the pandemic, both in terms of remote working and increased

AREAS?

Cyber risk should not be seen as a holistic risk, rather an umbrella term incorporating numerous risks such as ransomware, phishing, insider threat, data leakage, and hacking. Moreover, Advisory Board members stated that they had seen a significant shift in the mix of cyber risk away from data breaches towards ransomware. Therefore, although some areas have seen a dramatic rise, others have seen a drop.

An additional 43.7% of respondents reported that their controls are ‘effective’ in managing homeworking,

digitalization of services, the potential vulnerabilities are not always known.

The Non-Financial Risk Leaders survey explored respondents’ views as to the level of effectiveness of their cybersecurity measures. Surprisingly, homeworking was ranked as the most effective measure, with 31% of respondents confirming that their WFH security and controls are very effective (Figure C). This proved surprising when the results were analyzed with the NFR Advisory Board. Board members expected homeworking to be a key concern, with uncertainty around developing controls in a remote or hybrid environment.

meaning a total of 75% have a positive view of the security and soundness of their homeworking control measures. This could point towards advances in security practices in a remote environment as the industry accepts the change is here to stay. As of summer 2022, many banks were awaiting regulatory bodies’ decisions regarding the lack of controls and oversight of conversations and deals taking place through social media rather than regulated channels. The suspicion is that significant fines will soon be announced.

FIGURE D. WHAT DO YOU CONSIDER MOST PRESSING FOR THE NEXT 12 MONTHS IN REGARD TO

THE INTERSECTION OF GEOPOLITICAL AND CYBER RISK

When asked to rank various geopolitical risks, cyber warfare and state-sponsored hacks were rated as the second most pressing geopolitical risk over the next 12 months (Figure D).

However, only 11.2% of respondents believe their organizations’ measures are very effective against professional activists and state-sponsored hackers (Figure C). This is concerning, given the escalation in geopolitical tensions since the start of the Russia-Ukraine conflict. Russia has long been suspected as responsible for cyberattacks on national infrastructure, including the recent attack on communications company Viasat, which saw disruptions to windfarms and internet users across Europe. In a joint Cybersecurity Advisory statement, cybersecurity authorities from the US, Australia, Canada, New Zealand, and the UK issued a warning around

potential exposures to increased ‘malicious cyber activity’. Advice was given to patch all systems, enforce multifactor authentication, secure and monitor remote desktops and risk services, and provide additional enduser awareness and training. Despite this threat emerging during the period that the NFR survey was live, only 8.5% of respondents felt their cybersecurity measures were ineffective against professional activists, with 32.4% rating them as less effective.

As previously mentioned, cybersecurity overlaps with several other risk areas, highlighting further potential vulnerabilities. Only 21.1% of respondents rated their firm’s security measures for cyber risks from a third-party provider as very effective (Figure C), with an additional 52.1% classing them as effective. With such heightened reliance on third parties to provide a range of services, ensuring security and resilience within the supply chain is critical if organizations are to effectively protect themselves and their customers from cyberattacks.

CYBER INVESTMENT PRIORITIES

Regarding investment in cybersecurity over the next 12 months, 19.7% of respondents ranked this area as being of the highest importance, requiring very significant investment; an additional 22.5% expect it to require significant investment (Figure E).

• Data management software

• Biometrics hardware

• Data protection

• Protection against state-sponsored cyberattacks

• Monitoring personnel

• Insider risk and data loss prevention

• Malware, phishing, and data theft (detection and threat intelligence)

• Ransomware protection – continued patching/ monitoring

• Transition strategy

• Upgrading process controls

When focusing on more specific areas of investment and how spend may be allocated across both hardware and software, there was a variety of responses, including:

• Third-party cybersecurity

• Analytics to provide earlier threat detection

• Updating legacy technology

• Cloud/enhanced controls/perimeter/automation

• Customer-focused security

To summarize, cyber risk has solidified its position as a critical non-financial risk, remaining the number one priority for investment in 2021 and 2022, and rising from third to first place in the risk rankings. As a result of overlapping with so many other risk silos, this category seems to be increasing in importance as organizations continue to battle against ongoing and developing threats. With a continued focus on resilience from global regulators, cyber and IT resilience stands as a critical aspect of the regulatory standards. As organizations develop their online offerings and progress their digitalization agendas, new vulnerabilities continue to emerge, each representing a potential breach. And with geopolitical volatility increasing the likelihood of cyber warfare or state-sponsored attacks, tightening defenses across all aspects of an organization, including both in-house and outsourced activity, is critical to stay ahead of the cyber criminals.

VENDOR & THIRD-PARTY RISK

Vendor and third-party risk has consistently ranked highly as both a key NFR area and an investment priority, with its position remaining stable. Taking fourth place in the risk rankings and sixth as an investment area, it is clear that organizations continue to grapple with the risks around leveraging outsourced services.

In particular, the global pandemic highlighted the need to increase resilience within third-party risk. As was the case with many organizations and industries, most third-party teams were required to move to a remote environment, and many have remained remote ever since. This poses contractual challenges, including the introduction of clauses for onsite assessments, and geographical constraints to teams. Contracts do not generally provide access to teams’ homes to conduct onsite or risk assessments, making oversight and due diligence a challenge.

Furthermore, as regulations across the globe continue to advance, financial institutions face challenges in complying with a host of overlapping and often disparate requirements. With both direct regulations governing third-party risk management programs, and indirect focus from data privacy acts including GDPR or CCPA, aligning all requirements under one cohesive third-party risk management framework is an increasing challenge, particularly for those operating across borders.

As regulators begin to shift their attention towards larger organizations holding a monopoly over the industry, it is hoped that future oversight may become more streamlined and efficient. The UK, for example, is moving towards finalizing critical third-party regulations, set to impact predominantly cloud computing providers serving UK financial services. Challenges continue to arise with critical third parties, including cloud providers, to provide effective oversight and due diligence and this change looks set to address increasing concentration risks; a challenge seen across the industry globally with monopolization by certain organizations including, but not limited to, Amazon and Google.

The European Union has also put forward a Digital Operational Resilience Act (commonly known as DORA), looking to address the same issues and limit concentration risks across supply chains and within business lines.

Concentration risk therefore remains a key challenge within third-party risk management as organizations try to gain insight deeper into the supply chain, not only to consider third-party vulnerabilities but also to identify concentrations in outsourced activity of vendors that could impact critical services.

AREAS?

The NFR survey also explored the investment and oversight priority of certain third-party risk areas (Figure F). A total of 42% of respondents rated the area of onboarding and due diligence as a very significant priority when assessing third-party risk frameworks, with 45.8% rating supply chain cyber defenses the same. It stands to reason that onboarding and due diligence would be a high priority, enabling organizations to sufficiently vet potential business relationships.

This has become increasingly important since the rise of ESG and the subsequent issuing of social mandates to which organizations are seeking to adhere, both internally and across supply chains. Although the survey does not explicitly confirm this, increased customer focus means that non-compliance with social and governance requirements across the supply chain can have an unpredictable impact, including reputational fallout and potential associated fines. As a result, organizations are considering an ever-increasing number of social and governance aspects to ensure they are monitoring and removing any form of modern slavery, malpractice, or exploitation across their supply chains. They are also looking more directly at potential vendor organizations’ diversity and inclusion agendas, examining a range of criteria to ensure a diverse network of outsourced companies that will uphold their preferred social requirements.

PRIORITIZING RESILIENCE

Unsurprisingly, cyber ranks as a very significant priority when considering third parties, with 43.8% of respondents rating it as very significant and an additional 41.6% rating it as very important. Organizations must get comfortable with supply chain activities and understand vulnerabilities and potential service disruptions. What remains unclear is how many layers a firm should review, and to what extent oversight will be permitted across the supply chain.

Organizations are also developing recovery plans in the event of a breach or service disruption, often requiring them to cut links with the affected service provider.

Balancing recovery of service with limiting disruption to the customer as a result of disconnecting from a vendor remains a key challenge in ensuring business continuity and recovery.

Falling down the rankings as a low priority in terms of investment and oversight was onsite assessments. As stated earlier, questions arise as to when an onsite assessment is required, across how many organizations, and how this may have evolved with the recent rise in homeworking. Only 12.5% of respondents rated onsite assessments as their most significant priority, with over 14% stating it was not important. With a high proportion of organizations still operating in a predominantly remote environment, onsite assessments have become challenging; however, many due diligence plans still require them. The future of onsite assessments and prioritizing which vendors are critical enough to require one therefore remains a discussion point.

An area of increased importance highlighted as a topic for deeper analysis is the financial health of a vendor or supplier. Though not listed as a specific category in its own right, Advisory Board members felt it could be considered under the sub-sector of contracts and legal agreements, which 57.3% of respondents deemed very important. With so much disruption from Covid-19 and the continued volatility and impact to supply chains since the start of the Russia-Ukraine conflict, financial health has become a critical component of a vendor risk program. Once again, this is aligned with resilience requirements, as having oversight of the financial viability of a company and any potential service disruptions is critical for effective resilience planning.

Finally, inventory of all third parties continues to fall as a relative priority, with just 30.4% of respondents rating it as their most significant area for investment and oversight, and an additional 44.9% rating as very important. For more immature programs, inventory of third parties is a starting point to better understand the entire vendor profile. As the industry continues to mature and progresses from initial steps to more effective oversight, we would expect to see inventory fall further as it becomes a lower priority.

The significant shifts in top non financial risks over the past year and their relative priority for investment demonstrates more than ever that the rapidly changing risk landscape requires frequent oversight and response from senior leaders.

FIGURE G. IN REGARD TO TECHNOLOGY, HOW WOULD YOU RATE THE INCREASED USE OF, AND INVESTMENT LEVEL FOR, THIRD-PARTY RISK MEASUREMENT AND MANAGEMENT? Advanced analytics

Use of cloud for benefits (such as scalability, storage, efficiency)

Integration of vendor risk management to the GRC system Predictive analytics Robotic process automation / Data robotics

intelligence (AI) Automated control monitoring Cognitive computing

APPETITE FOR TECHNOLOGY

Another area covered in the survey was technology and the investment level for the measurement and management of third-party risk (Figure G).

As the discipline matures, technology is playing an increasingly important role in effective third-party risk management and as a tool to drive efficiency. A new addition for 2022 is the integration of vendor risk management to the GRC system, with 24.5% ranking it as the most significant third-party management tool. With the aim of cutting across risk silos and providing a holistic view of risk data, integrating vendor risk into a broader GRC system can facilitate detailed insight into some of the significant crossovers between various risk disciplines.

Regarding the use of cloud, 26.4% of respondents named it the most significant technology within third-party risk. However, cloud computing services are proving increasingly challenging for organizations with limited offerings globally. Concentration risk is most prevalent within cloud computing, which could explain why regulators are enhancing efforts to better regulate its use.

Many of the previously-mentioned themes apply to the use of cloud service providers – as a relatively new area, oversight and governance processes may need updating to reflect the nature of the agreement, and there are also questions around onsite assessment requirements. As a critical service provider, heightened due diligence, oversight, and assurance would be expected; in a concentrated marketplace, this continues to remain a challenge with very few opportunities to look elsewhere.

Ranking lower for use and investment level are technologies such as AI, cognitive computing, and robotic process automation (RPA), tools that are discussed heavily across the industry, though not yet fully leveraged. AI continues to advance in areas including fraud and financial crime detection and prevention but has not yet permeated through to third-party risk teams, where the benefits are still to be realized.

In summary, third-party risk has advanced globally. Since the Target breach in 2013 first catapulted this discipline into the limelight, organizations have been swift to realize the increasing third-party threat. The fallout from the Target breach served to demonstrate the potential losses from seemingly innocuous third parties and the vulnerabilities that can be opened by by granting them access to in-house systems.

TECHNOLOGY, INNOVATION, & AUTOMATION

As technology continues to advance across all areas of financial services, data challenges remain within NFR, hindering organizations’ technology agendas. When reviewing the key data challenges within NFR, data quality and standardization were top concerns. While data collection drives and advances are occurring across organizations, they are not always happening in a consistent and standardized manner (Figure H).

Aligning format and taxonomies will allow for consistency across silos, enabling risk professionals to gain an integrated and holistic view. To this end, 44% of respondents ranked data quality and standardization

as very significant challenges, with a further 48% ranking them as significant. The results shown in Figure H demonstrate that technology implementation may continue to stall until data challenges can be addressed.

The use of AI, machine learning, and deep learning attracted the fewest number of votes, though 30% of respondents still rated this as a very significant challenge. This ranking perhaps demonstrates the work still required to develop data management programs before deeper analysis and implementation of the technology can be applied.

H. HOW WOULD YOU RATE THE FOLLOWING DATA CHALLENGES WITHIN YOUR ORGANIZATION?

Not important

Important

Very important

Very significant

When exploring more detailed information on digitalization and the change environment over the coming 12 months, 58% of respondents anticipate significant investment in digitalization, defined as enhancing customer service of financial products and services through technology (Figure I).

Upon further examination, data quality emerged as the leading investment requirement for the next 12 months, with 41% of respondents citing it as a very significant area for investment (Figure J). AI usage and implementation also ranks highly, with 25% viewing this as a very significant investment area. In addition, the use of unstructured data is continuing to evolve, although it currently represents a relatively new topic in the nonfinancial risk space. Unstructured data attracted 19% of votes as a very significant area for investment, though the benefits remain largely unrealized, not least because of ethical questions around issues such as the use of social media data.

ENHANCING THE CUSTOMER EXPERIENCE

The benefits of digitalization are wide reaching, and though many organizations were forced to accelerate their digitalization drives as a result of the pandemic and the closure of in-person branches, the changing business model continues to be driven by customer expectations. Digitalization is also seen as a critical tool for improved data collection, predominantly on transactions (Figure K).

With customers moving online, behaviors and trends are easier to follow and track. Transactional data is more accessible and provides more detailed insight into customer habits and expectations, allowing organizations to tailor their services and offerings according to demand. Unsurprisingly therefore, enhanced customer experience was rated third, with 52.2% of those that ranked it deeming it the most important benefit of technology.

FIGURE K. OVERALL, WHAT DO YOU CONSIDER THE MOST IMPORTANT BENEFIT OF DIGITALIZATION TO NON-FINANCIAL RISK?

Much of the digitalization movement is centered around the customer, remaining agile and responsive to changing demands, and staying in front of or keeping up with competition. As customer expectations continue to evolve and competition increases, staying ahead of the curve with improved offerings and remaining agile are seen as the most important benefits of technology to 34.8% of respondents, with an additional 52.2% rating them as very important. Reputation and keeping pace with others ranked lower on the list of benefits, coming in last place, with just 27.5% rating this as most important. However, this could be because competition was also included as a standalone option, possibly causing confusion.

What is clear is that digitalization is a long-term strategy, but one which has been accelerated by the onset of the pandemic. Providing full services remotely and responsively is fast becoming a basic customer demand. Data programs are therefore being developed and streamlined to capture additional data in a consistent and high-quality format, to better inform decision making and drive change across the industry.

IN-HOUSE VS. EXTERNAL CAPABILITIES

Looking more broadly at where investment in technology is being made, we asked respondents to list their key emerging technologies as an investment opportunity. Individual responses included:

• AI and machine learning

• Robotic process automation (RPA)

• Cloud computing

• Open banking and APIs

• Automating risk management for onboarding new suppliers

• Blockchain/DLT

• Updating legacy systems for risk reporting

• Digitalization

• Natural language processing

• Authentication

However, regardless of where they see technology heading, it is clear that many organizations are grappling with whether to invest in external or in-house capabilities. Although 25% of respondents stated that their most significant investment is in external technology vendors (Figure L), 16.1% of respondents said their most significant investment is in internal or in-house technology capabilities. The conundrum was summarized by one respondent, who stated:

“We continue to recognize that some suppliers will provide superior solutions to what we can build and will continue to partner with suppliers on specific technology initiatives. However, we also recognize that there is valuable flexibility in being able to design certain solutions and services internally. The key is developing a principles-based risk approach that the entire organization can be brought into, to manage the technology and other NFRs associated with these efforts.”

These results highlight the need for alignment across in-house and external offerings, as well as assessment as to where opportunities lie externally and where external providers could integrate more effectively.

MINIMAL APPETITE FOR BLOCKCHAIN

Across other technology areas, blockchain remains a low priority for investment, coming in last with only 5.4% of respondents ranking it as the most significant investment area within their organization. Although the benefits of blockchain continue to be reported as far reaching, its potential within non-financial risk more broadly is yet to be realized, especially within the realm of fraud and financial crime where many see it as a hindrance to AML practices and the traceability of information and data.

In summary, non-financial risk against the backdrop of a recession is not seen typically as a priority, and investment has historically fallen. However, the influx of technology opportunities gives NFR professionals the chance to build agility, flexibility, and self-efficiency, helping to demonstrate the value of the discipline.

AML, FINANCIAL CRIME, & FRAUD

Throughout 2021 and 2022 we have seen a dramatic change in the financial risk landscape with the introduction of a series of unprecedented sanctions as a result of the Russia-Ukraine conflict. The amendments to sanctions requirements posed a significant operational challenge as global regimes increased their demands.

The NFR Leaders survey explored challenges within financial crime and AML, asking respondents to rate the effectiveness of their organizations’ AML measures. A total of 43% rated their AML measures as very good (5 on a scale of 1-6), with an additional 20% rating it as perfect. To receive a fifth of votes stating that respondents’ AML measures were perfect was a surprise, not least because 25.2% highlighted AML and financial crime as their most significant investment area (Figure A). For the most part, respondents appear confident in their AML measures, with over 90% voting positively.

CRIME DEPARTMENT AND

Upon reviewing the investment requirements specifically for AML and financial crime, the area of information security came out on top, with 39.7% of respondents rating information security as the most significant area of investment (Figure M).

Often overlapping with AML and cybersecurity, information security remains a critical function of any organization as the value of data continues to increase. As organizations seek to enhance their digitalization and automation efforts, new vulnerabilities are opened up through which information and data have the potential to be accessed. Though more widely considered a fraud challenge, those focusing on AML and financial crime are also increasingly seeing a risk to information security.

REQUIRED FOR YOUR ORGANIZATION’S

AND

SANCTIONS RISE IN IMPORTANCE

Sanctions received the highest percentage of votes for most investment required, at 43.1% (Figure M). However, it falls to third place when weighted with the votes for significant investment. The area of sanctions has received considerable attention of late, and has seen the most significant swings in regard to changes and requirements. Therefore, it was somewhat of a surprise to see that 25.9% of respondents rated it as requiring only some investment, and an additional 8.6% felt it required the least amount of investment.

Although sanctions is a critical investment area, it is clear that not all organizations are experiencing the same requirement or demand for investment. This could be as a result of a very sudden surge in sanctions activity at the onset of the Ukraine conflict, when global organizations scrambled to adhere to requirements and better understand expectations. However, the landscape has since remained relatively settled, with organizations having conducted the work required to remain compliant. Firms may have also leveraged the opportunity to enhance their resilience around sanctions and ensure they are prepared for any future major changes.

As an interesting side note, the use and understanding of artificial intelligence scored relatively low, with just 28.1% of respondents rating it as the discipline requiring most investment. AI is frequently referenced as the future of risk management and praised for its capabilities, though in many areas, little investment and understanding is in place.

FOCUS ON COMPLIANCE

The survey moved on to explore the AML areas currently receiving the most attention within organizations, but not necessarily reflecting investment levels (Figure N). Regulation and compliance emerged as the key focus area when considering AML risk aspects only, with 56.1% of respondents rating it as the most significant area and an

additional 31.6% deeming it very important. It is worth noting that the issue of sanctions was not an option in this question; Advisory Board members indicated that, for many, sanctions would fall within the remit of regulation and compliance and this could be a factor as to why it ranked so highly. Although different to the investment rankings, this could also support the earlier hypothesis that some respondents completed the survey when the changes resulting from the Russia-Ukraine conflict were first implemented.

Also rating highly was KYC, with 43.9% of respondents voting this area as the most significant and 42.1% citing is as very important. A key tool within AML and financial crime in identifying trends and patterns to better identify risks, Know Your Customer (KYC) remains fundamental to a successful AML and financial crime program, enabling organizations to gather data on customers and ensure the services they are using are within legal and regulatory parameters. This aligns closely with regulation and compliance, as there are demands and expectations on organizations to include KYC as part of their AML framework. KYC also aligns closely with ESG social requirements to identify information for monitoring potentially exposed persons for modern slavery or terrorist financing, for example.

Once again, AI falls towards the end of the rankings, with just 24.6% of respondents rating it as most significant and over 50% rating it as either not important or somewhat important. AI could assist with AML and KYC functions to better detect risks and criminal activity in a more efficient, less human intensive process. The Financial Action Taskforce (FATF) recently focused on AI within AML in its publication on opportunities and challenges of new technology for AML/CFT, outlining that machine learning (a subset of AI) has significant potential within antimoney laundering. Thanks to its ability to detect patterns and therefore anomalies, AI could alter the future AML landscape and provide a more streamlined and automated view of risks.

FIGHTING FRAUD

Fraud, often confused with financial crime, has seen increased attention of late as an area more likely to directly impact a customer. As a result, organizations are consistently rolling out new techniques to combat fraud and protect customers.

When reviewing the relative strength of an organization’s fraud program, people and organization (including culture and leadership) came out on top, with 43.8% of respondents believing that their fraud program is strong (Figure O). A further 45.8% also rated their employee training and customer awareness as strong, potentially indicating that they believe any risk to be external and that internally, the initiative is being driven forward with effective oversight, training, and awareness.

When looking at investment in fraud programs, it comes as no surprise that cybersecurity again came out on

top, with 46.7% of respondents stating it required the most investment (Figure P). As outlined across different disciplines, the influx of digitalization opportunities and advances in technology initiatives mean that new vulnerabilities are being opened up. Organizations therefore face a wider cyber challenge as they continue to leverage a greater number of external parties to provide key services, entrust cloud computing organizations with vast amounts of data, and develop customer-facing applications. A fine balance must be found to advance the customer experience yet, at the same time, drive efficiencies to safeguard customers and ensure that both their funds and data are protected. The difficulty is that customers are increasingly demanding a streamlined, interactive, and instant service – balancing this expectation with security measures that serve to protect but also prolong a transaction can seem inconvenient to the customer, yet are necessary to protect them.

I hope the report will provide a current pulse of new emerging risk themes and any areas that appear to be maturing. The challenges that industry peers are experiencing are valuable insights that we can learn from while allowing us to operate proactively instead of reactively.

FIGURE P. WHICH AREAS DO YOU BELIEVE REQUIRE THE GREATEST INVESTMENT IN RELATION TO THE PREVENTION OF FRAUD?

Another area that rated highly as a priority for combating fraud (Figure P) was employee training and awareness, with 32.3% of respondents stating that most investment was required in this area. This could be interpreted that this is a particularly challenging area. However, given the results in Figure O, it more likely demonstrates that a continued investment in training and awareness is resulting in being it rated highly by employees as a strong area within their fraud management program, rather than an aspect which is hugely problematic.

Finally, authorized push payments (APP) have historically rated as a key fraud risk, rising as the leading challenge for fraud teams and formerly the leading cause of fraud to customers in the UK. In 2022, APP fell to fifth position – although 33.3% of respondents rated it as requiring the most investment, only 23.3% felt it required significant investment, bringing down the weighting. Despite a focus on combating APP and changes in legislation around reimbursement or compensation of customers, APP continues to grow worldwide. In what was described as an ‘epidemic of fraud’ , it is surprising to see investment in APP falling across many organizations.

GEOPOLITICAL RISK

Geopolitical risk has influenced several key areas already outlined in this survey. It has far-reaching implications and appears to have impacted results across a number of nonfinancial risk silos. As a standalone risk category, it is one of the fastest risers from 2021 to 2022, though this is to be expected against a backdrop increasing global tension, primarily the Russia-Ukraine conflict. As much analysis of this silo has already been cited throughout this report, little assessment remains; however, as such a substantially rising area, some additional focus is justified.

Reviewing which factors are viewed as the most pressing areas for the next 12 months, global political change was the front runner, with 41.9% of respondents rating it as the most significant (Figure D). It is worth noting that the survey opened prior to the start of the Russia-Ukraine conflict, and this was therefore not included as an option. Upon discussion with Advisory Board members, it was suggested that the conflict may have been encompassed within the category of political change.

This is supported by the individual answers we received relating to arising challenges, which included:

• China, including US relations, Taiwan tensions, export politics and international relationships as a result of the Ukraine conflict

• Consequences of the Russia-Ukraine conflict – impact on EU countries, sanctions, global implications

• Disintegration of multi- and supra-national bodies

• Food and water insecurity

• Cyberattacks, including state-sponsored and cyber warfare

• Rising interest rates

During analysis with Advisory Board members, further areas highlighted included nuclear war, the energy crisis, EU relations, trade flows, and sanctions. As a result, it seems unsurprising that global political change was rated the most significant consideration over the next 12 months. It was suggested that the results could have been diluted with EU relations, with trade and Brexit ranking second to last. Some respondents might have viewed this area under the umbrella term of global political change, which could serve as an explanation as to why it ranks so low. Survey respondents are predominantly based in the UK, EU, and US – many with a global remit – and so would reasonably be expected to have been impacted by the economic fallout of Brexit.

Cyber warfare and state-sponsored hacks ranked second, with 39% rating this area as most significant and an additional 36% as very important. This highlights a trend towards cyber seen throughout this report, supporting the analysis of the research findings that cyber risk infiltrates all business areas and overlaps with the vast majority of non-financial risks.

Interestingly, only 13% of respondents rated the global pandemic as a most significant area for the next 12 months. As much of the world continues to edge ever closer to a so-called normal environment, it is reassuring to see such a drop in significance and a move towards business as usual after the pandemic.

Regulators and shareholders expect that firms are using every tool at their disposal to assess their own independent progress and keep a watchful eye on how non-financial risk themes evolve across the industry.

THE RISE OF ESG

Another area increasing as a trend term and rising up the rankings dramatically for 2022 is ESG. Much like geopolitical risk, ESG has been referenced across many risk areas and has wide-reaching implications and considerations. Social and governance aspects continue to gain traction and impact areas such as third-party risk as a key concern at onboarding and throughout the relationship lifecycle. Organizations globally are grappling with defining expectations and setting taxonomies to set achievable pledges, even when these are likely to be implemented by a new generation. Environmental concerns continue to receive increased attention across the industry, as well as considerable media attention and focus from customers when deciding with whom to do business.

One of the key challenges within ESG is data. Inconsistent approaches and taxonomies across organizations and ratings agencies mean that alignment is required to enable better benchmarking and provide valuable information to stakeholders. Staffing teams with subject matter experts in such an immature area is also a challenge; many organizations are therefore looking to reskill existing staff and drive organizational change and culture.

Respondents were asked to rank their top three ESG risk challenges over the next 12 months in an open text box. The responses on the right demonstrate the scale of ESG as a non-financial risk and the specific challenges faced by organizations.

Investment opportunities within ESG remain very broad; ESG spans so many areas that organizations are grappling with where to prioritize and begin any investment projects. While not all concepts are new – most have been part of risk management considerations for many years – as a whole, ESG represents a considerable challenge for the industry. Starting externally, when reviewing third parties and their vendors, firms must now conduct assessments across the board to ensure that vendors comply with net zero objectives and goals, social requirements, and much more. Adding climate risk into stress tests, with the challenge of obtaining Scope 1, 2, and 3 of GHG data, is likely to be a significant undertaking and require considerable investment.

However, one area for investment emerged as the clear leader: data, specifically, finding ways of collecting data to provide insights into all aspects of ESG. Aligning data

across the industry is essential to ensure comparability and measurable outcomes from ratings agencies because of inconsistent practices.

What is evident is that ESG has the potential to impact all aspects of an organization, including new products and market entrants. Additional understanding is required to track impacts externally from a social and climate perspective, as well as internally to drive business whilst remaining compliant. Some respondents highlighted that no investment has begun as yet; with such a vast range of upcoming changes and requirements, many are still in the fact-finding phase, looking to understand expectations, competition approaches, and internal and external impacts, alongside how any changes may impact the viability of their business, services, and product lines.

PEOPLE RISK

An area discussed heavily among the industry and regularly raised at networking events is people risk. However, it ranked relatively low as a priority for both risk and investment, placing seventh as a risk rating and 12th as an overall investment area. This proved surprising to Advisory Board members, who have seen a significant increase in attention and focus on people risk in light of dramatic changes to working environments.

For the purposes of clarity, people risk for 2022 incorporated conduct and culture risk and was defined as follows:

Risks associated with employee misconduct, key personnel dependencies, talent management, and staff retention. For 2022, this also includes risks resulting from the actions of an organization or individual that can lead to customer detriment, market instability, or impact competitive practices.

As a new inclusion under people risk, culture and conduct risk was also analyzed, with many aspects appearing to be either fully integrated or mainly integrated. In total, over 87% of respondents found that sound ethics and behavior across their organization and value and strategy were either fully or mainly integrated and implemented (Figure Q).

Management was praised for spearheading a top-down approach to promote good conduct and culture, with 84% agreeing that such an approach is very effective or mainly effective. Remuneration and appraisals ranked lower, with only 16% believing these are a very effective tool to promote good conduct.

FIGURE Q. HOW EFFECTIVELY HAS YOUR ORGANIZATION DEFINED AND COMMUNICATED THE FOLLOWING CONDUCT/ CULTURE CONCEPTS?

Sound ethics and behavior (defining, communicating across the organization)

awareness/Intelligence (anticipating vulnerabilities, ongoing surveillance)

Tolerance (penalizing and not tolerating unacceptable actions in line with values of organization)

Across personnel challenges more broadly, unsurprisingly, the shortage of talent and staff rated highest, with 75% rating this as a very significant challenge over the next 12 months (Figure R).

As organizations continue to expand and develop, some of the previously-mentioned emerging risk silos will require changes in talent and skills. Areas such as ESG and digitalization pose a new set of challenges and demand unique skill sets, which many organizations currently lack.

In addition, the move to remote working poses a significant talent retention threat to organizations globally. With location no longer a consideration when looking for opportunities, the pool of options for individuals has opened significantly. In what was pegged ‘The Great Resignation’, swathes of industry professionals took the opportunity to change career path or move organization. This is evidenced by the fact that 70.6% of respondents view retention as the most significant challenge to personnel over the next 12 months.

FIGURE R. HOW SIGNIFICANT DO YOU CONSIDER THE FOLLOWING PEOPLE/PERSONNEL ISSUES TO BE IN THE COMING 12 MONTHS?

DIVERSITY, EQUITY, AND INCLUSION

Finally, although falling under the remit of ESG, diversity, equity, and inclusion (DE&I) has received heightened attention internally as management teams seek to ensure that opportunities, pay, and promotions are equal across an organization. DE&I was rated as very significant by 32.7% of respondents, with an additional 34.6% deeming it significant, pushing this category up to fourth place as the most important ESG challenge. In reality, for knowledge based industries, capital is embedded in

labor, which is becoming more evident and a challenge to manage.

The NFR Advisory Board commented that many DE&I aspects, including gender and ethnicity, should have been tackled and addressed many years ago. They also highlighted that an area missing from Figure R is that of staff health and wellbeing; with so many people working under new conditions at home, safeguarding employees’ mental wellbeing has become increasingly important.

SUMMARY & CONCLUSIONS

The events that have unfolded since 2020 have impacted organizations on a global and unprecedented scale. There is little doubt that the pandemic has had a residual effect on many firms, changing the way we work for the foreseeable future.

On a personal level, many staff members have found a better work/life balance in a remote environment; productivity continues to increase and overall team output has improved. However, remote working continues to pose challenges, not least because of a change in control environments and difficulties in staying on top of everevolving criminal tactics. Over 75% of survey respondents deemed flexible working or working from home the biggest change as a result of the pandemic, and one which has posed significant challenges from a risk and control perspective. By contrast, rating low in priority were areas such as productivity and output, with many Advisory Board members noting a substantial upswing in output and efficiency.

Non-financial risk continues to evolve, attracting significant investment and increasing levels of confidence, despite the threat of an economic downturn. Many respondents felt that certain aspects of non-financial risk would remain a priority even in such a scenario, and with revenues affected.

There is no doubt that both the pandemic and the escalating geopolitical landscape have demonstrated the need for resilience, with global regulatory initiatives driving the need for resilience across all areas, including technology and cyber projects. Over half of respondents highlighted identifying critical business services as extremely important and a key area of focus over the next year. Taking a step back and identifying vulnerabilities and potential weaknesses in controls internally and across outsourced services is therefore critical.

As a final note, ESG and geopolitical risk have seen the most significant increase in attention, posing a range of challenges to organizations over the next year. It comes as no surprise that the geopolitical landscape and aftermath of Covid-19 continue to have a significant impact on the sector. As the industry moves towards a business-as-usual environment, resilience will be key to maintaining the ability to continue critical services in a range of scenarios, including preparing for events such as those experienced in 2020 and 2021.

An appreciation of the industries views on the risks it faces and the challenges the industry faces in managing them are vital to the industry itself, its advisors and suppliers and very importantly its regulators and supervisory authorities. In the former cases an open discussion of the issues involved in achieving risk and regulatory objectives lead to clarity of understanding in how they might be achieved. In the case of regulatory and supervisory authorities I feel that too much regulation stems from an understanding of policy objectives, but too little appreciation of the problems involved in achieving them within sensible budgetary constraints, industry led reports are an important tool for uncovering these challenges.

Brandon Davies, Trustee and Lecturer, Institution of International Monetary Research, Buckingham University, Non-Financial Risk Leaders Advisory Board Member, CeFPro

CEFPRO RESEARCH AND SERVICES

The Center for Financial Professionals, CeFPro®, is an international research organization dedicated to the advancement of the profession, offering customized information and information services. CeFPro has a long history of engagement within the industry, and with industry professionals, that allows us to provide in-depth research, reports, and information on a range of financial, risk, and technology subject matters. We have assisted numerous clients with their content requirements, as well as providing suppliers with a deeper understanding of market practices, future opportunities, and investment requirements.

Just some of the opportunities that CeFPro can offer your organization include:

MARKET PLACEMENT, POSITIONING, AND PROMOTION

CeFPro’s clients include consultancies, vendors, financial institutions, and regulatory bodies. Our positioning is unique, guided by advisory boards made up of industry professionals from a variety of backgrounds across the world. CeFPro can offer a greater insight into the marketplace, using our clear understanding of the industry and technical knowledge to provide tailored and bespoke analysis of specific challenges being faced by our clients.

In addition to placement in a dynamic and competitive marketplace, CeFPro offers compelling, robust, and independent research. Research can be co-branded, targeting critical business needs, industry sectors, and geographies. We assist clients by delivering a greater understanding of their position in the marketplace, as well as supporting them to better position their solutions. We can offer a clear differentiator in a crowded sector, assisting in the enhancement of clients’ branding and awareness.

All CeFPro’s research papers are based on a partnership, with direct business applications to end-users that are current and relevant. Our understanding of the marketplace and knowledge of institutions also enables us to assist with competitor analysis, helping our clients gain a greater understanding of their competition and their relative positioning, and assisting in their strategy to pursue a better market position for increased success.

RESEARCH AND REPORTS

Our co-branded projects provide insight into businesscritical challenges. All co-branded research and reports are bespoke, tailored to the needs and requirements of each individual client, from mass online surveys to bespoke qualitative approaches, such as one-on-one interviews with industry professionals. Our deep and widespread expertise allows for a blend of differing approaches.

ROUNDTABLES AND EVENTS

CeFPro’s international events are established as world leading, allowing us to host targeted roundtable discussions or bespoke events, with research and market challenges at the center of the discussion.

MEDIA AND PROMOTION

CeFPro offers members a complimentary bi-monthly magazine, weekly e-newsletter, and online membership area, allowing our research partners the opportunity to leverage their products and services across multiple channels to maximize outreach, awareness, and branding.

FINTECH LEADERS REPORT

Fintech Leaders 2022 is the most comprehensive business intelligence study on the status of the fintech industry.

The 2022 report explores critical areas such as:

• Key opportunities

• Challenges to implementation

• Investment priorities for fintech

• Impact of Covid-19

Fintech Leaders is the voice of the marketplace, with the votes and comments of nearly 2,000 respondents contributing to the content of the final report. In addition, Fintech Leaders includes a guide to suppliers through the inclusion of a list of key solution providers, including rankings across 30 different categories and an overall fintech solution vendor ranking system.

This report is freely available to download from our members’ hub at www.cefpro.com/membershub

INFRONT MAGAZINE

A bespoke, bi-monthly magazine created by the industry, for the industry, iNFRont provides insight and thought leadership-driven content from industry experts across all areas of non-financial risk. Aiming to provide clarity on key challenges, benchmark approaches with industry peers, and spark ideas for future development, iNFRont is a leading resource for all non-financial risk silos.

For further information on CeFPro, or to become a member, please visit www.cefpro.com

© Copyright Center for Financial Professionals Limited, CeFPro®, 2020-2021. All Rights Reserved. Non-Financial Risk LeadersTM, or NFR LeadersTM, is wholly owned by CeFPro®

No part of the NFR Leaders publication, or other material associated with CeFPro® or the NFR Leaders report, may be reproduced, adapted, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Centre for Financial Professionals Limited, or as trading as the Center for Financial Professionals or CeFPro®

The facts of the NFR Leaders report are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions, and recommendations that CeFPro® delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. CeFPro® acknowledges the guidance and input from the Advisory Board, though all views expressed are those of the Center for Financial Professionals, and CeFPro® accepts no liability whatsoever for actions taken based on any information that may subsequently prove to be incorrect, or for errors in our analysis. For further information, contact CeFPro®

CeFPro®, Fintech LeadersTM, and Non-Financial Risk LeadersTM are either Registered or Trade Marks of the Center for Financial Professionals Limited in the UK, and pending registered trade mark within the EU and the USA. Unauthorized use of the Center for Financial Professionals Limited or CeFPro® name and trademarks is strictly prohibited and subject to legal penalties.