Unanticipated events can wreak havoc across every aspect of business, financial, and human activity—as the pandemic has made all too clear. Now, top executives and boards of directors want to know their institutions’ full risk profiles and which exposures need active management. For those charged with managing the credit portfolio, identifying, measuring, and managing non-traditional risks (which we define as those generally not categorized as credit risk, market risk, interest rate risk in the banking book, or liquidity risk) has gained considerable urgency.
Against this backdrop, BCG and the International Association of Credit Portfolio Managers (IACPM) surveyed financial institutions around the world about their practices and aspirations for managing the non-financial risks in their credit portfolios. (See Exhibit 1.)
To focus the study, we prioritized five key risks—climate change and ESG (environmental, social, and governance) risk, reputational risk, cybersecurity, technology disruption, and pandemics and natural disasters. These selections were confirmed by the respondents themselves as the top non-financial risks that their institutions face. (See Exhibit 2.)
The survey results yielded several important observations and insights about the accelerated evolution of the credit portfolio management (CPM) function. CPM has gained greater influence over the balance sheet and underwriting by expanding its mandate to include analysis and management of non-financial risks. While the majority of surveyed institutions have begun to develop governance, risk management frameworks, and analytics for the non-financial risks in their portfolios, few believe their capabilities have reached the necessary level of maturity and sophistication. Institutions recognize the importance of improving their ability to perform risk identification, of understanding better how risks affect their business, and of creating analytics and reporting around non-financial threats.
The key challenges identified by the survey relate to the difficulty in quantifying non-financial risks and the complexity of incorporating them into the existing risk management and risk appetite frameworks. This report will explore the various ways institutions are responding to these challenges and redefining best practice in non-financial risk management.
The pandemic struck just as we were beginning the survey in early 2020, which gave us a live window into how CPM and risk management functions reacted to actual—and substantial—risk. While COVID-19 temporarily shifted institutions’ focus away from their overall strategic roadmaps for non-financial risk management, we found that their appreciation and support for further investment in this area increased overall.
Partly as a result of COVID-19, the CPM function has emerged as a center for action and thought leadership—and has gained significant influence in helping businesses navigate the recent market turmoil. Using scenario analytics and modeling enhancements, CPM functions have provided insight into sectors and client segments that face increasing risks. These functions have also served as important coordinating hubs and links among their financial institutions’ business units, capital management, finance functions, and risk management. The experience from the current pandemic, coupled with anticipated longer-term trends, signals the need for an accelerated expansion of risk-management practices with respect to non-financial risks.
While most institutions view the management of non-financial risks as a shared capability among different groups, we observed the CPM function often taking the lead in helping shape and prioritize such efforts. Risk managers and others in the first line of defense are not idly waiting for robust quantification of risks before taking action; they are aggressively collecting data to further understand those risks, refining their estimation methodologies, and making investments in non-financial risk capability building. At many institutions, CPM advocacy is helping to shape underwriting decisions.
Among the investments that institutions are making in improving CPM are:
Institutions have improved their management capabilities with respect to such risks as cyber security and technology; still, there is not a great deal of clarity in the industry on what constitutes best practice for tracking how non-financial risks manifest in the portfolio (via the underlying companies) or how such risks should be managed.
Our survey found that some regions appear to have invested more in certain types of non-financial risk management capabilities. Europe, as many might expect, leads in climate risk management, especially given the advancement of supervisory guidance in this area. Capabilities for non-financial portfolio risks in APAC are relatively more nascent than other regions; APAC institutions have also made fewer investments in the area of pandemic-related risk. Respondents in APAC and the Americas highlighted their intentions to prioritize climate change and digital disruption—and to catch up with their European counterparts. Heightened attention on non-financial risks among supervisors worldwide is perhaps part of the reason for this convergence.
As it turns out, size is not necessarily a good determinant of whether an institution takes a particular non-financial risk seriously—institutions of all sizes noted a strong desire to invest in their non-financial risk capabilities. The digitization and automation of risk management has also eased the identification, inventorying, and tracking of these risks (just as the risks themselves have become faster to manifest).
The impact of COVID-19 and the rapidly expanding concern over climate change have emphasized the need to more fundamentally rethink how to deal with emerging threats—particularly with respect to the expertise base and operating models used to manage portfolio risks. There is wide consensus on the top risks, all of which are seen as having the potential today to be sources of large unexpected losses and to even present systemic challenges. But concern is not limited to the “big five.” The survey found that banks also see a “fat tail” of a dozen or more other risks. The relatively heterogenous list reflects the complexity of today’s market and business environments, and shows that institutions are aware that risks can arise from different circumstances and timeframes.
The significant gap between respondents’ current and targeted non-financial risk management capabilities is a serious issue. On a 1 to 5 scale, with 5 being the most developed state, respondents’ target state averaged about 4, which is good news. But their current level of maturity averaged about 2.5, leaving plenty of room to improve. (See Exhibit 3.) The widest gap is in climate change, while the smallest is in reputational risk.
We asked respondents to name their motivations for improvement. Four of the five most-cited factors reflected internal recognition of the need to improve risk-management capabilities; regulatory pressure was cited by less than half of the respondents. Institutions clearly see non-financial risks as an economic issue as well as a regulatory imperative.
Generally, survey respondents felt that CPM functions are emerging from the evolving COVID-19 crisis with elevated reputation and credibility. The functions have performed well in dealing with the heightened expectations placed upon them, including increased demands for risk analytics, scenario analysis, sector insights, and coordination between the front office and risk and finance functions. Two-thirds of respondents felt that the pandemic has materially altered the role of CPM, with many firms achieving closer integration between CPM and teams such as treasury and finance and the business units.
COVID-19 has also affected CPM’s core mandate, roles, and responsibilities. There is more coordination with working groups from other functions and with senior leaders across the firms surveyed. Institutions are using more forward-looking analytics to anticipate future challenges and their potential impact on portfolios, and they are integrating analytics into their risk mitigation strategies. There is a generally more preemptive approach to managing emerging risks and performing “what if” or pro forma analyses. More institutions are integrating groups across the first and second lines of defense for risk monitoring, credit action approvals, and pricing.
Specifically, respondents said that COVID-19 has changed how CPM manages non-financial risks in the following ways:
Overall, at most institutions CPM is increasingly involved in strategic questions as well as issues of credit policy, risk appetite, and credit decisioning. This expanded role, many felt, has the potential to continue after the COVID-19 crisis recedes.
Breaking Down the Readiness Challenges
Institutions cite a significant handful of common challenges in assessing and managing non-financial risks. (See Exhibit 4.) Almost all point to the short history and emerging nature of these risks, which make them hard to quantify. Banks are often challenged by how to adjust traditional tools, such as risk ratings, when they lack sufficient data to develop different assessments of the probability of default—or of loss given default—even when they have an opinion on the extent of the risk. “Quantification is the key difficulty which drives all other difficulties,” one respondent said.
The complexity of integrating non-financial risks into the existing risk management framework is a significant hurdle, one that requires more work on taxonomies and governance. Policies, procedures, and even first-order risk identification need thoughtful (and continuous) updating. Even with the growing appreciation of non-financial risks, four out of five survey respondents cited the lack of integration of such risks into the risk appetite—although banks are working hard to change this, starting with risk identification and education efforts. “We do spend a lot of time trying to educate our colleagues around these non-financial risks,” a risk manager told us. “We feel it’s time well spent.”
This issue ties back to the first challenge—the difficulty in quantification—and leads to a Catch-22. In some instances, such as those related to reputation risk, it may be easy to create a threshold at which an institution rejects or dismisses a borrower or counterparty outright. But it is much harder to define sufficient granularity of analysis, or shades of grey, for such factors as pricing and risk rating adjustment—or to provide guidance on how to adjust the amount of reputation-risk exposure the bank can bear in the portfolio as a whole. At the same time, when a risk is not specified within the risk management framework, there can be less incentive to do the hard, expensive, and necessary work of data collection and quantification—which is what enables understanding the risk in the first place.
Underscoring this point, our survey found that lack of understanding and lack of clear incentives round out the top five risk-specific challenges. “I’m surprised not to see more highlighting the lack of incentives,” one respondent told us. “Incentives are everything.”
With the increasing focus on non-financial risks, how do institutions raise their risk mitigation and management capabilities to the next level? We asked survey respondents to rate their current capabilities on three dimensions: governance and operating model, risk management framework, and data and analytics. We found that current capabilities are low but that aspirations are realistic: institutions are targeting the possible and not trying to achieve perfection right away. (See Exhibit 5.)
Among capabilities, the widest current-to-target gaps are in risk management frameworks and data and analytics. Large and smaller institutions show similar profiles on this front, while APAC trails other regions in current maturity. In terms of risk categories, the biggest perceived gap is in climate and ESG-related risks.
Governance and Operating Model. Respondents reported their institutions falling into one of three stages of operating model maturity (see Exhibit 6):
For all non-financial risks other than climate change and ESG, we found that approximately 50% of institutions identified themselves as having only emerging operating models. About a quarter of institutions reported having an integrated operating model, where the required expertise is part of each team in the first and second line of defense. The remaining firms saw themselves as having a developing operating model—that is, they are making progress in building capabilities, which are typically coordinated by a center of excellence or similar body. Climate change models are more advanced; with respect to this risk, the majority of institutions report a developing or integrated model. Meanwhile, we found significant regional variations in operating model maturity for addressing climate and pandemic-related risk. (See Exhibit 7.)
Risk Management Framework. In the absence of robust risk-quantification capabilities, respondents reported two increasingly popular approaches for incorporating non-financial risks into their risk management frameworks. First, institutions are creating integrated qualitative-quantitative approaches for managing risk (as opposed to purely quantitative), although it merits noting that almost a third of respondents do not yet explicitly consider three major categories of non-financial risk—pandemics, cybersecurity, and technology—in their credit portfolio risk-management framework. (See Exhibit 8.)
These qualitative-quantitative views are based on sector analyses that often involve a more granular look at sectors and subsectors than those traditionally taken by CPM, which have typically assumed that all companies in a particular Global Industry Classification Standard code are the same. The qualitative-quantitative approach examines each non-financial risk individually and begins to manage the portfolio accordingly.
For example, when analyzing potential sources of portfolio risk from the pandemic, institutions are seeking to look beyond the expected winners and losers in each sector and uncover narrative connections between the evolution of COVID-19 and future business prospects—rather than waiting for financial statement data to input into credit models. To do so, institutions are using sector analyses that look for relationships among predicted patterns in unemployment, reduced spending, and lost revenue for their borrowers. While previous predictive models used sector-level cyclical stress factors to forecast higher losses, banks have found that they could not usefully assume that an entire industry would suffer equally from the impact of COVID-19. Instead, leading institutions are digging deeper into subsectors to identify differentiable risk factors. In the transportation sector, for instance, this analysis has led to the discovery of resilience in the markets for commercial haulage and used cars.
Second, the matrixing of various non-financial risk factors yields insights for managing overall risk. The pandemic accelerated the risk of digital disruption for many borrowers, not to mention entire industries; for some firms, however, this was also an opportunity if handled well. Recognizing this dynamic, some leading institutions were sufficiently nimble to set up ad-hoc teams to help loan officers identify borrowers at risk of digital disruption from the pandemic—perhaps because of dependence on foot traffic or in-person delivery of a service—and assist these borrowers in managing their exposures or encouraging (through targeted credit offers) increased investment in e-commerce capabilities.
Even without the effects of the pandemic, it’s clear that portfolio management can take a similar approach to making granular sector-based assessments of the potential for digital disruption risk—and perhaps climate, reputational, and cyber risk as well. This would be a useful first step toward adjusting the traditional inputs (or model outputs) used for credit decision making and loan pricing. Take the example of the power-generation sector with regards to climate risk. Banks are taking steps to ensure that upgrades or downgrades are based on specific assessments of each borrower’s exposure to physical and transition risks; utilities that are working to increase their resilience to rising wildfire risk, for example, or reducing their reliance on coal while increasing investments in renewable power sources, may have lower default risk in the long run.
Data and Analytics. Our survey found widespread material gaps in the use of customer or counterparty non-financial risk data points in the credit rating process. The lack of reliable data sources and specific risk-factor taxonomies hinder wide use of analytics for non-financial risk identification, assessment, and management. In fact, only about 10% of respondents had enough quantitative data to include NFRs in their underwriting process; about 40% supplement non-financial quantitative data with other sources, primarily benchmarks and external risk ratings. (See Exhibit 9.)
We also observed a need to better incorporate non-financial risks in stress tests. With the exception of pandemics, most financial institutions do not regard the five non-financial risks surveyed as “very material” to their stress tests. (See Exhibit 10). Less than 20% regard them as somewhat material. This is changing, as the development of stress scenarios is increasingly recognized as a powerful tool for incorporating emerging risks into the risk management framework—even in the absence of a long history of risk-related losses. Institutions do this by developing scenario narratives that describe potential losses and defining the processes through which the risks can be best estimated.
The pandemic has highlighted the need for institutions to play offense as well as defense when it comes to managing non-financial risks. The industry has been forced to catch up fast to an unforeseen crisis that morphed rapidly out of control—and it needs to get its collective arms around the other types of risk that pose growing threats to profitability and even stability. Despite the challenge of quantifying and articulating non-financial risks, most institutions are making headway, using many approaches and tools, often with the encouragement and support of regulators. Many are trying to establish best practice before the next crisis occurs.
The quantification challenge for non-financial risks calls for a measured and targeted approach to phasing in what might otherwise be a disruptive effort. Institutions are pursuing a variety of initiatives to improve their capabilities in each of three capability domains. These include the following:
Each institution is different, and its way forward will require a tailored approach that takes into account its complexity, business model, risk appetite, and client base. Such an approach will also reflect the institution’s prior investment in risk management, technological debt, and competitive position. But implementation can be guided by a roadmap that considers each initiative’s projected impact and the effort required to put it in place. (See Exhibit 11.)
In terms of building a roadmap, we recommend two parallel courses. The first involves solving the risk-quantification challenge with new data and new efforts at developing the necessary analytics. The second, and perhaps more important, step is to stand up an appropriate governance for non-financial risks, and make the concomitant adjustments to the existing institutional risk-management framework.
CPM teams can help their institutions move beyond a pure risk-reduction mindset, and toward adding broader business value, by using the rising awareness of non-financial risks as a catalyst for development of new credit offerings—especially in circumstances where the customer has less risk than the portfolio average. To give one example, many institutions are now approaching existing clients that they deem to have high risk from climate change and offering sustainable-finance solutions to help them transition effectively and efficiently to lower-carbon ways of doing business. For the increasing numbers of companies making commitments towards “net zero,” such offerings have become all the more urgent.
Outside of the climate arena, institutions are asking customers to take on more digital ways of doing business and to strengthen their supply chains—all as part of a more typical package of advice on how those customers can keep within their covenants and reduce their credit riskiness.
For CPM functions, there may never be a better time to lead efforts to enhance their capabilities with respect to non-financial risks. This is a rare moment when executive focus, regulatory scrutiny, and the potential for value creation—or the prevention of value destruction—come into alignment. The potential steps to improve institutions’ capabilities are increasingly well-established, even if wholesale changes to quantification methodologies cannot be fully adopted until data challenges are addressed. The way forward is clear, and institutions need to move now to structure programmatic, coordinated approaches that will strengthen their positions in the years to come.
The authors wish to thank Anand Kumar, Duncan Martin, Miguel Saez, and Neha Sharma for their insights and assistance.