Julien Haye

Beyond the Bottom Line: The Growing Impact of Non-Financial Risks on Companies and Industries

How to effectively manage non-financial risks with AI

In today's fast-paced and complex business landscape, companies face a multitude of risks that can impact their bottom line and reputation. While traditional financial risks such as market fluctuations and credit risk have long been the focus of risk management efforts, non-financial risks (or NFRs) are becoming increasingly important.


There has been a growing awareness of the potential impact of non-financial risks on a company's financial performance, reputation, and long-term viability. Facebook's stock price fell 18% in just a week in March 2018 following the Cambridge Analytica scandal, which highlighted the potential risks associated with data privacy.


NFRs can range from environmental, social, and governance (ESG) issues to cybersecurity threats, and can have a significant impact on a company's financial performance and reputation. And the impact of non-financial risks can dramatically vary across different sectors and industries, depending on the nature of their operations, the regulatory environment they operate in, their risk culture, and the level of stakeholder scrutiny they face.


As part of our ongoing effort to identify the key trends shaping enterprise risk management, we explore each year the top ERM priorities and trends. From the profound impact of artificial intelligence to the growing focus on ESG risks and supply chain resilience, the insights shared in our trend articles delve into the emerging challenges and opportunities for Chief Risk Officers and risk practitioners.


ESG Issues and Sustainability Risks


ESG issues have gained significant attention in recent years as stakeholders, including investors, customers, and employees, increasingly prioritise sustainability and social responsibility. A study by McKinsey found that companies that effectively manage ESG issues can outperform their peers by as much as 12% annually. However, failing to address ESG issues can have a negative impact on a company's reputation and bottom line.


Companies that do not address environmental risks may face fines and legal action, as well as damage to their reputation among consumers and investors. In addition, companies that do not prioritise social responsibility and employee wellbeing may experience high turnover rates and difficulty attracting top talent.


Investors, too, are increasingly interested in understanding a company's exposure to ESG risks and how those risks are being managed. This has led to an increase in reporting and disclosure requirements related to ESG risks. For example, in 2020, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would require companies to disclose more information about their climate-related risks.


Cybersecurity Risks


According to a report by Accenture, cyber-attacks cost companies an average of $13 million per incident in 2020. These costs can come from a variety of sources, including data loss, business disruption, and reputational damage. In addition, companies may face legal and regulatory consequences if they fail to adequately protect sensitive information. The rise of remote work and the increased use of cloud-based systems have further increased the risk of cybersecurity threats.


You can also refer to my review of the ION Trading cyber attack.


Reputation and Brand Risks


In today's interconnected world, news of a scandal or controversy can spread rapidly through social media and other channels, damaging a company's reputation and bottom line. A survey by Deloitte found that 67% of companies believe that managing reputation and corporate brand is more important today than it was in the past. To mitigate this risk, companies must prioritise transparency and communication with stakeholders and address issues quickly and effectively.


Companies that fail to manage NFRs effectively will suffer significant reputational harm, which can lead to decreased revenue, increased regulatory scrutiny, and other financial costs. For example, companies that are found to have violated data privacy laws or engaged in unethical conduct may face significant reputational damage that can impact their bottom line.


Legal and Regulatory Risks


Since the 2008 financial crisis, there has been an increasing focus on non-financial risks in the financial industry. Regulators have implemented new regulations aimed at addressing a range of risks, including NFRs such as operational risk and conduct risk. The goal of these regulations is to help prevent a repeat of the financial crisis by ensuring that financial institutions are better equipped to manage a range of risks.


Increased regulatory oversight does not necessarily translate into increased non-financial risks. The purpose of increased regulatory oversight is to ensure that financial institutions are managing NFRs appropriately and to reduce the likelihood of those risks leading to negative outcomes for the financial system and broader economy. Effective regulation can help to reduce such risks by requiring financial institutions to implement robust risk management frameworks and to meet certain standards related to issues such as data privacy, cybersecurity, and social responsibility.


In addition, companies that fail to manage non-financial risks effectively may be subject to legal action from regulators, customers, or other stakeholders, which can result in fines, legal fees, and other costs. For example, companies that are found to have violated environmental regulations may face fines and legal action that can impact their financial performance.


Operational Risks


Operational risks are another type of NFR that can impact a company's bottom line. These risks can include supply chain disruptions, natural disasters, and employee misconduct. While these risks may not always be preventable, effective risk management strategies can help companies minimise the impact and ensure business continuity.


Key Tools and Frameworks for Managing Non-Financial Risks


To manage non-financial risks effectively, companies must integrate robust tools and frameworks into their risk management practices. These tools help organisations identify, assess, and mitigate risks while aligning risk management efforts with strategic goals. Below are some key tools and frameworks:


Risk and Control Self-Assessment (RCSA)

RCSA is a cornerstone of non-financial risk management. This tool enables organisations to proactively identify and evaluate risks and controls within their processes. By engaging stakeholders across the business, RCSA fosters ownership of risk management and highlights areas requiring additional controls or mitigation strategies.


Risk Event Management

Documenting and analysing risk events—whether they result in financial loss, reputational damage, or operational disruption—provides critical insights into vulnerabilities. Organisations can use these insights to strengthen controls, prevent recurrence, and refine their overall risk management strategy.


Enterprise Risk Management (ERM) Frameworks

Frameworks like ISO 31000 and the COSO ERM Framework provide structured approaches for identifying, assessing, and responding to risks, including non-financial risks. These frameworks emphasise integrating risk management into decision-making and strategic planning.


Environmental, Social, and Governance (ESG) Reporting Standards

As ESG risks gain prominence, companies are adopting tools like the Global Reporting Initiative (GRI), Sustainability Accounting Standards Board (SASB), and the Task Force on Climate-related Financial Disclosures (TCFD). These frameworks help organisations assess and disclose their exposure to sustainability risks, meeting stakeholder expectations for transparency.


Cybersecurity Standards and Tools

Managing cybersecurity risks requires adherence to established frameworks such as the NIST Cybersecurity Framework or ISO/IEC 27001. These standards help organisations secure sensitive data and systems, while tools like threat intelligence platforms enable real-time monitoring and response.


Operational Risk Management Tools

Tools such as the Bowtie Method and business continuity planning frameworks (e.g., ISO 22301) help organisations prepare for and mitigate operational disruptions. These approaches ensure resilience in the face of risks like supply chain interruptions or natural disasters.


Data Analytics and AI-Driven Solutions

Modern organisations leverage predictive analytics and AI to anticipate and mitigate risks. Platforms like Tableau or Power BI provide visual insights into trends, while AI-driven tools enhance decision-making by identifying hidden risk patterns and providing actionable recommendations.


Cultural and Behavioral Risk Tools

Understanding the cultural drivers of non-financial risks is critical. Tools such as employee pulse surveys and psychological safety assessments can help organisations detect and address risks stemming from disengagement, siloed thinking, or misaligned incentives.


The impact of non-financial risk management on the cost base


The impact of non-financial risks on a company's cost base can vary depending on the nature and severity of the risks. In general, managing non-financial risks can involve additional costs for a company, such as:


  • Compliance costs: Meeting regulatory requirements related to non-financial risks can involve additional compliance costs for a company, such as investing in new technology, training staff, and implementing new processes and controls. Non-compliance with regulations, laws, or industry standards can also result in fines and penalties, which can be substantial and impact a company's bottom line.

  • Reputation costs: Non-financial risks such as data breaches, environmental incidents, or social responsibility issues can damage a company's reputation, leading to a loss of customer trust and loyalty. This can result in decreased revenue, reduced market share, and increased costs to rebuild the brand. Managing these risks may require investments in sustainability initiatives or stakeholder engagement activities to protect and enhance the company's reputation.

  • Operational costs: Cybersecurity risks can lead to operational disruptions, such as data breaches or system failures, which can result in significant financial and reputational costs. In addition, natural disasters or supply chain disruptions can cause operational disruptions, resulting in lost productivity and revenue, as well as increased costs for remediation and recovery efforts. Managing these risks requires investment in technology and staff training to ensure that systems and data are secure.

  • Legal costs: Non-financial risks can also result in legal costs if a company is found to be in violation of laws or regulations on issues such as data privacy or ESG standards. Product defects or workplace safety issues can likewise lead to litigation costs, which can be significant and affect a company's financial position.

  • Stakeholder activism: Non-financial risks such as social responsibility issues can lead to stakeholder activism, including shareholder activism, consumer boycotts, or employee protests. This can result in increased costs associated with managing these issues and can also impact a company's reputation and revenue.


Cultural and Behavioural Drivers of Non-Financial Risks


Corporate culture plays a pivotal role in the management of non-financial risks. In our experience, the behaviours, values, and attitudes embedded within an organisation can either mitigate or exacerbate NFRs. A strong risk-aware culture fosters accountability, transparency, and proactive risk management, while cultural weaknesses can create blind spots, hinder risk escalation, and expose the organisation to significant vulnerabilities.


Psychological Safety: Enabling Whistleblowing and Compliance

Psychological safety—where employees feel safe to speak up without fear of retaliation—is a critical enabler of effective NFR management. Organisations with high psychological safety empower employees to:


  • Report Issues Early: Encourage whistleblowing and risk escalation, enabling timely resolution of emerging threats.

  • Raise Concerns Without Fear: Create an environment where employees feel comfortable discussing ethical dilemmas or operational risks without fear of punishment.

  • Foster Open Communication: Break down hierarchical barriers, ensuring that critical information flows freely across teams and levels.


Example: In organisations where employees feel psychologically safe, operational issues or unethical practices, such as fraud or non-compliance, are more likely to be flagged before they escalate into significant incidents. Companies like Google have highlighted the importance of psychological safety in building innovative and risk-aware cultures.


The Leadership Tone: Defining Risk Culture

The tone set by leaders significantly impacts an organization's ability to manage NFRs. Leadership behaviours and priorities shape the organisation's collective attitudes toward risk, driving actions and decision-making processes. Key factors include:


  • Risk Ownership: Leaders who model accountability and transparency encourage the same behavior throughout the organization, creating a culture where risks are proactively managed.

  • Ethical Leadership: Demonstrating integrity and a commitment to compliance fosters trust and reduces the likelihood of unethical behavior.

  • Strategic Alignment: Leaders who align risk management with organisational goals ensure that risk culture supports, rather than obstructs, business objectives.


Example: The Wells Fargo fake accounts scandal serves as a cautionary tale of leadership failing to instill an ethical risk culture. Pressure to meet aggressive sales targets led to widespread misconduct, underscoring how leadership tone can drive or deter NFR management.


Cross-Functional Collaboration: Breaking Down Silos


Cultural silos—where departments operate in isolation—can severely hinder the management of NFRs by limiting collaboration and information sharing. Organisations that encourage cross-functional engagement benefit from:


  • Shared Risk Awareness: A collective understanding of risks across departments, fostering alignment in mitigation efforts.

  • Collaborative Problem-Solving: Diverse perspectives lead to innovative solutions for addressing complex risks.

  • Integrated Risk Management: Breaking silos ensures that operational, reputational, and compliance risks are addressed holistically.


Example: Effective NFR management at multinational corporations often relies on integrating risk intelligence across legal, compliance, and operational teams, ensuring a unified response to threats.


Behavioral Incentives: Aligning Goals with Risk Management

Incentive structures can reinforce or undermine risk-aware behaviors. Misaligned incentives—such as rewarding short-term profits without considering long-term risks—can drive risky decision-making. Conversely, organisations that incentivise ethical behaviour and long-term performance see:


  • Reduced Risk Appetite for Unethical Practices: Employees prioritize compliance and ethical standards over quick wins.

  • Stronger Accountability: Teams are motivated to address risks rather than overlook them in pursuit of immediate gains.


Example: Firms that incorporate ESG performance into executive compensation frameworks encourage leaders to prioritise sustainability and social responsibility, reducing exposure to ESG risks.


Cultural Adaptability: Responding to Emerging Risks

A culture that embraces adaptability is better equipped to manage NFRs in a dynamic environment. This includes:


  • Proactive Risk Identification: Encouraging teams to anticipate and prepare for emerging threats.

  • Resilience Through Change: Maintaining risk management effectiveness during periods of organizational or market change.

  • Continuous Learning: Building a culture of learning from past incidents and evolving best practices.


Example: Organisations that embraced cultural adaptability during the COVID-19 pandemic were better able to manage supply chain disruptions and operational challenges.


Impact of non-financial risk across sectors


The impact of non-financial risks can vary across different sectors and industries, depending on the nature of their operations, the regulatory environment they operate in, and the level of stakeholder scrutiny they face.


Here are some examples of how non-financial risks can impact different sectors and industries:


  • Financial services: Non-financial risks, such as operational risk and cybersecurity risk, can have a significant impact on financial services companies, which rely heavily on technology and data to conduct their operations. Additionally, conduct risk has become a major concern for regulators in the financial services industry, as misconduct scandals can result in significant financial and reputational costs. For example, the Wells Fargo fake accounts scandal resulted in billions of dollars in fines and damaged the bank's reputation.

  • Energy and natural resources: Environmental risks, such as climate change and resource depletion, are a major concern for companies in the energy and natural resources sector. Failure to manage these risks effectively can result in reputational damage and regulatory fines, as well as impact the long-term viability of the company. For example, BP's Deepwater Horizon oil spill in 2010 resulted in significant financial and reputational costs for the company.

  • Technology: Technology companies are particularly vulnerable to non-financial risks such as cybersecurity risk and data privacy risk, as they collect and process vast amounts of sensitive data. These risks can result in significant costs, both in terms of fines and reputational damage, as well as lost revenue if customers lose trust in the company's ability to protect their data. For example, the Equifax data breach in 2017 resulted in the exposure of sensitive personal information for millions of people and led to a significant decline in the company's stock price.

  • Healthcare: Healthcare companies are subject to a range of non-financial risks, including product liability, data privacy, and regulatory compliance. Failure to manage these risks effectively can result in significant financial and reputational costs, as well as impact patient safety. For example, the opioid crisis in the United States has resulted in significant legal and reputational costs for pharmaceutical companies that were accused of contributing to the epidemic.


Risk Management Strategies


To effectively manage non-financial risks, companies must prioritise risk management as a key part of their business strategy. This includes identifying potential risks, assessing their impact, and implementing measures to mitigate and manage these risks.


Some key risk management strategies include:


  • Conducting regular risk assessments: Companies should regularly assess potential risks and their impact on the organisation to identify areas of vulnerability.

  • Developing a risk management plan: Once risks have been identified, companies should develop a plan to manage and mitigate these risks.

  • Investing in cybersecurity: With cyber-attacks becoming increasingly common, companies must invest in cybersecurity measures to protect sensitive data and systems.

  • Prioritising sustainability and social responsibility: To address ESG risks, companies must prioritise sustainability and social responsibility in their business practices and supply chains.

  • Communicating with stakeholders: Transparent communication with stakeholders, including customers, investors, and employees, can help companies build trust and mitigate reputational risks.

 

Non-financial risks are an increasingly important focus for companies, investors, and regulators. These risks can have a significant impact on a company's financial performance and reputation, and failure to manage them effectively can result in significant costs. Companies should invest in effective risk management strategies that can help to identify, mitigate, and monitor non-financial risks in a cost-effective manner. Additionally, regulators and other stakeholders should continue to focus on promoting effective risk management practices and standards to help ensure the long-term sustainability and stability of the financial services industry.

