Risk & Resilience Practice

How a defined risk

appetite can improve
nonfinancial risk
management
Costly and disruptive, nonfinancial risks are an ever-present
concern in the financial services industry. A defined risk appetite
strategy can mitigate the problem.
by Björn Nilsson, Thomas Poppensieker, Jan Peter Schmütsch, and Sebastian Schneider

© Getty Images

October 2023
 In 2022, losses, fines, and legal expenses for
nonfinancial risks cost the banking industry
$19 billion, bringing the total price tag for nonfinancial
risks to more than $460 billion since 2010.
Nonfinancial risks—those that emerge from people,
processes, systems, and external events—are
challenging to manage for all institutions, and
executives are faced with a constantly changing
landscape of risk events and disruptions. Despite
the inherent challenges, it is important to clearly
define an appetite for these risks to limit the risk
taking in areas that go beyond a company’s risk
capacity and threaten its business objectives. This
appetite needs to be balanced against return
optimization by investing in activities that offer the
highest yield.
For financial institutions, risk appetite is a
particularly important component of an end-to-
end risk management framework. It needs to be
supported by other risk management components,
such as a comprehensive risk taxonomy, robust risk
identification and assessment processes, data and
analytics capabilities, and a risk aggregation and
prioritization logic based on risk materiality. Risk
appetite needs to be integrated into risk governance
and oversight, reporting, and risk decision making
and mitigation actions (Exhibit 1).
At financial institutions, setting risk appetite for
financial risks is an extensive, regulatory-driven
practice to manage risks to the balance sheet,
profit-and-loss statement, and cash flows. The
objective is to limit the credit, market, and liquidity
risk capacity of financial assets and liabilities in
relation to capital and funding. At the same time,
executives need to trade off allocation of scarce
capital and funding with risks to optimize returns,
which are measured by the return on equity and
risk-adjusted capital.
For nonfinancial risks, setting risk appetite is a
much more elusive and theoretical concept than for
financial risks.

Web <2023>
<RiskAppetite>
Exhibit
Exhibit <1>1of <3>

Risk appetite is a core component of an end-to-end nonfinancial risk

management framework.

Nonfinancial risk management framework

Risk
taxonomy AREA WHERE BOARD INVOLVEMENT IS REQUIRED

Common risk TOP Risk Monitoring/ Decision Risk

language across RISKS appetite reporting making mitigation
the organization
Metrics for top risks Scenario-based Predefined
Monitoring against risk decision making measures for risk
Risk identification Risk aggregation
and assessment and prioritization appetite Decision outside appetite
Escalation thresholds/ outcomes for Mitigation plans
Risk and Control Prioritization of risks triggers and channels scenarios Implementation
self-assessments based on financial Decision rights/ and effectiveness
Risk-type-specific and reputational authority monitoring
assessments impact, regulatory
Findings, issues, scrutiny, operational
events and customer impact

Data-driven
analytics
OTHER Appropriate level of monitoring,
Monitoring data and remediation as needed
RISKS
Key performance
indicators, key risk
indicators
Findings, issues,
events

McKinsey & Company

2 How a defined risk appetite can improve nonfinancial risk management

In this article, we share our experience of working
with financial institutions that have an assured grasp
of their nonfinancial-risk appetite through actions to
enhance nonfinancial-risk management. We identify
the principles that guide the framework design and the
methods used to achieve the emerging approach in
managing nonfinancial-risk appetite for an institution.
new regulations, and heightening supervisory
expectations. Risk managers must also contend
with new obstacles: advanced-intelligence-
driven, digitized operating models; regulatory
requirements for compliance and operational safety;
and organizational and process challenges that
come from a need for continuous efficiency and
productivity enhancements.

Shifting focus from management of
financial to nonfinancial risks
The focus of the financial industry has, in recent
years, shifted from management of financial risks
to nonfinancial ones, such as operational risk,
regulatory compliance, and the compliance and
conduct necessary to prevent financial crimes.
The shift has been driven by major industry
trends such as the mis-selling of products,
facilitation of tax evasion, breakdown of controls
to protect institutions against money laundering,
In many ways, the impact of nonfinancial risks on
financial institutions is more threatening than that
of financial risks: these risks cannot be passed on
to customers, have more extensive reputational
effects, and often require more complex
remediation efforts at higher costs than financial
risks. In some years, the nonfinancial-risk losses
have equaled or exceeded the cumulated credit risk
provisions or impairments at banks. As mentioned,
losses, fines, and litigation expenses have cost
the biggest European and US banks more than
$460 billion since 2010 (Exhibit 2).

Web <2023>
<RiskAppetite>
Exhibit 2
Exhibit <2> of <3>

Operational losses, fines, and litigation costs for nonfinancial risks have
cumulated to approximately $460 billion over the past 14 years.

Operational losses, fines, and litigation Operational losses, fines, and litigation
costs 2010–23,¹ $ billion (annually) costs 2010–23, $ billion (cumulative)

80 500

70
400
60

50
300

40

200
30

20
100
10

0 0
2010 2015 2020 2023² 2010 2015 2020 2023²

1
Includes operational risk losses (eg, unauthorized trading), fines, settlements, and expenses for provision buildup (eg, provisions for compensating customers).
Based on incidents settled/expensed and gathered through news and press search. Sample of European and US banks totals 304, comprising 830
event/fine/cost entries.
2
Year-to-date Jan–Aug 2023.

McKinsey & Company

How a defined risk appetite can improve nonfinancial risk management 3

 Yet these firms typically continue to spend much
more than the industry average on managing
nonfinancial risks. While the average European
bank employs 8 to 9 percent of its staff in money-
laundering prevention, the most efficient banks
employ just 4 to 5 percent. For banks with money-
laundering issues, as much as 18 percent of
employees work in money-laundering prevention.
Similarly, for regulatory compliance, large
international banks that have experienced a major
conduct or regulatory compliance breach employ
2.0 to 3.0 percent of their staff in the second-line
regulatory compliance function, while the average
large international bank has just 1.5 percent on the
second line and the most efficient bank well below
1.0 percent.
It is no surprise that even in a post-financial-crisis
era of strong capital ratios and stricter regulation,
we have seen bank failures and tremors within the
financial industry resulting from nonfinancial risk.
Executives may therefore feel unmoored when it
comes to measuring an institution’s appetite for
nonfinancial risk.
Principles for designing a risk appetite
framework
Designing a risk appetite framework for nonfinancial
risk relies on five fundamental principles. These are
different from the approach for financial risks, which
can be more easily aggregated to form a view of the
risk of financial losses.
Principle 1: Focus on top nonfinancial risks by
business areas and shared services
Institutions often use the risk taxonomy as an
anchor point for risk appetite and define statements
for each risk type, which leads to a one-size-fits-
all approach rather than a prioritization of risks by
importance to the group or an individual business
unit (see sidebar “How a global bank used a
business-driven risk appetite framework to manage
nonfinancial risks”).
Instead, setting risk appetite by business unit and
shared-services function ensures focus on the risk
that matters the most and strengthens the quality
4 How a defined risk appetite can improve nonfinancial risk management
of outcomes for people, processes, and systems
through the following means:
— business and risk ownership alignment
— risk prioritization from a business view that also
helps to define appropriate key performance
indicators (KPIs) and key risk indicators (KRIs)
that the business and shared-services functions
should follow
— appropriate target setting for improvement
and frequency
Leading institutions take a risk-based approach and
set a more specific risk appetite for the top risks,
using both qualitative statements and a set of three
to five risk-specific metrics to formulate appetite.
They tie the risk appetite to the institution’s risk
taxonomy and typically set the appetite for top risks
one level down in the nonfinancial-risk taxonomy
because of the large variety of risk types within the
nonfinancial-risk category with different risk drivers.
A McKinsey analysis has shown that this approach,
on average, results in ten to 12 top risk types in retail
banking, wealth management, asset management,
and capital markets and 15 in corporate and
investment banking, compared with risk taxonomies
that often have more than 30.
In this scenario, top risk types are often jointly
decided among the business, control, and shared-
services functions, where the second line ultimately
confirms or reviews or challenges the top-risk
selection. Institutions use a wide range of sources
to identify top risks around which to subsequently
formulate appetite. The most common sources
are results of the risk and control self-assessment,
issues and events, monitoring data, audit reports,
and KPIs and KRIs (see sidebar “How an insurer
used key risk and performance metrics to quantify
nonfinancial risk appetite”).
Principle 2: Draw on subject matter expertise as
much as possible
Building on the first point, risk expertise is scarce
and needs to be used as much as possible. This
means abolishing the concept of a central risk and
compliance function that can manage all risks.
How a global bank used a business-driven risk appetite
framework to manage nonfinancial risks
A global bank implemented a business-
driven risk appetite framework with a specific
risk appetite for top nonfinancial risks.
The bank redesigned its nonfinancial-
risk-appetite framework to strengthen its
effectiveness by defining the risk appetite
from a business perspective, rather than
from a control function perspective. The
risk appetite definition was proposed to
the board at the outset by the risk and
compliance functions, but the business
did not find this risk appetite actionable to
guide decision making in the day-to-day
business operations.
The bank based its framework on a set of
five core principles:
— Not all risks are of equal importance.
Risk appetite should focus on top risks
that matter the most for each business
unit and these risks’ specific drivers
to maximize the effectiveness and
usefulness of the risk appetite for
the business.
— Qualitative statements, metrics, and
limits or thresholds should be linked
to the true drivers of each business
unit’s top risks to make the risk
appetite operational.
— Risk appetite should be embedded in
the business and its strategic decisions
by putting the business in the lead for
proposing risk appetite to avoid making
it an exercise run by the control function.
— Thresholds and tolerance levels
should be complemented with control-
based key performance and inherent
risk indicators to unlock business
management relevance.
— Governance process for risk appetite
breaches should be formalized by
predefined actions and timelines
for getting back within the threshold
to trigger real consequences for
the business.
The risk appetite was defined on a business
unit level. Each unit described its business
model and strategy and how its client
segments, distribution channels, products
and services, infrastructure, and external
factors—such as market conditions and
regulation—create inherent risk.
Each business unit set an overarching,
general risk appetite applicable for all its
nonfinancial risks (including risks for which
management had been delegated to a
support function, such as cybersecurity). For
these risks, each unit formulated overarching
qualitative statements on accepted and
rejected risks, and expectations on the
control environment. Specific non-risk-type
metrics were defined as applicable for all risk
types in the risk taxonomy, such as material
issues identified by regulators or an internal
audit and operational losses.
The business units defined the seven
to ten top risks driving most of their risk
profiles. For these risks, a risk-type-
How a defined risk appetite can improve nonfinancial risk management
specific appetite was formulated, and the
underlying risk drivers were identified to
track and understand the exposure to the
top risks. Specific risk-type statements
were articulated on which risks to take
and not to take and the expectations on
risk-specific control frameworks and
processes. Risk-specific metrics to monitor
top risks were based on their identified
drivers. Thresholds for the metrics were
based on historical data, benchmarks, and
discussions between the business and the
control functions. Ultimately, the thresholds
were cascaded to the region or desk level
where appropriate (exhibit).
A business unit dashboard was built to
track the development of the risk profile of
the unit, covering both generic risk metrics
and specific risk-type metrics for top
risks. A breach review process with “hard
triggers” for residual risk metrics indicates
a potential risk appetite breach. Exceeding
a hard trigger initiates a formalized review
to determine whether the risk appetite has
been breached and, if so, to decide on the
appropriate remediation measures. “Soft
triggers” are set for metrics monitoring
effectiveness of controls and development
of inherent risks that may warrant further
preventative or preemptive actions but do
not trigger a risk appetite breach.
If a risk appetite breach is confirmed, the
business unit can develop a remediation
plan that is reviewed, challenged, and
agreed to by the relevant control function
or functions. The remediation plan is based
5
on one, or a combination, of the following
options to either reduce the inherent risk,
improve the control environment, or adjust
risk appetite within three months, so as to
bring residual risks back into appetite:
— accelerating the strengthening or
remediation of control frameworks
— temporary or tactical controls
— temporary risk acceptance
— stopping new business
— additional capital allocation
— permanent change of risk appetite
Consistency between the risk appetites
set on business unit level and group level
is ensured through a set of common
metrics and limits on both levels, such as
operational risk losses.

Web <2023>
<RiskAppetite>
Exhibit
Exhibit <3> of <3>

For top risks, risk drivers are defined, specific qualitative statements are
developed, and metrics and thresholds are selected.

Methodology for defining risk appetite, focusing on top risks

Top Risk Qualitative Metrics Thresholds Cascading

risks drivers statements metrics

Description Identification of Identification Formulation of Translation of Definition of Cascading of

top risks for the of key drivers qualitative risk formulated metric levels/ metrics and
business unit of the appetite state- statements into thresholds based thresholds
based on inherent inherent risk ments per top quantifiable on historical down to lower
risk level, speed risk based on metrics for the data, external organizational
of change/ risk drivers following: benchmarks, levels (where
crystallization discussions appropriate)
Inherent risk
of inherent risk, between 1st and
ease of risk Control 2nd line, etc
mitigation, etc framework
Residual risk

Illustrative AML/KYC¹ Number of “We conduct Change in the >+–% change in % change in new
example PEPs² business with number of new new number of PEPs in
Suitability PEPs, which PEPs onboarded PEPs onboarded
Proportion of X% in Region 1
Product risks present height- (inherent risk) during the last
high-risk ened money- period Y% in Region 2
customers laundering risk,
Number of but place these
clients clients under
domiciled in stricter
high-risk monitoring and
countries controls.”

¹Anti–money laundering/know your customer.

²Politically exposed persons.

McKinsey & Company

6 How a defined risk appetite can improve nonfinancial risk management

Create instead a clear view of where the subject
matter expertise for the risk types resides and
what the operating model is—whether it is in the
business, such as the retail or wholesale bank;
in shared services, such as IT or operations; or in
a corporate or control function, such as finance,
legal, risk, or compliance.
Where the subject matter expertise resides is where
the guidance should be given on appropriate risk
operating model, key controls, and target KPIs
and KRIs to monitor risk appetite, which would be
supported and overseen by the second line.
In essence, the formulation of risk appetite may
be a joint process among business, second-line
control, and shared-services functions but start
from a business and operations perspective while
maintaining a clear and independent second-line
oversight and challenge role.
Leading institutions put ownership of risk appetite in
the business or first line of defense. Risk appetite is
an outcome of a business management perspective,
and executives can use it in their daily decision
making. The risk appetite sets the starting point for
the quality of business operations.
Principle 3: Use metrics and quantify KPIs
and KRIs for key controls for people, processes,
and systems
Metrics are the basis of a clear risk appetite
statement following the principle, “What you cannot
measure, you cannot manage.” Defining metrics
for nonfinancial risks is not an easy task, but the
following principles should be considered:
— Avoid “zero tolerance” statements—violations
and breaches do happen even where they’re
not tolerated.
— Metrics need to be anchored against a view on
current error rates and quality levels, as well as
targets, to avoid starting from an “out of appetite”
position immediately.
— Error rates should be calibrated against a
multitude of negative outcomes to avoid—
these can be financial but also operational,
How a defined risk appetite can improve nonfinancial risk management
reputational, and in customer impact. Thus,
scenario analyses can help set limits for metrics
for these top risks.
— Metrics should serve as proxies of residual risks
rather than inherent risks to account for the
already existing risk management processes
and controls.
— Metrics need to be defined by balancing
investments in controls versus targeted impact—
leading (forward-looking) indicators should be
included to help identify and prevent quality
issues in processes before risks materialize.
— Metrics should be available by organizational
responsibility and mapped to the business unit
to create a holistic front-to-back business view
including shared services and control functions.
— Information on metrics versus targets needs to
be available for regular monitoring.
Leading institutions often use both metrics that are
agnostic to the risk type and are risk-type specific,
and a combination of forward- and backward-
looking metrics to set risk appetite. Typically, three
to five risk-specific metrics are used per risk type.
A common approach is to set risk appetite breach
thresholds for residual-risk metrics, with hard-
risk appetite breaches complemented by early-
warning triggers—levels are calibrated based on
historical data, expert judgment, and management
experience. A major advantage of using early-
warning triggers derived from residual risk is the
opportunity to integrate nonfinancial risks into
“standard” limit management processes—that is,
explicit decisions on exceptions, business limits, and
strengthening the control environment for top risks
can be taken on an objective basis.
Consistency among group, business unit, and function-
level risk appetites is typically ensured by using a set of
identical metrics on all organizational levels.
In the financial-services industry, anti–money
laundering and sanctions, fraud, information
and cybersecurity, and data management and
7
How an insurer used key risk and performance metrics to quantify
nonfinancial risk appetite

A leading international insurance
company sought to uplift the quality of its
nonfinancial-risk management in response
to recent litigation cases and regulatory
inquiries. On first reading, this looked
puzzling, as the management of risk was
the very nature of the insurance business.
But quantifying vast amounts of dispersed
qualitative information is different from
evaluating actuarial data and requires a
clearly steered transformative effort.
The institution opted for a top-down risk
assessment starting from an existing
taxonomy of nonfinancial risks. To allow
for greater manageability, these were
split into a dozen risk domains composed
of approximately three times as many
risk vectors. For each risk, the institution
calculated in a recurring cycle, first,
the inherent risk exposure; second, the
adequacy of the internal controls system;
and, third—after data quality adjustments
and weighing of factors—the residual risk.
Intuitively, inherent risk exposure is a
function of the severity and the likelihood of
risk events. Severity is best observed in the
potential economic and reputational impact
seen in the frequency of external or internal
breaches. The key to using such a system,
then, was twofold. First, the insurer needed
to identify metrics for suitable quantitative
and qualitative data (for example, the
sum of internal operational losses per
annum such as fines) and apply industry-
wide adjustments (for example, from the
operational risk loss database ORX).
Second, the identification and application
needed to be harmonized into one single
scoring logic and weighed according to
their relevance.
To form an opinion of the adequacy of the
internal-controls system, the company
turned to a set of proactive (for example,
audits, regulatory inspections, internal
regulations, training) and reactive
(for example, customer complaints,
whistleblowing allegations, litigations) risk
management metrics. Using existing data
to the maximum extent was paramount
to increase acceptance across the
organization. Again, the outcomes
were translated into a single quantitative
scoring logic.
The combination of the risk exposure
and the controls metrics yields a residual
risk matrix. However, the insurer desired
to report the current nonfinancial-risk
exposure in a single metric, which was
achieved by taking the average of the sum
of squared residual risk scores.
The effects of introducing such a system
were multiple. By adopting an annual
or quarterly standard process, analysis
efforts dropped drastically. The increased
quantification led to greater comparability
across business units and periods and,
eventually, better prioritized investment
decisions. Lastly, by involving top
management—by means of an interactive
reporting dashboard allowing for slicing
and dicing—far higher levels of ownership
and integration into strategic decision
making were achieved.

technology make up most of the material risks
around which risk appetite is formulated.
Principle 4: Develop a monitoring dashboard
based on a single source of truth across the first
and second lines
Dashboards are important for monitoring
compliance with the risk appetite set and can be
defined at group and divisional levels front to back
or by risk type.
Information needs to be timely. Monitoring
information should be provided on at least a
monthly basis. Both drawn from a single source of
truth, information and data can be in different cuts,
such as by division responsible for the overall risk
profile of the business, by shared or corporate unit
owning the process, or by risk type to create an
aggregated view. The latter is particularly important
from a group perspective for sensitive risk areas
such as cybersecurity, regulatory compliance, and
transformational risks.

8 How a defined risk appetite can improve nonfinancial risk management

Reporting formats can consider how to prompt
action with the following means:
— questions regarding realignment against risk
appetite following limit breaches
— negative trends—where situations worsen rather
than improve
— root-cause analysis and cross-reading
(for instance, comparison against industry
and competitors)
Lastly, reporting needs to be efficient, automated,
and readily available. Timely data sources enable
timely action.
At leading institutions, the risk function most often
monitors and reports on risk appetite dashboard
metrics and compliance with appetite set. Reporting
on risk appetite is often done on a monthly or
quarterly basis.
Principle 5: Establish a flexible governance
that continually reviews processes and
realigns metrics
Governance on risk appetite for nonfinancial risk is
critical. Risks emerge, evolve, and are managed on
a different timescale against an operating model,
sourcing model, and technological and regulatory
requirements that are constantly changing.
A centralized risk committee, particularly if also
tasked with financial risks, can become too crowded,
blindsided by second-line dominance and formalities.
Such a committee is unable to constantly balance risk
appetite against the status of the organization and
the maturity of its operating model.
By contrast, an effective approach to risk appetite
and nonfinancial risks incorporates discussions of
each business unit’s risk profile, the risk profile of
shared services, and specific risk categories with
a clear perspective on the need to intervene and to
adjust risk appetite or acceptances.
A carefully crafted nonfinancial risk governance
embeds these questions into the financial
institution’s overarching governance; the divisional
How a defined risk appetite can improve nonfinancial risk management
and infrastructural executive committees; specialty
committees such as IT, data, and cybersecurity; and
an overarching nonfinancial risk committee. The
latter is supported by the second line and reviews
risk acceptances and remediation plans and actions.
It ultimately approves risk appetite by business unit,
shared-services function, and risk type.
Operating models are constantly changing,
whether from digitization, cost savings programs,
or regulatory requirements. Maintaining quality
of processes and execution against multiple
expectations when conflicts arise—particularly
underinvestment—is also necessary. KPIs and KRIs
driving risk appetite against these change risks can
only be managed through a flexible governance.
In addition to flexibility, a mandate is equally
as important. Leading institutions give control
functions the mandate to review, challenge,
and approve the risk appetite proposed by the
business or first line. That authority helps prevent
risk appetite from becoming a compliance or risk
exercise led by the control function. At the same
time, the above-described approach ensures
business ownership by using business knowledge
and insights to derive top risks and risk appetite and
clear accountability.
Similarly, the chief risk officer or risk committee
typically makes the ultimate decision on the
proposed risk appetite before it is approved by the
executive board and board of directors.
Leading institutions also formalize governance on
risk appetite breaches through a predefined set
of actions and timelines for getting back within
the threshold to trigger real consequences. These
can include stopping new business, allocating
more capital, strengthening temporary controls,
accelerating control remediation, or accepting
temporary risk.
Responding fast is critical. Institutions typically
require a remediation plan to be in place within
three months in case of risk appetite breaches, but
the time frame also often depends on the scale or
complexity of the remediation required.
9
 Letting principles lead the process
Nonfinancial risk is a complex topic for financial
institutions. It is made even more complex given that
practices to manage it have evolved from financial
risks. Many of these practices ignore the practical
differences that require a more bottom-up business
perspective with a focus on top risks; a higher quality,
management-driven development of KPIs and KRIs
along the operating model; and a flexible governance
that sets meaningful improvement targets.
Applying the principles above puts financial
institutions significantly closer to other sectors that
have learned to manage risks in their operating
model from an enhanced process-and-system
perspective. Companies in these sectors, including
advanced industries, high tech, and basic materials,
had to undergo—and still are undergoing—
significant changes and quality improvements.

Björn Nilsson is a partner in McKinsey’s Stockholm office, Thomas Poppensieker and Sebastian Schneider are senior
partners in the Munich office, and Jan Peter Schmütsch is an associate partner in the Hamburg office.

Designed by Global Editorial Services

Copyright © 2023 McKinsey & Company. All rights reserved.

10 How a defined risk appetite can improve nonfinancial risk management