Exploring the role of non-financial risk management in strategy processes of large retail banks

The consideration of risk in the banking industry generally involves the understanding of credit and financial risks. However, the occurrence of high-profile, non-financial risk events (such as system downtime and fraud) have resulted in negative financial and reputational implications for banks globally. These events have provided an opportunity for stakeholders to reflect on the consideration of non-financial risk. Therefore, the objective of this research was to understand the incorporation of non-financial risk management into the strategy process at retail banks, including the related benefits and challenges and the initiatives that have been (and require to be) undertaken. To this end, a qualitative research approach was conducted, using an exploratory design. Twelve banking subject matter experts were interviewed to explore their unique insights and experiences into the research problem. The research identified several challenges related to the consideration of operational and business risk. Key findings emerged including: the need for increased awareness of nonfinancial risk concepts, the need to balance risk management and business development, and the dangers of over-confidence in existing internal processes.


Introduction
Companies with a greater focus on risk perform better (Gates, Nicolas & Walker, 2012).In the banking sector, the issue of risk plays a greater role due to government and industry regulation, such as the Basel Accords (Basel, 2009;Basel, 2011).The link between risk management and strategy development, as critical inputs into the organisational performance of banks, is therefore vital to understand.To this end, recent research has focussed on the areas of enterprise risk management (Dionne, 2013;Gates et al., 2012;Gorzeń-Mitka, 2013) as well as its specific relationship with strategy (Ben-Amar, Boujenoui & Zeghal, 2014;Mikes, 2009;Sheehan, 2010).There has also been significant research on the impact of financial risk on bank performance (Abdel-Baki & Shoukry, 2013;Bauer & Ryser, 2004;Jin & Zeng, 2013).Similar studies into operational and business risk, however, have not been conducted to the same depth, with these issues being cited as recommended areas for future exploration (Kaplan, 2010;Mikes, 2009;Soin & Collier, 2013).Consequently, the research problem under investigation is how retail banks incorporate non-financial risk management practices into their broader strategy process.For the purposes of this study, operational and business risks are included under non-financial risk, as defined by Raj and Sindhu (2013) and relevant regulatory pronouncements.These constructs receive attention in the following section.

Literature review
This section provides an examination of the relevant academic literature on non-financial risk management, the strategy process, the role of leadership and culture, and the South African regulatory environment.The concept of strategy has had considerable academic and business focus (Hitt, Ireland & Hoskisson, 2005).Given research limitations, including possible respondent confidentiality requirements, the research did not consider the actual strategy determined by the retail bank.Thus, the focus will be on how the retail bank reaches its strategy outcome, not the outcome itself.The scope of the research is set out in Figure 1: As Figure 1 infers, various stakeholders play a role in the strategy process within banks.In particular, as large organisations enhance their often multiple-matrix structures, various viewpoints will contribute to the development of a retail bank's strategy.Related academic studies have hitherto focussed primarily on the incorporation of financial risk into retail banks' strategy processes (Abdel-Baki & Shoukry, 2013;Bauer & Ryser, 2004;Jin & Zeng, 2013), or the implementation of enterprise risk management in generic industries (Dionne, 2013;Gates et al., 2012;Gorzeń-Mitka, 2013).This research fills a gap in current academic literature in that it seeks to provide a greater understanding of the incorporation of non-financial risk into retail banks' strategy processes.Further, this study provides guidance to understand the benefits and challenges of the above-stated incorporation, as well as recommends leading risk practices.
The next section discusses the concept of non-financial risk management.

Non-financial risk management
The objective of risk management is to create a framework that enables organisations to handle uncertainty and must be embedded within the broader organisational strategy (Dionne, 2013;Gates et al., 2012).As a result, managing risk has become a greater focus within financial services companies, driven by the turbulent external environment (including competition, regulation and increased stakeholder expectations) as well as associated internal pressures (Accenture, 2012;Chytas, Glykas & Valiris, 2011;Gorzeń-Mitka, 2013).This twin-based challenge "requires companies to be alert and watchful so to detect weaknesses and discontinuities in regard to emerging threats and opportunities and to initiate further probing based on such detections" (Chytas et al., 2011: 460).The 2000s saw the rise of Enterprise Risk Management (ERM), an approach that encourages a broader, integrated perspective to be applied to risk (COSO, 2004).However, critics argue that a danger exists "of ERM lapsing into rule-based compliance and failing to become embedded in managers' decision-making and business processes" (Arena, Arnaboldi & Azzone, 2010: 661).The reduced focus on risk as a strategic imperative can therefore result in a compliance-based approach and the 'risk management of everything' (Power, 2004).Kaplan (2010) acknowledges that risk is often overlooked in the strategy and performance management process of organisations stating, "Risk management must be introduced as a third pillar for financial performance" (Kaplan, 2010: 31).This third pillar of risk management would therefore add to the traditional two pillars of sustainable shareholder value creation, being revenue growth and productivity.Kaplan (2010) also highlights key future research opportunities, including to the role of leadership, the need for a detailed systems model, and risk management to be more formally embedded in an organisation's strategy map.This holistic approach is supported by Sheehan (2009), who articulates the link between risk management and organisational performance as decision-makers are increasingly required to consider all types of risks and their relationship to organisational growth.In this regard, the focus on financial and credit risk within banks (and associated impacts on process and performance) is well documented; however, Mikes (2009) and Soin and Collier (2013) highlight the equivalent study of operational and business risk as necessary future research areas.Financial risks are based on decades of historical data and robust models; in contrast, non-financial risk has not been as clearly defined nor have robust quantitative models yet been developed.Consequently, broadening the role of the risk management function of an organisation to include non-financial risk has become a greater strategic imperative.
Operational risk is defined as "the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses" (Basel, 2011: 11).Contrary to financial risks, Jobst (2007) contends operational risks are generally not willingly incurred nor do they have an offsetting revenue return potential.Key examples of operational risk for a retail bank include system downtime, which may impact payments and transactions through its channels, and fraud (whether internal or external).Relationships between risks are also an important consideration: strategic risk can result in increased operational risk which, in turn, can result in downstream risks, such as reputational risk.Lemke and Petersen (2013) note that the difficulty in quantifying non-financial risk does not mean quantitative losses cannot occur.Indeed, a reputational loss event may result in lost revenue, increased costs, or reduced share price.Strategy risk, in turn, can result in loss through a poorly thought out or unsuccessfully executed business decision (Raj & Sindhu, 2013).A new nonfinancial risk type that is gaining traction is that of conduct risk.Often presented in terms of how an individual conducts themselves in discharging their responsibilities within an organisation, this risk considers not just the outcome of an initiative, but the process by which an individual assists in enabling the organisation to reach that point (Deloitte, 2013).
The need to understand risk in a manage-forward way, as opposed to measure-backwards way, has been firmly established as has the need to recognise the strategic role of risk management (Tileaga, Nitu & Nitu, 2013).Kaplan (2010) notes that financial services companies, in particular, have already specified risk management objectives in their financial and process objectives and that "important advances over the next five years will embed risk management objectives more centrally into the strategy execution framework" (Kaplan, 2010: 31).In a study into the performance of two retail banks, Mikes' (2009) research indicated that non-financial risk was just as important as financial risk.Another important construct in this study is strategy process.

Strategy process
For the purposes of this study, strategy has been defined as "a coherent set of analyses, concepts, policies, arguments, and actions that respond to a high-stakes challenge" (Rumelt, 2012: 6).Ben-Amar et al. (2014) contend that choosing the right strategy is critical and that it is the strategy process that will help deliver a positive strategic outcome.This research does not focus on the end strategy developed, rather the strategy process, that generally involves a three-stage process of design, implementation, and control (Hitt et al., 2005).The importance of the latter two stages of the strategy process is noted by Ahmadi, Salamzadeh, Daraei and Akbari (2012), who maintain that "a meaningful strategy will not be a trump card if mostly implemented.Many organisational failures occur due to lack of implementation, not formulation" (Ahmadi et al., 2012: 289).During the stage of strategy design, an organisation must determine its identity (for example, vision, mission, and strategic objectives), grounded in its macro-context.In the strategy planning phase, inclusiveness is critical to informed decisions and buy-in from key stakeholders.To ensure the right strategy is agreed, "it is essential to use industry standards to build a realistic picture of what the business has to look like to be competitive" (McGrath & MacMillan, 1995: 60).For banks, standard industry measures include revenue growth (noninterest and net interest income), credit loss ratio and impairments, and cost-to-income ratio, as well as regulatory measures, such as capital and solvency levels.
Only 50% of strategies formulated are implemented (Mintzberg, 1994).As the seminal work of Chandler (1962) stated, aligning structure and processes to strategy is vital for successful implementation.Further, Mintzberg (1994) argues that "formulation should be an open-ended, divergent process, while implementation should be the closed-ended, convergent one" (Mintzberg, 1994: 60).Evans (2013) and Tennyson (2013) note the vital role of the organisational environment and culture in successful strategy implementation.To successfully control and monitor the implementation of strategy, a combination of iterative qualitative and quantitative performance management is required at organisational, strategic, and financial levels (Hitt et al., 2005).Consequently, there is a need to align the strategy management system with the performance and incentive management system (Tennyson 2013).Strategy control, however, can result in unforeseen consequences, such as increased time to market and impacting a culture of innovation.In banks, already naturally risk-averse environments, these consequences can be amplified.The next section focuses on culture and leadership.

Leadership and culture
A well-developed risk management framework, effectively driven through leadership and organisational culture, is necessary to guide behaviour and decisions.Stulz (2014) and Tennyson (2013) argue that banking leaders on the board and executive committee are critical in instilling a sense of culture in regards to risk.Kulas, Komai, and Grossman (2013) and Power (2011) extend this discussion into the role of leadership in developing and implementing organisational change.Various definitions of leadership emphasise the influencing role of leaders and their ability to enable change (Bass, 1985;Kouzes & Posner, 2003;Scheepers, 2012).Indeed, Stulz (2014) argues the role of leaders in risk management "is not to reduce the bank's total risk per se.It is to identify and measure the risks the bank is taking, aggregate these risks in a measure of the bank's total risk, enable the bank to eliminate, mitigate and avoid bad risks, and ensure that its risk level is consistent with its risk appetite" (Stulz, 2014: 1).
The acknowledgement that banks play a significant socioeconomic role is a key outcome of recent research into the relationship between leadership and the approach to nonfinancial risk within banks (Kulas et al., 2013;Power, 2011).This research aligns with the targeted outcomes of recent regulatory changes.For example, a key objective for the South African Reserve Bank (SARB) is not merely to ensure the health and compliance of individual banks but to ensure the financial stability of the entire financial system.Power (2011) recognised the moral imperative facing banking leaders: "leaders in banks and regulatory organisations will need the courage to be as morally counter-cyclical as their plans for capital reserving" (Power, 2011: 30).Kulas et al. (2013) notes the importance of leading by example and translating words into action: "Leaders are simply individuals who can improve group cooperation by making a costly commitment, thereby persuading others to participate in a project" (Kulas et al., 2013: 350).Similarly, Abernethy, Bouwens, and van Lent (2010) determined that leadership plays a vital role as management, through their innate authority, are able to "define structures, shape strategic priorities, implement formal controls, set targets, and take action to correct deviations" (Abernethy et al., 2010: 3).Tennyson (2013) highlights that a key challenge for those responsible for shaping a financial institution's culture is that no 'best-practice' criteria for a desirable risk culture has been published.Thus, the purpose of this research is to understand culture as an influencing factor in the incorporation of nonfinancial risk into the strategy process.Regulatory factors also have an influence and receive attention in the next section.

External regulatory context
The regulatory context for retail banks globally is significant and constantly evolving, with the need to align with industry, national, and international standards an increasing reality.Managing risk, including non-financial risk, has varying levels of reliance on regulatory requirements.Much of the regulation surrounding retail banks arises from the directions provided by the Basel Committee on Banking Supervision (Basel, 2009;2011), which counts all G-20 economies as members.This guidance is then interpreted and implemented at national level through relevant regulators, such as the SARB.Regulatory objectives include ensuring risk-sensitive capital allocation, increasing disclosure requirements to enable assessment of capital adequacy and quantification of key risks based on formal techniques.
In 2013, the South African National Treasury recommended the implementation of a system known as 'Twin Peaks', which had two overarching objectives: strengthening the approach to regulating market conduct, and, creating a more stable financial system (FSB, 2013;National Treasury, 2011).Supporters of the new framework, such as Gilmour (2013), suggest that Twin Peaks is appropriate for the South African environment due to the few large dominant financial groups that contain both banking and insurance operations.However opponents, including Mhango (2014), argue that the lack of non-bank financial institutions in South Africa reduce the need for, and potential effectiveness of, Twin Peaks and, further, that South Africa's immature consumer protection regime is not sufficiently stable to implement the market conduct aspect.South Africa's corporate governance environment is one of the strongest in the world and is underpinned by the King Reports, for example King I, 1994;King II, 2002& King III, 2009, as quoted by the Institute of Directors of Southern Africa (2009a;2009b).While the code is largely based on aspirational principles and practices, it is a requirement that companies on the Johannesburg Stock Exchange comply.Many of the principles have been incorporated into other legislation, such as the Companies Act.The code comprises three key elements: leadership, sustainability, and good corporate citizenship.
Thus, several variables formed the background of this study; the next section covers the research method.

Research method
This section discusses the methodology undertaken for this study, including the transformation of emergent themes from the literature review into research questions, a description of how research data was gathered and analysed, and discussion on issues encountered, such as validity and reliability.The research questions were as follows: Research Question One: What role does non-financial risk play in Retail Banks' strategy processes?Research Question Two: What are the benefits and challenges related to the integration of non-financial risk management and the strategy process in Retail Banks?Research Question Three: How does organisational culture and leadership influence the incorporation of non-financial risk into Retail Banks' strategy?Research Question Four: What initiatives have Retail Banks undertaken, and should undertake, to improve the incorporation of non-financial risk management into their strategy process?Denzin and Lincoln (2003) and Leedy and Ormond (2001) suggest that qualitative research is appropriate to describe, interpret, verify, evaluate and build theory of complex situations to achieve a better understanding of the subject matter at hand.The nature of the research required a contextual understanding through exploratory research and an inductive method to develop a comprehensive view of the underlying issues.The focus of relevant academic research has primarily been on the credit and financial risks associated with banking activities.Consequently, as this study was aimed at contributing to the theory base relating to the research topic a qualitative, exploratory study was considered most appropriate.
The research project took the form of a three-part qualitative study.The first part involved a detailed literature review, the output of which resulted in the formulation of key research questions.These research questions provided the basis of developing the pre-interview survey, which was aimed at introducing respondents to the topic as well as establishing a foundation for basic comparative analysis.Business, finance, risk, and strategy leaders of selected retail banks, as well as selected external stakeholders, were identified based on their seniority, role, and potential exposure to the research topic.After the University granted ethical clearance, the survey (comprising 10 questions in a Likert-scale format) was forwarded electronically to respondents, one week prior to the interviews.Apart from establishing an initial basis for understanding the banking environment in which the interviewees work, the short survey also provided the foundational themes for the more detailed questions that drove the interviews.Although an exploratory methodology was used, the researchers deemed it necessary to use these simple 10 Likert-style questions to create awareness for the respondents around the research topic prior to the interviews.
Interviews were semi-structured to enable broad themes to be addressed, and were recorded and transcribed after receiving the permission of the respective interviewee.The semistructured nature supported the exploratory nature of the research by allowing relevant tangents to be explored.Given the relatively non-sensitive nature of the research (that is, the focus on the strategy process as opposed to strategic outcome), no significant issues were encountered regarding confidentiality.
Table 1 summarizes the data collection method, sampling technique, and sample size for each of the research phases: Online survey tool with ten highlevel questions, using Likert-scale.

Part Three: Semi-structured interviews
In-depth exploration of subject matter experts' opinions and perspectives on research topic.
Face-to-face, semi-structured interviews with identified functional, business and industry leaders Purposive 12 As all retail banks must consider non-financial risk management, the population for the research was all large retail banks worldwide.Retail banks were defined as customer-focused intermediaries that offer individuals products and services, including savings and transactional accounts, mortgages, personal loans, and credit cards.The research excluded the corporate and/or investment divisions of banks.The research focussed on large publicly-owned banks, defined as listed on one or more stock exchanges and excluding privately-owned banks.These scope definitions assisted in standardising the context for the research.The targeted interviewees required the ability to influence the design and implementation of the strategy process, including individuals with an external perspective (such as consultants and regulators).Given the impracticalities of obtaining a list of the total population, the researcher used a non-probability sampling technique, namely purposive sampling.The sample size (12 participants) was assessed to be sufficient based on the guidance of six to twelve interviews being an appropriate sample size for qualitative research, as recommended by Guest, Bunce, and Johnson (2006).The unit of analysis was the opinion and perceptions of relevant banking experts in relation to the incorporation of non-financial risk into retail banks' strategy processes.The transcripts of the 12 interviews were analysed by indexing and categorizing of statements of respondents in an Excel spreadsheet.The next step involved identifying broad themes in these categories from the transcriptions, followed by cross-referencing data and then utilizing a constant comparative method until theoretical saturation had been reached and, finally, consolidating analysis through synthesising tools.
Key factors considered in regard to validity, per Saunders and Lewis (2012), as well as Flick (2007), were the extent of representativeness of the research population, as well as any unintended consequences of the data collection process on the subject (for example, interviewees' availability and level of interest).It was recognised that the generalisability of findings to other banks and other countries would be impacted by the relevant regulatory and legislative framework as well as the respective internal risk management approach and culture.Key factors that were considered in regard to reliability included subject bias, such as the reluctance of interviewees to be totally open and transparent regarding the information being gathered, as well as observer bias, such as the researcher's interpretation of the data collected.Given the inherent subjectivity of the interview process, the researcher attempted to reduce the risks related to validity and reliability through the use of standardised definitions of key terms, and pre-testing of both survey and interview questions.Other members of the research team assisted in reviewing the data analysis, validating the selected themes, and overseeing the building of a conceptual framework.The next section focuses on the results of the research.

Results
In this section the results and findings are offered per research questions together with the highlighting of main observations and themes.

Research question One (Q1)
What role does non-financial risk play in Retail Banks' strategy processes?
This research question sought to understand the extent of incorporation and integration between non-financial risk and the strategy process, and the organisational context behind this.Survey respondents indicated agreement with the proposition that the strategy process, in their relevant banking environment, was clearly defined and executed, with a large majority 'agreeing' or 'strongly agreeing'.Characteristics such as defined structures, clear governance, and strong processes were highlighted by participants as key enablers of a successful strategy process in their environment.For instance one respondent said, "There's always the element of doing business as usual better, an element of some growth initiatives, and an element of transformational initiatives.In the context of that I think we're pretty clear and we've set up our governance to support those three elements".
However, external consulting participants were less sanguine about the success of banks' strategy processes, raising issues around strategy communication, existence of silos, and historic-based planning frameworks, which processes and structures did not overcome effectively.One external consultant argued that, "The strategy process in retail banks is immature.The challenge they have with strategy often is that they are so fragmented".
Another critical aspect discussed by research participants in relation to the successful execution of an end-to-end strategy process was a well thought out strategy communication plan.This factor was seen as key by participants as it assisted in cascading the strategy through the organisation and devolving necessary authority.While internal participants provided a more positive view regarding this execution, this view was again tempered by the external consulting view: "My observation from working with banks is that it's not a formalised process".
Research findings demonstrated participants' difficulty in clearly distinguishing between financial and non-financial risk or in holding a strong basis for definition.The wide range of responses highlighted the lack of an agreed and understood framework for non-financial risk.This context created difficulties around comparability within and between banks; however, it provided flexibility for respondents to reflect on their unique operating environment, aligned to the overall regulatory framework.While some participants viewed nonfinancial risk through the lens of Basel pronouncements, other focused on more generic items related to strategy and the broader organisation.Non-tangible and non-quantifiable characteristics of non-financial risk were highlighted by participants, with one interviewee stating that, "When financial risks (such as credit, market, liquidity) are excluded, operational risk becomes almost a catch all-the people, process, and systems-everything that doesn't fall into financial will fall into operational" Another participant suggested that, "Non-financial risk for me is literally only two things: one being reputational risk, but that becomes financial at a point, and certain components of operational risk, which also becomes financial".
The difficulty in achieving a narrow agreed definition of nonfinancial risk was highlighted by a suggestion that multiple risk types (financial and non-financial) are linked and therefore must be understood holistically.
All respondents 'agreed' or 'strongly agreed' with the proposition that non-financial risk should be a critical component of a bank's strategy process, with nine respondents 'strongly agreeing'.Participants raised a number of issues around non-financial risk as a compliance-based, versus value-add function, and the importance of formalising the role of non-financial risk as a critical strategic input.
Notably, an external consultant stated that the operational risk function had built its credibility at the executive level: "In this bank, the risk team is given three hours every month on the CEO's agenda, and this is not a credit thing, it's operational risk".
Non-financial risk appeared to play a greater role during the implementation and control stages of the strategy process and less of a role during the planning/design stage.It was found that further progress was necessary to evolve banks' strategy processes and the related incorporation of non-financial risk.

Research question two (Q2)
What are the benefits and challenges related to the integration of non-financial risk management and the strategy process in Retail Banks?
The research findings suggested that the successful incorporation of non-financial risk into the strategy process of a retail bank can provide quantitative and qualitative benefits.Benefits include the freeing up of regulatory capital, which can be utilised for other investments, and improving the customer experience and reputation of the organisation.
In terms of regulatory capital, the benefit was clear-cut in terms of being able to use SARB's Advanced Measurement Approach rather than the Traditional Approach, with a participant noting that, "We can demonstrate that we've put in these controls so we've got permission to use the Advanced Measurement Approach; if we lost that we'd go back to holding more capital".
Multiple interviewees noted that increased regulation and internal requirements provided an opportunity to make stepchange improvements to internal processes and subsequently, customer experiences.One participant noted that, "It is about how you apply it, while staying compliant, to give you an operational advantage … it's about how do I make it work in such a way that my client benefits."Some interviewees, however, referred to stand-alone costbenefit analyses of responding to non-financial risks, with one respondent highlighting that the pursuit of perfection is not always cost-effective.Key challenges raised by interviewees included improving the quantification and transparency of non-financial risk and establishing the right balance for non-financial risk against competing organisational priorities and opportunities.Research participants noted, for instance, a key impact of the lack of transparency was not having a consistent approach to measuring and reporting non-financial risk.Other participants suggested that an imbalance in the approach to incorporating non-financial risk can have unintended consequences, such as missed business opportunities.This view was encapsulated by the following: "I think sometimes we concentrate too much on risk from a business point of view and we might miss innovative or new ways of thinking of how to do business".
The impact of multiple-matrix organisational structures was also highlighted as a challenge, with nine of 11 respondents agreeing that multi-functional relationships were required to successfully incorporate non-financial risk into the strategy process.It was noted that a cross-functional approach to nonfinancial risk has evolved in the pursuit of realising benefits and overcoming related challenges, however, there is opportunity for improvement, including raising the profile of the risk function within the strategy process.The research also confirmed that, in South Africa, a strong relationship between individual banks, the broader industry, and the regulator has developed, which has improved the ability to address the challenges and achieve the abovementioned benefits.These people aspects will receive attention in the next section.

How does organisational culture and leadership influence the incorporation of non-financial risk into Retail Banks' strategy?
There were contradictory findings in relation to this research question.While there was a positive response to the proposition that the participant's respective bank was at a higher level of maturity than peers (influenced, in part, by the organisational leadership and culture), there was less consensus on the respective 'ways of working' that had been established.Most respondents (nine of 11) perceived their bank or, in the case of external respondents their general view of banks, to be at least above peers in terms of the respective incorporation of non-financial risk into the strategy process.
Interviewees from within banks believed their respective bank treated risk as a greater priority than industry competitors: at least one respondent from each of the banks included in the sample made such a comment.Again, external consulting participants did not agree with the proposition, arguing that banks remain immature in their incorporation of non-financial risk into their strategy process.One interviewee suggested, "I think in the last couple of years, from a non-financial risk, most of the debates and considerations and the process have been driven by regulatory changes".
Interviewees argued that a clearly articulated and bought into 'way of working' would generally be a tangible output of strong and positive leadership and culture.A performance management system that could reinforce a culture of risk management was another key requirement noted by multiple interviewees.Thus, the need for a formalised risk framework and policy was also highlighted, with one interviewee maintaining that, The role of leadership in establishing this consistent culture was raised by multiple participants, with one reflecting that, "It's a realisation that leadership drives culture, leadership doesn't drive performance".
The importance of seeing practical manifestations was also highlighted.In this respect, one participant noted that operational risk was a key stand-alone item on the Divisional CEO's monthly agenda while also highlighting that focus in regard to operational risk was not on the materiality of the risk consequences to date, but the materiality of the potential impact.The importance of alignment of the leaders with regards to risk management was highlighted by one of the interviewees in the following way: "Any culture, it needs to come from the top.So if the big boys on the top are not going to talk to each other and bring that mutual relationship back, how do they expect at a lower level that it is going to happen?It is not going to happen".

What initiatives have Retail Banks undertaken to improve the incorporation of non-financial risk management into their strategy process?
Research findings confirmed that significant investment has assisted in the incorporation of non-financial risk into the strategy process.More than half of the respondents agreed that meaningful investment in relation to incorporating nonfinancial risk into the strategy processes had, or would be, undertaken in their environment or, in the case of external participants, the environments they had been exposure to.The trend towards formally aligning non-financial risk and performance was articulated as follows, "All those trainings are tied to your performance compact, so if you don't complete it, it impacts your rating which impacts your bonus and salary increases".
The research participants identified recommendations for future initiatives, such as increased awareness and understanding through specific non-financial risk training, investment in data and systems and embedding non-financial risk in the bank's culture.For instance one interviewee suggested, "I don't think the bank is taking advantage of it by embedding it into the culture of how things are done".
Practically embedding this could include the creation of a central office to coordinate strategy, risk management, and other select functions.Another recommended initiative was increased comparability of regulatory definitions and standards; the findings suggested that there is an opportunity for regulators to play a greater and more formalised role.

Discussion
The researchers conducted an interpretation of the research findings, primarily through the lens of the related literature.
The subsequent analysis and identification of themes arising from the research findings allowed for the aggregation, refinement, and categorisation of key data points.
Discussion of Q1: Role of non-financial risk in Retail Banks' strategy processes The requirement for organisational structure to follow organisational strategy is well established theory, as originally discussed by Chandler (1962).Ahmadi et al. (2012), as well as Priem, Butler, and Li (2013) expand on this principle when arguing that translating strategy design into strategy execution is often more important than the strategy design itself.The research findings broadly supported this philosophy, however participants disagreed regarding the success achieved against the execution objective.It was perhaps not surprising that internal participants held positive views as to how their bank executed their strategy process, possibly representing an element of positive bias.
The research findings produced a range of interpretations relating to non-financial risk suggesting that the lack of a consistent framework may provide an impediment to the successful execution of organisational priorities.Stulz (2014) emphasised that risks that are not incurred with the expectation of a potential return are bad risks.This view followed the argument of Jobst (2007) who noted that, contrary to financial risks, operational risks are generally not willingly incurred nor do they have an offsetting revenue return.The research findings supported this concept, with a participant stating that operational risk lacks the upside potential that is contained with other types of risk, such as credit risk, where a bank will define their risk appetite based on a risk-return analysis.
A concept of an 'ecosystem' of risks was implied in Basel II (Basel, 2009), which noted that there were various upstream and downstream risks associated with operational risk; this was supported by the research findings.In Figure 2 the researchers created a visual representation of the identified interrelationships of the different elements of risk.The need to clarify integration points between risk types becomes more critical considering the upstream and downstream impacts associated with non-financial risks, as well as the lack of upside potential.These viewpoints were supported by the research findings.The interconnectedness of risk types is an important concept for affected stakeholders to ensure that appropriate attention and resources are applied to minimise downside risk.The level of relevant investment and focus will contribute to the maturity of the risk environment and its integration with the strategy process, which may provide the opportunity for a reduced level of regulatory capital to be held.This connection was highlighted by research participants, with the threat of being penalised with a bloated capital requirement being an ongoing concern.Through investing in necessary systems and processes, banks can calculate required capital based on internal models, in line with the Advanced Measurement Approach allowed for in Basel II.This approach enables banks to estimate an appropriate level of capital more closely aligned to their actual environment.
Discussion of Q2: Benefits and challenges related to the integration of non-financial risk management and the strategy process in Retail Banks Gates et al. (2012) and Sheehan (2009) noted the need to successfully incorporate the assessment of profitable opportunities with the management of risk into the strategy process.Many participants focussed on the actual or potential benefits that managing non-financial risk can have on the design and execution of the strategy.These included the need to view evolving regulatory requirements as opportunities, rather than challenges, the relationship with innovation, and the clarity that can be brought to performance management.Notably, the academic literature made minimal reference to the quantifiable opportunity of reducing the level of required capital by improving the management of non-financial risk in the strategy process.However, regulatory reports and guidelines, such as Basel ( 2011), made clear reference to the reduction of required capital as a benefit of improved management of non-financial risk.
The research findings confirmed that significant challenges remain in incorporating non-financial risk into banks' strategy processes.Key themes emerged through the interview process: firstly, relating to the transparency (or lack thereof) of non-financial risk and, secondly, the need to achieve a balance in managing non-financial risk, which was often discussed in terms of organisational culture.The latter view supported the literature, including Stulz (2014), which suggested too much control can stifle an environment through increased time-to-market and suppression of innovation.A third theme regarding challenges that emerged from the research findings was the importance of multi-functional relationships to successfully incorporate non-financial risk into the strategy process and, further, the importance of external relationships with regulators and the broader industry.In his case study, Mikes (2009) also highlighted the important role of multiple stakeholders, and various viewpoints, have on risk management.Thus, the research findings supported the literature in this regard, in that different divisions and functions can play a valuable role in achieving a common goal through their unique understanding and views on non-financial risk and the incorporation into strategy.
Discussion of Q3: Influence of organisational culture and leadership on the incorporation of non-financial risk into Retail Banks' strategy Culture and leadership were two themes continually highlighted by participants, not just relating to this research question but throughout the interviews.The maturity of banks, in relation to the research topic, was difficult to quantify and measure due to being based on perceptions rather than set criteria and, perhaps unsurprisingly, many internal banking respondents perceived their bank had a more mature approach to non-financial risk than peer banks.Gates et al. (2012) suggested internal overconfidence may contribute to the aforementioned view.The views raised contrasted with the literature: Arena et al. (2010) argued that risk management had not been transformed into a strategic organisational focus, while Power (2004) supported this view with his 'risk management of everything' concept, in that multiple types of risks were monitored with little focus on what was strategic.
Some participants referred to their bank's 'risk-averse' culture or an implied need to 'over-comply'.Research findings highlighted the importance of having appropriate structures, governance, and processes in place if a bank is to successfully execute its strategy and successfully incorporate non-financial risk into this process.This view supported the literature that identified formal control systems assisted with the communication and management of objectives (Abernethy et al., 2010).The importance of defined structures, including alignment and collaboration, was also highlighted in regards to the broader banking industry, particularly in relation to performance and incentivisation.In applying the research findings to the adaptation of Schein's organisational culture model, as proposed by Tennyson (2013), a number of items were consistent, despite there being no defined 'best-practice' for a desirable risk culture.Organisational structure and employee communication were, however, raised by participants as specifically required artefacts.Leadership was also identified as a key enabler of organisational culture, which could then influence how banks incorporated non-financial risk into their strategy process.
The need for banking leaders to influence and implement the appropriate structures in support of the targeted culture and risk framework was supported by participants.
Discussion of Q4: Initiatives of Retail Banks to improve the incorporation of non-financial risk management into their strategy process?
Research participants noted tangible projects that had been undertaken to date while also suggesting short-to-medium term initiatives that could improve the organisational approach, as well as longer-term aspirational initiatives that may be pursued.The requirement to elevate the role of nonfinancial risk and align the risk management and performance management frameworks supported Tennyson (2013) and Tileaga et al. (2013).External participants highlighted the need to improve the regulatory framework; however, based on their previous experiences in achieving consensus, and then implementing regulatory change, this was expected to be a long-term initiative.Notably, many of the initiatives appeared to be aspirational, in that few respondents articulated clear, formal plans to execute on the suggested initiatives.Gates et al. (2012) provided reasons for the perceived lack of prioritisation around risk management, in line with what was raised during the interviews, namely: uncertainty as to the value of increased investment in risk management, and overconfidence of leadership in current approaches.
Participants also noted that investments in non-financial risk were generally seen as preventing often unquantifiable downside risk.It appeared that the ''low-hanging fruit'' of training, awareness and to a certain extent, alignment between risk and performance, were currently being targeted; however, more transformational items, such as investment in data, systems, and processes were not a current priority.The development of compelling business cases for the identified aspirational initiatives may be a necessary next requirement for the banks sampled in this research.Kaplan (2010) identified effective risk management as the third pillar in creating shareholder value.In Figure 3 the researchers contribute to the body of knowledge by unpacking how effective risk management, in the context of non-financial risk and the strategy process, can achieve organisational benefits and increase shareholder value.The study's findings identified a series of critical success factors together with known current barriers to optimising the relationship between non-financial risk management and the strategy process.Figure 3 lists these critical success factors as a summary, in addition to the list of barriers.These forces result in required investments, some of which are already being implemented, along with future recommended initiatives.In turn, these initiatives will assist in successfully closing the gap in incorporating non-financial risk management into the three stages of the strategy process (planning, implementation and control).Closing the gap is crucial, as it will result in quantitative and qualitative benefits, which will drive shareholder value creation.

Conclusion and recommendations
This section outlines the study's main findings, recommendations for internal and external banking stakeholders, limitations to the research, opportunities for future research, and an overall conclusion.
The research found that while awareness has increased around non-financial risk, further work is required: awareness must be translated into a deep understanding and then into the underlying ways of working, while the risk function must continue to evolve from a compliance-based function to a strategic, value-add function.There is also a need for a more formalised framework for non-financial risk, including definitions, principles and application guidance.The research suggested that internal overconfidence in the current ability of banks in how they strategically address non-financial risk may be a barrier to future investment in the area and may result in the increased probability of non-financial risk events occurring.A key repeated theme from the research was the need to balance non-financial risk considerations with business opportunities, with interviewees highlighting the pros and cons of the pendulum shifting to either side.Finally, the research found there was a need for banks to continually invest in the area of non-financial risk both with short-term initiatives and longer-term aspirational projects.
The following recommendations are based on leading practices that have been observed through this research process.While short-term initiatives have, and continue to be, undertaken (such as in regards to training and awareness), shifting focus towards the longer-term requirements will likely become an increasing reality.Given banks face similar non-financial risks, there is an opportunity for industry bodies to play a leading role in coordinating the development of acceptable practices, particularly in relation to qualitative risk types.There is a clear need for banks to improve their data and systems in relation to the recording and reporting of nonfinancial risk and banks must consider further investments in these areas, while recognising that a traditional cost-benefit analysis may not be the most appropriate methodology to prioritise and select investments.There is also an opportunity to further integrate structures and process, as highlighted by the upstream and downstream relationships between risk types, which are often managed by different teams.Banking leaders have an important role to play to drive a culture that considers non-financial risk through the strategy process and day-to-day activities, through leading by example and formally linking individual and business performance management with risk management.External parties can play an important role due to their broader view of the industry and exposure to local and international leading practice.
The research findings are limited by the nature of qualitative research.That is, the findings can only be generalised for theory purposes and are not necessarily applicable to the entire population.To test the findings of this research a quantitative approach to future research should be considered, including an explanatory study to establish causal links between specific actions and outcomes.A further potential quantification-based study could endeavour to understand the detailed financial implications relating to non-financial risk, both from regulatory capital and financial performance points of view.Another limitation of this research was that the sample was limited to senior banking executives in South Africa; retail banks in other countries will be influenced by their particular country's regulatory, legislative, and operating environments, notwithstanding the increased harmonisation and globalisation of standards.Future research could consider an international comparative study.Similarly, an industry comparative of banks versus non-banks would provide lessons in regards to how different industries address financial and non-financial risk.Finally, a detailed, perhaps psychologically-based, study into the role of culture and leadership in relation to non-financial risk, in particular the relationship between personal traits/characteristics, individual/organisational behaviour, and individual/ organisational performance, may be an opportunity for future research.
Non-financial risk in the banking industry is subject to a regulatory framework that is evolving and becoming a higher priority for banks.Consequently, banks are achieving gains in elevating the level of consideration of non-financial risk in their strategy process.However, further improvements are required.Clearly, improving the maturity of non-financial risk in banks' strategy processes is a journey: some progress has been made but further attention -and investment -is required.Given the long journey financial risk has undertaken, and which continues to evolve, it can be expected that increasing the maturity of non-financial risk incorporation will take some time.However, given the importance of the issue (as highlighted by various operational and business risk events and related negative financial implications) a slow, natural evolution cannot be accepteddirect, collaborative, and ongoing commitment and action is required.

Figure
Figure 1: Research scope While the literature, including Tileaga et al. (2013) and Lemke and Peterson (2013), and regulatory guidelines, such as Basel (2009) and Basel (2011), are relatively clear in their definition of non-financial risk, this was not reinforced by the understanding of participants.A key area where the literature and research findings were aligned was in relation to the dynamic of risk versus return in relation to non-financial risk.

Figure 2 :
Figure 2: Ecosystem of non-financial riskPower (2004) suggested that, without a clear framework, it is possible that banks may lack focus.Ben-Amar et al. (2014) andSheehan (2009) further emphasised that management should integrate the formulation of strategy and management of risk throughout the strategy planning process.This research's findings provided evidence of, and confirmed the need for, integration of strategy and risk during each of the stages of the strategy process.As Figure2illustrates, the ecosystem of non-financial risk is directly and deeply influenced by a multitude of internal and external stakeholders.The figure demonstrates the expansion of relevant risks by integrating the major findings of this study: firstly, by confirming the role of leadership and culture risks; secondly, illustrating how leadership and culture influence conduct risk; thirdly, the central role of operational risk, as represented by the sub-elements of people, process, and systems risks; fourthly, fraud risks and reputational risks are shown as potential outcomes of the aforementioned nonfinancial risk types; finally, the potential impact these different non-financial risk types can have on a bank's financial performance is confirmed, particularly through credit risk and financial losses.

Figure 3 :
Figure 3: Effective risk management as a pillar of shareholder value creation

Table 1 : Research phase and sampling information Research phase Aim of phase Data collection method Sampling technique Sample size
We actually confuse ourselves and our staff sometimes because one moment you want to be nurturing and the next moment you've got the cut-throat corporate behaviours.So if you don't get that right you will have inconsistency".