Beyond the Bottom Line: The Growing Impact of Non-Financial Risks on Companies and Industries
Updated: Nov 10
In today's fast-paced and complex business landscape, companies face a multitude of risks that can impact their bottom line and reputation. While traditional financial risks such as market fluctuations and credit risk have long been the focus of risk management efforts, non-financial risks are becoming increasingly important.
There has been a growing awareness of the potential impact of non-financial risks on a company's financial performance, reputation, and long-term viability. Facebook's stock price fell 18% in just a week in March 2018 following the Cambridge Analytica scandal, which highlighted the potential risks associated with data privacy.
Non-financial risks can range from environmental, social, and governance (ESG) issues to cybersecurity threats, and can have a significant impact on a company's financial performance and reputation. Their impact can also vary dramatically across sectors and industries, depending on the nature of their operations, the regulatory environment they operate in, and the level of stakeholder scrutiny they face.
ESG Issues and Sustainability Risks
ESG issues have gained significant attention in recent years as stakeholders, including investors, customers, and employees, increasingly prioritise sustainability and social responsibility. A study by McKinsey found that companies that effectively manage ESG issues can outperform their peers by as much as 12% annually. However, failing to address ESG issues can have a negative impact on a company's reputation and bottom line.
Companies that do not address environmental risks may face fines and legal action, as well as damage to their reputation among consumers and investors. In addition, companies that do not prioritise social responsibility and employee wellbeing may experience high turnover rates and difficulty attracting top talent.
In addition, investors are increasingly interested in understanding a company's exposure to ESG risks and how those risks are being managed. This has led to an increase in reporting and disclosure requirements related to ESG risks. For example, in 2020, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would require companies to disclose more information about their climate-related risks.
According to a report by Accenture, cyber-attacks cost companies an average of $13 million per incident in 2020. These costs can come from a variety of sources, including data loss, business disruption, and reputational damage. In addition, companies may face legal and regulatory consequences if they fail to adequately protect sensitive information. The rise of remote work and the increased use of cloud-based systems have further increased the risk of cybersecurity threats.
You can also refer to my review of the ION Trading cyber attack.
Reputation and Brand Risks
In today's interconnected world, news of a scandal or controversy can spread rapidly through social media and other channels, damaging a company's reputation and bottom line. A survey by Deloitte found that 67% of companies believe that managing reputation and corporate brand is more important today than it was in the past. To mitigate this risk, companies must prioritise transparency and communication with stakeholders and address issues quickly and effectively.
Companies that fail to manage non-financial risks effectively will suffer significant reputational harm, which can lead to decreased revenue, increased regulatory scrutiny, and other financial costs. For example, companies that are found to have violated data privacy laws or engaged in unethical conduct may face significant reputational damage that can impact their bottom line.
Legal and Regulatory Risks
Since the 2008 financial crisis, there has been an increasing focus on non-financial risks in the financial industry. Regulators have implemented new regulations aimed at addressing a range of risks, including non-financial risks such as operational risk and conduct risk. The goal of these regulations is to help prevent a repeat of the financial crisis by ensuring that financial institutions are better equipped to manage a range of risks.
Increased regulatory oversight does not necessarily translate into increased non-financial risks. The purpose of increased regulatory oversight is to ensure that financial institutions are managing non-financial risks appropriately and to reduce the likelihood of those risks leading to negative outcomes for the financial system and broader economy. Effective regulation can help to reduce non-financial risks by requiring financial institutions to implement robust risk management frameworks and to meet certain standards related to issues such as data privacy, cybersecurity, and social responsibility.
In addition, companies that fail to manage non-financial risks effectively may be subject to legal action from regulators, customers, or other stakeholders, which can result in fines, legal fees, and other costs. For example, companies that are found to have violated environmental regulations may face fines and legal action that can impact their financial performance.
Operational risks are another type of non-financial risk that can impact a company's bottom line. These risks can include supply chain disruptions, natural disasters, and employee misconduct. While these risks may not always be preventable, effective risk management strategies can help companies minimise the impact and ensure business continuity.
The impact of non-financial risk management on the cost base
The impact of non-financial risks on a company's cost base can vary depending on the nature and severity of the risks. In general, managing non-financial risks can involve additional costs for a company, such as:
Compliance costs: Meeting regulatory requirements related to non-financial risks can involve additional compliance costs for a company, such as investing in new technology, training staff, and implementing new processes and controls. Non-compliance with regulations, laws, or industry standards can also result in fines and penalties, which can be substantial and impact a company's bottom line.
Reputation costs: Non-financial risks, such as data breaches, environmental incidents, or social responsibility issues, can damage a company's reputation, leading to a loss of customer trust and loyalty. This can result in decreased revenue, reduced market share, and increased costs to rebuild the brand. Managing these risks may require investments in sustainability initiatives or stakeholder engagement activities to protect and enhance the company's reputation.
Operational costs: Cybersecurity risks can lead to operational disruptions, such as data breaches or system failures, which can result in significant financial and reputational costs. In addition, natural disasters or supply chain disruptions can cause operational disruptions, resulting in lost productivity and revenue. This can also lead to increased costs associated with remediation and recovery efforts. Managing these risks requires investments in technology and staff training to ensure that systems and data are secure.
Legal costs: Non-financial risks can also result in legal costs if a company is found to be in violation of laws or regulations related to issues such as data privacy or ESG standards. In addition, product defects or workplace safety issues can lead to litigation costs, which can be significant and impact a company's financial position.
Stakeholder activism: Non-financial risks such as social responsibility issues can lead to stakeholder activism, including shareholder activism, consumer boycotts, or employee protests. This can result in increased costs associated with managing these issues and can also impact a company's reputation and revenue.
Impact of non-financial risk across sectors
The impact of non-financial risks can vary across different sectors and industries, depending on the nature of their operations, the regulatory environment they operate in, and the level of stakeholder scrutiny they face.
Here are some examples of how non-financial risks can impact different sectors and industries:
Financial services: Non-financial risks, such as operational risk and cybersecurity risk, can have a significant impact on financial services companies, which rely heavily on technology and data to conduct their operations. Additionally, conduct risk has become a major concern for regulators in the financial services industry, as misconduct scandals can result in significant financial and reputational costs. For example, the Wells Fargo fake accounts scandal resulted in billions of dollars in fines and damaged the bank's reputation.
Energy and natural resources: Environmental risks, such as climate change and resource depletion, are a major concern for companies in the energy and natural resources sector. Failure to manage these risks effectively can result in reputational damage and regulatory fines, as well as impact the long-term viability of the company. For example, BP's Deepwater Horizon oil spill in 2010 resulted in significant financial and reputational costs for the company.
Technology: Technology companies are particularly vulnerable to non-financial risks such as cybersecurity risk and data privacy risk, as they collect and process vast amounts of sensitive data. These risks can result in significant costs, both in terms of fines and reputational damage, as well as lost revenue if customers lose trust in the company's ability to protect their data. For example, the Equifax data breach in 2017 resulted in the exposure of sensitive personal information for millions of people and led to a significant decline in the company's stock price.
Healthcare: Healthcare companies are subject to a range of non-financial risks, including product liability, data privacy, and regulatory compliance. Failure to manage these risks effectively can result in significant financial and reputational costs, as well as impact patient safety. For example, the opioid crisis in the United States has resulted in significant legal and reputational costs for pharmaceutical companies that were accused of contributing to the epidemic.
Risk Management Strategies
To effectively manage non-financial risks, companies must prioritise risk management as a key part of their business strategy. This includes identifying potential risks, assessing their impact, and implementing measures to mitigate and manage these risks.
Some key risk management strategies include:
Conducting regular risk assessments: Companies should regularly assess potential risks and their impact on the organisation to identify areas of vulnerability.
Developing a risk management plan: Once risks have been identified, companies should develop a plan to manage and mitigate these risks.
Investing in cybersecurity: With cyber-attacks becoming increasingly common, companies must invest in cybersecurity measures to protect sensitive data and systems.
Prioritising sustainability and social responsibility: To address ESG risks, companies must prioritise sustainability and social responsibility in their business practices and supply chains.
Communicating with stakeholders: Transparent communication with stakeholders, including customers, investors, and employees, can help companies build trust and mitigate reputational risks.
Non-financial risks are an increasingly important focus for companies, investors, and regulators. These risks can have a significant impact on a company's financial performance and reputation, and failure to manage them effectively can result in significant costs. Companies should invest in effective risk management strategies that can help to identify, mitigate, and monitor non-financial risks in a cost-effective manner. Additionally, regulators and other stakeholders should continue to focus on promoting effective risk management practices and standards to help ensure the long-term sustainability and stability of the financial services industry.