Why the 'Tsunami' of Regulatory Non-Financial Risk (NFR) Proves Qualitative Approaches Are Obsolete

Regulation Was Meant to Protect People, Not Processes
If we go back to first principles, the objective is not controversial. The purpose of non-financial regulation is to improve human life and safeguard fundamental rights.
As Prof. Gian Paolo Romano reminded us, re-reading the preamble of the Universal Declaration of Human Rights is enlightening: people are at the center of the entire edifice. That should remain the guiding principle for any regulatory effort and any risk management framework:
Does this regulation, and the way we implement it, truly help people?
Yet when you look at how non-financial risk (NFR) is managed today inside large organisations, there is often a disconnect between that human-centric goal and the reality on the ground.
Three Structural Obstacles That Block Real-World Impact
Despite their noble intentions, non-financial regulations often fail to deliver on their promise because of three structural obstacles that keep coming back in conversations with risk leaders.
1. A Cryptic and Complex Web of Norms
After years of “simplification agendas”, the regulatory landscape remains staggeringly complex.
- In ESG alone, the EU now counts dozens of regulations and directives, interlinked but not always consistent.
- Texts are often drafted in dense legal language that is difficult for operational teams to interpret.
- Each new crisis tends to add more rules, rarely removing or consolidating existing ones.
As Teresa Ribera wrote in the Financial Times, “Europe can and must simplify rules where necessary and reduce unnecessary burden.” But simplification remains more an aspiration than a reality.
For people to comply, the law must be intelligible. Today, many employees are simply lost in the labyrinth.
2. Too Many Rules Kill the Rule
In many global companies, employees do not ignore the rules – they do not know which rules actually matter.
- Policies multiply.
- Local guidelines overlap with group standards.
- Training becomes a box-ticking exercise.
Volume erodes clarity. And when clarity erodes, compliance deteriorates.
This is how you end up with organisations that are formally “compliant” on paper, but where real-life behaviours diverge from expectations in critical moments.
3. The Financial Exposure Is Potentially Existential
When you aggregate the maximum fines across emerging non-financial regulatory areas – AI, digital, ESG, privacy and more – the theoretical exposure can exceed 50% of global turnover.
Of course:
- Supervisors rarely apply the legal maximum.
- Proportionality is a core principle of enforcement.
- Authorities operate with different priorities, in different countries, with uneven coordination.
But from a board and CEO perspective, the picture is still alarming:
You are effectively a large ship facing hundreds of torpedoes.
Any one of them might only scratch the hull – or it might sink the ship.
In such an environment, relying on qualitative colours and static registers is no longer defensible.
The Illusion of Control: Heat-Maps and Siloed Registers
Most organisations still manage regulatory NFR through:
- Qualitative heat-maps (low / medium / high).
- Fragmented risk registers owned by different functions (Compliance, Legal, IT, ESG, Internal Control, etc.).
- Periodic reviews that are often more about format than about substance.
These tools create an illusion of control:
- They rarely capture concentration risk across domains (e.g., the same weakness affecting ESG, antitrust and privacy simultaneously).
- They do not quantify the financial magnitude of exposures.
- They miss cross-regulatory ripple effects, where one failure triggers multiple regimes (e.g., greenwashing, disclosure, consumer protection, market abuse).
In short, qualitative, siloed approaches do not match the scale, interdependence, or speed of today’s regulatory landscape.
Boards are left with colourful dashboards – but without a clear, monetary view of what is truly at stake.
Why Quantification Is No Longer Optional
To navigate this tsunami, quantification is no longer a “nice to have” – it is a must-have.
A quantitative approach to regulatory non-financial risk should enable leaders to:
- Translate regulatory exposure into financial language – e.g., potential fine ranges by domain, by region, by business line.
- Identify concentration hot-spots – where multiple regulations could be breached by the same root cause.
- Simulate the impact of mitigation actions – how specific controls, training, or governance changes reduce the expected loss.
- Prioritise investments – allocate limited compliance and risk budgets where they reduce the most risk per euro spent.
This is not about replacing professional judgement or ethics with numbers. It is about equipping leadership with a reliable, decision-grade view of their non-financial risk landscape – in the same way credit risk, market risk, or insurance risk have been quantified for decades.
From Regulatory Burden to Better Protection of People
At GLIS Risk, we believe that only a systematic, consistent and global quantification of regulatory NFR can reconcile three objectives that are too often treated separately:
- Protecting people and fundamental rights – by making sure the most severe human impacts are clearly visible and addressed first.
- Providing clarity to boards and executives – by expressing non-financial risk in the same financial language used for strategic decisions.
- Using scarce resources intelligently – by focusing compliance and risk budgets where they truly reduce exposure, instead of spreading them thinly across an ever-growing checklist.
This is exactly the type of quantitative solution we are building with NFR 360 by GLIS Risk: a way to move beyond heat-maps and siloed registers, towards a coherent, monetary view of regulatory non-financial risks across ESG, ABAC, antitrust, privacy, AI and other domains.
A Question for CEOs and Boards
If you sit on a board or executive committee, one question is worth reflecting on:
In the face of a regulatory tsunami that can theoretically threaten more than half of your global turnover, are you still relying on qualitative traffic lights – or do you have a quantified view of your true exposure and how to reduce it?
If the honest answer is “not yet”, this is not a reason for blame. It is a sign that the tools and methods must evolve.
Non-financial risk will not disappear. But with the right quantitative lens, it can be managed, prioritised and aligned with its original purpose: improving human life and protecting fundamental rights, not just avoiding regulatory headlines.