Review of Risk Appetite in Financial Institutions
This paper provides a comprehensive review of risk appetite in financial institutions (“FI”). It focuses on i) identifying and evaluating the key elements essential in underpinning an effective Risk Appetite Framework (“RAF”), ii) how various stakeholder expectations are addressed in the RAF, and iii) the challenges encountered in successfully embedding risk appetite into the FI’s Enterprise Risk Management (“ERM”) Framework and consequently the institution’s BAU (business-as-usual) approach to how it views and manages risk.
I work in a pillar Irish bank, and the views/conclusions expressed are based on my review of the academic research on risk appetite as well as on my own personal experience of the bank’s approach to implementing its RAF.
What is Risk Appetite and the Risk Appetite Framework?
There are a range of definitions of what risk appetite is; my takeaway is that risk appetite is the amount and type of risk an FI is willing to accept in order to achieve its strategic objectives (having regard to its risk capacity). The Risk Appetite Statement (“RAS”) is the formal document that articulates the types and amounts of risk the FI will accept, within the boundary of its risk strategy. The RAS should be formulated with the input and approval of the Board and communicated to both internal and external stakeholders.
When I think of the term “risk appetite”, I immediately think of the RAS that pops up in my email folder at the start of every summer. However, in preparing for this paper, I came to appreciate that the concept of risk appetite is more complex: it is a key component of a much bigger process, the RAF, described by the FSB (18 November 2013) as “The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored”.
Using the following graphic, the RAF can be described as an end-to-end process which broadly breaks down as follows:
- The risk capacity is established (the amount of loss the FI can absorb before failure), the strategic objectives are established, and the strategy for delivering those objectives is determined.
- Risk appetite is established, translated into appropriate risk limits and cascaded. The FI puts in place policies, risk limits/controls, governance and reporting processes.
- The risk profile is monitored and reported on regularly vis-à-vis risk appetite; and
- Any change in the risk profile vis-à-vis the stated risk appetite warrants action to sustain the risk profile (and solvency) of the bank over time.
- At the centre of the RAF is communication, the key requisite for all the stakeholders involved.
Key Elements of an Effective RAF
The conclusion from my reading is that a genuinely effective RAF should be:
- Dynamic: it changes with the operating environment and facilitates the recognition of new risks and of different risk treatments that may be appropriate. It is understood by all staff and adds value to decision making, as a core part of the ERM framework.
- Clear: the RAS should be clear and understood, so as to empower the risk takers to use the stated risk appetite while the risk limits in place protect the business against excessive risk taking.
- Embedded in the FI’s day-to-day approach to risk, influencing how it views, manages and reports on risk.
Using this description of the RAF (“what good looks like”), the key elements required for an effectively operating RAF are discussed below.
A critical success factor for an effectively operating RAF is a strong underlying risk culture. It is a recurring theme amongst the experts that risk culture and the effectiveness of the RAF are interlinked. Risk culture starts from the top and must filter right through the FI. The Board has to be supportive and its actions must reinforce this support. If the Board’s support is not credible, effective embedding of the RAF will not happen: staff who are not convinced of the conviction of the Board will take the view that the RAF is simply another “layer” created by the risk function.
Communication of risk appetite in the financial institution is critically important for an effectively functioning RAF, if it is to be successfully embedded into the broader ERM framework. Communication between the internal stakeholders is at the core of an effective RAF:
- Risk appetite needs to be linked to strategy and planning at the outset; otherwise it will not be fully linked to the FI’s strategic objectives and planning process, and will not reflect the risk strategy.
- Regular reporting to senior management and the Board on how the types of risk faced by the bank are being monitored, controlled and mitigated.
- The actual RAS must be clear enough to be easily communicated, right down through the bank to all staff, even those with no decision-making authority. For my first three years in the bank, I was unaware of the concept of a RAF or of the existence of a RAS. I would attribute this mainly to a combination of siloed departments, ineffective communication of the bank’s purpose and strategy, and a risk culture still in early-stage development.
Risk Identification and Assessment of all the Relevant Risks
- The RAF needs to clearly identify all the risks to which the financial institution is exposed; these can be risks under its control (e.g. non-performing loans) and also external risks it cannot control (e.g. cyber risk). In addition, the risks need to be assessed and ranked in order of priority. Too many risks can result in ineffective risk management: attention turns to a mechanical, “tick-box” (or compliance-type) approach without sufficient focus on the real risks.
Aggregating the Risks
- Once the key risks are identified, it is important that there is a process that determines the correlation between different risks (to avoid concentrations), enables the risks to be aggregated, and ensures that the quantified level of overall risk does not exceed the FI’s risk capacity.
Risk Appetite Statement (“RAS”)
- A clear and unambiguous RAS communicates the high-level objectives of the bank and transforms them into more granular metrics that guide the management team and the individual business units in appropriate risk management. The RAS must clearly state the risks, include risk metrics that are appropriate to individual business lines, and use a consistent taxonomy that is unambiguous.
- The risk limits in the RAS where I work are “hard” limits, i.e. there are no permitted “risk tolerance levels” outlined in the RAS I reviewed. If a Board-approved limit is breached, it is automatically notified to the Board without exception.
Accountability, Escalation and Remuneration
- There need to be accountability and escalation procedures that are clearly outlined and understood by staff if a risk limit is breached. Each risk should be assigned to a risk owner; this should in turn be reflected in/linked to their individual performance review, and any risk limit breaches should ideally result in meaningful actions, either a sanction or an impact on any performance-linked remuneration. In Ireland, there has been no material individual accountability for the institutional performance that led to the 2008 economic crisis. This situation is expected to change in the future and is expected to be of significant importance in guiding the future behaviour/risk taking of those in senior management functions.
Effective Data Capture Systems & Stress Testing
- It is important that the underlying data systems and processes (“risk infrastructure”) are fit for purpose, provide reliable data, and can provide information in a timely fashion, particularly for the monitoring of risk limits on a continuous basis.
- It is also important that the competency exists to challenge risk appetite outcomes, and to use a range of “what if” scenarios to test the future outcomes and risk profile of the FI vis-à-vis its stated risk appetite.
Stakeholders and Risk Appetite
There are a range of stakeholder interests in a financial institution’s risk appetite, and they all have different expectations. The challenge is to recognise and balance these different expectations. I have reviewed the RAF/RAS documents in my bank, and concluded that consideration of stakeholders’ needs is evidenced in a number of ways:
Investors: seeking sustainable returns on deposits/equity investments with minimal volatility. The strategic objectives in the RAS are stated (managing volatility, ensuring the bank remains a going concern, franchise protection), and I can see how they are linked to a range of more granular risk measures across the 10 key risk areas defined in the RAS. In recent years, my bank has added additional content to the published accounts vis-à-vis key risks and risk appetite to enhance ordinary investors’ understanding of the levels of risk the bank is exposed to.
The Regulator: uses the RAS and RAF as evidence of strong risk management practices and robust governance. While there is no reference to the regulator as a stakeholder in the bank’s RAS, I would conclude that the RAS uses clear language and consistent terminology, with metrics that are appropriate to the business units/risk areas. In addition, the RAF clearly outlines the responsibilities of the Board, governance and escalation procedures, and evidence is provided regarding the communication of risk appetite down through the bank.
The Board: ultimately the Board is responsible for strategy and risk appetite and needs to be assured that risk taking is controlled and remains within risk limits. It is crucial that the supporting risk infrastructure is fit for purpose. In my view, the bank’s RAF is very clear in outlining escalation procedures, defining materiality, and the required governance/remediating actions.
Staff: disappointingly, there is very little meaningful content to engage staff (particularly those without specific decision-making authority) in either of these documents. Ideally staff want to be engaged in their work, and it is vital they are aware of the bank’s values and objectives in order to guide their day-to-day behaviour/risk awareness. I also found it interesting that these documents are only circulated to a limited audience.
Key Challenges in Implementing Risk Appetite within the Wider ERM Framework
The items discussed below are the key areas that continue to present the biggest challenge to embedding risk appetite in the ERM framework.
Risk Culture and Communication Issues
Effective communication is at the core of a strong risk culture, and it is crucial that there is collaboration between the relevant business units who contribute to the establishment of risk appetite.
- The strategy makers need to understand the risks and the levels of risk the FI will accept; equally, the risk takers in the business units must understand the risk strategy/capacity available. If the process of determining risk appetite is seen “just as another risk management activity”, siloed, separate and not receptive to feedback from individual business inputs (Strategy/Planning/Business Units), then it is unlikely to identify the relevant risks and determine an appropriate risk appetite. Ultimately, if the operating environment or risks change and the strategy changes, risk appetite will start to diverge and become less effective, as it no longer guides the senior management team in terms of risk taking.
- I recently came across an example of poor communication: a new metric (Non-Performing Exposures) was included in the bank’s mid-year RAS refresh in response to changing ECB guidance. The UK subsidiary business unit was not aware of the inclusion of this new risk metric, and it transpired that, based on the prevailing month-end data, the unit was already RAG rated as “Amber”, and at increased risk of breaching this newly implemented RAS metric.
- Communicating the RAS: given its strategic and practical importance, I would argue its audience should be as wide as possible and not limited to “relevant management personnel”. If the FI’s objectives, the risks faced and how they are managed are not known by staff, then the challenge not only to embed risk appetite but also to engage staff becomes more difficult. I believe risk culture in my bank would benefit significantly from sharing the RAS with all staff, and that it should be used as a key lever to increase risk awareness, how we think about risk and what we need to do to manage it. Having reviewed the RAF/RAS documents in my bank, I do believe they stand up well to scrutiny, but my view is that the process falters due to inadequate communication/profiling of risk appetite through the bank, to the front line.
Board “buy in” – vital to embedding risk appetite in the FI
Integration of risk appetite in the ERM framework of the institution requires a strong Board behind it. The Board needs the relevant experience to: i) first understand the business risks, so that it can challenge the risk appetite process (e.g. identifying the right risks, appropriate stress-testing assumptions); ii) champion both risk appetite and the ERM framework (to internal and external stakeholders) as a key process that will add value to decision making and as the process by which the FI will achieve its objectives; and iii) oversee the implementation of strong underlying governance processes, roles and accountability for the management of risk appetite on an ongoing basis. I believe the Board could practically support the embedding of risk appetite simply by allocating additional resources to the Group Comms division, with specific responsibility to raise the profile of risk appetite throughout the FI.
Risk Identification and Aggregation of Different Risk Types:
There are still problems in measuring risks at a granular level and determining the FI’s risk appetite for them:
- Measuring certain risks and then determining risk appetite for them (e.g. how do you measure reputational/conduct risk?). In the past, FIs omitted risks that were not readily measurable. So the challenge is to establish a metric that accurately quantifies the FI’s risk appetite for individual risks and that can be explained and cascaded to business units so that it can be implemented as part of the day-to-day approach to risk. Some FIs will typically include a “management overlay figure” or qualitative statement as a proxy for the FI’s risk appetite, but typically this is based on judgement more than on a systematic approach to quantifying risk appetite.
- An even bigger challenge for FIs is how to “aggregate up” all the risks identified so that overall risk appetite can be quantified within the confines of the overall risk capacity. This is difficult, especially as different business units typically have different risk measurement metrics to control their risks (e.g. the mortgage business will use non-performing loans, whilst the Treasury business will use metrics like VaR/LCR). There is a huge challenge in tying all these metrics back to the high-level RAS in a valid, meaningful way. Currently, common measures such as Forward Looking Loss or Economic Capital usage are used, but more progress is still needed on this particular aggregation problem to ensure that risk appetite is determined through a robust approach.
Adequacy of Data Capture and MIS Systems
The underlying risk infrastructure needs to be sufficiently robust to capture the right information and provide reporting in a timely fashion to control risk appetite and risk profile.
- Currently, where I work, there are a number of manual “workarounds” to report on certain risk limits to the Board, as underlying data systems are not fit for purpose or processes have been discontinued without discussion with other stakeholders in the reporting process(!). Certain risk limits in the RAS are currently not able to be measured, an unacceptable position.
- In addition, the escalation and reporting governance needs to be sufficiently robust to accommodate “bad news” up to the Board, free from any “messaging”.
Since the financial crisis in 2008, the importance of knowing your risk appetite in relation to delivering your strategic objectives has been generally accepted by FIs. An effective RAF will facilitate the process of systematically determining risk appetite and translating it into risk metrics and limits at business level to guide the risk taking required, whilst the risk infrastructure that is part of the RAF will facilitate the monitoring and reporting of risk profile against stated appetite. An effectively operating RAF will also facilitate the ongoing evolution of risk appetite as the operating environment and risk strategy change.
Considerable progress has been made in respect of developing and building out the more tangible “pillars” that underpin the RAF: the required analytical skills/competencies are being developed or acquired, financial investments in more sophisticated data systems are being made, and continuous improvement in governance and ways of communicating is ongoing.
However, the measure of a truly effectively operating RAF is the extent to which it is embedded in the wider ERM approach and how it permeates the FI’s approach to risk, decision taking and risk monitoring. The challenge of embedding risk appetite is linked to a robust underlying risk culture, an altogether very intangible pillar in the RAF which itself continues to challenge FIs. Risk appetite and risk culture are mutually reinforcing, and if FIs want to achieve a fully embedded risk appetite, they will need to continue to develop and nurture risk culture in their organisations.
References
- A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000, Institute of Risk Management
- Principles for an Effective Risk Appetite Framework, Financial Stability Board (2013)
- Governance for Strengthened Risk Management, Institute of International Finance (2012), Section 2: Risk Appetite
- Understanding and Communicating Risk Appetite, COSO (2012)
- Risk Appetite: A Discussion Paper, Central Bank of Ireland (2014)
- Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions, IIF (June 2011)
- Risk Appetite Frameworks: How to Spot the Genuine Article, Deloitte
- Risk Appetite and Risk Responsibilities, P. Jackson, EY
- Using a Risk Appetite Framework to Align Strategy and Risk, Anna Krayn and Ed Young (2015)
- Constructing a Risk Appetite Framework: An Introduction, The Society of Actuaries in Ireland (2011)
Notes
- The amount of risk that an organisation is willing to seek or accept in the pursuit of its long term objectives (Risk Appetite and Tolerance: Guidance Paper, Institute of Risk Management, 2011).
- “The amount and type of risk that an organisation is prepared to seek, accept or tolerate” (ISO 31000, 2009).
- Sourced from Deloitte, Risk Appetite Frameworks: How to Spot the Genuine Article.
- IIF (June 2011), Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions.
- Risk tolerance is the accepted deviation or variation from the agreed risk limits. I understand they may be used in insurance companies; this is not accepted as an approach in my bank.
- The FCA will implement the Senior Managers Regime in the UK in 2019. There are current proposals by the CBI to introduce a “Senior Executive Accountability Regime” under which it would pursue individuals directly in an enforcement action.
- Again noting that risk limits are hard limits in most banks, and certainly in the bank where I work.