Risk Appetite as a Strategic Tool
Anna Isacson, EY (f d Ernst & Young)
2
Framing Effect – Asian Disease Problem
Scenario: 600 individuals are infected with a deadly virus. There are two alternative exclusive approaches to
deal with the crisis.
• You can save 200 individuals for sure through quarantine
• You can invest in research and there is a given probability to develop e the right antidote or failure
You choose only between these two alternatives
Framing I
Option A: 200 Individuals are being saved for sure
Option B: 600 individuals are being saved with a probability of 1/3,
600 individuals are not being saved with a probability of 2/3
Framing II
Option A: 400 Individuals die
Option B: 600 individuals do not die with a probability of 1/3
600 individuals die with a probability of 2/3
3
Managing Risk Appetite and Its Cousins
Stress-based scenarios; ‘Reverse’ stress tests and action plans
Define
Appetite
The amount of risk
a company is able
to accept – define
in terms of impact
on capital,
liquidity outflow
and share price
Aggregated risk reporting that is both forward looking (strategic goals, new products) and current (aggregated current
positions and exposures)
Tolerance
The amount of risk
a company is
willing to accept
in pursuit of its
objectives
Current quantitative metric and qualitative reports and assessments of risk by category
Target
The specific
maximum
applicable to each
category of risk
that the firm is
willing to take
Actual v expected return on risk by product lines / risk
taking activity
Limits
The optimum level
of risk taken,
aligned to
expected returns
Measure and manage
Capacity
Threshold monitoring
Thresholds set for
monitoring tolerances
and targets at a
granular level
4
Risk Capacity, Risk Appetite and Buffer Based on
Industry Consensus Definitions
-From the Financial Stability Board, FSB
Risk capacity
►
Maximum loss a firm can sustain
and still remain viable as a business
(ie without breaching regulatory
capital, liquidity and conduct
constraints)
Risk appetite
►
Risk
appetite
Buffer
Funds held above risk appetite due
the uncertainty in the
determination of risk appetite and
risk capacity
Buffer
►
Aggregate amount of risk a
firm is willing to assume
within its risk capacity to
achieve its strategic objectives
and business plan
6
7
EY Risk Appetite Survey
Eight areas have been identified as the main focus to strengthen
risk management and take risk forward
Risk governance
Capital
management
Liquidity risk
►
Board engagement
►
Influence of CROs
►
Improving capital allocation and
management
►
►
Stress testing
Compensation
schemes
►
Enhancing liquidity risk
management and internal
pricing
Risk culture
More sophisticated
methodologies, models and
systems
Risk appetite
Compensation schemes better
align pay to risk-adjusted
performance
Risk transparency
►
Awareness and ownership of
risk
►
Redevelopment and
embedding of risk appetite
►
Systems and processes to
improve transparency of
information (significant
changes in progress)
8
Priorities Differ by Sectors
Banks
Asset management
Insurance
Risk governance
Capital management
Liquidity risk
Stress testing
Compensation schemes
Risk culture
Risk appetite
Risk transparency
High priority/critical to the business
Medium priority
Low priority
9
Risk Appetite – Defining and Embedding
Increase in organizational focus on risk appetite
45%
Moderate
increase
Most firms have formalized enterprise-wide
risk frameworks in place
►
Many are in or moving into the next phase
of developing individual frameworks for
each business unit
*
►
All agree the challenge is how to implement
and enforce risk appetite and make it
relevant to the business units on a day to
day basis
**
50%
5%
No increase
►
Significant
increase
“Risk appetite is a long journey but at
least we have the first phase –
articulation – done”
Key: * = In progress ** = Major challenge
10
Risk Appetite Metrics
Response by firms to the question:
► What do you think is the optimum number of parameters that strikes the right balance
between being comprehensive and comprehensible?
45
Number of metrics per bank
40
35
30
25
20
15
10
5
0
►
►
Popular consensus is no more than 10 at the board level with
Increasing detail to support at levels below the board
High
Low
Mean
Source: IIF Implementing Robust Risk Appetite Frameworks to Strengthen
Financial Institutions
12
Current Areas of Progress and Major Challenges
Current areas of progress
►
►
►
►
►
Integration of risk appetite into strategic/business
plans
Improved understanding of risk at board level
Comfort at board level that risks are
being managed
Better discussion between risk function, senior
management and Board members
Major challenges still to be overcome
►
►
►
Design
Establishing clearer processes for
planning risk linked to performance
►
Allocation
►
Linking risk appetite with business strategy
Understanding the portfolio effect
of risk appetite
Making the risk appetite process
more efficient
Establishment of stronger MI
systems for risk reporting
►
Translating high level objectives into
business level guidelines
Develop a comprehensive risk appetite
framework across all dimensions of risk
►
Embedding
►
Embedding a culture of risk within
the wider business
Having timely ability to monitor
performance against risk appetite
13
Key Challenge – Linking Risk Appetite to Business
Planning Processes
•
Supervisors now expect risk management to participate in all aspects of business planning, providing
risk considerations for new business opportunities, liquidity, funding, and capital planning.
Risk Disconnected from Planning
Risk Management
Finance
Risk
Appetite
Financial
Plan
Risk Integrated with Planning
Capital / Funding
Plan
Strategic
Plan
LOB / BU
Risk
Appetite
Treasury
Financial Plan
Strategic
Plan
Capital /
Funding
Plan
14
Key Challenge – Relating Risk Appetite to Risk Culture
• Regulators have put renewed importance on the management and measurement of risk culture in a more
formal way as critical to the long-term viability of the organization
• The Bank Governance Leadership Network, led by Tapestry Networks with the support of EY, identified four
elements for which risk culture can be evaluated:
1
2
Tone
• Board and senior management visibility
• Frequent communication emphasizing
the institution’s core values and
expected risk behavior
• Prominence of risk education / training
(e.g. all staff, risk staff)
• Integrated with the Code of Conduct
Tone
Enforcement
Risk
Culture
Behavioral Metrics
4
Enforcement
• Employees held accountable for
noncompliance with risk policies or
procedures
• Compensation is aligned with
performance against the stated risk
appetite
Escalation
Behavioral Metrics
• Frequency of limit breaches or
noncompliance with tolerances
• Percentage of self-reported issues or
emerging risks
• Number of audit findings and the
percentage past due
• Number of customer complaints relative
to industry norms
3
Escalation
• Frequency of risk issues escalated to
senior management (e.g. monthly,
quarterly, ad hoc)
• Extent of information filtered as it
escalates to senior management, risk
committees, and the Board of Directors.
15
16
Aligning the Perception of Risk and Risk Preferences
Between Board and Senior Management
Risk
appetite
statements
Allocation of appetite to
business units
Linking appetite to limit frameworks
17
Linking Risk Appetite to the Limit Framework
•
•
►
►
►
►
►
The limit frameworks need to be calibrated to the risk appetite that has been allocated to the business
unit
This provides business units with a level of discretion to deliver their business plans, subject to capital
and liquidity resource constraints
The Board and senior management will
have clear views on:
► The acceptable level of loss from a
particular risk type, eg
insurance/underwriting versus
operational
► The acceptable level of loss from a
particular business unit
Total appetite
Insurance/
Underwriting
risk
The allocation should be aligned to the
risk-register, eg risks considered to exist
within each business unit and where the
responsibility for managing these sits
Business units need to view loss
distribution across portfolios
The portfolios must be able to
remunerate the allocated capital to
support business development
This defines the underwriting guidelines
Health
Disability
Critical illness
Market risk
Protection
Long Term
Care
Wealth
Operational
risk
Risk appetite
statement
Counterparty
default risk
Allocation of
Appetite/
BU level statement
Link to limit
framework
18
Aligning the Perception of Risk and Risk Preferences
Between Board and Senior Management
•
Setting the tone from the top and aligning risk appetite and risk profile with risk culture are key for an
effective risk appetite framework
•
Requires consistent risk preferences between the board and senior management
Approach
1
Design the
questionnaire
2
Facilitate the
workshop
3
Analyse the
results
Engage with
organisation to
identify key topics
for questionnaire
Develop
questionnaire
to cover key
topics
Benefits
Agree
questionnaire
with
management
Facilitate workshop utilising
voting technology
(anonymous voting)
In-depth analysis
of the results and
identification of
key themes
Facilitate
discussions to
achieve a
consensus on risk
preferences
Identify areas
to refine risk
appetite
statements
•
Improved understanding of risk
appetite and risk preferences
across the organisation
•
Explicit identification of nonnegotiable risk areas
•
Consistent view on risk
preferences
•
Refined risk appetite statements
•
Consistent communication on
risk
19
Illustrative Risk Appetite Statements by Risk Type
Risk Type
Risk Appetite Statements
Strategic /
Reputational
1.
2.
We will not accept more than X% earnings volatility
We will maintain capital ratio(s) of X% > [RBC/EcCap and regulatory capital measure(s)]
1.
2.
We will not accept net expected credit losses greater than $X million
The average credit score for new borrowers will not drop below X for consumer
and X for commercial
No greater than X % concentration in (single name, sector, geography, customer
segment, etc.)
Credit
3.
1.
Operational
2.
3.
Market / Interest
Liquidity
Compliance
We will not accept operational losses, including fraud events, to exceed X % of
annual revenues
All loss events in excess of $X will be reported and escalated in line with ORM
policies and guidelines
Fraud to sales ratio for consumer credit products will not exceed X%
1.
2.
Daily VaR will not exceed $X of portfolio
We will not accept net interest income or economic value of equity stress
changes greater than $X
1.
We will maintain liquidity coverage ratios of X (based on survival horizon, stress
scenario, etc.)
1.
We have no tolerance for regulatory breaches and promote compliance as part of
our culture through a robust framework and supporting measures
Tolerances
Quantitative metrics used
to specify the maximum
level of risk a Company is
willing to take by risk
category contained partially
in the Risk Committee risk
reporting package.
These should be supportive
of any risk appetite
statements and allow for
monitoring by the Board,
Risk Committee, Senior
Management and Risk
organization.
Target
The more detailed targets
(optimum level of risk
taken, aligned to expected
returns) and limit
thresholds set for
monitoring tolerances and
escalation are also partially
contained in the Risk
Committee risk reporting
package and other
business lines reports
20
Board Agenda
Overall risk capacity
• Needs to be informed by
view of when the FI
would become unviableeg below A- rating
• Stakeholder expectations
Risk Appetite
• Needs to consider wider
objectives
• But be informed by
current stress testing
results. Implications of
strategy
Consider appetite across
different businesses or
countries and risk types
• The board may have
more tolerance for risk in
core home market
• Core risk types
21
22
In theory, this would be achieved by cascading risk
appetite and tolerance to the limits…
Risk Appetite
Allocate appetite to individual risks
Risk Tolerance
Credit
Risk Tolerance
Market
Risk Tolerance
Volumetric
Risk Tolerance
Operational
Feedback Limits
Allocate Appetite
Risk Target
Market
Transaction
Limit
VaR Limit
Duration and
Tenor Limits
23
In practice, this is more often achieved by establishing risk
appetite and tolerance and comparing existing limits to
the risk target…
Risk Appetite
Allocate appetite to individual risks
Risk Tolerance
Volumetric
Risk Tolerance
Operational
Risk Target
Market
Compare Individual Market Risk
Limits to Risk Target
Transaction
Limit
VaR Limit
Duration and
Tenor Limits
Validate Limits
Risk Tolerance
Market
Allocate Appetite
Risk Tolerance
Credit
24
Risk Appetite Reference Material – Risk Appetite
Statements: What works and what doesn’t

Focus on the key inherent risks at entity and business
unit level

Trying to manage all the risks of the entity – can’t see
the wood for the trees


A consistent taxonomy used enterprise-wide

Lack of understanding of how statement will manage
risk


No clear link between statement and metrics






Reporting not tailored to recipients






Understand the drivers of the risks including Risk
Culture
Base statements on these key risks
Reliable, good quality, and timely data that can be
readily sourced.
Ownership by the board of risk appetite
Appetite statements cascade through the business
Targeted reporting at a meaningful level
Use of Risk Appetite metrics that are easily
measurable and sustainable


Use of existing data sources

Linking incentives to Operational Risk Appetite
statements as part of balanced scorecard
Unclear what the appetite statement means – how
does is affect the business?
Relying on metrics alone
No use of appetite for decision making in the business
Focus on residual risks or known issues
Manually intensive metrics to measure against appetite
Complex statements
Consistent, periodic monitoring and reporting of risk
measures against risk appetite
26
Key components of a risk appetite framework
St rat egy and business
object ives
Risk capacit y
Business forecast ing
1
Enterprise risk appetite
Establish
and
articulate
Market /
Int erest
Operat ional
Liquidit y
St rat egic /
Reput at ional
Ot hers
4
Tolerance & Target s
2
Tolerance & Target s
Credit
Approved and overseen by Board
Set and monit ored by Senior Management
Report,
escalate
and action
Cascade
Business line limit s
Business line limit s
Business line limit s
Operat ing paramet ers /
met rics
Operat ing paramet ers /
met rics
Operat ing paramet ers /
met rics
3
Manage and monit or
28
Link between aggregate risk within countries and the
control environment
Emerging practice shows that banks are starting to look at country and operational risk together and considering the cost of controls when making strategic decisions.
We are working with a major international bank regarding overall country limits which reflect credit and operational risk in the country.
Country risk
Low
Low
High
G10+
BRICs
ROW
UN sanctioned
Controls necessary for
effective risk management
increase as country and
activity risk increase
No-go
Third party
exposure
Trade finance
►
The approach limits
different activities
given the potential
operational skills in
the country
►
The greater risk the
more vanilla the
product
Activity risk
Transaction
services
High
Long term
lending
The risk appetite can set out willingness to deal with particular types of country and set out the dimensions to any limit structure e.g., does it cover non-nationals with
exposures to the country or just nationals?
The risk appetite should also consider the necessary controls – i.e., that the risk per market per product would be managed by having all appropriate control structures in
place.
29