implementing robust risk
appetite frameworks to
strengthen financial institutions
June 2011
implementing robust risk
appetite frameworks to
strengthen financial institutions
June 2011
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
ii
The financial crisis demonstrated clearly that an effective risk appetite
framework (RAF) is a crucial component of sound enterprise-wide risk
management. Accordingly, both the financial services industry and the
regulatory community are devoting a great deal of attention to this
essential governance tool.
The Board of Directors of the IIF and the Steering
Committee on Implementation (SCI) are pleased to present
this Report to the international financial community. As is
clear from the Report and its annexes, there is widespread
recognition of the intrinsic importance of developing
and implementing robust risk appetite frameworks, and
tangible progress is being made in this by a number of firms.
However, despite solid motivation to get this right, the
challenges are complex and this is still very much ‘work in
progress’ for many.
This Report highlights a number of the specific challenges
faced by the industry in the implementation of sound
RAFs. Drawing on real-life case studies, the results of a
comprehensive industry survey and in-depth interviews,
the Report brings industry expertise and experience to bear
on examining how these challenges have been successfully
addressed in a number of leading firms. In doing so, the
report seeks to identify emerging sound practice as it
applies to the key stages in the journey towards establishing
a sound risk appetite framework.
to highlighting emerging good practice this Report is also
offered as the basis for a constructive dialogue with the
global supervisory community on this important issue.
The Institute is grateful to member firms for the
commitment of time and resources in developing this
Report, in particular the members of the IIF Working Group
on Risk Appetite, as well as those firms contributing specific
case-studies. We are extremely grateful to the co-Chairs
of the Working Group, Mark Lawrence, Managing Director,
Mark Lawrence Group and Kevin Nye, Sr. Vice-President,
Royal Bank of Canada for leading the enormous amount of
work that has gone into the production of this Report. In
addition, our special gratitude goes to Ernst & Young and
PwC for their contribution in analyzing the survey data (and
subsequent comments) and identifying themes and insights
from it.
The lists of IIF Board of Directors, the membership of the
SCI, and Risk Appetite Working Group members are included
in the Report.
The key objective of this Report is to offer insights and
specific practical recommendations for the different
stakeholders involved in designing and implementing a
robust and meaningful risk appetite framework. In addition
Josef Ackermann
Rick Waugh
Chairman of the IIF Board
Chairman of the Management Board
and the Group Executive Committee,
Deutsche Bank AG
Member of the IIF Board
President and Chief Executive Officer
Scotiabank
Klaus-Peter Müller
Charles Dallara
Member of the IIF Board
Chairman of the Supervisory Board
Commerzbank AG
Managing Director
Institute of International Finance
Contents
1
IIF Board of Directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
IIF Steering Committee on Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
IIF Risk Appetite Working Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Section 1 - Principal Findings from the Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Section 2 - Key Outstanding Challenges in Implementing Risk Appetite Frameworks . . . . . . . . . . . . . . . . . . 20
Section 3 - Emerging Sound Practices in Overcoming the Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Section 4 - Recommendations for Firms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Section 5 - Implications for Supervisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Annex I: Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Royal Bank of Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
National Australia Bank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Scotiabank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Commonwealth Bank of Australia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Annex II: Summary of the Responses to the Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
institute of international finance
|
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
IIF BOARD OF DIRECTORS
2
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
Chairman
Josef Ackermann*
Chairman of the Management Board and
the Group Executive Committee
Deutsche Bank AG
Vice Chairman
Roberto E. Setubal*
Vice Chairman
Francisco González*
Vice Chairman
Rick Waugh*
President and Chief Executive Officer,
Itaú Unibanco S/A and
Vice Chairman of the Board of
Itaú Unibanco Holding S/A
Chairman and Chief Executive Officer
BBVA
President and Chief Executive Officer
Scotiabank
Treasurer
Marcus Wallenberg*
Chairman of the Board
SEB
Ms. Suzan Sabanci Dincer
Chairman and Executive Board Member
Akbank T.A.S.
Mr. Baudouin Prot*
Chief Executive Officer
BNP Paribas
Mr. Yannis S. Costopoulos*
Chairman of the Board of Directors
Alpha Bank A.E.
Mr. Robert P. Kelly*
Chairman and Chief Executive Officer
BNY Mellon
Mr. Peter Wallison
Senior Fellow
Financial Policy Studies
American Enterprise Institute
Mr. Vikram Pandit
Chief Executive Officer
Citigroup, Inc.
Mr. Hassan El Sayed Abdalla
Vice Chairman and Managing Director
Arab African International Bank
Mr. Michael Smith
Chief Executive Officer
Australia and New Zealand Banking Group Limited
Mr. Walter Bayly
Chief Executive Officer
Banco de Crédito del Perú (BCP)
Mr. Martin Blessing
Chairman of the Board of Managing Directors
Commerzbank AG
Mr. Urs Rohner
Chairman of the Board of Directors
Credit Suisse Group AG
Mr. Andreas Treichl
Chairman of the Management Board and Chief Executive
Officer
Erste Group Bank AG
Mr. Douglas Flint
Group Chairman
HSBC Holdings PLC
Mr. James Gorman
President and Chief Executive Officer
Morgan Stanley
Mr. K. Vaman Kamath
Chairman of the Board
ICICI Bank Ltd.
Mr. Ibrahim S. Dabdoub
Group Chief Executive Officer
National Bank of Kuwait
Mr. Jiang Jianqing
Chairman of the Board of Directors and President
Industrial and Commercial Bank of China
Mr. Frédéric Oudéa
Chairman and Chief Executive Officer
Société Générale
Mr. Jan Hommen
Chairman of the Executive Board
ING Group
Mr. Peter Sands
Group Chief Executive
Standard Chartered, PLC
Mr. Charles H. Dallara (ex officio)*
Managing Director
Institute of International Finance
Mr. Walter B. Kielholz
Chairman of the Board of Directors
Swiss Reinsurance Company Ltd.
Mr. Corrado Passera
Managing Director and Chief Executive Officer
Intesa Sanpaolo S.p.A.
Mr. Nobuo Kuroyanagi*
Chairman
The Bank of Tokyo-Mitsubishi UFJ, Ltd.
Mr. Jes Staley
Chief Executive Officer
Investment Bank
J.P. Morgan Chase & Co.
Mr. Oswald Gruebel
Group Chief Executive Officer
UBS AG
Mr. Yoon-dae Euh
Chairman
KB Financial Group Inc.
Mr. Martin Senn
Chief Executive Officer
Zurich Financial Services
*Member of the Administrative and Nominations Committee
3
|
Mr. Yasuhiro Sato
President and Chief Executive Officer
Mizuho Corporate Bank, Ltd.
institute of international finance
Mr. Gary D. Cohn
President and Chief Operating Officer
Goldman, Sachs & Co.
IIF steering committee on implementation
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
4
Chairmen
Mr. Richard Waugh
Mr. Klaus-Peter Müller
President and Chief Executive Officer
Scotiabank
Chairman of the Supervisory Board
Commerzbank AG
Mr. Kevin Garvey
Head of Group Credit Review & Reporting
AIB Group
Mr. Brian Rogan
Vice Chairman and Chief Risk Officer
BNY Mellon
Mr. Edward Murray
Partner
Allen & Overy LLP
Mr. James Garnett
Head of Risk Architecture
Citi
Mr. Roberto Sobral Hollander
Director
Dep. Gestao de Riscos e Compliance
Banco Bradesco
Mr. Edward Greene
Partner
Cleary Gottlieb Steen & Hamilton LLP
Ms. Barbara Frohn Verheij
Managing Director
Banco Santander
Mr. Alex Wolff
Head, Risk Strategy
Bank of Ireland
Mr. Robert Pitfield
Group Head, Chief Risk Officer
Bank of Nova Scotia
Mr. Desmond McNamara
Managing Director Capital & Analytics
Group Risk
Barclays PLC
Mrs. Mayte Ledo Turiel
Chief Economist
Chief Economist for Economic, Financial Scenarios and
Regulation
BBVA
Mr. Christian Lajoie
Head of Group Prudential Affairs / Co-Head of Group
Prudential and Public Affairs
BNP Paribas
Mr. Christian Wältermann
Director
Group Risk Management and Market Risk Operations
Commerzbank AG
Mr. Andreas Blatt
Head Risk IT
CRO IT
Credit Suisse
Mr. Tonny Andersen
Member of the Board & Head of Danske Bank DK
Danske Bank A/S
Mr. Andrew Procter
Global Head of Government & Regulatory Affairs
Government & Regulatory Affairs
Deutsche Bank AG
Mr. Bjørn Erik Næss
Group Executive Vice President
Group Finance and Risk Management
DnB NOR
Dr. Florian Strassberger
General Manager
Head of North America
DZ Bank
Mr. JB King
Director
Ernst & Young
Mr. Hideyuki Toriumi
Senior Manager
Basel 2 Implementation Office
Mitsubishi UFJ Financial Group, Inc.
Mr. Robin Vince
Head of Operations
Goldman Sachs & Co.
Mr. Tsuyoshi Monri
President and CEO
Mizuho Corporate Bank (USA)
Mr. Rakesh Jha
Deputy CFO
ICICI Bank
Mr. Naoaki Chisaka
Vice President
Corporate Planning Division
Mizuho Financial Group, Inc.
Mr. Alex Van der Laan
Head of Credit Capitals
ING Group
Mr. Mauro Maccarinelli
Head of Market Risk Management
Risk Management Department
Intesa Sanpaolo S.p.A
Mr. Adam Gilbert
Managing Director
Regulatory Policy
JPMorgan Chase
Dr. Mark Lawrence
Managing Director
Mark Lawrence Group
Dr. Philipp Härle
Director
McKinsey & Company
Mr. Fernando Figueredo Marquez
Global Chief Risk Officer
Global Risk Management
Mercantil Servicios Financieros
Mr. Akihiro Kitano
Senior Manager
Basel 2 Implementation Office
Mitsubishi UFJ Financial Group, Inc.
Mr. Kenji Fujii
Joint Head of Global Risk Management Group
Global Risk Management
Mizuho Securities Co., Ltd.
Ms. Jane Carlin
Managing Director
Morgan Stanley
Mr. Paul Mylonas
General Manager of Strategy and Governance, Chief
Economist of the Group, and Secretary of the Executive
Committee
National Bank of Greece
Mr. Parkson Cheong
General Manager and Group Chief Risk Officer
Group Risk Management
National Bank of Kuwait S.A.K.
Mr. Scott McDonald
Managing Partner
Financial Services
Oliver Wyman
Ms. Monika Mars
Director
Financial Services
PricewaterhouseCoopers AG
5
|
Mr. Masao Hasegawa
Managing Director , CRO, & CCO
Mitsubishi UFJ Financial Group, Inc
institute of international finance
Ms. Patricia Jackson
Partner
FS Risk
Ernst & Young
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
6
Mr. Morten Friis
Chief Risk Officer
Royal Bank of Canada
Mr. Nobuaki Kurumatani
Managing Director
Sumitomo Mitsui Banking Corporation
Mr. Nathan Bostock
Head of Restructuring and Risk
Royal Bank of Scotland
Mr. Philippe Brahin
Director
Risk Management
Swiss Reinsurance Company Ltd
Mr. John Cummins
Group Treasurer
Royal Bank of Scotland
Mr. Steven Oon
Head of Firm Wide Risk Management
Royal Bank of Scotland
Mr. Pierre Mina
Head of Group Regulation Coordination
DGLE/CRG
Société Générale
Mr. Clifford Griep
Executive Managing Director, Risk & Policy Officer
Ratings Group
Standard & Poor’s
Mr. Paul Smith
Group Chief Risk Officer
Group Risk
Standard Bank of South Africa
Mr. Robert Scanlon
Group Chief Credit Officer
Risk
Standard Chartered Bank
Ms. Ozlem Oner Ernart
Manager
Risk Management - Credit & Subsidiaries Risk
T.Garanti Bankasi
Mr. Takashi Oyama
Counsellor on Global Strategy to President and the Board of
Directors
The Norinchukin Bank
Mr. Richard Metcalf
Managing Director and Group Risk Chief Operating Officer
UBS AG
Mr. Sergio Lugaresi
Senior Vice President Head of Regulatory Affairs
Institutional and Regulatory Strategic Advisory
UniCredit Group
Dr. Peter Buomberger
Group Head of Government and Industry Affairs
Zurich Financial Services
IIF risk appetite Working Group
7
Dr. Mark Lawrence
Mr. Kevin Nye
Managing Director
Mark Lawrence Group
Senior Vice President
Enterprise Risk, Group Risk Management
Royal Bank of Canada
Ms. Tamara van den Broek
ABN AMRO
Ms. Barbara Frohn Verheij
Managing Director
Banco Santander
Mr. Alex Wolff
Head, Risk Strategy
Bank of Ireland
Ms. Joan Mohammed
SVP, Central Risk Group
Bank of Montreal
Ms. Jennifer Moore
Senior Manager
Bank of Montreal
Mr. Lawrence Uhlick
Chairman
BBVA Compass
Mr. Thomas Flynn
Chief Financial Officer
BMO Financial Group
Ms. Anne-Charlotte Charpentier
Deputy Head - Risk Appetite Coordination
Group Risk Management - Strategic Risk Analysis
BNP Paribas
Mr. Fredi Rüdisühli
Director, Management Support CRO
Credit Suisse
Mr. Peter Rostrup-Nielsen
Chief Risk Officer
Group Risk
Danske Bank
Mr. Stuart Lewis
Deputy Chief Risk Officer
Legal Risk & Capital
Deutsche Bank AG
Mr. Andrew Procter
Global Head of Government & Regulatory Affairs
Government & Regulatory Affairs
Deutsche Bank AG
Mr. Nick Stone
Government & Regulatory Affairs
Deutsche Bank AG
Mr. Andrew Duff
Manager
Financial Services Risk Management Advisory
Ernst & Young
Mr. Robert Berry
Chief Market Risk Officer
Goldman Sachs & Co.
Mr. Javier Torres
Subdirector General Adjunto
Internal Validation and Integral Risk Control - Risk Division
Grupo Santander
Mr. Peter Lindfelt
Senior Vice President
Handelsbanken
Mr. David McDonald
Head of Economic Capital
HSBC Holdings PLC
Mr. Alan Smith
Global Head of Risk Strategy
Global Risk
HSBC Holdings PLC
institute of international finance
|
Chairmen
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
8
Mr. G Srinivas
General Manager
Global Risk Management Group
ICICI Bank
Mr. Kouhei Kuroda
General Manager
Risk Management
Mizuho Financial Group, Inc.
Mr. Koos Timmermans
Member of the Executive Board and CRO
ING Group
Mr. Kenji Fujii
Executive Officer, Head of Global Risk Management Group
Mizuho Securities Co., Ltd.
Mr. Rodrigo Couto
Superintendent
Integrated Risk Management
Itaú Unibanco S/A
Mr. Robert Armstrong
General Manager Credit Strategy
National Australia Bank Ltd.
Dr. Sérgio Werlang
Executive Vice President
Risk and Financial Control
Itaú Unibanco S/A
Mrs. Robin Doyle
Sr. Vice President, LOB CFO
J.P. Morgan Chase & Co.
Mr. Alastair Holmes
Head of Group Retail Credit
Group Risk
Lloyds TSB Bank Plc
Mr. Fernando Figueredo Marquez
Global Chief Risk Officer
Global Risk Management
Mercantil Servicios Financieros
Mr. Hiroaki Demizu
Chief Manager of BASEL3, Corporate Planning Division
BASEL3 implementation project
Mitsubishi UFJ Financial Group, Inc.
Mr. Akihiro Kitano
Senior Manager
Basel 2 Implementation Office
Mitsubishi UFJ Financial Group, Inc.
Mr. Naoaki Chisaka
Vice President
Corporate Planning Division
Mizuho Financial Group, Inc.
Mr. Shaun Dooley
Group Chief Credit Officer
Risk
National Australia Bank Ltd.
Mr. Richard Barfield
Director
PricewaterhouseCoopers LLP
Mr. David Stephen
Deputy Chief Risk Officer
Risk Management
Royal Bank of Scotland
Mr. Ross Anderson
Director
Government Affairs
Scotiabank
Mr. Victor Gomez
Manager, Financial Sector Policy
Public, Corporate & Government Affairs
Scotiabank
Mr. Sean McGuckin
Senior Vice President & Head, Risk Policy & Capital Markets
Global Risk Management
Scotiabank
Mr. Robert Scanlon
Group Chief Credit Officer
Risk
Standard Chartered Bank
Mr. Eric Reiner
Managing Director
Firm-wide Risk Control and Methodology
UBS
Mr. Darryll Hendricks
Managing Director
Global Head, Risk Methodology
UBS AG
Mr. Edmund Bosworth
Head of Risk Reward
Group Finance
Westpac Banking Corporation
9
|
Mr. Michael Astrinos
Associate Director, Risk-Reward
Group Finance
Westpac Banking Corporation
institute of international finance
Mr. Robert Stribling
Group Chief Risk Officer
Suncorp
Executive Summary
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
10
1.
A clearly articulated statement of risk appetite and
the use of a well-designed risk appetite framework
to underpin decision-making are essential to
the successful management of risk. The recent
financial crisis has shown that an effective risk
appetite framework (RAF) is a key governance tool
and a crucial component of sound enterprise-wide
risk management.
2.Establishing an effective risk appetite framework
is a challenging but essential component of good
risk management and continues to receive a
great deal of attention from both the financial
services industry and the regulatory community.
The Senior Supervisors Group (SSG), in its
analysis of the risk management implications
of the global banking crisis of 2008, focused
extensively on risk appetite issues. Their 2009
report, Risk Management Lessons from the Global
Banking Crisis of 2008, highlighted a number of
deficiencies in the way the Industry in general
was approaching this subject. The SSG cited
the importance of the involvement of Boards
and senior management in the articulation and
implementation of risk appetite and observed
that the Industry needs to continue working to
make risk appetite statements much more robust
to encompass a suitably wide range of measures
and actionable elements. There is broad agreement
across the Industry with these major findings.
In December 2010, the SSG elaborated further
on this subject in its report, Observations on
Developments in Risk Appetite Frameworks and IT
Infrastructure.
3.The IIF’s Steering Committee on Implementation
(SCI) has sought to identify and analyze important
areas of weakness in Industry risk management
practices as well as to promote sound practices
aimed at remedying them. The SCI established a
Working Group on Risk Appetite (WGRA) in mid2010 with the following objectives:
• To assess and evaluate current Industry
practices in the area of risk appetite.
• To identify the key stages and the technical
and management challenges in the journey
toward setting—and monitoring adherence
to—appropriate boundaries for risk, within a
sound risk appetite framework.
• To bring Industry expertise and sound practices
to bear on examining how these challenges
have been addressed in leading firms (including
the analysis of real-life case studies).
• To develop specific practical recommendations
for firms to address the challenges of
implementing a robust and meaningful risk
appetite framework.
4.
For the purposes of this report, the following
definition of “risk appetite”—first set out in
the IIF’s December 2009 report Reform in the
Financial Services Industry: Strengthening
Practices for a More Stable System —is used
(although financial firms use a variety of similar
definitions): Risk appetite is the amount and
type of risk that a company is able and willing to
accept in pursuit of its business objectives. Risk
appetite in this sense is linked to but conceptually
separate from “risk capacity,” which is the
maximum amount of risk a firm is technically
able to assume given its capital base, liquidity,
borrowing capacity, and regulatory constraints.
It is also distinct from but related to the existing
levels of risk being run by a firm. It is obviously
essential to ensure that a firm’s risk appetite is
defined in such a way as to ensure that it does not
exceed the firm’s risk capacity.
5.The WGRA has sought to address these objectives
through a global survey of the progress made by
firms in implementing risk appetite and in-depth
interviews and the creation of a number of case
studies. Responses to the survey were sought from
a diverse cross-section of senior roles in firms,
including Board members, senior management,
and risk officers, all of whom provided a variety
of perspectives on the development of RAFs within
their organizations.
6.This report from the WGRA includes a combination
of findings and, more important, a number
of practical recommendations as to how to
implement a robust and meaningful risk appetite
framework. Some of the findings with respect to
the key challenges that firms face in establishing
8.
A number of participating firms report substantial
progress in the creation of risk appetite
frameworks, and they report seeing tangible
benefits. However, the financial services industry
as a whole is still at the early stages of what needs
to be seen as a journey. It is doubtful whether
any single firm has fully completed that journey,
and the identification of a comprehensive set of
industry-wide sound practices is still some way
off. This report nevertheless contains a number
of valuable insights and proven techniques for
enhancing risk appetite practices.
9.The following key issues and emerging sound
practices are detailed within this report:
• A strong risk culture1 is a prerequisite to
eventually putting in place an effective
RAF, and is also itself reinforced by the
introduction of such a framework. Firms with
demonstrably robust risk cultures that support
“tone from the top” are best equipped to
build engagement and put in place effective
structures. One important implication of this
is that an RAF should not be seen as a discrete
set of mechanisms or processes, but rather as
something inextricably linked to a wider set of
issues that govern a firm’s risk culture.
• It is essential that the determination of risk
appetite is inextricably linked to strategy
development and business plans, otherwise
the two will rapidly come into conflict,
creating significant tensions, and the conduct
of business activities may lead to risk outcomes
that, in aggregate, are outside acceptable
1
• RAFs call for the use of extensive judgment
on the part of Boards and management, in
terms of where to begin, where to focus,
and how to engage business leaders. Diverse
risk cultures and business models, as well as
differing degrees of complexity, mean that this
is definitely an area in which one size does not
fit all. While some convergence of practices
can be expected to emerge over time, diversity
of approaches among firms with different
business models and risk profiles is inevitable,
legitimate, and desirable.
• A risk appetite framework provides a context
for such traditional risk management tools
as risk policies, limits, and management
information based on clear risk metrics.
An RAF should never aim to supplant these
but can provide the framework within which
conventional controls operate and can promote
a better understanding and acceptance of their
rationale and importance.
• Developing a risk appetite framework requires
significant time and intellectual resources.
The firms that have made the most progress
report a substantial element of “learning by
doing” in an iterative manner over time, and
that ongoing dialogue and communication at
all levels of the firm have been crucial in this
process. Risk appetite cannot be implemented
through top-down decrees, but instead needs
to be embraced and understood throughout a
firm. Business leaders need to be given time to
define and embed the concepts of risk appetite
into their decision-making processes, and this
engagement takes time to evolve and mature.
For this reason, the creation and evolution of
a strong risk appetite framework is a multiyear
journey—results do not appear instantly.
• An important implication of the above is
that, in assessing firms’ commitment to, and
progress in, the implementation of a risk
appetite framework, it is not possible to look
The strong link between risk culture and the risk appetite framework also was highlighted in the December 2009 IIF report, Reform in the Financial
Services Industry: Strengthening Practices for a More Stable System, in which the following generic definition was provided: “Risk culture can be
defined as the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify,
understand, discuss, and act on the risks the organization confronts and the risks it takes.”
11
|
7.The case studies in Annex I cover the
development of RAFs at National Australia
Bank, Commonwealth Bank of Australia, Royal
Bank of Canada, and Scotiabank. While none of
these firms would claim to have completed the
process, all report that they have made significant
progress in implementing effective RAFs. In these
case studies, the contributing banks share the
approaches they have taken to overcoming the
challenges involved, thereby providing valuable
insights into this difficult and developing area of
management and supervisory focus.
boundaries. It is important to note that our
study has shown that leading banks have
made this linkage in an effective way. Formal
involvement of the risk management function
in the strategy and business planning processes
has resulted in great benefits, which are evident
in some of the case studies supplied.
institute of international finance
a risk appetite framework are not necessarily
new. However, the report provides new insights
and value through its practical recommendations
regarding how to address the challenges.
at a simple and uniform set of indicators.
Supervisors and internal stakeholders
are encouraged to take a broad and
multidimensional view in making assessments
in this area.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
12
• Clarity regarding the ownership of risk is
essential. To ensure the broad congruence of
business and risk decisions and the overall,
enterprise-wide risk appetite, business heads
should have visible ownership of risk in their
areas and incorporate risk explicitly in their
business planning. In fact, responsibility for the
articulation and management of risk appetite
within the businesses needs to reside firmly
and clearly with business unit leaders—not with
their embedded risk management staff—along
with the ownership of the actual risks in the
businesses. The risk management function
should own the overall RAF, serve in an
advisory capacity, and lead the interface with
the Board on risk appetite.
• Communication is a key enabler, both in
the development of an effective RAF and
in its effective operation. Regular dialogue
about risk appetite and evolving risk profiles
needs to occur among the Board, senior
management, the risk management function,
and the businesses. This dialogue needs to
encompass the development and evolution of
the framework itself as well as the risks that
are being taken throughout the businesses
and the extent to which these (individually
and collectively) conform to the overall risk
appetite. There is also significant value to be
gained from communicating risk principles to
broad employee audiences. The promulgation
of agreed-upon key risk appetite themes needs
to come from the top, and professionals within
the risk management function can also act on
opportunities to illustrate risk principles and
explain and motivate the boundaries of risk
appetite in day-to-day interactions with frontline staff.
• Firms that report the most progress in
risk appetite practices benefit from strong
collaboration among their risk management,
finance, and strategy functions. Such
collaboration is fundamentally required during
the development of statements of risk appetite
and the design of a risk appetite framework,
but it is equally important in the day-today operation of an RAF. While the Board
has final responsibility for risk matters, this
is emphatically not about the Board making
decisions about risk in isolation that are then
handed down as instructions to the businesses.
Rather, it is about developing an iterative and
collaborative process for creating a framework
and shared understanding about the boundaries
of acceptable risk—both individually and in
aggregate—that forms the basis of continuous
dialogue and decision-making about preferred
risk/return tradeoffs at all levels in a firm.
• Stress and scenario testing are important
components of a risk appetite framework.
Specifically, consciously constraining aggregate
risks in advance in such a way as to ensure a
firm’s survival under severe macroeconomic,
market and liquidity stress scenarios is at the
heart of setting risk appetite appropriately. The
choice of stress scenarios needs to balance the
need to focus attention on severe outcomes
while not placing impossible requirements
on the businesses. This is a very important
element of management and Board judgment,
along with assessing the results of the stress
tests and deciding on business and strategic
adjustments that may be necessary to ensure
that plausible losses under severe scenarios
would be held to acceptable levels within the
risk appetite framework. The individual stress
and scenario testing capabilities of firms vary
widely today, and our work has shown that
firms are currently taking diverse approaches
to using these tools for determining risk
appetite. Specifically, some firms are using
extensive stress and scenario testing in a very
fundamental way in the determination of
their risk appetite, whereas others are using
these tests only to “sense-check” their overall
risk appetite, or (in some cases) not at all.
Consequently, this is a challenging area in which
Industry practices are still evolving and further
guidance is needed, but there is agreement that
stress testing results need to be incorporated
into the determination of aggregate risk
appetite in a very fundamental way.
10.The report concludes with a set of implications
and recommendations for Board directors, senior
management, risk management, and supervisors—
the most important of which include these:
• Board directors should set the framework for
risk appetite and put into place mechanisms
to ensure that decision-making will be
consistently and transparently guided by it.
But this is only the beginning of the process.
Effective RAFs involve a highly iterative
approach, with ongoing discussions of
• The risk management function needs to
be actively involved at all levels of the
development of the RAF and its operation. In
its advisory capacity, this function adds value
by being a catalyst for effective conversations
with business leaders about risk and reward.
It also is critical that risk management also
develop supporting risk frameworks, policies,
and reporting capabilities that enable business
leaders to own and enhance their RAFs.
11.The results of this study show that demonstrable,
tangible progress is being made in many areas
of risk appetite by leading firms. However, the
challenges are complex, and the financial
services industry as a whole has a long way to
go in the implementation of effective RAFs. The
development and implementation of RAFs is still
very much a work in progress for most firms,
and the gap between emerging leading practices
and standard Industry practices is likely to be
substantial for some time. The WGRA is confident
that this report contains valuable insights and
guidance for the various stakeholders involved,
including supervisors. As such, it will support the
Industry’s efforts to understand and implement
effective risk appetite frameworks as a cornerstone
of effective risk management.
13
|
• Senior management should provide visible
support and own the development of the
RAF. Behaviors need to be continually and
transparently consistent with the risk appetite
principles that have been enunciated at the top.
Business leaders need to articulate risk appetite
in ways that are both tailored to their business
strategies and operations and consistent with
the enterprise-wide RAF, and they need to
establish appropriate controls and reporting to
manage risk.
• Supervisors are encouraged to take a broad
perspective when forming views regarding
firms’ commitment to, and progress in, the
implementation of RAFs. The process is
complex and time consuming, and it touches
fundamentally on culture and behaviors in
organizations. Assessments of commitment
and success need to reflect this complexity.
Successful outcomes are not reflected in the
creation of ever more granular limit structures,
and no single set of indicators or checklists can
capture individual firms’ progress in this area.
institute of international finance
risk involving senior management and the
businesses, and must be rooted in a strong
risk culture. Engagement and challenge by
the Board are key to achieving the right
balance between rigidity and flexibility in the
risk appetite framework; this is necessary if
the framework is to be both workable and a
meaningful source of discipline.
Introduction
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
14
12.One of the key lessons of the financial crisis
was that some firms took more risk in aggregate
than they were able to bear given their capital,
liquidity, and risk management capabilities, and
some took risks that their management and Boards
did not properly understand or control. Indeed, in
its October 2009 report, Risk Management Lessons
from the Global Banking Crisis of 2008, the
Senior Supervisors Group (SSG) highlighted major
governance challenges at the 20 largest banks in
the most-affected jurisdictions, in particular “the
unwillingness or inability of Boards of Directors
and senior managers to articulate, measure and
adhere to a level of risk acceptable to the firm.”
The SSG concluded that “a key weakness in
governance stemmed from … a disparity between
the risks that their firms took and those that their
Boards of Directors perceived the firms to be
taking.” Put simply, Boards did not understand
well enough, or properly control in advance,
the risks that their firms were taking. These
conclusions are not disputed by the Industry.
13.Three years after the crisis, largely as a
consequence of these conclusions, there is now
consensus between supervisors and the Industry
that a clearly articulated statement of risk appetite
and the use of a well-designed risk appetite
framework to underpin decision-making are
essential to the successful management of risk.
Taken together, such a statement and framework
provide clear direction for the enterprise and
ensure alignment of expectations among the
Board, senior management, the risk management
function, supervisory bodies, and shareholders.
In combination with a strong risk culture, they
provide the cornerstone for building the effective
enterprise-wide risk management framework that
is essential to the long-term stability of a firm.
14. In 2008 the Institute of International Finance
formed a high-level Committee on Market Best
Practices (CMBP) to draw key lessons for the
financial services industry from the global
financial crisis that was unfolding at that time.
The CMBP issued a report containing a number
of key principles and recommendations for the
Industry, focusing on areas such as governance,
risk management, and transparency. The core
purpose of these recommendations was to
promote much more robust risk management and
governance frameworks in financial institutions.
15.Early in the discussion and analytical process
that led to the final CMBP report, IIF members
identified risk appetite as being of fundamental
importance. The CMBP report defined risk appetite
as “a firm’s view on how strategic risk taking can
help achieve business objectives while respecting
constraints to which the organization is subject.”
A key finding of the CMBP was that putting in
place a robust risk appetite framework constitutes
an essential component of adequate risk
management. The CMBP elaborated on a number
of aspects regarding risk appetite, including the
high-level governance aspects of defining and
implementing a risk appetite framework.
16. In 2009 the IIF, recognizing the need to
actively promote the implementation of the
CMBP recommendations, established a Steering
Committee on Implementation (SCI). This
committee was charged with steering the IIF’s
efforts on further analysis of key risk management
implications of the crisis as well as tracking IIF
members’ efforts in revising their practices and
implementing Industry practices recommendations.
In December 2009 the SCI issued its report,
Reform in the Financial Services Industry:
Strengthening Practices for a More Stable System,
which assessed the progress made by the Industry
in implementing and embedding revised risk
management and governance practices.
17. Among other issues, the 2009 SCI report focused
once again on risk appetite, further developing
and discussing the concept and a number of
related issues. The report also provided an
augmented definition of risk appetite as being “the
amount and type of risk that a company is able
and willing to accept in pursuit of its business
objectives.” The statement of risk appetite balances
the needs of all stakeholders by acting both as
a governor of risk and a driver of current and
future business activity. It is expressed in both
19. In December 2010, the SSG issued another
report, Observations on Developments in Risk
Appetite Frameworks and IT Infrastructure, which
elaborated on this subject. In particular, the SSG
highlighted the importance of Board and senior
management involvement in the articulation and
implementation of the risk appetite framework and
emphasized the need to embed revised practices
within firms so that such practices can be
sufficiently resilient in an increasingly competitive
environment.
20.While there is clearly a substantial amount of
ongoing work by both the Industry and the
regulatory community in the area of risk appetite
frameworks, it is widely recognized that additional
guidance would be helpful as firms continue
refining their practices and methodologies. The
reports by the IIF and the SSG, together with the
substantial experience gained by firms in the
last several years, constitute a fertile ground in
which to continue developing guidance as to how
management and Boards should confront and
resolve difficult, basic issues linked to the design
and implementation of a risk appetite framework.
21. As firms, in response to the crisis, continue to
make progress in improving their risk appetite
processes, primarily in pursuit of stronger
risk management but also to meet evolving
22. In order to organize the in-depth analysis and
discussion of risk appetite issues, assess the
Industry’s state of practice on the subject, and
learn by leveraging the experience and expertise
of a broad range of market participants, the IIF SCI
established the Working Group on Risk Appetite
(WGRA). The WGRA and the present report have
the following key objectives:
• To assess and evaluate current Industry
practices in the area of risk appetite.
• To identify the key stages and the technical
and cultural challenges in the journey toward
setting—and monitoring adherence to—
appropriate boundaries for risk, within a sound
risk appetite framework.
• To bring Industry expertise and sound practices
to bear on examining how these challenges
have been addressed, including the analysis of
real-life case studies.
• To develop specific practical recommendations
for firms to address the challenges of
implementing a robust and meaningful risk
appetite framework.
23.The WGRA has carried out an Industry survey,
group discussions, interviews, and case studies
involving a diverse sample of participants
globally. As detailed in Annex II, respondents
to the survey represented a cross-section of
geography and institutional size, all at various
stages of the implementation journey. The survey
was sent to 79 firms; 73 responses were received
from 40 firms. Although the survey responses
received were rich and comprehensive, in order
to get behind them to understand at a practical
level how challenges were overcome to enable
the sharing of good practices, multiple thematic
conference calls, as well as bilateral in-depth
discussions, were held with Industry participants
in several continents, covering the key topics and
challenges considered in Section 2. The survey
responses, conference calls, extensive bilateral
discussions, and the four case studies supplied
have provided the background for our in-depth
analysis of the current challenges facing the
Industry and a practical set of recommendations to
move forward.
15
|
18. Risk appetite has also received a great deal of
attention from the regulatory community. In
particular, the SSG—which has been the public
sector group most deeply involved in the analysis
of the risk management implications of the crisis—
has focused extensively on risk appetite issues
and related supervisory implications. Specifically,
the SSG’s 2009 report, Risk Management Lessons
from the Global Banking Crisis of 2008, identified
risk appetite as a crucial element of robust risk
management. The SSG identified a number
of deficiencies in the way the Industry was
approaching risk appetite issues, observing, for
example, that much more evidence was needed
of Board involvement in setting and monitoring
adherence to firms’ risk appetite, and that the
Industry needed to continue working to make
risk appetite statements much more robust to
encompass a suitably wide range of measures and
actionable elements.
supervisory expectations, additional guidance
should draw on lessons from firms’ experience
and from the successful practices that are being
developed globally by many in the Industry. This
can, in turn, form the basis for a constructive
dialogue with the global supervisory community.
institute of international finance
quantifiable and qualitative terms and covers all
risks.” In particular, the 2009 report set out an
analytical framework for risk appetite and outlined
a number of key issues in regard to the practical
implementation of the concept by financial firms.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
16
24. Annex I presents four highly detailed case
studies which were generously provided, upon
request, by Commonwealth Bank of Australia,
National Australia Bank, Royal Bank of Canada,
and Scotiabank. These case studies are intended
to complement the evidence gathered through
the survey and the WGRA discussions and
to provide valuable insights and “real-life”
examples of the approaches that large firms have
taken to overcoming the challenges involved in
establishing a risk appetite framework (RAF).
The case studies represent an integral part of
this report and are recommended reading as they
contain a wealth of detailed information regarding
the diversity of approaches taken, the role of
leadership and collaboration, the iterative nature
of RAF development and the influence of culture
in the risk appetite process.
Section 1 – principal findings from the
investigation
26. It is clear from the responses to the survey
and from the discussions that followed that
developing a risk appetite framework is a journey
on which the Industry finds itself in the early
stages. Although the cultural, organizational,
and technical challenges are formidable and the
majority of firms are not yet where they either
need or want to be, our investigation has shown
that a number of leading firms in the Industry
are making good progress. Evidence suggests
that there has been more progress in designing,
implementing, and embedding risk appetite
frameworks—at least in participating firms—than
has been generally realized until now.
27.The aggregate risk profiles of large financial
institutions are complex, multidimensional,
and, even where risk IT is well developed,
relatively opaque.2 Consequently, developing
a risk appetite framework requires time and
significant intellectual and financial resources.
Not surprisingly, the degree of progress varies
across participating banks, and a substantial gap
is likely to remain for some time between leadingedge practices and what is “typical.” One very
striking feature of the results of this investigation,
however, is the widespread recognition of the
intrinsic importance of risk appetite to good risk
management and the motivation to get this right.
2
29.Not only are firms at different stages of
development of their RAFs, they are also
adopting a wide range of approaches, as can
be clearly seen from the important and detailed
case studies supplied in Annex I. This reflects
differing business models, structures, and degrees
of complexity. Thus, an important finding of
our work is that one size does not fit all. While
some convergence of practices can be expected
to emerge over time, diversity of approach
is inevitable and should not be discouraged.
Supervisors need to be alert to this and avoid
insisting on formulaic solutions that may not be
aligned with business needs.
30.Despite the different stages of development of
firms’ RAFs and the multiplicity of approaches
being taken, our investigation has shown
that there is some convergence of thought
and experience around the implementation,
design, and impact of an effective risk appetite
framework. These areas of convergence include:
a.Successful implementation is highly dependent
on effective interactions among all key
stakeholders, including Board members, senior
management, the risk management function,
and the operating businesses. In a large majority
of firms, defining or setting the risk appetite is
initiated by senior management and, after an
effective challenge process, is approved by the
Board. In all cases the “tone from the top” was
essential to driving the process. It is clear that
where there is visible and continuous support
of the risk appetite concept from the Board
and senior management, the development and
implementation of the risk appetite framework
was much more effective in all respects.
The identification of sound industry practices for risk IT is the subject of a parallel IIF report: Risk IT and Operations: Strengthening Capabilities,
June 2011.
17
|
28.Where progress has been made to date, it has
been driven principally by a recognition by the
firms’ leadership of the need to strengthen risk
management and governance arrangements. It
has not typically been solely, or even primarily,
a response to specific regulatory or supervisory
requirements.
institute of international finance
25.This section outlines a number of key findings
of our work on risk appetite, the extent to which
the Industry is embracing it, and the principal
impediments to implementation. It outlines a
number of practical steps that firms have taken to
overcome the principal challenges and which form
the basis of emerging Industry sound practices in
this evolving area. In some instances the findings
of this report are not new. The survey highlights,
reinforces, or otherwise clarifies issues that the
Industry continues to struggle with and that
at times have been commented on elsewhere.
The report does, however, aim to offer valuable
insights on how many of these challenges are
being overcome.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
18
b.The in-depth discussion around the survey
results indicates quite clearly that putting in
place an effective risk appetite framework
is inextricably linked to the risk culture of
a firm. To be fully effective, the risk appetite
framework, together with an appreciation
of its benefits, needs to be disseminated
throughout the institution. Done properly,
implementation of a risk appetite framework
can act as a powerful reinforcement to a strong
risk culture in providing a coherent rationale
and consistent framework for understanding
risk at all levels. It can never substitute for
proper systems, controls, and limits, but
instead supplements and motivates these and
may even increase compliance. Firms with
strong risk cultures that provide staff with
guidance for their own behavior and what
to look for and challenge in others are much
more effective in the implementation process.
This is especially important when developing
appetite statements around those risks that are
less quantifiable (e.g., operational risk, risks
of legal or regulatory non-compliance, and
reputational risk). It is also clear that risks
cannot be completely avoided, and aspirational
statements relating to “zero tolerance” of
certain types of risk are less useful than
detailed guidance to the businesses about how
such risks should be viewed and managed.
c.While implementing an RAF is challenging,
those firms that have made progress are clear
that they see tangible benefits resulting
from their risk appetite process. While these
benefits are not always apparent at the start,
there is a high degree of consensus among
such firms that the RAF is allowing the Board
and the senior management to have a more
informed discussion of the risks in the business
plan and strategy. Firms reporting the most
progress have also established strong linkages
between risk issues and strategy, planning, and
finance—the last two of these being areas in
which risk was often not formally considered
in the past. These linkages have been put in
place at both the enterprise-wide and business
unit (BU) levels. Such processes may, at least
initially, make the resource planning cycle
longer and more complicated, but this is a
price well worth paying in return for fostering
a more robust risk culture and a stronger
awareness throughout the organization. Firms
at a more advanced stage also highlight the
benefits deriving from a stronger integration
of risk considerations into the strategic and
business plans and more effective risk/reward
decision-making across the organization. These
benefits can be clearly seen in the case studies
attached in Annex I.
d.There is a high degree of commonality around
the most relevant inputs driving the shaping
of a firm’s risk appetite. Most often used is
capital capacity, followed by budget targets,
liquidity, and other market constraints and
stress test results. Although not captured in the
survey data, several firms emphasized that a
firm’s overall strategy and financial objectives
should be considered as a key input.
e. Limits and controls have a central role in
any well-run organization, but an excessively
narrow emphasis on granular limits (or too
many of them) can provide false comfort
to management and supervisors; lead to a
mechanical, “tick-box” (or compliance-type)
approach; and detract from or undermine this
crucial dialogue. A strong RAF is much more
powerful than limits alone: staff at all levels
with any significant responsibility should know
what they need to do and why, rather than
merely follow instructions. The overwhelmingly
important conclusion from firms’ experiences
in this area is that developing an RAF is
not about putting in place “tablets of stone”
and creating and implementing a structure
of many hundreds of highly granular limits.
It is important that stakeholders, including
supervisors, should recognize this when
assessing progress in this area.
f.The survey shows that a large majority of firms
(70%) are taking a comprehensive view of all
risks across the firm, not merely focusing on
those risks that can be easily measured, and
are using a combination of quantitative and
qualitative metrics in expressing risk appetite.
This reinforces the point that risk appetite does
not mean the creation of a complex, highly
granular set of limits. That said, at this stage
in the journey the most common transmission
mechanism for communicating Board-level risk
appetite statements throughout the enterprise is
the translation into limits. This in part reflects
the quantifiable nature of some risks and
provides for clear, recognizable boundaries.
g. Stress testing and stress metrics play a role
in the risk appetite framework of almost all
respondents (only one firm stated that they are
not used). The use of stress tests varies, with
some banks putting them at the center of the
risk appetite setting process, whereas others
use stress tests primarily to “sense-check” their
appetite.
19
|
31. As noted above, the case studies in Annex I are an
essential part of this report and clearly illustrate
many of the points listed above. Additionally,
the complete summary findings and data from
the survey are appended to the main body of this
report (see Annex II).
institute of international finance
h. A large majority of those responding indicated
that risk appetite is monitored on an ongoing
basis at the group level and that a contingency
plan or escalation procedure is triggered when
a risk appetite metric is exceeded.
section 2 – Key outstanding challenges in
implementing risk appetite frameworks
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
20
32.Despite the visible progress being made by many
in the Industry in the implementation of effective
risk appetite frameworks, more needs to be done.
The survey and discussion reveal there is a degree
of commonality in the hurdles firms are facing
and the need for proven practical solutions to
these issues. Section 3 provides a number of
examples of emerging Industry sound practices
in addressing these. This section outlines the
largest challenges that are proving most difficult
to overcome. The chart below shows the most
relevant survey results in this context.
33. The link with the wider risk culture is of central
importance but is also problematic in some
firms. Broad discussion among firms reinforces
the point that without a strong risk culture
success on the risk appetite journey is extremely
difficult, if not impossible, while it is easiest to
implement an effective RAF where there is already
a strong culture around risk. However, a number
of respondents cited culture and its link to risk
appetite as being an important and difficult issue.
A strong culture implies that staff understand
what is required of them with respect to risk and
why, and where such a strong risk culture exists
it may be possible for firms to place less reliance
on narrow compliance with limits and processes.
Nevertheless, even the strongest culture needs to
be supported with good systems, controls, and
limits. It is also necessary to establish a strong
link between risk appetite and compensation. At
the simplest level this can be an assessment of
whether business results and key performance
indicators (KPIs) have been achieved by operating
within limits and in accordance with the
behaviors and culture described and embedded
within the risk appetite. Where this is not the
case remuneration incentive awards should be
moderated or adjusted accordingly.
34. Effectively cascading the risk appetite
framework throughout the firm and embedding
and integrating it into the operational decisionmaking process is clearly the largest challenge
for almost all firms. While most firms have
risk policies and risk measures in the form of
limits that can easily be cascaded through the
organization, other guidance on risk tends to be
more general and at a higher level. The linkage
0
5
Effectively cascading the risk appetite statement through the operational levels
of the organization and embedding it into operational decision making processes
15
10
How to best express risk appetite for different risk types,
some of which can be quantified in generally accepted ways,
and some of which cannot be easily quantified
Using the risk appetite framework as a dynamic tool for managing risk rather than
another way of setting limits or strengthening compliance
10
4
7
6
2
25
6
3
7
4
5
Using the risk appetite framework as a driver of strategy and business decisions
20
5
2
1
2
Achieving sufficient clarity around the concept of risk appetite and some of the
terminology used (e.g. difference between risk appetite and risk limits)
7
4
How to effectively relate risk appetite to risk culture
2
1
How to make best use of stress-testing in the risk appetite process
1
3
How to most effectively aggregate risks from different business units and/or
different risk types, for risk appetite purposes
1
3
5
5
3
3
35. The best way of expressing risk appetite in a
way that covers all relevant risks is also proving
a challenge for firms. This is particularly true
in respect to risks that are less quantifiable and
require a more qualitative approach. Once the
process moves beyond traditional credit and
market risks—where historical data is abundantly
available—to focus on reputational, strategic, and
operational risks, significant challenges remain.
However, it is widely recognized that an RAF
cannot be confined to risks that can be easily
measured. To be meaningful, risk appetite needs to
take a comprehensive view across a firm, and risk
appetite statements need to capture and include
those risks that cannot be easily quantified. The
identification and effective mitigation of such
risks is a difficult challenge that is not, of course,
confined to risk appetite. While some firms are
comfortable tracking these risks with qualitative
indicators, most are making significant efforts to
quantify such risks, through, for example, proxy
measures and use a combination of qualitative and
detailed quantitative elements in their risk appetite
statements.
37. Many firms have difficulty forging the necessary
links between risk appetite and the strategic
and business planning processes, though
leading firms have done this successfully. It is
relatively straightforward to establish an RAF in
the sense of the Board setting out a statement of
risk preferences that the business then seeks to
translate into a range of limits. There is a growing
recognition, however, that this is a very narrow
concept of risk appetite and that the establishment
of actionable guidance at the business unit level
is crucial. The traditional approach of making
high-level statements and then seeking to turn
these into a plethora of granular and not wellunderstood limits has been shown to have serious
limitations, as it tends to result in risk appetite
being seen within the businesses as a remote and
sometimes irrelevant part of the risk management
apparatus. As explained further below, risk
appetite needs to be an integral part of a business.
Its effects need to be pervasive throughout the
organization, and there needs to be a clear link
between the RAF and business decisions.
36. Some respondents are finding it difficult to shift
the perception that risk appetite is primarily
about setting limits. While limits and risk policies
are important components of an effective risk
appetite framework, the more dynamic nature
of risk appetite and its role in managing risk,
driving strategy, and optimizing return on a much
broader basis needs to be ingrained throughout the
organization. Ensuring that the RAF is positioned
and perceived internally as a dynamic tool for
shaping the risk profile of the institution, rather
than as merely a dressed-up, “grander” process for
38. Stress testing, and how it should be effectively
incorporated into the risk appetite framework,
remains an area of uncertainty and evolving
practice in the Industry. While it is widely
accepted as being a component of an effective
risk appetite framework, there is less consensus
about exactly how stress testing should be
incorporated into a framework. The use of stress
tests varies widely, with some banks putting them
at the center of the risk appetite–setting process,
even as others use stress tests primarily to sensecheck their appetite. As a general observation,
the firms that were most affected by the financial
21
|
setting limits and additional business constraints
is also an important challenge. In reality, it is
necessary to strike the right balance between a
framework on the one hand which is so rigid,
constraining and inflexible over time as to be
unable to sensibly and prudently accommodate
the evolution of the businesses and group strategy
in a timely fashion, having due regard to the risk
implications, and one on the other hand which is
excessively flexible and too easily substantially
changed from one period to the next (perhaps
in response to any number of proposed growth
initiatives), and consequently imposes insufficient
discipline on the businesses, lacks continuity,
and is difficult for all employees to understand
and embrace. Striking this balance correctly
requires careful judgment by Boards and senior
management.
institute of international finance
between high-level risk appetite principles and
the risk policies and metrics guiding day-to-day
decision-making needs further development. As
noted, firms that have been most successful in
creating an RAF to date have recognized that it
needs to pervade the organization in the sense
that risk concepts are fully understood by staff
at a range of levels and influence behavior as a
result of being internalized. The benefits of a risk
appetite framework are often much more apparent
to Board members and senior management than
they are to mid-level staff. This raises questions
of how best to train and educate staff to enable
them to perceive the benefits of the new approach
and also touches upon the desired responsibilities
of management in such training and the way
in which the new approaches can or should be
supplemented with formal controls and limits.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
22
crisis appear to be more advanced in this area,
but further guidance is required for the majority.
While an important focus of an RAF will be the
level of risk with which the Board and senior
management are comfortable during “business
as usual” conditions, it is equally important to
understand and consider the implications of
extreme but plausible scenarios on the risk profile.
The technical and methodological challenges of
stress and scenario testing are well known. In the
RAF context, Boards, senior management, and
business units need to ask how the results of stress
tests should be interpreted and what they mean
for risk profiles and preferences. One particularly
important question in this context is the extent
to which Board members and risk professionals
are equipped a) to make sense of scenarios that
have potentially very substantial impacts but
low probability and b) to push back against the
pressures from the business that are curtailing
apparently profitable lines of business.
39. A related issue is how to achieve an appropriate
aggregation at the group level of the levels of
risks for the different individual businesses
and how to establish relationships between these.
Individual business units need to have a consistent
framework for setting their own tolerances
for risk, and these need to be consistent with
the overall enterprise-wide risk appetite, both
individually and in aggregate. Although progress
has been made in this area by a number of firms,
no single approach is dominant today. There is
currently no uniform process for translating highlevel risk appetite indicators into more specific
measures, such as risk limits and tolerances,
and further work is needed in the area of risk
aggregation.
Section 3 – emerging sound practices in
overcoming the challenges
3.1 Risk Appetite and Risk Culture
41. A crucial challenge is building a strong link and
an effective interaction between culture and the
RAF. Risk culture can be defined as the norms and
traditions of behavior of individuals and of groups
within an organization that determine the way in
which they identify, understand, discuss, and act
on the risks the organization confronts and the
risks it takes.3 It is widely recognized that a strong
(or weak) risk culture manifestly and directly
impacts the risk appetite process.
42. Firms that had made the most progress in
establishing a risk appetite framework report that
there is a close and indissoluble link between
risk appetite and culture. Risk appetite is about
the organization being clear, and making clear to
others its desired level of risk. This in turn informs
the planning and risk taking decisions of the
business units. Decision-makers, while continuing
to be bound by policies and limits, have a clearer
understanding of why the policies and limits are
as they are. And to the extent that they have the
discretion and scope to exercise judgment, the risk
appetite will provide them with a lodestone that
helps to inform them in doing so.
43.Some firms have found that internal “values”
statements can be of some use in reinforcing
culture. If these are seen as self-serving and
isolated examples of “management-speak,” such
statements are likely to be counterproductive;
however, if they are part of a consistent set
of messages and behaviors that provide staff
3
44.The link with culture is therefore potentially selfreinforcing: firms with a strong risk culture find
it relatively more straightforward than others to
implement a risk appetite framework. At the same
time, an effective risk appetite framework can
consolidate and reinforce an effective risk culture
with individuals and business heads feeling
reinforced about doing the right thing. National
traditions play a part in this. Some firms from
financial centers where there is traditionally a less
direct link between profit/return and remuneration
report that risk appetite may be an easier “sell” to
staff and business heads.
This self-reinforcing link is explained by one firm in
the following way: “The adoption of a Risk Appetite
Framework did not encounter major resistance from
the organization. This is likely due to (a) the Bank’s
existing strong risk management culture and (b)
the fact that the specific metrics in the ‘measures’
component of the Risk Appetite Framework were
key existing metrics that already had buy-in across
the organization. In many respects, the adoption of
a formal Risk Appetite Framework codified existing
risk culture, principles, objectives, and measures.”
Another firm highlighted that “the risk appetite
framework plays a crucial role in establishing the
desired risk culture across the organization. The
discussions of risk appetite across the Group as
well as the specific content of the Board-owned
Risk Appetite Statement have promoted a strong
risk culture, which is key to success. Business Units
understand what is outside appetite and therefore
do not pursue these opportunities. The Risk
Appetite Statement contains a key section outlining
the principles of the risk culture that the Group
seeks to achieve.”
Appendix III of the December 2009 IIF report, “Reform in the Financial Services Industry: Strengthening Practices for a More Stable System,” provides a
background discussion around the concept, importance, and key impacts of risk culture.
23
|
members with a guide to their own behavior, they
can be the basis on which staff can feel able to
constructively challenge behaviors or decisions of
others, and they can be of real benefit.
institute of international finance
40.The objective of this section is to draw on the
survey and the case studies, as well as discussions
with firms to identify ways in which the principal
challenges identified in the previous section might
be overcome. The point needs to be made at the
outset that the Industry is still some distance from
an identifiable body of sound practices in most of
these areas. What follows, however, is intended to
form the basis of emerging good practices.
45.Given these close links, the practical steps for
getting the culture of risk appetite right are similar
to those for getting overall risk culture right.
Overall, firms report that they know when they
are making progress when references to risk and
risk appetite become a normal part of day-to-day
discourse about the business.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
24
Overall Lessons:
• There needs to be a demonstrable commitment
to explaining—through training and day-today experience—the importance the institution
attaches to risk appetite. This needs to have
the consistent support of the highest level of
management.
• Many staff for whom the benefits of an
effective RAF are not immediately apparent
are unlikely to undergo an instant conversion.
Even after training and assimilation are in
place, it is necessary to operate rigorous
controls and limits.
• It is important to develop measurable indicators
of compliance with risk management norms
that can form a robust basis for promotion
and remuneration. This should include not
only compliance with hard limits but also
with clearly stated behavioral expectations.
Compliance with these more qualitative criteria
can be more difficult to assess objectively
but is critical in establishing the desired
risk culture and is integral to making risk
appetite effective. Rigorous application of
such guidelines is consistent with cultivating a
strong risk culture, provided it is consistent and
relatively transparent.
• Clear communication of risk appetite
parameters and preferences is a prerequisite for
developing the appropriate culture. Individuals
need to feel incentivized to comply with these
and confident in doing so. There can be no
hidden agendas or revealed preferences on the
part of management.
• Consistency of messages and consistency of
senior behaviors with these messages, rewards
and sanctions that are demonstrably consistent
with the messages, and the absence of barriers
to bad news travelling upward are essential
components of a strong culture.
• There is value in measures such as the creation
of a meaningful and non-public statement of
values codifying this. But culture is determined
ultimately by what the leadership does rather
than by what it says.
3.2 “Driving Down” the Risk
Appetite into the Businesses
46.Effective internal communication that makes risk
appetite directly relevant to employees in the
business units is seen as a major challenge by
all participating banks. A variety of approaches
have been taken, but no clear consensus has yet
emerged about how to do this most effectively.
This remains very much work in progress, even for
the leading banks.
47.Two points, however, emerged very clearly in this
regard:
• An effective risk appetite framework should be
pervasive throughout the organization in that
all staff with any significant decision-making
authority should understand the institution’s
stance toward risk and what it means for them.
• Yet the benefits of an effective risk appetite
framework, while very real, are often not
apparent to more junior staff and, indeed, there
may be some initial resistance or skepticism
among these groups.
48. For this reason, communication and training
are essential starting points. The CEO needs
to be personally involved in promulgating the
message about the risk appetite framework
and what it means. There needs to be complete
agreement within the Board and management
on a meaningful and comprehensive definition
of risk appetite, and the concepts need to
be communicated in a straightforward way
without jargon. There also needs to be clarity in
communications about where risk appetite fits
alongside risk capacity or tolerance, that is, how
much risk it is technically possible to take, and
the current level of risk being taken. Finally, there
needs to be clarity regarding the ownership of
risk. The risk function should own the overall
risk framework and the interface with the Board
on risk appetite. However, responsibility for
risk within the business units and for achieving
consistency with the enterprise-wide risk stance
rests squarely with business unit heads.
A cornerstone in the architecture of an RAF and
a key step in its internal communication is the
articulation of a risk appetite statement. While
Annex II (page 65) provides significant examples of
elements included in the risk appetite statements of
firms participating in our survey, some firm-specific
examples are provided below:
i) Limits and metrics consistently monitored
include: ROE; Stress tests; RWA limits;
Capital market measures (e.g. VaR, trading
limits); Liquidity ratios; Single-Name
Concentration; Industry concentration; and
Country envelopes. These limits/metrics
correspond to the Target Rating set for
the Bank.
ii) Qualitative guidelines mainly stem from a
comprehensive set of Risk forums at the
Executive Management level (e.g., Portfolio
decisions: Risk Committee, Strategic Risk
Forums on Countries, Industry/Product/
Sectors, as well as on Capital Market
activities. Key Individual decisions:
Risk committees on one specific
transaction/counterparty; Exceptional
Transaction and New Activity Validation
Committees. Thematic transversal policies:
Credit policies).
•
Another firm has a rather detailed statement
covering the following qualitative and
quantitative elements: 1. To generate
sustainable economic profit commensurate
with the risks taken; capital liquidity &
impairments & expected loss; 2. To be well
capitalised on a regulatory basis and maintain
a long-term debt rating of X; 3. To maintain
a strong Tier 1 ratio comprised of a large
core Tier 1 proportion; 4. To maintain a
well-diversified funding structure; 5. To keep
off the balance sheet vehicles nonmaterial in
size relative to the size of the balance sheet;
6. Risk management to ensure impairments
and losses are managed within the group’s
tolerance; 7. To manage all risk categories
within its appetite; 8. To harness benefits
from business diversification to generate
nonvolatile and sustainable earnings; 9. To
compete in businesses with international
customers where market connectivity is
critical, businesses with local customers where
we have local scale and products where global
scale is critical to effectiveness; 10. To use
robust and appropriate scenario stress testing
to assess the potential impact of the chosen
scenario on the Group’s capital adequacy and
strategic plans.
49. Limits are a necessary part of driving risk
appetite into the businesses. Effective limits are
an essential part of any risk framework, whether
or not the firm embraces a full RAF. Financial
institutions have operated with limits (e.g., for
lending or market transactions) for many years,
without necessarily effectively controlling
aggregate risks within acceptable levels. The
establishment of an effective framework goes far
beyond the simple setting of limits, however. There
is a strong consensus that it is very important
for staff who are subject to limits to understand
both the context and rationale for these and
their implications for revenue, customer service/
satisfaction, and aggregate risks. The objective is
to foster an effective, ongoing dialogue about the
boundaries of acceptable risks and the implications
of these boundaries, including for the optimal
allocation of scarce resources within the firm.
50. In this context, a strong culture of responsibility
for, and open dialogue about, risks in the
businesses is seen as fundamentally important
in effectively embedding risk appetite in the
business lines. Business unit leaders have a strong
leadership role to play in this. Firms that have
made the most progress in implementing risk
appetite have put in place processes designed
to ensure the broad congruence of business and
risk decisions and the overall enterprise-wide
risk appetite. In these firms, business heads are
required to have visible ownership of risk in
their areas and to incorporate risk explicitly in
their business planning. Processes then need to
be put into place to check the consistency of
these—both individually and in aggregate—with
the overall risk appetite. Business unit heads
are responsible for formulating these local
plans. They also have a responsibility to explain
the importance of risk appetite concepts and
boundaries within their business units. Illustrating
the links between specific business initiatives
and day-to-day transactions and the broader risk
appetite helps to make these processes come alive
for staff within the businesses. Some firms have
also found value in a “thematic” approach to risk,
placing a specific focus on aspects of risk—such as
reputation risk—for a specific period.
51.Similarly, staff on risk committees or those who
are involved in the approval of transactions can
link risk appetite concepts to individual policies
and transaction approvals, thereby raising
awareness and understanding of the boundaries
and importance of risk appetite facilitating
25
|
One firm explains that its risk appetite
statement is currently a mix of quantitative
limits/metrics and qualitative guidelines:
institute of international finance
•
dialogue within the businesses about these
boundaries and limits.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
26
52.When this dialogue within and across business
units and with risk and senior management works
well, it facilitates both intelligent challenges to
the risk appetite boundaries and their evolution
over time. In this way, the risk appetite framework
is made dynamic and is able to sensibly
accommodate new business opportunities and
changes to the risk/reward relationships between
different parts of the business.
53.The link between risk appetite as expressed by
the Board and the behavior of mid-level staff
empowered to make local decision is also facilitated
by the integration of the RAF into the business
planning, as further explained in section 3.5.
In some banks the business unit leaders are required
to have primary accountability for preparing and
interpreting their own risk appetite statements to
ensure that they are both properly aligned with
the group risk appetite statements and also welldesigned and effective in communicating to the
staff in their own businesses. For instance, in one
firm the “line of Business (LOB) management is
responsible for executing the strategic and financial
operating plans of the business, optimizing the risk
and reward of the business within limits established
by executive management, and ensuring internal
controls are appropriate. Additionally, each LOB
develops a Line of Business Risk Appetite which
further drives the enterprise Risk Appetite into
the individual Lines of Business. Every employee
understands that it is his or her responsibility to
implement and adhere to the Risk Appetite while
making daily business decisions.”
In addition, other banks seem to rely on an
appropriate interaction among risk culture,
awareness, and policies and procedures. As
explained by one bank participating in our
survey: “The link is based on an awareness of
the qualitative aspects, of expected norms and
behaviors and how decisions impact the operational
groups/enterprise risk appetite. This awareness
is created through learning programs targeted at
mid-level management. Mid-level management
in front-line operations is guided in part by the
simplified statements created by the enterprise. Both
qualitative and quantitative aspects are reflected
through policies and procedures that govern the
activities of mid-level staff. These policies and
procedures provide more detail to the high-level
statements of the risk appetite, including business
practices (for example, reputational risk, regulatory
and legal requirements), risk transparency
requirements (for example, new products and
initiatives) as well as detailed limit frameworks
(market risk, liquidity and funding, credit risk) that
are set at various levels of the organization.”
A few banks highlight a link with business
planning: “The integration of the risk appetite
statement production into the framework of the
business planning process gives a linkage of
the Board’s risk appetite to the decisions and
strategies made by business at that time. This is
also expressed via the Board’s capital plan, where
return requirements, capitalization targets, and
capital allocation resolutions combine with business
volume targets.”
Overall Lessons:
• Communication and education on the benefits
of a risk appetite framework are essential.
Members of senior management need to be
visibly and consistently associated with these.
• Limit setting is a key part of risk management,
whether or not it is part of a wider risk appetite
framework. Business unit and risk management
heads should use the risk appetite framework
as the context for explaining and promulgating
limits and risk policies.
• Business unit heads must own local business
plans, which in turn must pay proper regard to
risk. This, including the link to the wider risk
appetite, should be clearly and consistently
communicated to staff.
• Continuous and open dialogue about risks is
seen as fundamentally important in effectively
embedding risk appetite in the business lines.
Business unit leaders have a strong leadership
role to play in this. When this dialogue about
risks—within and across business units and
with risk and senior management—works
well, it facilitates both intelligent challenges
to the risk appetite boundaries and their
evolution over time. In this way, the risk
appetite framework is made dynamic and is
able to sensibly accommodate new business
opportunities over time.
55.Some firms report that an effective first stage
in the identification of risk appetite has been a
free-ranging and sometimes quite qualitative
discussion of risk with the Board. It is reported
that this can be helpful in avoiding becoming
bogged down either in issues of definition or
quantification. The Board’s preferences are then
subsequently turned into a quantified framework.
56. In some banks there is a clear link between
elements of the RAF and operational risk
management. To the extent that operational risk
management seeks to identify, quantify, and
control less intrinsically quantifiable aspects of
risk, the methodologies developed can be a useful
input to a broader RAF framework. Some firms
indicated that a range of indicators is reported
to the Board as part of regular reporting on
compliance with the risk appetite framework.
Many banks involved in the study were seeking
proxies to help them to understand the manner
in which risks (both internal and external) are
evolving, at least directionally. In this context,
defining risk appetite was described as “an art
around the science.” There was agreement that
around any set of similar metrics one needs to
overlay a good measure of interpretation.
57.However, some clear examples were given that
resulted in a significant change to the risk appetite
for certain businesses. One high-profile example
of this is material changes to the regulatory
landscape (e.g., Lehman minibonds in Hong Kong).
These kinds of changes in the regulatory (and
58.Committee structures, if thoughtfully designed,
can provide an opportunity to draw on
experienced judgment and oversight in areas in
which quantification is inherently weak.
One institution noted that, wherever possible,
estimates are made of the potential impact of
crystallized risks on future earnings capacity.
Examples of this would be the effect of regulatory
changes or sanctions on the revenue from individual
business lines. An effort is then made to compare
these impacts with those of other risks. However,
“this is recognized as being very subjective” and
of very limited value with respect to non-linear
tail risks such as litigation or serious reputational
damage.
Another bank does not go as far in seeking to
quantify risks but does try to estimate the potential
impact of risks on future earnings capacity for
each risk with the object of arriving at an overall
indication of how large or small that risk is
in comparison with other risks. This is more a
question of magnitude rather than precision, as the
objective is to ensure that it carries enough weight
versus other risks.
One firm undertakes a regular assessment of
the perceptions of various stakeholders (clients,
shareholders, employees, and regulators) noting
a) that these legitimately differ and b) that the
objective should be “no surprises.” This approach
is reinforced through the creation of a senior
Reputation Risk Committee comprised of senior
management (CFO, CRO, and heads of Legal and
Compliance). This committee reviews highly
complex or structured transactions that may create
particularly high levels of reputation risk. The basic
purpose is to determine whether this is the type of
business the firm should be doing. Another firm
uses committee structures to assess the broader risk
implications of new product approvals.
27
|
54. Incorporating different risk types into the risk
appetite framework and, more specifically,
capturing risks that cannot easily be quantified,
is a challenging task. There is wide agreement
that the RAF should capture and include all
material risks, including those that are not easily
quantified, such as operational and reputational
risks. However, although 70 percent of the
participating firms stated that their RAF covers
all risks, no real consensus was seen among the
participants about how the risks that cannot be
easily quantified (if at all) should be captured in
the RAF.
political) environment fundamentally change the
level of risk associated with certain businesses
and, subsequently, the risk/reward of the business
proposition significantly.
institute of international finance
3.3 Capturing Different Risk Types
Another firm captures a number of metrics of
varying importance. For example:
• Communications to the central bank/
regulator regarding money laundering
breaches;
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
28
• Penalties from supervisors, inclusive of
the results of investigations and remedial
actions imposed, even where there is no
fine;
• New product activity and de-listing of
products (gives a real flavor of the use test
and how this is affecting “real life”);
• Trading with suspected insider traders; and
• Complaints from customers.
59.The point was also made by many firms that,
notwithstanding a professed “zero tolerance”
for some categories of risk (such as reputation
risk and the risks of legal or regulatory noncompliance) there are, in reality, always tradeoffs,
and zero levels of these risks are not achievable in
practice. The key thing is to recognize these risks
and manage them intelligently.
Overall Lessons:
• To be effective, the risk appetite framework
needs to incorporate all material forms of
risk, including those that are not readily
quantifiable. Zero tolerance is not a very
meaningful or practical concept—all risks need
to be actively managed.
• Firms should make a maximum effort to
quantify such risks, making use of such
innovative approaches as estimates of earnings
foregone.
• Maximum use should also be made of proxies
and other metrics, even where these do not
permit the direct quantification of losses.
Quantification and the development of proxies
need to draw on operational risk frameworks.
• Committee structures to address reputational
or legal risks directly, and the risk implications
of new products can, if well operated, bring
experienced oversight to bear effectively.
3.4 The Benefits of Risk Appetite as
a Dynamic Tool
60.The following two challenges are somewhat linked
and need to be addressed as important steps in
building an RAF: positioning and communicating
the RAF internally as a dynamic tool for shaping
the risk profile of the institution, rather than as
merely a dressed-up, more elaborate process for
setting limits or a source of additional business
constraints, and communicating its benefits.
61.Our investigation has shown that successfully
positioning the RAF internally as a dynamic
tool for shaping the risk profile of an institution
depends critically on how it is embedded in the
businesses and on the quality of the ongoing,
day-to-day dialogue about risk within and across
business units and with risk management staff
and senior management. As discussed in section
3.2, when this dialogue works well, it facilitates
both intelligent challenges to risk appetite
boundaries and their evolution over time. In such
circumstances, the risk appetite framework is seen
and understood to be dynamic by all participants.
62. Risk appetite frameworks and processes of
the kind discussed in this report are relatively
new in many organizations, and take time to
institutionalize. Participating banks agree that
the benefits are not immediately apparent at the
outset; in some banks, there is (or was) active
resistance from some business units that needed to
be overcome.
63. It is obvious that leadership from the top is
important, in terms of stating the reason for
creating the risk appetite framework and associated
processes and explaining the benefits to be gained
from doing this. Nevertheless, from the experience
of some banks it may be necessary to start with an
element of compulsion. Participants reported that
they needed to push quite hard initially to get the
businesses to think about risk appetite, although
after “learning by doing” for a while, many
reported that they have seen the benefits.
64. In general, senior executives appreciate the
benefits of risk appetite more readily than those
lower down in the business. The active dialogue
linked to specific transactions within the business
line was described earlier, and it is key to
educating front-line staff about risk appetite and
the benefits that awareness and understanding of
it bring to the business and the group.
65. In general, participants agreed that there is a
balance to be found between coercion (“this is the
policy/limit, keep to it”) and understanding (“here
is the broader risk context and rationale to help
guide what you do”).
66. As noted previously, business unit leaders must
have the principal responsibility for bringing
risk appetite into their business units and
incorporating it into the regular fabric of their
businesses. Similarly, they have the principal
responsibility for articulating the benefits of
risk appetite in their businesses—and so they
need to be convinced of the benefits themselves.
Some participants reported that initial resistance
in particular business units can be effectively
overcome in many instances by the CEO, CRO,
and other senior leaders actively explaining and
reinforcing the need for business unit staff to
embrace risk appetite and have it become part of
the fabric of the organization.
67. It is important to note that if specific business
units can’t get the needed quantitative information
to see how they are tracking against key risk
appetite metrics, then risk appetite concepts have
less traction and less “bite” in those business
units; in these circumstances the benefits of the
framework and processes are less clear to frontline staff. For this reason, firms should be acutely
aware of the measurement limitations at each
stage of their risk appetite framework evolution.
Overall Lessons:
• Leadership from the top is crucial, in terms
of stating the reason for creating the RAF
and explaining its benefits. Nevertheless, it
may be necessary to start with an element of
compulsion.
• The active dialogue within and across business
units and with risk management staff and
senior management is essential to communicate
the benefits that the implementation of an RAF
brings to the firm. Such dialogue should also
be linked to specific transactions within the
business line in order to effectively involve
front-line staff.
• Education is a key element in raising awareness
about the full benefits originating from a
complete risk appetite framework.
• Business unit leaders must have the principal
responsibility not only for bringing and
incorporating risk appetite into their business
but also for articulating the benefits of risk
appetite in their businesses.
3.5 The Link with the Strategy and
Business Planning Process
69.The establishment of an effective link between
the risk appetite framework and the strategy and
business planning processes is fundamental.
70. A key finding of this study is that such a link has
been effectively established at a number of leading
institutions in recent years. This has been achieved
in several different ways, as the National Australia
Bank (NAB) and Commonwealth Bank of Australia
(CBA) case studies illustrate. There is strong
29
|
Similarly, another bank holds risk appetite
workshops with each of its major businesses to
identify concerns such as implementation and/
or resource issues. These workshops aim not only
at “driving down” the RAF into the businesses
but also at enabling the businesses to understand
the full benefits available from a complete risk
appetite framework, such as an assessment of
limits and financial volatility, that is, the volatility
of a business’s plan, where to focus resources and
capital, alignment to other processes through stress
testing, and gauging the potential of the business
going forward.
68. In making the benefits more visible in the
businesses, it is important to emphasize the return
dimension of risk appetite and the opportunity
for risk/reward optimization and to position risk
appetite as a foundation for active dialogue within
and about the business, as previously described.
The key is to be “real” with the business—it is
important to make the risk appetite measures
and metrics clear and real in the individual
business units to facilitate effective challenge and
discussion. If this is achieved, it is the experience
of the leading participants that the benefits will
become progressively clearer to all stakeholders as
time passes; this is also strongly reflected in the
case studies.
institute of international finance
One participating bank ran a series of workshops
for line staff in selected business units, titled “How
risk appetite affects you.” These proved useful in
raising awareness of the key risk appetite concepts
and received positive feedback from participating
staff, who generally saw why this was important
from an organizational perspective.
agreement, however, that the relationship needs
to be iterative and based on extensive internal
dialogue.
71.The firms that have made the most progress in this
typically followed a process that involved some
variation of the following:
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
30
• The Board set key, top-level principles and risk
parameters for the overall risk appetite at the
group level.
• This may take the form of a fully articulated
risk appetite statement or, sometimes, an initial,
high-level signaling of key risk parameters to
business divisions.
• Use of these guidelines by the business units
in drafting their own, divisional business and
budget plans. In some cases this involves
the creation of local risk appetite statements.
In others it involves the articulation of a
risk “posture” that indicates whether risk is
expected to increase, decrease, or remain
constant in the business unit.
• Ensuring that, whatever the form of the local
plan, it embeds and is fully consistent with the
high-level risk appetite statement or principles.
• Individual and aggregated assessment at the
group level of proposed business and budget
plans and comparison with the group risk
appetite.
• Revision and amendment as appropriate of
divisional level plans and budgets—or, in some
cases, group risk appetite.
72. In some cases the formal planning process, rather
than being wholly “top down,” incorporates a
significant amount of “bottom up” planning at
an early stage, starting at the divisional level.
But in either case, iteration—starting with a
concept of risk appetite
business planning
aggregation
checking back with the risk
appetite framework and adjusting as necessary—
was observed to be the key and an important
method to creating essential alignment between
the divisional and business unit plans and the
group risk appetite statement. This process also
builds common awareness of the interaction and
tradeoffs between key risk appetite constraints
and revenue opportunities. Some firms have found
the use of standardized formats for setting out
strategic plans incorporating mandatory sections
on risk profile and risk appetite to be useful
mechanisms for ensuring that these issues have the
appropriate prominence in the planning process.
73. In general, the process begins with high-level
signaling of risk or key risk parameters. For
instance, NAB, as further explained in the case
study in Annex I, starts its process by discussing
and agreeing the high-level risk posture of each
major business and the group. Another institution
noted that prior to the strategy planning risk
management and/or finance provide indications
of current sensitivities (e.g., leverage, liquidity,
capital objectives or constraints, etc.), so that
the initial business planning process is done
on a more informed basis. There is no uniform
approach for translating high-level risk appetite
decisions into workable parameters for business
units. In some cases an initial effort is made at
translating the high-level statement into metrics
such as RoE, RWA, and/or net funding needs,
which are then fed into the businesses. In general,
however, it is recognized that the process needs to
involve a combination of breaking down the highlevel aspirations into measurable dimensions and
business units formulating their bottom-up plans
in a consistent form, allowing the appropriate
consistency checks to take place.
74.The final stage in the iterative process may involve
changing either aspects of the business plans or
of the overall risk appetite—but if the latter, this
is done on a properly informed basis in order to
create the needed alignment between the two that
has often been missing in many institutions in the
past. The fact that such decisions are made on a
properly measured and informed basis, and within
a formal and robust governance framework, is the
key to ensuring that the risk appetite framework
strikes the right balance between being unduly
rigid—and therefore unable to effectively and
prudently accommodate business and strategy
evolution—and excessively flexible, in which case
it would fail to create the necessary discipline on
the business.
One bank provided an example of when the explicit
consideration of risk appetite in the planning
process led to an increase in a business line/asset
class rather than the imposition of a reduction.
The group had agreed to a firm-wide risk appetite
for a certain asset class, and one business unit
wanted to increase exposure. This led to a risk vs.
return discussion, which led to a shift within the
asset class of increased allocation to the requesting
business unit, but without an increase in firm-wide
risk appetite for that asset class. It was reported
that “not everyone liked the answer, but they
appreciated the openness of the discussion.”
• The creation of a strong partnership between
the group risk management, strategy, and
finance functions, notwithstanding some
initial resistance to this in a few institutions,
because of some concerns about potentially
complicating the planning/budget process.
There was general recognition and acceptance
that formally including the risk management
function in the planning process may make
the process longer and more complicated, but
this was seen by those banks that have taken
this step as well worth it for the resulting
alignment of risk appetite and plans. As the
planning process is repeated, participants
learn by doing and a new process with new
expectations becomes established that becomes
more efficient over time. However, as observed
by NAB in its case study, the language of risk
used by risk management staff can often be
opaque and not closely associated with the
language used by those staff who develop
strategy and business plans. Therefore, it is
important for risk management staff to find
ways to communicate and engage effectively in
the planning process.
• Use of the concept of “risk posture”—a
qualitative expression of whether the
business unit intends to take more, less,
or approximately the same amount of risk
over the next planning period—at both the
divisional and group levels is an effective
approach in moving the discussion forward
and supplements the use of quantitative
metrics. Risk posture is an intuitive, accessible,
and widely understood concept that avoids
technical language and enables extensive
participation by a wide group of participants in
the dialogue and discussion about risk appetite.
The iterative process described above needs
to include an explicit discussion of the risk/
reward tradeoffs. The relevant questions
are: What are we trying to do? and What
• Periodic reviews between risk management,
finance, and each business division to discuss
what is new or growing rapidly, what is
changing, what’s driving those changes, and
what are the emerging risk/capital/liquidity
capacity issues, are a good tool for keeping
the required linkage strong. These reviews also
support the process for the next planning cycle.
• Some firms require that each business head
be able to explain how risk appetite has been
taken into account in local strategy documents
and how key elements of the business unit
strategy are consistent with risk appetite.
What follows is a noteworthy example of how a
respondent firm is achieving the link between its
RAF and strategy and planning:
Links between Risk Appetite and Strategic Planning:
• Line of Business Risk management is
involved from the beginning of the strategic
planning cycle to evaluate and assess how
growth or revenue targets fit with the
Company’s Risk Appetite;
• The Plan is developed to assure Governance
and Control functions are appropriately
aligned and staffed around new growth;
• All plans for growth are aligned around the
Risk Appetite;
• The Chief Risk Officer ensures alignment
of the Strategic Plan to the Risk Appetite.
Risk management has opportunities
throughout the process to challenge any
elements of the plan.
Links between Risk Appetite and Capital Planning:
• The capital framework assesses capital
adequacy in relation to risk and provides a
common currency for measuring business
unit performance;
• The capital management process considers
credit, market, operational, interest rate,
liquidity, country, compliance and strategic
risks in the Internal Capital Adequacy
Assessment Process;
31
|
76.The following have been key factors in building
and reinforcing the necessary links with the
business units:
are the tradeoffs? One firm reported: “This
[risk appetite] approach allows an intelligent
discussion of ‘who we are’ and the optimal
business mix and balance based on risk and
return.” Another said: “getting the Head of
Strategy to recognize and incorporate Risk
Management personnel into planning decisions
was big win for us.”
institute of international finance
75.The value of a stronger link between risk appetite
and business-level planning was summed up
by CBA, “Building of the consideration of risk
appetite into the group’s strategic planning process
has been a significant step forward and has given
both management and Board transparency either
to amend the strategy to align with the existing
appetite or the appetite to allow for the proposed
strategy over decisions.”
• Customer and product profitability are
measured via Customer Level Profitability
Reporting (CLPR), which incorporates
economic capital;
• Capital is represented in the Risk Appetite
statement and measured and monitored as
such.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
32
Links between Risk Appetite and Liquidity
Planning:
• Together with the Chief Financial Officer
Group, Risk Management is involved in
setting and monitoring liquidity risk limits,
guidelines and early warning indicators;
• Risk Management controls include the
analysis of contractual obligations and
utilization of stress modeling to ensure that
excess liquidity is sized appropriately and
aligned with the liquidity risk tolerance of
the enterprise;
• Risk Management incorporates liquidity
risk analysis into new product, business
and investment decisions where applicable,
and works with Lines of Business that have
material contingent funding exposures and/
or require material levels of unsecured
funding;
• Liquidity Risk is represented in the Risk
Appetite statement and measured and
monitored as such.
Links between Risk Appetite and Performance
Management:
• Performance management is tied to
adherence to the Risk Appetite in all areas
of the enterprise, including Risk, Lines of
Business and Enterprise Control Functions.
Overall Lessons:
• There needs to be an iterative relationship
between setting risk appetite and planning at
both the group and the business unit levels.
• This involves a partnership between a group’s
risk management, strategy, and finance and the
business units, with explicit consideration of
risk in business planning.
• Risk posture—a qualitative expression of
whether a business unit intends to take more,
less, or approximately the same amount of risk
over the next planning period—can be a useful
starting point for this discussion.
• The annual planning process should be
supplemented with quarterly reviews by risk
management, finance, and the businesses to
assess how the risk profile and the risk/return
tradeoffs are changing. These reviews should
place a special focus on business activities or
risk concentrations that are new or growing
rapidly and what is changing and what’s
driving those changes, as well as any emerging
risk/capital/liquidity capacity issues.
3.6 The Role of Stress Testing
within an RAF
77. An important issue on which the investigation
has been focused is the potential role of stress and
scenario testing within a risk appetite framework.
Linked to this is the question of how appropriate
levels of risk can be determined for individual
businesses and in aggregate for the group in total
and the relationship between these.
78.Consciously constraining aggregate risks
in advance so as to ensure a firm’s survival
under severe stress scenarios is part of the
raison d’etre and at the heart of setting risk
appetite appropriately. It is essential for senior
management and the Board to carefully analyze
and understand the likely distribution of potential
outcomes that would be experienced over time
under a variety of severe, but plausible economic
and market scenarios and to determine what level
of loss would be tolerated under each of these
scenarios.
79.These assessments are crucial but very complex
and difficult, involving both significant technical
challenges and the exercise of a substantial
amount of judgment. They cannot be reduced
to a series of simple, formulaic steps. This is
because, as the financial crisis has shown, for
large financial groups the aggregate, integrated
risk profile of a firm and the way this evolves is
opaque, to insiders as well as to outsiders, and
difficult for senior management, directors, and
supervisors to properly understand.
80. In this context, leading banks in a number of
jurisdictions are increasingly using a variety of
stress testing processes, which typically feature
a combination of macroeconomic scenarios
and changes in market variables, to understand
financial outcomes for the group, including
potential credit and market losses and the likely
reduction or loss of business revenues under
severe economic and market scenarios. Conducting
such stress tests for all entities across a group
82. An important challenge facing management in
the determination of risk appetite is how much
relative weight should be given to:
• The predicted level or range of aggregate
losses that could be sustained over a defined
time period under relatively likely, less severe
adverse economic and market conditions
(e.g., a “one-in-ten year” economic downturn
scenario), as against
• The much higher predicted level or range
of aggregate losses that could be sustained
over a defined time period under a variety of
relatively unlikely, more severe—but nonetheless
plausible—stress scenarios (including severe
liquidity stress scenarios).
83.The key areas in which management needs to
exercise judgment are therefore:
• The severity of the stresses/scenarios to be
applied. As noted, it is necessary to strike
a balance in establishing scenarios that are
appropriately severe while being not so
implausible as to make it impossible to act
upon them.
• The implications of the stress and scenario
outcomes for losses and how these compare
to what are judged to be acceptable loss levels
within the existing risk appetite. It is also
necessary to ensure that the implications for
capital levels are rigorously assessed.
• The implications of the foregoing for risk
appetite and strategy. Boards and management
need to be equipped to assimilate and act upon
the outcomes of stress tests, even where they
embody relatively low probability events.
84. It would appear that in many banks these
judgments have been made somewhat implicitly to
date, given the considerable technical challenges
involved. These are very subjective but important
questions, and a divergence of views regarding
85. It is nevertheless important to distinguish between
the relatively technical challenges of ensuring
that scenarios are chosen carefully and their
implications properly worked through and the
strategic challenge of ensuring that the outcomes
of stress and scenario tests are acted upon.
Boards and management often report difficulty
in assimilating the implications of relatively
low probability events and pushing through the
necessary adjustments to business models and
strategies. Some report that this will become even
more of a challenge as competitive pressures
reassert themselves as memories of the crisis fade.
86. It is possible to make a tentative observation
that some of the banks that were hit hardest in
the financial crisis are currently taking a more
conservative approach than others that were
impacted less severely. The former are placing
more weight in setting their overall risk appetite
upon the likely losses that would be experienced
under more severe stress scenarios and treating the
results of these stress scenarios as more binding in
the risk appetite process.
87.Some banks participating in our investigation,
including some banks in jurisdictions that were
less affected by the financial crisis, have not yet
built a comprehensive, group-wide stress testing
capability or have not yet fully incorporated stress
testing into their process for setting risk appetite.
For these banks, selected stress tests have been
used to date primarily as a basis for checking and
challenging the reasonableness of quantitative
risk appetite parameters and boundaries that
have been set via other, more subjective means.
Some banks in this category have placed higher
emphasis to date on ensuring a strong risk culture
and effective dialogue about risks at all levels,
and they caution that placing heavy emphasis on
stress testing in the risk appetite–setting process
may risk placing too much focus on “known
unknowns.” Consequently, it is clear from our
investigation that the further development of
stress testing capabilities and the evolution of
the way in which stress testing outcomes are
incorporated into the process and context for
setting risk appetite is an area that many firms are
continuing to develop, as can be clearly seen in
some of the case studies.
33
|
81. In general, banks in national jurisdictions that
were hit hardest by the financial crisis appear
to have made more progress on developing
comprehensive, firm-wide stress testing
capabilities, perhaps in response to Industry-wide
stress testing requirements of national regulators.
They are therefore more likely to use these
capabilities in a more central way in their process
for setting risk appetite.
their treatment was seen among the participating
banks. Indeed, participants reported that it is
common to see a divergence of views on these
questions even within the management teams of
individual banks.
institute of international finance
requires overcoming a number of very substantial
technical challenges and the significant exercise of
management judgment.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
34
One leading firm has developed a comprehensive,
firm-wide stress-testing capability and uses this in a
way that is central to the process of setting its risk
appetite. The bank had originally built its firm-wide
risk appetite framework around a set of statistical
loss measures, which it compared with earnings
and capital metrics. Underpinning the framework
were statistical models for individual businesses
and portfolios, complemented by stress models
targeted toward the idiosyncratic vulnerabilities
of those portfolios (not generally combinable due
to inconsistent scenario assumptions). Limits on a
combination of these stress and statistical model
results were used as operating controls on the
businesses. While several units within the bank
had gained substantial experience in the generation
of macro and market scenarios and the evaluation
of their impacts on their respective businesses,
these had not been integrated to develop firm-wide
scenarios.
During the financial crisis, the firm recognized
the need to adapt its risk appetite framework to
incorporate stress scenarios alongside its statistical
models and to particularly emphasize protection of
its Tier 1 capital as a risk appetite objective. The
period following the Lehman collapse served as a
catalyst and model example for the development
of firm-wide scenarios, since it impacted many
of the bank’s business lines and established an
unambiguous level of severity. Subsequently,
scenarios covering other potential firm-wide
vulnerabilities have been implemented.
Development of scenarios typically begins with
the identification and prioritization of an area of
concern, i.e., a potential economic or market crisis,
through dialogue among risk managers, economists,
and line management. Scenarios are calibrated on
a “how bad could it plausibly get” basis. Based on
a broad outline of the primary scenario drivers,
the firm develop a detailed scenario specification
describing the evolution over 1–2 years of a few
dozen broad macro and market variables such as
GDP growth in major markets, interest and FX
rates, equity markets, credit spreads, inflation,
and housing prices. Both short-term and long-term
behavior must be modeled to evaluate impact on
portfolios at opposite ends of the liquidity spectrum,
i.e., market vs. credit risks. History and stakeholder
input inform the setting of these parameters,
which are updated periodically (at least once a
year) to ensure that scenario assumptions remain
economically meaningful.
In tandem with this, analysis—often making use
of historical data at a granular level—is performed
to identify the key sensitivities of business/
portfolio income with the scenario inputs; where
necessary (i.e., for trading portfolios), the scenario
specification is extended to substantially greater
detail. In some cases, where data analysis does not
lead to sufficient explanatory power, judgment as to
scenario impacts or proxy metrics is applied. The
possibility that causal relationships are mistakenly
identified through analysis of limited data is also
considered. Typically, effects on market and credit
risk portfolios and income of asset gathering
businesses are possible to model more robustly,
while volume-based businesses and operational
risks require more judgment.
Scenario impact on P&L, capital, and RWAs are
evaluated both in absolute terms and with respect
to typical metrics (i.e., Tier 1 ratio). The worstcase scenario of the available set is chosen (along
with the complementary firm-wide statistical
model results) for comparison against risk appetite
objectives. Of these, perhaps the greatest focus
is on maintaining a minimum Tier 1 ratio at all
times, evaluated for each quarter of the scenario.
Additionally, the sufficiency of earnings to cover
potential losses (and the timing of those losses)
is considered. Conformance to risk appetite is
tested and reported to senior management monthly
in the form of a dashboard and commentary,
including detailed review of portfolio and business
losses/performance under the binding scenario.
During the annual planning process, the entire
risk appetite framework is reviewed up to Board
level and business plans are evaluated through
the lens of the framework and its metrics. Firmwide stress scenarios are considered a particularly
valuable component of the framework, because
of the relative ease of describing (and debating)
the causal chain by which losses arise and can
be identified with businesses, portfolios, and risk
drivers. Consequently, it is considered that scenariobased metrics offer advantages of transparency and
avoidance of (some) blind spots relative to statistical
measures.
89.The technical challenges involved in risk
aggregation are numerous and complex. In
practice, most banks use a variety of regulatory
and economic capital measures for risk
aggregation purposes. However, these measures
suffer from a number of important weaknesses
when used for this purpose. These include:
• The inability of capital measures to capture and
reflect non quantifiable risks.
• The challenges of determining the appropriate
treatment of risk concentrations and
diversification within and between risk types.
• The difficulty of directly linking capital
measures to specific macroeconomic stress
scenarios.
• The inability of capital measures to capture
the liquidity dimensions of risk, which are so
crucial for understanding potential losses in
severe scenarios.
• More fundamentally, the non intuitive nature
of capital measures. Experience has shown
that it is difficult to get senior managers and
directors to engage in a meaningful way with
statistical variables and capital measures (e.g.,
Value at Risk at 99% or 99.95% confidence
levels) and use them with confidence in the risk
appetite process. The experience of a number
of firms has been that it can be easier to get
active engagement from senior management
and directors around specific macroeconomic
scenario assumptions.
For these reasons, although certain capital
measures (e.g., Tier 1 capital adequacy) are
the subject of prominent focus in the overall
risk appetite process, it is difficult to robustly
determine an acceptable level of aggregate
risks using capital measures alone. This is one
reason why, in addition to capital and liquidity
measures, leading banks in certain jurisdictions
are increasingly using a variety of stress testing
processes, as discussed in detail above.
35
|
88.One of the significant challenges that firms will
eventually face as they proceed along the risk
appetite journey is the issue of risk appetite
aggregation—that being, once individual
businesses have set their own risk appetite
boundaries, how does an organization decide
whether, in aggregate, these boundaries fit within
the firm’s overall risk appetite? Or, conversely, if
key quantitative aspects of the group’s overall risk
appetite have been determined, how can the risk
appetite of individual businesses be set in such a
way as to ensure alignment with the overall risk
appetite in aggregate? Given that this discussion
includes all risks, some of which are not easily
quantified, a great deal of management judgment
is required to effectively manage this issue, which
is obviously very closely related to the issue of
risk aggregation.
90.While Industry practice is clearly still developing
in this area of risk appetite aggregation, our
investigation has shown that there are certain
practices that have proven effective to date. These
include:
• All risks should be included in the aggregation
process, not just those that are quantifiable,
such as market, credit, and liquidity.
• For risks that are quantifiable, comparison of
the enterprise-level limit framework to the
aggregation of business unit limits—including
single name, Industry concentration limits or
economic and regulatory capital allocation—
is an effective and practical measure of
alignment.
• Attention to the diversity, quality, and stability
of earnings across the enterprise is essential;
• Aggregation should identify areas of excessive
risk concentration. In this regard it is also
important that when aggregating risk,
over-reliance not be placed on a potential
diversification benefit. Recent history has
proved that in times of crisis, diversification of
risk often fails in practice.
• For all risks, the aggregate view of risk
posture (as outlined in this paper) is helpful
in determining how an organization is
approaching risk overall. If, for example, the
individual business units are each willing
to take on more risk in the coming year,
comparison of risk posture at the platform level
is a simple cross-check to determine if senior
management has that same awareness.
• Aggregation of risk appetite should be done on
both a “normal course” and stressed basis.
91. Aggregation of all risks for the purpose of
determining fit within the overall risk appetite of
the organization is an ongoing challenge. As an
industry, some progress is being made but as with
many other aspects of this paper, this will take
time and a great deal of management judgment to
develop.
institute of international finance
Challenges Associated with Firm-wide Risk
Aggregation:
Overall Lessons:
• A comprehensive, enterprise-wide stress testing
mechanism is a key part of a fully effective risk
appetite framework.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
36
• Management needs to develop clear and
consistent criteria for deciding on the severity/
plausibility of the stress and scenario tests
chosen. Firms should generally err on the
side of choosing more, rather than lesssevere scenarios, though this needs to be
balanced against the need for the results to be
operationally useful.
• Once the primary scenarios have been chosen,
economic and markets expertise, together with
informed judgment, are needed to assess the
array of secondary implications for the firm as
a whole.
• Results of stress tests need to be linked to key
objective variables such as P&L, RWAs, and
Tier 1 capital and illustrate explicitly how
outcomes for these would comply with risk
appetite boundaries through time.
• Management and Boards need to feel confident
in assessing the results of the chosen stress and
scenario tests. It is often more meaningful to
present outcomes in concrete terms (“This is
what the following scenario would imply for
Tier 1 capital…”) than in more abstract terms
(“There is a 1 percent probability of a loss of
$X million.”)
• Boards need to ensure that there is a robust
mechanism for holding the line on risk appetite
in light of stress results when faced with
inevitable resistance from the business. If the
decision is to take no action in response to a
stressed scenario, the Board and management
should be able to explain fully why this
decision is defensible.
• The compliance of stressed outcomes with the
boundaries contained within the RAF should be
monitored frequently, and the risk appetite and
stress testing frameworks themselves should be
reviewed at least annually with the Board.
section 4 – Recommendations for firms
Recommendations for Board
Directors
93.One of the main messages from this report
is that a well-functioning risk appetite
framework is one that is pervasive throughout
the organization. Attempts to introduce risk
appetite as a remote and disembodied aspect
of risk management have tended to fail. The
process has been much more successful where it
has been recognized that risk appetite needs to
be intimately bound up with corporate culture,
corporate governance, and strategy and planning
as well as risk. Boards have an integral part to
play in the definition and monitoring of risk
appetite and the interchange with management,
risk management, and the business is crucial in
this. The following are the main implications of
our investigation for Board members. They are
particularly relevant for members of Board Risk
Management Committees.
94. Board members need to be properly equipped
to engage fully with risk and risk appetite. They
need to understand generic risk concepts and the
relevance of these to the business. They also need
to have access to the information and expertise
necessary to enable them to develop a good
understanding of the risk profile of the firm.
They should insist that the material provided to
them strikes the right balance between providing a
comprehensive macro perspective and illustrating
the required level of detail.
95.Board members should be proactive in insisting
on proper support from management and risk
management professionals, in terms of education
on risk concepts and approaches, technical
briefings, and updates on the risk implications of
products and activities.
96.The Board needs to establish the framework for
risk, typically through the articulation of a clear
and meaningful risk appetite statement. This
97.Board members need to ensure that risk appetite
is used in a dynamic and iterative way. A key
conclusion of this report is that an effective RAF
extends far beyond a mechanism that simply
creates limits. Instead, it involves a dynamic or
iterative process in which:
• The Board provides a clear statement or set of
signals regarding its preferred risk/return trade
off.
• This informs an enterprise-wide process in
which, on the basis of extensive dialogue,
business units determine their business models
and strategies and the risk implications of
these.
• The Board then considers whether the
individual and aggregate risk stances and
positions of the business units are consistent
with the firm’s risk appetite.
• If these are not consistent, a conscious and
informed decision is made to change one or
more of the business unit profiles or the overall
risk appetite.
In some cases, the process is more “bottom up”
with the initiative for setting risk taken more at
business unit level. In such cases, the role of the
Board in establishing the parameters for risk and
actively assessing it at both business unit and
aggregate levels is especially important.
98.Operating a risk appetite framework in the dynamic
and iterative way advocated in this report makes
it particularly important that all participants,
37
|
is likely to include a number of key metrics as
well as clear qualitative guidance in respect to
less quantifiable risks. One test of whether the
statement is meaningful might be whether and
how it would change in response to a decision by
the Board that 10 percent more (or less) risk would
be acceptable. Another test would be whether
the statement would provide the basis for an
effective challenge to plans on the part of one or
more business units to move to a markedly more
expansionary mode, with attendant implications
for risk.
institute of international finance
92.This section draws together a number of the main
findings of this report for Board directors, senior
management, and risk managers in firms.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
38
including Board members, risk management
staff, senior management, and business heads,
are clear about their respective functions and
responsibilities. Setting out the initial risk appetite
statement or signaling a set of risk preferences is
just the start of a process of ongoing discussion
and testing. Board members need to challenge
senior management to ensure that the necessary
processes and structures to facilitate this are put
into place and remain effective.
99.Such an iterative approach results in Board
members having other significant challenge
functions. This challenge is essential to
ensuring that the risk appetite framework is
neither stultifyingly rigid nor excessively flexible.
These challenge functions include, but are not
confined, to:
• Making certain that mechanisms are in
place to ensure that new business initiatives,
transactions, or products are consistent with
the enterprise-wide risk appetite, and that the
risk implications of these are fully understood
before the activity proceeds.
• Ensuring that mechanisms are in place to
monitor and manage risks that are not readily
quantifiable—such as reputation and legal
risks—and that their level is consistent with
overall risk appetite.
• Ensuring that stress testing is undertaken in
a rigorous and comprehensive way and that
the Board is able to assess the results in the
context of the risk appetite framework (more
on this below).
100. In general, as this report emphasizes, an effective
RAF is indissolubly linked to the culture of an
institution. There are no simple measures of risk
culture, and it is a key responsibility of Boards
to understand and shape this culture. Experience
has shown that it can be exceptionally difficult
for Boards and supervisors to detect weaknesses
in risk culture in an otherwise performing firm;
in particular, the absence of obvious contraindicators cannot be taken as positive evidence
of a strong culture. Understanding and shaping
the firm’s risk culture involves setting broad
direction and continual challenging of senior
management to demonstrate how their actions and
communications are consistent with this and how
rewards and penalties are visibly and predictably
aligned with the firm’s avowed risk culture. Senior
management should be expected to account for
their behaviors, and Board members may find it
helpful to find opportunities to interact directly
with staff at all levels in an attempt to gauge the
extent to which they are aware of and responsive
to a positive risk culture, and to assess, for
example, the extent to which “bad news travels
upwards”.
101.Even the strongest risk culture needs to be
supported by effective systems and controls.
Board members need to satisfy themselves that
the firm has a clear and consistent set of controls
and limits that support the objectives of the risk
appetite statement and the observance of the
boundaries of acceptable risk embodied within the
risk appetite framework. Board members should
challenge management on the way in which these
systems are used to encourage compliance and
penalize noncompliance. This may, for example,
involve the setting of objective and quantifiable
behavioral norms or objectives that can be used
in determining remuneration or promotion or,
conversely, as the basis for disciplinary action
when necessary. The Board may seek input
from the CRO in regards to any risk cultural or
behavioral issues that the Board should consider
in making incentive payment decisions for
executives.
102.Boards have a key role to play in the evaluation
of stress and scenario test results. Members
need to satisfy themselves that the stress tests
are conducted rigorously, that the stresses and
scenarios strike the right balance between severity
and realism, and that the implications have been
properly evaluated across all businesses in the
group. Boards have a fundamental role in deciding
whether risk appetite needs to be revisited or
adjusted in light of the results. Board members
also need to ask themselves searching questions
about their ability to assimilate and respond to
low-probability but high-impact scenarios. Many
Board members find this very challenging. Boards
need to be aware of their limitations in this regard
and consider carefully whether these are acting as
a brake on effective decision-making.
103. Finally, Boards should subject their own
operations and processes to constant review.
Every effort should be made to identify, on a
continuous basis, areas in which Board procedures
have worked well and not so well and to learn
from mistakes. There should be an annual review
of how the Board interacts with the management
and business heads. Overall, the Board should
have a formal process at least annually for
considering whether and how it has made a real
difference to risk management in the organization.
105.To be effective it is essential that senior
management set the tone and lead the discussion
regarding risk appetite. Senior management
must be seen as taking a leadership role in
articulating the importance and benefit of risk
appetite throughout an organization. This is an
ongoing responsibility and must be continually
emphasized.
106. Recognition that risk appetite and risk culture
are inextricably linked is important, given that
culture derives from leadership and determines
inter alia, how middle-level managers assimilate
and embed risk appetite.
107. Creation of an enterprise-wide RAF is an
iterative process involving the Board, senior
management, and risk management staff. At
the heart of the process is an ongoing dialogue,
and senior management should expect to be
challenged by the Board as to what is being
recommended, including risk/return tradeoffs and
regular close scrutiny and discussion of all aspects
of the firm’s risk profile under stressed conditions.
108. It is an absolute requirement that the business
(and not risk management) take ownership
and drive the development of line-of-business
risk appetite and profile. It must be recognized
that risk appetite does not belong to the risk
management staff and is not simply another way
to set limits and constrain business. Business unit
risk appetite frameworks are the main vehicle for
providing guidance and clarity regarding which
activities and risks businesses can consider and
what would be outside of agreed upon appetite.
109. It is important to recognize that while it is helpful
to have an articulation of risk appetite that can be
used by the Board and all levels of management,
110. Senior management needs to ensure that the risk
appetite framework includes full consideration
of and appropriately reflects business strategy.
It is important that the Board and the market
understand that the senior management takes risks
in areas that are central to its key strategies and
businesses and that losses in those areas, while not
positive, are expected and understood as a likely
outcome in both normal business conditions and
under a difficult market/stress scenarios. Smaller
and more peripheral businesses by contrast should
not be a source of significant losses.
111. It is important that senior management
understands and accepts how the RAF will
apply to its activities and impact any initiatives,
growth plans, or acquisitions that may be under
consideration. The strategic planning process
must include discussions relating to risk appetite
and profile. While risk appetite needs to become
a fundamental driver of strategy and of front-line
business decisions, it should be accepted that it
will take time and effort to get this to a point at
which business unit leaders and risk managers are
comfortable with the process.
112.Business leaders must ensure that risk metrics
adequately capture and reflect all material
risks of their business. These metrics should
be meaningful and pertain to their key business
and risk drivers. Similarly, the businesses are
responsible for putting appropriate controls in
place to effectively manage their risks, so as to
ensure that they do not exceed their defined risk
appetite.
39
|
104. Implementation of an effective risk appetite
framework is highly dependent on visible
support from senior management, including a
bank’s Executive Committee and business leaders.
This includes recognition and acknowledgment
that a clear statement of risk appetite helps drive
risk and governance discussions, is integral to
the strategic and business planning discussions,
and provides assurance to regulators and rating
agencies that the institution has clear parameters
for how much risk it will take on. The following
are the main implications of our investigation for
senior management:
there is no clear need to have the enterprise-level
RAF as a document that middle management
across the enterprise must use. The critical
component is to have a risk appetite framework
that helps drive a clear and comprehensive limit
structure for the various businesses as well as
activities and limits that determine the ability of
middle management to pursue and grow specific
lines of activity that link back to the enterprise
risk appetite framework. Line-of-business risk
appetite frameworks should not be developed
as simple subsets (or even simple “clones”) of the
enterprise framework. While there are linkages to
the enterprise framework, the most useful aspects
of the business-level frameworks are often quite
specific to the line of business, reflecting the
diversity of a firm’s activities, geographic scope, or
regulatory regimes in which it operates.
institute of international finance
Recommendations for Senior
Management
Recommendations for Risk
Management
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
40
113.Development and maintenance of an effective risk
appetite framework is a shared responsibility,
with risk management staff playing an essential
role in the process. It is not uncommon for
risk management to take the lead in building
management support and engaging the Board as
the framework is developed. Similarly, the ongoing
maintenance of a robust framework is heavily
dependent on risk management to provide goodquality reporting of risk metrics to support the
framework and its application. The following are
the main implications of our investigation for risk
management staff:
114. Risk management needs to be actively involved
at multiple levels in the development of the
risk appetite framework. It is incumbent upon
risk management to provide clarity of concept
and definition and support in understanding
the implications of the risk appetite statements
and metrics as they develop. A lack of clarity in
definition often leads to confusing and ineffective
discussion that can frustrate the participants and
extend the process unnecessarily. In this regard,
it is important that risk management provide the
necessary coaching and training to facilitate the
understanding of risk appetite on an enterprisewide basis.
115. An effective RAF covers all risks, and it is
important that risk management work with all
stakeholders in developing the right balance of
appropriate quantitative and qualitative metrics.
Recognizing that the appetite for some risks is
more easily quantified than others, it is important
that risk management lead the discussion and
development of desired behavior and tolerances
for less quantifiable risks such as reputation risk.
116. Risk appetite is an iterative process that requires
perseverance. To that end, the challenges faced
early in the process are different from those
experienced later. At all stages, it is important for
risk management to ensure full engagement by
all key stakeholders, including the Board, senior
management, and risk practitioners.
117. At the same time, risk management must allow
the businesses to take charge of the process of
developing line-of-business–level risk appetite
statements. This means the business unit leaders
themselves, not the embedded risk management
staff within the business units.
118. Risk management needs to provide the
appropriate infrastructure and controls to
support the ongoing maintenance of the RAF.
This includes comprehensive and timely reporting
to senior management and the Board to provide
clear reference to the current risk profile and to
make the framework itself both real and relevant.
Ongoing reporting of the firm’s risk profile relative
to the agreed upon risk appetite—and how this is
changing—and repeated/iterative discussions of
the evolving framework itself, will help to build
both “pattern recognition” and acceptance of the
framework as a useful tool.
119. Risk appetite needs to be viewed in the context
of both normal and stress conditions. Risk
management needs to be capable of providing
both of these perspectives and facilitating the
appropriate discussion at the Board level with
regard to the potential impact on business strategy
and planning.
120. It is critical that risk management engage with
the businesses in the strategy and planning
process to ensure proper alignment between the
enterprise-level statement of risk appetite and those
statements created at the business-specific level.
121. Risk management should be the catalyst
and conduit for effective discussion of risk
appetite between the Board and the businesses
by translating what may be at times high-level
statements of risk preference into effective risk
measures and limits appropriately tailored to each
business.
122. Risk management must ensure that the RAF is
supported by a suite of risk policies that reinforce
and reflect the risk appetite as articulated. This
includes a clear understanding of the process for
dealing with and reporting transactions that may
be approved outside of policy boundaries as well
as excesses to approved risk appetite.
123.Education and communication are areas in which
it is vital for risk management to participate on
an ongoing basis. It is necessary to effectively
communicate the key elements of the design,
implementation, and maintenance of the risk
appetite framework to all stakeholders internally
and externally. It also is important that the Board
be able to address questions raised by shareholders
and regulators alike as to the appropriateness
of the nature and quantum of the risks being
assumed, both individually and in aggregate, and
how senior management is challenged in this
regard.
Section 5 – Implications for supervisors
125.There are, in this context, two overwhelmingly
important messages from this report:
• A properly functioning RAF is pervasive
throughout an organization. Risk appetite
needs to be intimately bound up with corporate
culture, corporate governance, and strategy and
planning as well as risk. Attempts to introduce
risk appetite as a remote and disembodied or
unconnected aspect of risk management have
tended to fail. Supervisors should therefore
look for evidence of an effective risk appetite
framework being reflected in continuous
dialogue throughout firms rather than viewing
such dialogue as a discrete part of the risk
management framework.
• It takes time, together with a good deal of
trial and error, to introduce an effective risk
appetite framework. This is largely a new and
difficult endeavor for which there are few
templates or roadmaps. While it is right that
supervisors should press firms hard on their
planning, implementation, and progress in this
Against this background, the following issues are
likely to be relevant to supervisors in deciding
how to assess firms’ progress in this difficult area:
126.Establishing a risk appetite framework entails
the Board making a clear statement of its
risk preferences and the putting into place of
mechanisms to ensure that risk taking throughout
the business is consistent with these. But the scope
of an effective RAF will be much broader than
this, and the evaluation of effectiveness needs
go far beyond a focus on the one-way traffic
leading from Board instructions to the setting of a
plethora of narrow limits.
127.Board members, or at least members of the Risk
Committee, should be able to say when the
Board last discussed the risk appetite framework
and be able to explain the broad conclusions
of that discussion, giving informed responses
to supervisors’ questions and challenges. They
should be able to report how and with what
frequency management information (MI) is used
to assure the Board that the framework is being
complied with and also be able to give a frank
account of the strengths and weaknesses of the MI
(risk reporting) and how the balance is, and should
be, struck between granularity and providing
an overview. In addition, they should be able
to explain whether the risk appetite process is a
static one in which risk appetite preferences are
transmitted down to be translated into limits, or
more dynamic, with risk appetite preferences or
signals used as the basis for a dialogue and an
iterative process of planning by the constituent
businesses. Moreover, they should be able to give
a thoughtful account of how the Board and senior
management are seeking to make the process
dynamic and iterative.
41
|
area, the fact that progress is taking time
should not in itself be taken as evidence of a
dilatory approach or lack of commitment. The
important thing is that firms make steady and
tangible progress toward the objective, not that
they effect a complete transformation in an
unrealistically short time.
institute of international finance
124. It is not the job of the Working Group to tell
supervisors how they should approach their
task. Instead, the purpose of this section is to
draw together a number of key messages that
have emerged from our investigation that may
assist supervisors in deciding how they should
address this important but difficult subject. Many
of the messages in this report are consonant
with those in the Senior Supervisors Group
report of December 2010. Our objective here
is to go a step further in suggesting ways in
which many of the difficulties in implementing
a risk appetite framework might be overcome
and to suggest a number of factors that may
be relevant to supervisors in evaluating firms’
progress. Checklists and other “binary” criteria
are unlikely to be useful in making judgments
about whether or not an RAF is being successfully
implemented. The suggestions below should be
seen as the basis for what needs to be an extensive
and open dialogue with Board members, senior
management, and staff.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
42
128.Critically, Board members should also be able
to point to tangible examples of where dialogue
among the Board, risk management, and the
relevant business units has made a significant
difference in strategic areas such as the approval
of particular growth or product initiatives, the
adjustment of revenue targets, or the attitude to
risk, either at the enterprise-wide level or in one or
more specific business units.
129.The operation of an effective RAF should
be visible at multiple levels of a firm and
throughout its business units. Individuals with
any significant decision-making authority at
any level should have—and if questioned be
able to articulate—a good grasp of the firm’s
overall approach to risk and how this links to
their operations and policy constraints and the
limits that apply to them. Even if individual
business units do not have formal risk appetite
frameworks, business unit heads should be able to
explain, and respond to challenges on, how their
local strategies and business plans—and the risk
implications of these—fit with the enterprise-wide
risk appetite framework.
130.The effectiveness or otherwise of the risk appetite
framework will also be apparent from the nature
and quality of the dialogue that takes place
throughout the organization. Risk and risk
appetite considerations should be embedded fully
into decisions about strategy and resources, and
this should be the outcome of discussions based
on a shared understanding of risk posture and
concepts rather than being constrained narrowly
by limits. If questioned, individuals throughout
the business should be able to point to multiple
instances of such dialogue. It should be apparent
from such discussions that risk issues are part of
every day discourse throughout the firm and not
something that are either “added on” or seen as
someone else’s responsibility.
131. As extensively discussed in this report, a fully
effective risk appetite framework is integrally
bound up with a firm’s culture. The stronger the
risk culture in a firm, the more secure individuals
will feel in knowing what is expected of them
and the less reliance that will need to be placed
on constraints and coercion. Experience has
shown that it can be exceptionally difficult for
Boards and supervisors to detect weaknesses in
risk culture in an otherwise performing firm;
in particular, the absence of obvious contraindicators cannot be taken as positive evidence
of a strong culture. That said, in recent years
experienced supervisors in some jurisdictions have
increasingly focused on assessing risk culture
in firms, based, for example, on “tone from the
top,” that is, the consistency of messages from
management, the extent to which bad news
travels upward, and the degree to which rewards
and penalties are predictably consistent with
the Board’s and management’s avowed views
regarding risk. These are all highly relevant to the
establishment and maintenance of an effective
risk culture. Efforts made by firms to develop
and quantify legally robust risk-based norms
and codes of behavior that may be used on a
consistent and transparent basis for rewarding and
penalizing staff may also be significant indicators
of culture in some instances.
132.Even the strongest culture has to be supported
by effective systems and controls. In the early
stages of introducing a risk appetite framework,
it may sometimes be hard to get individuals at
all relevant levels to see or buy in to the benefits
of these. Even where an effective RAF is well
embedded, it requires the support of effective
systems, controls, and limits. Where appropriate,
supervisors may wish to investigate the degree to
which such systems support or substitute for an
effective culture by seeking examples of how this
works in practice and determining whether the
relationship is changing over time.
133. A common problem with all risk appetite
frameworks is that some key risks are inherently
unquantifiable, which in turn, leads to problems
of aggregation. In evaluating the effectiveness of
a risk appetite framework, supervisors may wish
to assess a) the extent to which risks that are not
easily quantified can nevertheless be identified
and assessed; b) how such risks are assessed
within the context of the risk appetite framework,
perhaps involving committee structures or other
means of subjecting them to formal scrutiny; and
c) the means used to arrive at an aggregation of
risks, for risk appetite purposes.
134. Stress and scenario testing plays a critical role
in any effective risk appetite framework. Boards
and management need to assess the implications
of severe but plausible scenarios for risk and risk
appetite. Aside from periods of acute system-wide
stress, there is no consensus in the Industry that
standardized stress tests designed or conducted
by the authorities are beneficial. In a more
normal risk management context, the conduct
|
43
institute of international finance
and strategic response to stress tests are matters
for management, with supervisors having a key
role in pressing Boards and management to fully
face up to their responsibilities to ensure a) that
the stresses and scenarios are carefully chosen
to balance severity and realism; b) that the tests
are rigorously conducted, with the full range of
implications for the business considered; and c)
that the findings are understood and acted upon.
This last consideration is at least as important as
the others; supervisors are encouraged to engage
Boards and management (as appropriate) in a
dialogue regarding what the stress tests showed
and what the strategic response was. If the decision
was to make no adjustments to business strategy,
risk or risk appetite, the Board and management
should be able to account fully for this.
annex I: case studies
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
44
Developing a Risk Appetite Framework at RBC
May 2011
About RBC
Royal Bank of Canada (RY on TSX and NYSE) and its
subsidiaries operate under the master brand name RBC.
We are Canada’s largest bank as measured by assets and
market capitalization, and among the largest banks in
the world, based on market capitalization. We are one
of North America’s leading diversified financial services
companies, and provide personal and commercial
banking, wealth management services, insurance,
corporate and investment banking and transaction
processing services on a global basis. We employ
approximately 79,000 full- and part-time employees
who serve close to 18 million personal, business,
public sector and institutional clients through offices
in Canada, the U.S. and 50 other countries. For more
information, please visit rbc.com.
Initial Planning and Development of RBC’s Risk
Appetite Framework
Work to formalize RBC’s enterprise risk appetite began
in 2006, as part of the annual process to benchmark
and refresh credit risk and market risk limits. An initial
presentation on risk appetite was made to the Risk
Committee of our Board of Directors to gain feedback
on the approach to articulating RBC’s risk appetite, and
confirm areas of priority.
Initial statements of RBC’s risk appetite were
derived from a review of decisions made by senior
management and the Board that yielded explicit
statements about what risks were acceptable, and what
risks we wanted to avoid. We identified to the Board
areas we intended to enhance, as well as a plan to
develop a comprehensive Risk Appetite Framework. The
global financial crisis of 2008 then triggered further
prioritization of risk appetite for financial services
institutions.
The Chief Risk Officer and Group Risk Management
(risk management corporate function) acted as a
catalyst to define and communicate the value of risk
appetite. Our Board of Directors was engaged primarily
through the Board Risk Committee, and this committee
provides feedback and challenges the risk/return tradeoffs implicit within risk appetite. It was understood
that our Risk Appetite Framework would be expanded
and refined over time, and that we were learning as we
progressed through the development process.
RBC’s Risk Appetite Framework was created through
an iterative process. We faced an early challenge to
reach consensus on a single management view of
self-imposed constraints or other specific parameters
to put forward to the Board for feedback and approval.
We gradually gained senior management buy-in, yet
had to remain focused on building senior management
understanding and acceptance of how the Risk Appetite
Framework would apply to the key activities and
decisions they faced within their business segments.
Buy-in to the Risk Appetite Framework also had to
be built within our Group Risk Management function.
We needed to create a forum for the various specialist
groups within Risk to shape the framework, and we
now rely on these teams to communicate and reinforce
the framework.
Central to our framework is the consideration of
business strategy, and the concept that not all losses are
created equally. This pertains to our ongoing intention
to take risks in areas that are central to our key
strategies and businesses, and that losses in those areas,
while not a positive, are expected and understood as a
likely outcome in difficult market and stress scenarios.
Smaller and more peripheral businesses by contrast
should not be a source of significant losses.
Risk Appetite Framework
Risk appetite is now a fundamental part of RBC’s
Enterprise Risk Management Framework, which is our
enterprise-wide program for identifying, measuring,
controlling and reporting of the significant risks faced
We define risk appetite as the amount and type
of risk we are willing to accept in the pursuit of our
business objectives. RBC’s Risk Appetite Framework
provides a structured approach to:
• Regularly measure and evaluate our risk profile
against risk limits and tolerances, ensuring
appropriate action is taken in advance of risk
profile surpassing risk appetite
RBC’s Risk Appetite Framework is composed of four
major components:
• Establish and regularly confirm our risk appetite,
defined by drivers and self-imposed constraints
Regulatory
Constraints
Financial
Drivers &
Self-Imposed
Constraints
Regulatory
Financial
Risk &
Tolerances
Regulatory
Financial
Risk
Profile
Regulatory
The largest circle represents the regulatory constraints RBC faces. RBC’s regulatory
constraints are classified as:
1) Financial – Tend to be quantitative in nature and therefore easier to interpret.
Capital ratios and liquidity metrics are examples of financial regulatory
constraints.
2) Other – Tend to be predominately qualitative in nature and therefore require
judgment in interpreting requirements and assessing compliance. Examples
include maintaining compliance with legislative and regulatory requirements,
and adhering to privacy and information security regulations.
The darker center circle represents RBC’s risk appetite as defined by
1) Drivers – These are business objectives that imply risks RBC must accept to
generate the desired financial return. Examples include revenue growth and
earnings per share.
2) Self-imposed constraints – Quantitative and qualitative statements that
Reputational
restrict the amount of risk RBC is willing to accept. Examples follow
on the next page.
The center circle refers to our risk limits and tolerances that we translate from
risk appetite:
1) Risk limits are quantifiable levels of maximum exposure RBC will accept. They
are established only for risks that are financial and measurable, such as
credit risk and market risk.
2) Risk tolerances are qualitative statements about RBC’s willingness to accept
risks that are not necessarily quantifiable and for those risks where RBC does
Reputational
not have direct control over the risk we accept (such as legal risk and
reputational risk).
We communicate risk limits and tolerances through policies, operating procedures and
limit structures.
The striped oval represents the organization’s risk profile at a given point in time.
Reputational
45
|
• Translate our risk appetite into risk limits and
tolerances that guide businesses in their risk taking
activities
• Define our risk capacity by identifying regulatory
constraints that restrict our ability to accept risk
through which we have chosen to limit or otherwise
influence the amount of risk undertaken
institute of international finance
by the organization. Integral to our Enterprise Risk
Management Framework is our strong risk culture,
which is both a prerequisite to and reinforced by risk
appetite. Used effectively, risk appetite aligns business
strategy, people, processes and infrastructure.
A key element of RBC’s Risk Appetite Framework is
self-imposed constraints and drivers in which we have
chosen to limit or otherwise influence the amount of
risk undertaken. We have seven key categories of selfimposed constraints:
• Maintain a “AA” rating or better
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
46
• Ensure capital adequacy by maintaining capital
ratios in excess of rating agency and regulatory
thresholds
• Maintain low exposure to “stress events”
• Maintain stability of earnings
• Ensure sound management of liquidity and
funding risk
• Maintain a generally acceptable regulatory risk and
compliance control environment
• Maintain a risk profile that is no riskier than that of
our average peer
For each category of self-imposed constraints
we then have a set of quantitative and qualitative
key measures. Our self-imposed constraints and key
measures are regularly reviewed and updated, and
approved by the Risk Committee of our Board of
Directors.
Application of RBC’s Risk Appetite Framework
Beginning in 2008, two pilots were conducted to
determine if the Risk Appetite Framework used to
determine enterprise level self-imposed constraints
could be applied at the business segment level. The
heads of risk with direct responsibility for business
segment risk management facilitated the interpretation
of the enterprise framework to each business segment
context. This led to the development of business level
constraints that aligned to the seven key categories
of enterprise self-imposed constraints. Businesses also
chose to incorporate several key specific constraints to
businesses which they manage.
We have made significant progress building out
comprehensive statements of risk appetite for each
business segment. Risk appetite and risk profile were
applied in this year’s business segment strategy
development process more explicitly than in previous
years. Activities continue to enhance business segment/
unit risk appetite, and communicate risk appetite
concepts to broad employee audiences.
We observe an increasing number of discussions and
proposals framed within the context of risk appetite. We
see our organizational capability improving to ensure
that risk appetite considerations are well incorporated
into growth initiatives and business planning overall.
Group Risk Management will continue to facilitate and
oversee enhancements to business segment risk appetite
and related reporting.
Reporting
Risk profile relative to risk appetite is reported
quarterly to senior management and the Board of
Directors. An Annual Enterprise Risk Presentation
is also made to the full Board of Directors. We have
found that a comprehensive and balanced set of our
most meaningful metrics, connected with external
developments, has yielded effective discussion and
decision making. Reporting has been a key component
in building understanding of the framework and its
application.
Success Factors
An important success factor has been strong support
of our Board of Directors, Chief Executive Officer, and
senior management. Our emphasis on risk appetite as
an enterprise priority has been framed and accepted as
a critical element to advance our strong risk culture.
Repeated iterations with stakeholders were helpful
in gradually building pattern recognition, senior
management buy-in, Board of Directors’ support, and
confirmation of the central components of our Risk
Appetite Framework.
Risk appetite development has been led by our
CRO, with ongoing facilitation by senior executives
in Group Risk Management and engagement with
business segments. We began to build business segment
ownership of business segment–level risk appetite
by integrating risk appetite with business strategy. A
flexible approach was required because one method
would not fit for all businesses and stakeholders.
Our risk frameworks contain straightforward
terminology and can be generally understood by all
stakeholders. We avoid overly technical and complex
discussions about risk with our Board and senior
management, and focus discussion within the context of
real and current issues for our institution. In this vein,
our business segment statements of risk appetite are
quite focused and business driver specific, for example,
concentration risk for certain sectors, acceptable
earnings volatility and levels of capital at risk.
Challenges
It was initially challenging to achieve clarity on
what risk appetite means and how it is used to drive
management decisions. Board and senior management
decisions implied a high level risk appetite; however,
We also needed to demonstrate the value of a risk
appetite framework in some instances, before the
businesses (and not Group Risk Management) would
take ownership and drive the development of business
segment risk appetite. There were some early concerns
that risk appetite and risk profile reporting was one
more mechanism to impose limits or constrain growth
plans.
Lesson Learned and Key Benefits Achieved
By articulating risk appetite at both an enterprise
and business segment level, we have an effective
combination of top-down constraints and business
specific risk drivers. The linkage between the enterprise
level constraints and the actions of businesses to grow
or change risk profile is now fairly clear. Ownership of
issues is also now clearer.
Risk appetite and risk profile are effective
communication tools. Increased transparency and
reporting on these matters has facilitated internal
alignment among business and functional leaders,
and supports effective decision making. Our enterprise
risk profile provides a consolidated view of risk
concentrations and deficits to ensure alignment
between actual risk exposure and target risk exposure.
Risk appetite is increasingly integrated into our
business strategies and planning processes, so that
strategies are developed and approved in the context
of risk appetite. We are embedding into our annual
strategic planning process analysis of how growth
objectives, degree of planned change and “risk
posture” may impact business segment risk profile
and risk appetite. In addition, our annual process
where the Board approves delegation of authorities to
management and the associated limit structures is now
put forward with direct linkage to risk appetite.
Moving Forward
Our enterprise Risk Appetite Framework is updated
at least annually, focused on continued development
of self-imposed constraints. For example, we are
enhancing constraints pertaining to low exposure to
stress events, operational risk and qualitative measures
for non-financial risks. Other areas of focus are to
create more forward looking metrics, and achieve
the right blend of qualitative and quantitative key
measures.
As mentioned, we will continue to enhance
articulations of risk appetite for our business
segments and key lines of business. Compensation risk
management is another practice that we are integrating
into our risk frameworks.
It is also our objective to cascade risk appetite
concepts to broader employee audiences, to create
a general understanding of risk appetite and instill
ownership of risk. Consistent with our industry peers,
we have made significant progress in the area of risk
appetite, and there remains work to be done to achieve
full business engagement and integration into all
relevant management processes.
47
|
It also took time to gain traction building business
segment articulations of risk appetite because it
was not possible for business segment frameworks
to be developed as simple subsets of the enterprise
framework. While there are distinct linkages to the
enterprise framework, some of the most useful aspects
of the business level frameworks are often quite specific
to the business segment or business line.
Our Risk Appetite Framework and risk profile have also
been very helpful in conversations with our Board,
regulators and rating agencies.
institute of international finance
it was initially challenging to gain consensus and
concisely articulate risk appetite for the enterprise.
Iterative discussions on the framework and ongoing
reporting of risk profile helped improve our definition
of risk appetite, and build understanding and
acceptance with senior management and the Board.
Risk Appetite within National Australia Bank: An ongoing journey
Overview—where we are on the journey
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
48
The setting of risk appetite within National Australia
Bank currently manifests itself in two key ways. Firstly,
the framework by which we determine our risk posture
is strongly aligned to, and informs, the planning
process. Secondly, the statement of risk appetite (the
Risk Appetite Statement (RAS)) and its three elements
(“posture,” “budget” and “settings,” described below)
sets out our capacity for taking on risk and the settings
associated therewith.
Our current capability, in terms of risk appetite,
reflects an ongoing journey over a number of years and
will continue to evolve as our thinking develops. As
with most large organisations, the pace of change is a
function of the ability of the organisation to absorb that
change. As such, our strategy for improving the risk
appetite has been measured, rather than dramatic, so
as to ensure understanding, acceptance and use as we
progress. This has allowed us to approach the task with
a longer term vision, introduce change progressively,
reflect on the responses and then refine our thinking.
The risk appetite framework (RAF) is grounded in:
• strong engagement between key stakeholders,
including Board and Executive, in setting the
planning envelope for the business; and
• an interactive process over the planning period that
sees agreement on the risk reward tradeoffs that are
required for the plan.
The framework results in a statement on risk
appetite, the RAS, which encompasses:
• a “risk posture” that seeks to qualitatively describe
our capacity and willingness to take risk at
any point considering the internal and external
circumstances and a forward view;
• a “risk budget” expressed as an economic capital
limit within which the Group must operate; and
• “risk settings” that express key operational limits.
Through a combination of a framework strongly
integrated into the plan, and the production of a RAS as
the embodiment of risk appetite, we seek to effectively
communicate this appetite throughout the organisation.
Modest beginnings
The development of our RAS and associated framework
has been, and continues to be, iterative. As described
below we are currently up to the 3rd generation RAS.
Our current capability owes much to the learnings,
insights and persistence of those tasked with earlier
efforts.
We have been preparing RASs for a number of years
and well before it was becoming an explicit regulatory
expectation. The RAS was created under the leadership
of the Board Risk Committee and the sponsorship of
the CFO and CRO. Whilst rigorous and well-grounded
in principles of corporate finance, the emphasis was on
quantitative risk and capital metrics and not enough on
qualitative discussion or actual risk settings, limits and
policies. For this reason the RAS remained a centrally
managed document with little visibility or traction
beyond the Board and Group Executive.
Our “second-generation” RASs set out to respond to
these identified gaps by incorporating clear, explicit and
detailed risk settings, limits and triggers. The drawback
of these RASs was that whilst there was a lot of detail
around risk settings, it became inaccessible to readers
given its complexity. More important, the Board and
the executive felt that the detail made it hard to “see
the wood for the trees” and were of the view that links
between the RAS and overall business strategy were
unclear.
This issue of the lack of strategic relevance for
the RAS was compounded by the absence of a fully
integrated role for the Risk function itself within
the planning process. Whilst Risk had a clear role in
matters such as the validation of forecasts on loan
loss provisioning or expectations about the movement
in asset quality, it had a minimal part in framing the
initial risk envelope in which the business strategies
and financial plans were to fit.
Why was this the case? Apart from the wellaccepted view that Finance “ran the planning process,”
Risk lacked both a platform to effectively communicate
its views and a framework to meaningfully participate
in the planning process. In particular, Risk was not
successful in identifying a language that readily
conveyed its position and views. Unlike Finance,
whose language is encapsulated in metrics that are
well understood, the language of risk is somewhat
opaque and not broadly identified with by those tasked
to develop and execute strategy and plan—that is, the
businesses. Finding ways for Risk to communicate and
engage in planning was thus critical to the development
of risk appetite.
By 2009, we found ourselves at a crossroads. Thinking
around risk appetite was relatively basic and the RAS
was seen by many as having limited relevance or
influence.
Despite our best efforts it focused primarily on
economic capital (a measure not widely understood in
the business), was prepared after the annual planning
and strategy process was complete (hence merely
reflecting what was to be done) and was widely seen
as uninformative in terms of strategic and business
decisioning (and hence of little strategic use).
The Group CRO and the Board Risk Committee
continued to push for further improvements in the
thinking behind, and delivery of, the RAS, highlighting
areas that could be improved to assist the Group in its
understanding and application around risk appetite. At
this stage, responsibility for the RAS changed hands yet
again, and was given to a designated owner within Risk.
We created a new position—Head of Risk Appetite, who
reported through the General Manager Credit Strategy to
the Group Chief Credit Officer. A dedicated risk appetite
function was an important step in the journey, taken to
lift the relevance and influence of risk appetite concepts
and methodology in the Group. For the first time, it had
an owner whose principal role was to not only prepare
the RAS but to develop our thinking around how best to
embed risk appetite into the business.
Given this structural change, the risk
appetite team embarked on developing the
“third-generation” RAS by starting with
a clean slate and spending time thinking
more explicitly about what we were
looking to achieve.
After defining this “risk posture,” it became easier
to debate where we should be, or wanted to be, in
terms of a risk stance. This debate could be had at both
the Group level and at each business unit recognising
differing market positions, strategic capability and
priority and external conditions which vary markedly
across our Group. It provided a framework for the
Executive to do this in a manner that was more
readily understood without reversion to the traditional
language of risk (limits, metrics, etc.). As such, it
elevated the richness of the discussion and gave new
impetus to the role and purpose of risk appetite. By
forcing this discussion around the appropriate posture,
given both the subsisting circumstances and our
capabilities and constraints, the linkage to the plan
was more easily understood. It also ensured that once
a particular posture was agreed upon, risk appetite and
settings could be more explicitly linked to the strategy.
For 2009 the initiative around risk posture was
“after the event” as the plans were by then already
substantially completed. Since then, we have sought to
set the risk posture (and associated guidelines) ahead
of the planning process so as to provide the businesses
with appropriate direction.
Importantly, we seek to describe the risk posture for
each line of business and bring these together to reflect
the overall Group position. Debate around posture occurs
conservative
neutral
business unit 1
The challenge was to give life and
meaning to risk appetite so that there was
one agreed [upon] view that was used and
understood throughout the Group.
The major breakthrough was the
decision to describe the “risk posture” for
the Group, and separately each business
unit, in terms of three broad settings
linked to directional benchmarks. These
settings were qualitative, and conveyed
how the Group would position itself over
the plan period, having regard to the
expansionary
business
unit 2
BB
bus
CYB
unit 3
key
sgA
Group:
$x bn
equity
past postures
current posture
49
|
Our first steps—dedicated resources and
defining “risk posture” qualitatively
internal and external environment. It effectively sought
to provide direction on whether we were prepared to
take more or less risk. By describing this posture, both
in language and visual form, we provided an anchor
point from which to develop the Risk engagement with
the business units about the respective risk appetite.
institute of international finance
On top of all this, responsibility for preparing the
RAS frequently changed hands between teams in either
Risk or Finance, which made it difficult to establish a
long-term vision or change agenda for risk appetite.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
50
both when we start planning (to signal direction) and
when planning is finalised (to assess whether plans
reflect the agreed upon posture). This debate occurs
between all stakeholders, including the Board, and can
best be described as interactive and iterative. There are a
number of stage gates during the planning process where
we revisit the posture assumptions and positioning. More
formally, we submit three RASs a year to the Board, each
showing changes in the posture relative to prior periods
(for both the businesses and the Group).
As we evolve our thinking on posture, we see
opportunity to further enhance and enrich the
discussion. To this end we are trialling whether the
description of a risk posture statement for key risks
(e.g., credit, operational, market, reputation, etc.) and
for major business activities would enhance messaging.
A direct benefit in developing this thinking is that it
forces broader engagement with all stakeholders and
raises awareness around risk appetite.
Along the path—completing the picture
Whilst describing a risk posture was a catalyst for
increased debate at Executive and Board level, and
one that has seen the quality of discussion around
risk appetite increase throughout the Group, other
developments have also been important.
A key development has been increased engagement
by Risk with the Strategy and Finance teams in
the development of the strategic, financial and risk
parameters established for the planning process.
This has allowed us to more effectively integrate risk
appetite into the planning process, as businesses see the
three key Group functional stakeholders (in risk, finance
and strategy) more closely aligned and linked in their
messaging around the drivers of financial outcomes.
From a Board perspective, increased engagement
between the Group functions has provided comfort that
the strategies and business plans more effectively reflect
a risk lens.
This has also allowed for more effective review
and challenge throughout the planning process (over
some 6–8 months) in order that plan outcomes reflect
not only the financial expectations but also the risk
appetite. Where they are outside this, adjustments to
either the plan or the risk appetite are made.
This integration and the role of the RAF in the
planning cycle are shown below in Exhibit 1.
As discussed above, the concept of a risk posture
has allowed Risk to more effectively communicate with
strategy and finance. We have also developed the concept
of “key risk themes” within the RAS, which are the
most important risks (or “categories” of risk) facing the
Group at any time. They complement thinking around
Group strategies, form a basis for identifying the most
relevant points of vulnerability in the plan and provide a
framework for thinking about risk mitigation. In addition,
because they are described in common language rather
than technical terms, they provide a more broadly
understood link for those outside the Risk community.
Having established the role of “risk posture” (a
qualitative risk setting description) in risk appetite we
have also sought to enhance our thinking around the
more quantitative aspects of the RAS, in particular:
• setting a “risk budget” in terms of economic
capital; and
• describing operational “risk settings” to further
enhance the communication with bankers.
The “risk budget” is described in economic capital
terms and sets our maximum risk taking capacity.
Reflecting the posture, it establishes a limit in advance
on the use of our available risk capital to support
business activity. Allocated to the businesses by risk
class (e.g., credit, market, operational
risk, etc.), it provides a quantitative
Exhibit 1: Risk appetite in the planning cycle
boundary for planned activity. Actual
use of economic capital is then measured
Risk Appetite
against these limits. This approach has
• Economic capital
• Posture
served as a trigger to review increased
• Limits
• Scenarios & stress tests
business activity in certain areas where
The
• Trade -offs
development of
economic capital limits were likely to
RiskRisk
Appetite,
Financial Plan
Appetite,
andFinancial
StrategyPlan
are integrally
be insufficient to support the proposed
connected
and Strategy is
Financial
activity.
iterative
Group
Strategy
plan
All three communicate risk /
planning • P&L
• Target markets /
reward ‘trade-offs’ to be
In the past, economic capital would
segment
• Action plans
• Trade -offs
• Balance sheet
• Capital & funding
• Trade -offs
made, though with different
language
not have acted as such a constraint as it
had always been an outcome of the plans
(i.e., the agreed upon plan used “this”
amount of economic capital) and as such
was not seen as a limit on activity or as a
trigger point for a decision.
Whilst the framework for the RAS and risk appetite
was evolving, we were conscious that communication
through to bankers remained a challenge. The language
of the RAS is targeted at the Board, Executive and
Senior Management. Beyond this, the language is less
appropriate for day-to-day activity. Notwithstanding, it
is clear that effective communication to bankers needs
to occur in some form if the RAS is to fulfil its role of
“Board to Banker” understanding of risk appetite.
To this end we have sought to engage businesses
in preparing their own “risk-setting statements”
(RSSs) that can be more granular and effective in
communicating messages to all levels of the business.
Whilst these clearly need to align to the RAS, they
provide more latitude to effectively communicate to a
broader audience. Although some progress has been
made, this remains a work in progress.
The developments described above have been
interactive with enhancements to both the RAS and the
framework occurring as we progressed. In the course of
our journey, the absence of an “off the shelf” solution
has meant we have spent significant time discussing
what works and what doesn’t. Our approach has always
been to demonstrate ongoing steady improvement
rather than coming up with the “complete solution.”
Given the uniqueness of the issue, the multifaceted
nature of the challenge and the relative interest and
needs of stakeholders, we have concluded that this
is not achievable. Rather, ongoing development and
refinement will lead to better outcomes.
Against this backdrop, there are lessons we have
learnt along the way that have shaped, and continue to
shape, our thinking.
The things that have led to significant improvement
for us include:
• fostering leadership of the debate on risk appetite
from the CEO, the CRO and the Board Risk
Committee;
• fostering a receptive internal environment. The
organisation has worked hard on its culture over
time and has a strong emphasis on teamwork,
Exhibit 2: From risk posture to risk budget and actual risk settings
Risk settings
Existing
franchise
Outlook
Customer
needs
Controls
•
•
Potential
rewards
Confidence in
capabilities
•
Models
Trading
limits
Op. loss
tolerance
•
•
•
Risk
posture
Hurdles
(e.g. x-sell,
return, LVR,
etc.)
Policies
Audits
Limits
Risk
budget
•
•
•
•
Expectations
for return
Industry
Country
Market
IRRBB
•
•
•
•
Equity
Product
Liquidity
etc.
Processes / procedures
•
•
Risk-taking
capacity
Regulatory
constraints
Legacy
assets /
liabilities
Making
decisions
Product
exposure
monitoring
•
•
Customer
onboarding
Training
Messaging
Not all risk settings are in the RAS–but all are consistent with it
51
|
This approach to the RAF is shown below.
Lessons learned—successes and challenges
along the way
institute of international finance
Having set a “risk posture” (qualitative) and a
“risk budget” (quantitative), we then establish “risk
settings” to further provide guidance as to the risk
tolerances within which the Group should operate.
These risk settings are represented by limits, policies
and procedures and other setting statements and are
more operational in nature. They are at different levels
of granularity depending on the messaging required.
collaboration and enterprise thinking. This,
alongside the wake-up call issued to all parties
associated with the financial services sector (arising
from the global financial crisis and its aftermath),
has enabled more sophisticated and planned
discussions and analysis on the forward outlook for
risk and the environment and our response through
posture, appetite and strategy;
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
52
• identifying a single, dedicated team with
accountability for the RAS and the broader
framework has allowed us to attain consistency in
approach and provide the impetus for innovation;
• separating discussion of risk appetite into three
parts, each of which are linked but serve a different
purpose: risk posture, risk budget and risk settings;
• integrating the risk appetite and RAS with the
strategic and financial planning process;
• increasing the dialogue with the business units
around their view of risk posture;
• delivering three RASs to the Board with the cycle
and content linked to the planning process. This
has allowed for more regular Board discussion on
risk appetite and has reinforced the link between
risk appetite and the business strategies and plans.
The Board now sees more careful consideration of
the implications of proposed actions and activities
on the Group risk profile and its relation to the
Group Risk Appetite and evidence of risk appetite
thinking in its discussions with management;
• supplementing the RAS and associated discussion
with risk workshops and targeted risk papers
for the Board, has assisted the Board in linking
risk appetite to the business activities and the
portfolios;
• engaging with our Regulator;
• identifying key stakeholders in the business to
champion risk appetite discussion; and
• maintaining the ongoing commitment of key
stakeholders such as the Board and senior
executive.
Most important, we can already say that in the past
few years the outcome of a number of material strategic
decisions taken by the Group were significantly
influenced by the framework described above.
As there are diverse views around the approach to
risk appetite (and the RAS) our journey has not been
without challenges. Some of the more significant
challenges have been:
• balancing the desire for quantitative or prescriptive
criteria to define risk posture with the flexibility
and generality that qualitative, “principlesbased” definitions provide. We have responded by
developing a number of quantitative metrics which
are “indicative” of risk posture whilst avoiding the
trap of attempting to define it formulaically.
• choosing the appropriate metric for each
application. For example, economic capital is the
metric for risk “budgeting” across the Group, but
other metrics are more useful for other applications,
such as exposure limits, trading desk limits,
industry or country credit exposure limits, etc. Our
response has been not to promote a single allencompassing risk metric but rather to identify the
most appropriate risk metrics for each purpose.
• whilst used as the measure of risk budget, the use
of economic capital still remains a challenge. We
continue to use it given its historic link to past
RASs, ICAAP and the fact that most measured risks
can be quantified in economic capital terms (albeit
there is always debate as to the voracity of the
number). Notwithstanding this, most stakeholders
still have little engagement with economic capital
as a meaningful metric to measure risk performance
against. The proper place and purpose of economic
capital as a useful tool in the RAF continues to be a
focus.
• never allowing the sole use of “risk adjusted”
metrics (like economic capital, RWAs and VaR) to
lead us to lose sight of the underlying nominal
exposure behind each risk. Banks lose dollars, not
economic capital—and the same can be said of
shareholder dividend payments—so we always seek
to ensure visibility of unadjusted exposures when
discussing any risk.
• integrating meaningful stress testing into the risk
appetite and planning framework, including setting
limits more systematically and drawing insights
from the results, which is a task that is still a work
in progress; and
• balancing coverage of credit risk (our largest
single risk type), with other material risks (such as
operational or reputation risk), which are less easily
quantified or described. As with stress testing, this
is still a work in progress.
Where we go from here—further increasing the
value of the Risk Appetite Framework
The journey never ends. Whilst we have made progress,
we are of the view that further enhancements can
be, and will be, made to our RAF to increase its
effectiveness within the Group. In recent discussions
with stakeholders, including Board members, a range of
• continuing to complement the use of economic
capital with consideration of other key measures
such as regulatory capital and simple, unadjusted
exposure;
• enhancing how the risk appetite shapes portfolios
from a top-down perspective, with analysis on
why such decisions would be taken—e.g., matching
external risks with portfolio shape and defining
“where we want to be” from a risk portfolio
perspective, not just our limits, budget and
tolerances;
• further linking the “return-on-risk” (as opposed to
return-on-capital) with the risk appetite;
• using the RAS to further enhance transparency
around trade-offs in respect to choices between
strategic priorities, investments and risk levels we
are prepared to accept;
• continuing to develop the framework for defining
“risk-setting statements” (RSSs) within the
businesses; and
• explicitly linking changes in external environment
to changes in risk appetite.
Conclusion—reflecting on the journey
The key for National Australia Bank in advancing the
RAF has been:
• identifying dedicated resources for accountability;
• developing a standardised risk language around
posture, appetite, settings;
• fully engaging Risk as key participant in the
planning process;
• continuing to develop thinking around the RAF by
engaging with the key stakeholders; and
• seeking ways to broaden the view and
understanding of risk appetite so others feel more
engaged in its development.
The benefits from the advancement of our RAF
and the alignment on issues of strategy, finance and
risk have elevated the quality of debate around risk
profile and the linkages with the current and targeted
risk profile. Our approach has been to develop our
risk appetite framework in a manner which meets our
organisational needs, reflecting our experiences and
our level of maturity. We have taken an evolutionary
approach to ensure we bring the organisation along at
a pace that will more deeply embed the RAF into our
organisational culture and processes. We know that if
we pushed the pace of change too rapidly, and without
the appropriate engagement and consultation with the
business units, our efforts would not be as successful.
We know this because we hear and observe many
more discussions and debates around risk appetite
today than in the past. Our internal culture has aided
the development of the Risk Appetite framework and
at the same time, the Risk Appetite framework assists
in continuing to define, describe and shape our risk
culture. The challenge is to remain vigilant to ensure
that we continue to learn and adapt our thinking
reflecting where we are at and where we want to be.
We cannot be complacent.
53
|
• further progressing the discussion around stress
testing, scenarios and responses and incorporating
this more robustly into the planning process;
• aligning Risk with Strategy and Finance;
institute of international finance
issues have been identified that would further enhance
the impact of the RAS and associated framework
including:
Scotiabank—A Canadian Experience in Setting Risk Appetite
May 2011
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
54
The year 2008 marked a strategic inflection point
for the world’s view on “risk.” The financial crisis
compelled the Risk Management discipline in global
financial institutions to re-assess every method and
assumption embedded in their processes. Three years
later, we can all reflect on how financial institutions
have evolved their risk frameworks, including,
to various degrees, a deliberate, robust and clear
expression of “risk appetite.”
large extent, siloed by risk type. The inter-connectedness
of risks was only beginning to be aggregated. And
various dimensions of financial performance and
strength were not consistently being viewed through a
risk lens. Risk managers across the industry began giving
more consideration to defining risk appetite as a guide
for decision-making—to frame how much risk their firms
were willing to take on in the context of executing their
business strategies and in the drive for value.
This case study captures the challenges and lessons
in the design and implementation of a Risk Appetite
Framework at Scotiabank (the Bank). Today Scotiabank
considers implementation of their Risk Appetite
Framework to have been successful. For perspective,
however, Scotiabank was not starting at the beginning.
It already had a risk appetite position embedded in its
strong risk culture that had served it well through the
financial crisis. Nonetheless, Scotiabank recognized the
potential value of a more clearly defined, comprehensive
Risk Appetite Framework based on governing financial
objectives, risk principles and risk appetite measures.
Scotiabank integrated these key dimensions into an
enterprise-wide framework, strengthening its overall
approach to governing risk-taking activities. The Risk
Appetite Framework was approved by the Bank’s Board
of Directors in early 2010. The journey of evolving that
Framework continues.
At the time, Scotiabank participated in a Canadian
benchmarking survey, conducted by Deloitte, as one
input to defining appropriate practices. The study
confirmed that risk appetite was an active area of
focus for the banks and that formalization would take
the form of a Board-approved framework with ties to
capital management and other management activities.
Enterprise Risk
In 2006 the Bank created an Enterprise Risk function
with a mandate of linking capital capacity, revenue
and risk-taking across the various risk types (e.g.,
credit, market, liquidity, operational risk, etc.). The
first priority of the new team was the development of
appropriate and actionable risk metrics. From there, a
comprehensive information package was developed for
regular reporting to senior management and the Board
on all risks spanning the entire Bank against key Boardapproved risk limits, globally, creating a clear picture of
the Bank’s risk exposures. Additional priorities included
further development of the Bank’s credit risk strategy.
With these developments, the Board was more informed
and could become more engaged. Together, these risk
limits, and various risk reporting aspects, helped senior
management articulate to the Board the amount of risk
being taken at the institution.
By 2008 it was evident that a broader strategy was
required. Risk Management at the Bank was still, to a
There is general industry consensus on the meaning
of “risk appetite” and the importance of distinguishing
it from risk capacity. The broadly held view is that
risk appetite is an expression of the desire to take
risk and, implicitly, a statement of how returns will be
earned against that risk. It is, in effect, a key part of the
contract between senior management and the Board …
and the shareholders they represent. Risk appetite is
clearly distinct from risk capacity, which is the ability
of the firm to withstand risk events. However, that
seems to be where the industry consensus ends. To date
there is no common approach beyond definitions and
key elements of a framework at the corporate level.
Setting Context
The Bank’s most senior executives were actively
engaged in industry discussions relating to risk,
implications of the global crisis and the subsequent
way forward for the industry. Senior executives became
involved in IIF benchmarking efforts, supported by a
broad cross-section of management.
The Enterprise Risk mandate was expanding in
several ways. In addition to becoming central support
for the IIF benchmarking analysis, the team began
integrating risk measures from across the firm. They
started to serve as a clearinghouse for all types of risk
information, and as a risk communications channel
for senior management and the Board. Without a more
defined Risk Appetite Framework, however, the risk
reporting lacked context. So the team conducted an
internal assessment of what was in place and confirmed
the following:
• Existing limit structures were, in effect, a network
of contracts already in place between Risk
Management, the Business Lines and the Board on
what risks could be taken, or not; and
• Business lines clearly owned risk, complemented
by highly centralized decision-making on risk
policy setting and significant transactions through
executive committees.
However,
• The existing limit structure was complex and not
codified in any way that made it straightforward to
combine and report the total risk taking activities
to the Board; and
• There was no explicit statement of the objectives
and principles that governed the Bank’s decisions
for risk-taking.
Most experts on “risk appetite” acknowledge that
the development of a framework should engage senior
management in the Risk Management function and in the
Business Lines, as well as the Board. However, the biggest
obstacle to developing the framework and implementing
it can be the lack of consensus on what risks are
appropriate for the firm and the extent of controls
needed to mitigate the risks. So, when there is broad
appreciation of an established risk culture along with
specific risk-based contracts already in place between the
stakeholders, the task of designing and implementing a
risk appetite framework is already well advanced.
Diving In
Development of the next iteration of the Framework
focused on a few key areas:
• The context of the Bank’s governing financial
objectives and strategic principles;
• Articulation of Risk Management principles
(qualitative attributes) that would guide the Bank’s
overall approach in risk-based activities;
• Bringing into focus a limited number of risk
measures that were considered essential objective
expressions of the Bank’s risk profile, along with
corresponding target ranges; and
• Establishment of monitoring and reporting
structures.
Development of the Risk Appetite Framework was
driven by Risk Management in collaboration with a
broad range of stakeholders. Finance was a pivotal
partner in the work as they had overall management of
the Bank’s Balanced Scorecard (more recently moved to
the Strategic Planning Office). As well, Global Human
Resources ensured that employee incentives are linked
to performance, and that risk performance is taken
into consideration. Engagement of senior management
in the Business Lines was a key part of the review
and approval process. The Bank’s Asset & Liability
Committee served as the forum for review prior to
presentation to the Executive Management Committee,
and ultimately the Board.
The approach could be relatively expedient based on
a few factors:
• The well-established risk culture;
• The independence of the Risk Management
oversight function; and
• The specific limits to be brought into the
Framework could be largely to be drawn from the
network of existing controls.
The Framework that emerged from the discussions
had two sides: a qualitative, principles-based
component, and specific risk measures in key risk
disciplines. More specifically, the structure was
underpinned by sound risk governance, followed by
55
|
The first iteration of the Risk Appetite Framework
involved selection of existing quantitative metrics
(covering Board-approved risk limits, performance
targets and capital targets) as key indicators of the
Bank’s risk appetite and actual risk profile. The
indicators were consolidated and incorporated into
the Capital Management Policy. By the end of 2008,
however, it was evident that a more complete policy
was needed.
institute of international finance
• The Bank already had an implicit risk appetite
embedded in its strong risk management culture. At
Scotiabank, the risk culture is anchored in a long
history of who we are as a lender, from our early
days of financing North American Eastern Seaboard
trade to the launch of our first personal loans in
1958, and continuing today with market leading
financing programs around the world. Our deep
experience in lending has embedded a focus on
capital preservation that spans the full spectrum of
risk … making risk management a strategic priority
shared by all employees. Today, a key aspect of
this culture is to be well-diversified across business
lines, countries, products and industries. Another
key element of the culture is the relatively long
tenure of employees. For example, of Canadianbased managers—people in decision-making
roles—over one-third have been with the Bank more
than 20 years. And the Executive Management
Committee’s tenure is even longer. Based on that
deep experience, senior management has a strong
sense for what would be “offside” relative to the
cultural norms established over almost one hundred
and eighty years;
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
56
the Risk Appetite Framework itself. The use of risk
management techniques was considered to be another
key component, including the strategies, policies, limits,
processes, measurement and monitoring tools which
Risk Management implements. These risk management
techniques are deployed across the spectrum of risk
disciplines covering credit, market, liquidity, operational
and reputational risk. Finally, the entire structure is
underpinned by the Bank’s strong risk culture.
Operationalizing the Framework
With the Framework generally agreed upon, the risk
measures were operationalized through quarterly
monitoring, including comprehensive Board reporting.
This practice helped to consolidate risk reporting and
to bring into focus the Bank’s performance on the risk
contract between management and the Board.
Functionally, the Bank implemented the principles
component of the Framework by referencing the
Framework in policies such as the Capital Management
Policy and by communicating the risk appetite
principles to the Board, Executive, Senior Management
and shareholders via the “Management’s Discussion &
Analysis” section of the Annual Report.
Through established policy groups, the Framework
was cascaded to major international subsidiaries.
The Framework was initially socialized externally
with local regulators and at a “College of Supervisors”
and was included in presentations with rating agencies.
By 2010, formalized processes were being put
into place for ongoing internal discussion. Annually,
the Framework is now shared with the senior
team responsible for Bank-wide strategic planning
development—the Strategy Working Group—which is
made up of Senior Vice Presidents and CFOs for the
Business Lines and Corporate Functions.
As well, the Framework has become a lens
for reviewing the strategic plans of each
Business Line in the Executive Management
Committee’s annual strategic planning
process.
Evidence of Change
The value of formalizing the Risk Appetite
Framework is best illustrated by the
change in Scotiabank’s Annual Report to
shareholders. Prior to 2008, there had been
no discussion of risk appetite. By 2010,
the Annual Report contained several pages
directly connected to the new Risk Appetite
Framework, captured here:
In discussing Scotiabank’s overarching Risk
Management Framework, the Bank is now more able
to enunciate the relationship of risk governance,
risk appetite and risk management techniques and
the foundation of these in the Bank’s strong risk
management culture.
2010 Annual Report
The Report notes that the Risk Appetite Framework
consists of four components and elaborates on each:
1.
Risk Management Principles provide the
qualitative foundation of the Risk Appetite
Framework. These include:
• promotion of a robust risk culture,
• accountability for risk by the Business Lines,
• independent central risk oversight,
• avoidance of excessive concentrations, and
• ensuring that risks are clearly understood,
measurable and manageable.
2.Strategic Principles provide qualitative
benchmarks to guide the Bank in its pursuit of
the Governing Financial Objectives, and to gauge
broad alignment between new initiatives and the
Bank’s risk appetite. Strategic principles include:
• placing emphasis on the diversity, quality and
stability of earnings;
• focusing on core businesses by leveraging
competitive advantages; and
• making disciplined and selective strategic
investments.
3.Governing Financial Objectives focus on longterm shareholder value. These objectives include
Risk
Governance
Risk Appetite
Governing Financial
Objectives
Strategic Principles
Risk Management Principles
Risk Appetite Measures
Risk Management Techniques
Strategies Policies & Limits
Guidelines Processes & Standards
Measuring Monitoring & Reporting
Risks
Credit Market Liquidity Operational Reputational Environmental
Strong Risk Culture
Risk Appetite
Framework
Governing Financial
Objectives
Risk Appetite
Measures
sustainable earnings growth, maintenance of
adequate capital in relation to the Bank’s risk
profile and availability of financial resources to
meet financial obligations on a timely basis at
reasonable prices.
4.
Risk Appetite Measures provide objective metrics
that gauge risk and articulate the Bank’s risk
appetite. They provide a link between actual
risk-taking activities and the risk management
principles, strategic principles and governing
financial objectives. These measures include
capital and earnings ratios, market and liquidity
risk limits and credit and operational risk targets.
Strategies, Policies
& Limits
Guidelines, Processes
& Standards
Risk Management
Techniques
Measurement,
Monitoring
& Reporting
•
Risk management techniques are regularly reviewed and
updated to ensure consistency with risk-taking activities, and
relevance to the business and financial strategies of the Bank
Key Benefits, Challenges and Future
Considerations
The Framework is envisioned as a living document
that will undergo periodic review and update. The
Bank considers it to be an evolving guideline that will
continue to be disseminated internally and which will
The biggest benefits of defining the Risk Appetite
Framework for Scotiabank have been that it provides
greater transparency of the key objectives, principles
and measures defining the Bank’s appetite for risk
in the pursuit of value, and it has enabled greater
awareness and more effective communication with
internal risk decision-makers and external stakeholders.
This “case” captures how the development of a
strong and functioning Risk Appetite Framework can
be accomplished in the setting of a strong, existing risk
culture where there is a deep network of established
controls, limits and risk oversight structure. The
development of the Framework was the straightforward
part. Work continues on key challenges around
implementation and further alignment.
The key challenge continues to be a combination of
1) awareness and application of the Framework within
the Business Lines, and 2) finding the right balance
between broad principles and granular guidance for
day-to-day decision-making with line management
throughout the Bank.
In terms of awareness, the program was launched
with “road shows,” but more communication work
needs to be done to evolve from reliance on the culture
and norms, to embedding the Framework as the more
clearly defined and rigorous context for decisionmaking.
As for “the right balance,” there still needs to be
linkage between the high-level principles and metrics
as expressions of risk appetite at the top of the Bank
and the risk indicators and limits deployed at a
business unit level. While some measures of credit and
market risk have been allocated to businesses, others,
including most measures for operational risk are not
easily aggregated, nor divided. As such, the Bank (and
the industry) continues to work at an effective way to
link certain “top of the house” measures with business
specific risk performance measures.
Additional work also remains to further integrate the
Risk Appetite Framework with other risk policies and
the enterprise-wide stress testing program.
Ultimately, Scotiabank’s test of an effective Risk
Appetite Framework is that it fits the organization;
the Board understands it; management is having good
discussions reflecting both qualitative and quantitative
measures; decisions are made and action is taken; and
sustainable long-term earnings growth is achieved.
57
|
Strategic Principles
institute of international finance
Risk Management
Principles
find expression in additional policies, strategies and risk
management practices in the future.
Risk appetite framework development at the Commonwealth
Bank of Australia
Background
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
58
Within the Commonwealth Bank of Australia (CBA)
Group, risk appetite had always been part of the risk
vocabulary. However, historically there has been little
documentation of a formal framework. During the
mid-2000s some attempts had been made to define
the framework but it was not until the appointment
of the new Group Chief Risk Officer in 2008 and the
actions of an energetic Board Risk Committee chairman
that the need for a formal, Board-owned risk appetite
foundation gathered real traction. Consequently, a
project to develop a risk appetite framework was
launched at the start of 2009 and this case study covers
the various stages of its development to date.
What do we mean by risk appetite?
The first challenge was to understand what was meant
by risk appetite. Internal discussions revealed many
different interpretations of what was meant by risk
appetite. Furthermore, publicly available disclosures
from banks and financial institutions around the world
also appeared to use the term in different ways. Annual
Reports often referred to “acting in accordance with risk
appetite,” but nowhere was the risk appetite defined.
We felt that part of the reason for the lack of
traction in previous attempts to establish a risk appetite
framework was the lack of a common definition of
“in what terms” risk appetite was defined. A clear
conceptual definition was therefore required.
This led us to define risk appetite as: “The types
and degree of risk the Group is willing to accept for its
shareholders in its strategic, tactical and transactional
business actions.” That is, appetite was expressed as a
boundary on risk taking activities that defines where
we do not want to be, rather than where we want to be.
We liken it to the outer boundary markings on a sports
field—we don’t mind where you play as long as you
don’t go outside of this boundary.
This contrasts with the amount of risk you are
able to take (a capacity for risk taking), the amount of
risk you wish to take (a target for risk taking) and, of
course, the actual risk profile (the amount of risk you
are actually taking). All these alternative expressions
add characterisation to our risk taking capabilities and
exposures.
If the role of risk management is thought of in terms
of both protecting the organisation from unwanted
outcomes and advising the organisation on how to
optimise its risk/return outcomes, then risk appetite is
supporting the protection role of risk management; the
optimisation of risk and return is part of the advisory
role of risk management and is addressed by assisting
business set their target risk profile.
Monitoring risk levels then becomes one of
monitoring the actual risk profile against target levels
that have been set to optimise risk-adjusted returns
within the risk appetite boundary. This is illustrated in
Figure 1.
The Group actively uses these types of “spider”
diagrams in its business unit and Board dashboards to
good effect.
With a clear concept established, we could turn
attention to the terms in which we should express the
risk appetite boundary and, just as important, how we
could establish the Board’s views on this.
Board and management engagement
The Group’s risk appetite needs to be owned by
the Board. We were aware that getting effective
engagement and ownership of the Board depended on
us taking the Board along the development road with
us rather than either presenting a document for them
to rubber stamp or other actions that lowered Board
member personal investment in the outcome.
Our approach was to have a series of structured
conversations over a period of months with the Board.
The first of these was conducted as an interactive
voting session to gather anonymous views from all
Board members on a number of key questions regarding
outcomes for the Group that they would be least willing
to accept. This involved selecting various absolute
Risk Appetite Concept
Figure 1: The Risk Appetite ConceptininCBA
CBA
Dimension 1
Spare Risk
Capacity
Dimension 5
Risks actively
sought
Dimension 2
Incr
easi
Actual Risk
Profile
Dimension 4
ng R
isk
BOUNDARY
(APPETITE)
Target Risk Profile
(Strategy)
Dimension 3
© CBA Group
Armed with this base input we were able to translate
the Board’s views into what we believed was the risk
appetite that they had expressed. This was written up
and presented back to the Board as a draft Risk Appetite
Statement for their further discussion and refinement
over a series of further Board meetings. In the latter
stages nuancing of the words became more and more
prevalent, but by starting the Board engagement
without a draft document the initial conversations had
concentrated on the concepts rather than the words.
The same interactive voting session was first trialled
with a subset of the Group’s management Executive
Committee. Interestingly, the views of management
were less well aligned than they were amongst the
Board members.
Content of the Group Risk Appetite Statement
At CBA the risk appetite is defined by a combination
of the Group Risk Appetite Statement (RAS) and the
supporting Group-level risk policies, such as the credit
concentration policies, which define specific limits
aligned with the RAS principles and metrics.
The RAS covers three important areas:
• The conceptual definition of risk appetite for the
Group;
• Risk Culture; and
• The risk-taking boundary—specific boundaries
(expressed in both quantitative and qualitative
terms) for major risk drivers, together with
expressions on how particular risk types are
controlled.
Having an appropriate “Risk Culture” is viewed as
absolutely key to effective risk management. The RAS
sets down a high-level statement of intent with regard
to risk, i.e., what we stand for in risk terms (e.g., the
business, not Risk, manages and own the risks), and the
expected behaviours of employees with regard to risk.
The aim is to ensure that the right people own the risk
and support the desired risk outcomes.
The approach to defining the culture was no
different to the other content in the RAS – we asked
In order to embed the desired culture there was a
need to link it to the remuneration system and this has
been addressed in two main ways:
The Board asked, as one element of aligning with
the regulator’s requirements, that risk management
opine on compliance with these principles for their
consideration in setting executive incentive awards; and
The Group’s internal staff performance review
system opens with the requirement to consider whether
an individual’s key performance has been achieved
by operating within the culture and boundaries of the
Group’s and the relevant business units’ RAS.
The risk-taking boundary includes qualitative
expressions of “risks to which the Group is intolerant”
together with more quantitative limits for key financial
outcomes for the Group.
The “intolerant” concept arose from conversations
with the Board and management about incentives and
consequences of operating outside of appetite. If we
were to say that we had zero appetite for particular
risks (e.g., fraud) and we aligned performance
assessment and incentives to operating within appetite,
then a fraud incident should have remuneration
implications. This could create the wrong behaviours
(either spending disproportionately on preventing fraud
or non-reporting of fraud incidents) and so, rather than
talk about zero appetite, the concept of intolerance
was developed. These are exposures/outcomes that we
do not wish to experience but recognise are not 100%
preventable. Where they arise the RAS commits us to
take rapid and comprehensive action to minimise the
chance of reoccurrence.
Having developed the content of the Group RAS
with the Board, an important second step was to
validate the alignment of the existing Group-level risk
policies, and in particular the limits contained within
those policies, to the RAS. These policies complete
the definition of the overall risk appetite. The RAS
metrics are now one of the key drivers of the limits
that are included in risk policies, for example, the
counterparty, industry and country limits within the
credit concentration policy framework.
59
|
the Board questions about the culture and behaviours
they expected and then drafted content that we thought
reflected their responses. The result was a single page
containing around 10 cultural and 6 behavioural
principles relating to risk, which was edited based
on Board responses to it. Examples of the types of
topics that we cover are the need to understand and
appropriately price for risk and a culture where it is safe
to call out mis-management of risk by others.
institute of international finance
measures as well as ranking various potential outcomes.
Where answers were not well aligned between Board
members a staff-facilitated discussion was used to
arrive at an acceptable consensus view. We found that
questions requiring ranking of choices added clarity
of insight on Board appetite. A fear by staff that the
Board would collectively adopt a highly conservative
risk outcome did not happen, but we prepared the
Board by talking about appropriate risk-taking as key to
profitable growth.
Cascading of the risk appetite
By necessity, the Group-level risk appetite is high
level and requires translation into more specific and
meaningful terms for a particular business unit.
Board members read these documents to test their
specificity to the activities of the business unit, and also
as a lens through which to view the strategies presented
by businesses.
Figure 2: Risk appetite components and
cascading
Figure 3: The critical link between appetite
and strategy
Bedding RAS in...
Links it to other critical elements in a risk framework
CBA Group Vision and Values
Group Strategic Plan
Bedding in RAS
Lower level articulation
r e qu i r e s c a s c a di n g
Principles
Supporting limits
Group
Risk Appetite Statement
(RAS)
Group Risk
Policies &
Tolerances
Business Unit
RAS
Business Unit Risk
Policies & Tolerances
Line Of Business
(“LOB”) RAS
“LOB” Operating
Policies & Procedures
Validate or challenge
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
60
The approach to this was to make the head of
each business unit—not the Chief Risk Officers of
the business units—accountable for developing an
equivalent RAS for their business unit. The RAS would
need to be both aligned with the Group risk appetite but
also specific to the characteristics of their businesses.
This responsibility was an important part of the cultural
change, with the business themselves rather than Risk
Management being responsible for the risks being taken
on and for their outcomes.
The building of the consideration of risk appetite
into the Group’s formal strategic planning process has
been a significant step forward. However, it is not just
in a formal way that risk appetite has impacted decision
making across the organisation. The referencing of
decisions as being aligned with or outside risk appetite
is now becoming part of the everyday conversations
around the bank. Even more gratifying is to hear people
often talk of the need to reassess the risk appetite in
light of opportunities that are presented, which creates
an evolving and productive challenge to current RASs—
leading to keeping RASs fresh and appropriate.
Link to strategy
A major element of the overall risk appetite framework
is the interaction between risk appetite and strategy.
The formal alignment and interaction of these two
elements had not previously been built into the
operations of the Group.
The first point of connection is that both appetite
and strategy should be aligned with the Group’s
vision and values. Beyond that the appetite is setting
boundaries on risk taking activities while strategy
is seeking optimal use of the Group’s resources in
response to the evolving environments in which we
operate. Each should be challenging the other. Equally,
reading one should give knowledge of the other. These
concepts are illustrated in Figure 3.
BU
Strategic
Plans
BU1
BU2
BU3
BU4
Assess
&
Revise
Group Risk Appetite
Statement/Policies
BU RA
Business Unit (BU) challenges
RA
Risk Appetite
Group
Statement/Policies
Successes to date
There have been several aspects of the development of
risk appetite that have worked well and translated into
meaningful benefits for the Group:
• Firstly, the approach to engaging with the Board
led to a strong sense of ownership and a depth of
understanding of risk appetite by the Board that
would not otherwise have been achieved.
• By setting clear Risk Culture expectations in the
Group RAS and putting ownership for developing
business unit RASs on the heads of the business
units (rather than the business unit risk teams),
there has been a cultural shift in the ownership
of risk from Risk Management to the businesses.
Business units now act with clearer responsibility
(ownership) for the risk they take on.
• The incorporation of the review of risk appetite
as part of the strategic planning process, and
the presentation of strategic plans, formally
accompanied by recently agreed upon risk appetite
statements, to both management and Board has
brought risk appetite considerations formally
into key decision making and strategy setting
discussions.
• By establishing clear boundaries, Business units
understand what is outside appetite and therefore
do not pursue these opportunities, leading to a
reduction in both wasted effort and frustration.
• By bringing the requirement to operate into
alignment with the Group and local risk appetite
statements into the performance management and
remuneration framework, risk appetite has achieved
a high level of awareness and influence on
behaviours. Key behaviours are found in the Group
RAS, e.g., responsibility to raise issues, protection
for doing so and “no harm” to people who raise
false-positive issues.
Continuation in the evolution of risk appetite
Although considerable success has been achieved in the
risk appetite journey so far, we are cognisant that there
is more to be done in developing the maturity of risk
appetite across the Group.
• By necessity, the Group RAS is high level and
principle based in nature. The challenge is in
cascading this to lower levels in a way that makes
it meaningful in day-to-day decision making on
the front line. Business units are developing risk
parameters for lower level portfolios/products that
will translate the limits/principles established in
the Group and business unit RASs into meaningful
limits for staff working in these areas. This
will allow a more granular inclusion of RAS
consideration into performance assessments and
incentive payment outcomes.
• Further development is ongoing in adding clarity
to business unit RASs and strategies so that they
become more overtly complementary and aligned.
• The incorporation of stress testing outcomes into
the contextual setting of risk appetite is an area
that we continue to develop.
Summary of key lessons learned
As the risk appetite has been developed a number
of lessons have been learned, the foremost of which
include:
• Without sponsorship from the top it is difficult
to get traction in developing a risk appetite
framework.
• Without a clear conceptual definition of risk
appetite there are many confusing and ineffective
discussions about risk management and we fail to
get business buy-in to the framework.
• The conversations around risk appetite are equally
as important and beneficial as the actual Risk
Appetite Statement document produced from them.
• Culture is a fundamental part of risk appetite and
to the success of embedding risk appetite in the
organisation. Taking the time to craft descriptions
of what risk appetite the Group and business units
have for variance in risk culture breathes life into
risk culture.
61
|
• There has been some initial reluctance by some
business units to set the hard quantitative
boundaries required to help define risk appetite.
This may be partly due to the presence of a formal
policy limit setting framework, plus a previously
held view that once set, RAS quantitative
boundaries would be difficult to change. (The
Board actively assists in this matter by engaging on
proposed changes out of cycle to the annual RAS
review process.) Further work is needed to include
more specific quantitative boundaries for these
businesses.
institute of international finance
• The understanding of the interaction of strategy
and risk appetite has changed previously held
views that risk appetite was a barrier to progress,
and in particular that it could not be challenged or
changed. A lot of work has gone into explaining
the connection between strategy and appetite and
the important way that they are brought together in
strategic planning, to give both management and the
Board transparency over decisions either to amend
the strategy to align with the existing appetite, or
the appetite to allow the proposed strategy. The joint
consideration and refinement of strategy and risk
appetite is now part of business as usual. (See the
“Assess & Revise” arrows in Figure 3.)
Annex II: Summary of the responses to
the Survey
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
62
Introduction
As discussed in the report, in mid-2010 the IIF Steering
Committee on Implementation (SCI) established
a Working Group on Risk Appetite (WGRA), with
the objective of identifying the key stages and the
technical and cultural challenges in the journey toward
designing, implementing, and monitoring adherence to
a sound risk appetite framework (RAF), and to bring to
bear Industry expertise and sound practices to examine
how these challenges can be addressed.
As a key first step, the WGRA has carried out a
survey among key industry participants to understand
better the key challenges that must be confronted
and addressed in a firm-wide implementation of risk
appetite. The survey aimed at capturing the interactions
and different perspectives among the Board, business/
senior management, and risk management in the
implementation of risk appetite framework.
An overview on the key messages emerging from the
survey is provided in the sections below.
Objectives and Design of the Questionnaire
A key objective of the IIF WGRA activities, and of the
survey in particular, has been to better understand the
challenges involved in a firm-wide implementation of
an RAF and to identify and analyze those approaches
and tools that have been used effectively and
successfully to address issues and overcome obstacles.
In fact, this is a fundamental step in developing
guidance on how the hardest challenges might best be
overcome, while taking fully into account—as confirmed
by the results of the survey—that there is no uniquely
correct detailed “model” for what a risk appetite
framework should look like.
The survey gathered views from different parts of the
firms, with a number of sections of the questionnaire
specifically designed to elicit views from Board
members, senior management, and senior members of
the risk management function. In fact, risk appetite
is largely about an interaction among the Board,
1
business management, and the risk management, and
these groups are likely to have different perspectives,
expectations, and objectives on the issue.
The survey was structured as follows:
• An assessment of the experience to date in
implementing a risk appetite framework: This
section aimed to identify the stage of development
of the RAF in each respondent firm as well as the
challenges that the firm had not yet addressed.
• The structure and conceptual elements of the
RAF: This section covered the key conceptual
and operational issues in the design of an RAF;
the kinds of risk appetite statements in use in the
firm; the interactions between the key internal
stakeholders (Board members, senior management,
the risk management function, business line heads);
the most relevant inputs that drive the shaping
of the firm’s risk appetite; and the risk appetite
metrics.
• The challenges that are being/have been faced in
putting into place a risk appetite framework: This
part of the questionnaire elicited views from the
key players (Board members, senior management,
the risk management function, business line heads)
on their specific challenges, achievements, and
benefits as well as the next steps.
Characteristics of the Respondents: Overview
• The survey was carried out during the end of 2010
and the beginning of 2011 and targeted a very wide
and diverse range of IIF members. The high level of
participation is testimony to how much the Industry
is interested in making progress in this area: the
questionnaire was sent to 79 firms, and 73 responses
(reflecting different perspectives within a firm) from
40 firms were received (Chart 1).1
• The responses have provided very high-quality
information, offering a broad and diverse view over
the Industry in terms of size, geographic presence,
business models, and stage of development of the
Alpha Bank, ANZ Banking Group, Barclays, BBVA, BMO, BNP Paribas, Bank of America, Bank of Ireland, Commonwealth Bank [of Australia],
Commerzbank, Credit Suisse, Danske Bank, DBS Group, Deutsche Bank, Erste Bank, FirstRand, Handelsbanken, HSBC, ING, Itau, Macquarie, Mercantil,
Mizuho, Mitsubishi UFJ Financial Group, National Australia Bank, Nordea, Norinchukin Bank, RBC, RBS, Santander, Scotiabank , SEB, Société Générale,
State Street, SunCorp, SwissRe, UBS, UniCredit, WellsFargo, and Westpac.
Chart 2: Respondent Role
4
30%
HQ Location
23%
5
Number of firms
EMEA
22
Asia & Oceania
10
The Americas
8
Activities undertaken
3
13
6
10
$0 –
$25 bn
$25 –
$50 bn
6
7
4
$50 –
$75 – $100 bn
$75 bn $100 bn
+
6
47%
8
Balance Sheet Size
32
76%
87%
89%
Investment Commercial/ Retail/
Bank
Corporate Private
Bank
Bank
50%
Insurance
Number of employees
9
Multiple countries within single continent
Global (Presence on all 5 continents)
Chief Risk Officer
Member of the Risk Committee of the Board
14
11
8
11
8
7
6
8
Member
of the
Management
Board 7 CRO direct report
$0 –
$500 –
$1000 – $2000 bn
0 – 25k
50 –
75 – 150k +
Other
Member of the
Board25of–Directors
$500
bn $1000
bn $2000 bn
+ President and/or CEO50k
75k
150k
Business
area leader
Multi-continent
Chart 3: Characteristics of Respondent Firms
Market Capitalization
Activities undertaken
mber of firms
22
10
8
13
6
$0 –
$25 bn
$25 –
$50 bn
10
7
4
76%
Balance Sheet Size
14
$0 –
$500 bn
11
7
11
8
7
6
8
0 – 25k
25 –
50k
50 –
75k
75 –
150k
150k +
25
20
15
10
5
2
Not embarked
on the process
1
Little
Progress
50%
Insurance
$2000 bn
+
Chart 4: Assessment of Experience to Date
0
89%
Number of employees
8
$500 –
$1000 –
$1000 bn $2000 bn
87%
Investment Commercial/ Retail/
Bank
Corporate Private
Bank
Bank
$50 –
$75 – $100 bn
$75 bn $100 bn
+
4
Some
Progress
23
7
Good
Successful
Progress implementation
63
|
Market Capitalization
institute of international finance
Chart 1: Respondent Firms
risk appetite framework (Chart 3). This has required
a careful processing of the responses, which has
been done with support from Ernst & Young and
PwC, in order to provide a solid foundation for the
further work and analysis from the IIF Working
Group on Risk Appetite and for this report.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
64
bilateral discussions and other forums suggests
that, in general, progress in risk appetite across the
Industry and in a number of specific jurisdictions
substantially lags the progress reported by the
group of survey respondents.
I. Assessment of the Experience
to Date in Implementing a Risk
Appetite Framework
A significant minority is confident about what has
been achieved: more than 15 percent of the respondent
firms consider that all of the major challenges have
been overcome and that the implementation of the RAF
has been a success. These firms are essentially where
they want to be on risk appetite and feel they have also
achieved many benefits. In particular, the successful
implementation process and the debate around the RAF
has taken the risk discussion to a much more strategic
level and has resulted in business management at every
level having a more robust discussion around the risks
and the appetite for stress and adverse conditions,
rather than only focusing on performance measures.
Overall Assessment of Experience in
Implementing a Risk Appetite Framework
Four firms have responded that they have made some
progress, while only three survey respondents have made
little progress or have not embarked on the process.
• The questionnaire was completed by senior
executives in the firm, and in many cases feedback
from multiple executives was provided. Not
surprisingly, a significant share of the responses
(more than 40%) was provided by CROs. However,
the participation of Board members was significant
(Chart 2).
• When assessing the overall experience to date,
a large majority (almost two thirds) of the firms
participating in the survey stated that they are
making good progress in implementing an RAF,
according to their own self-assessment; at the same
time, they also recognize that a comprehensive and
successful implementation of the RAF will require
moving the approach deeper into the business,
work that these firms consider as still underway.
Similarly, in a number of cases, these firms
highlight that, despite the good progress achieved,
their RAF needs to reflect a more deeply embedded
culture of risk within the wider business and to
develop a deeper link with the strategy and the
planning activities (Chart 4).
• Participating firms also recognize that, even when
good progress has been achieved, much work is
still needed. Chart 5 shows firms’ key priorities and
objectives in their next steps on the implementation
journey. These results are consistent with the key
challenges highlighted by firms and presented in
the next section. Consistent with what emerged
in terms of the key challenges highlighted by
firms and presented in the next section, the key
next steps most frequently mentioned by firms as
their next priority in the implementation journey
were: continue embedding the RAF within the
business and cascade it to all levels, functions,
lines of business, and risk categories; build a robust
measurement and monitoring mechanism; and
achieve a stronger integration between the RAF and
strategic planning.
• At this point, it must be emphasized that while
good progress in general is being self-reported
by the respondents as a
group overall, this group
Chart 5: Key Priorities and Objectives
most likely represents
0
2
some of the more
Integrate risk appetite into ongoing management 16
of the business
advanced practitioners
in the area of risk
Establishment of robust measurement
9
and monitoring framework
appetite, and it should
Integration of Risk Appetite into strategic planning 8
not be assumed that the
remainder of the Industry
Development of stress testing (including
5
better integration with risk appetite)
is at a corresponding
stage on the risk
Improve IT/data quality to support risk appetite 4
appetite journey. Indeed,
Further develop & embed risk culture 3
anecdotal evidence
from a large number of
Comprehensive overview covering
business, strategic & operational risks
3
4
6
8
10
12
14
16
18
Risk Appetite Objectives and Statements
The survey shows that a majority of firms are taking
a comprehensive view of all risks across the firm, not
just risks that can be easily measured, and are using a
combination of qualitative and detailed quantitative
elements in their statements (Chart 7).
II. The Structure and Conceptual
Elements of the RAF
Key Challenges to a Successful Application of
an RAF
Chart 7: Types of Risk Appetite Statements
• As already mentioned, a key stage toward a
successful and effective firm-wide implementation
of an RAF is the identification and analysis of the
challenges involved in such a process. The chart
presented at the beginning of Section 2 highlights
the top challenges emerging from the survey. A
dimensional breakdown is presented in Chart 6.
0
5
10
15
A combination of qualitative and detailed 14
quantitative outcomes
Only high level quantitative outcomes 9
A combination of qualitative and 7
high level quantitative outcomes
Only detailed quantitative indicators for 3
the business
Only a qualitative indication of preferred 3
outcomes
• We refer to Section 2 of the Report for a more
complete description of the key challenges
highlighted by firms participating in the survey.
Chart 6: Key Outstanding Challenges
0%
10%
20%
30%
40%
50%
60%
70%
80%
Effectively cascading the risk appetite statement through the operational
levels of the organization and embedding it into operational decision
making processes
Larger firms appear to
have a better handle on
dealing with different
risk types
How to best express risk appetite for different risk types, some of which
can be quantified in generally accepted ways, and some of which cannot
be easily quantified
Using the risk appetite framework as a dynamic tool for managing risk
rather than another way of setting limits or strengthening compliance
Using the risk appetite framework as a driver of strategy
and business decisions
Achieving sufficient clarity around the concept of risk appetite
and some of the terminology used (e.g. difference between
risk appetite and risk limits)
How to effectively relate risk appetite to risk culture
How to make best use of stress-testing in the risk appetite process
Utilising stress testing and
effectively aggregating are
more of a challenge for
the largest banks
How to most effectively aggregate risks from different business units
and/or different risk types, for risk appetite purposes
$0 – $500 bn
$500 – $1000 bn
$1000 – $2000 bn
$2000 bn +
65
|
• Once a firm has determined how much risk it is
able to take, strategic decisions are made regarding
how much risk it will take on to meet business
goals. In this process, a key step is the articulation
of the risk appetite statement, which represents
a cornerstone in the architecture of the RAF.
The statement takes into account management’s
objectives and preferences on capital and resource
allocation, as well as views on the distribution of
exposure across activities and portfolios.
institute of international finance
• The overall assessment shows different stages of
development and a wide range of approaches.
While in a number of cases an early version of
the RAF has been in place for several years, the
survey responses reveal clear evidence that the past
24 months have witnessed a substantial increase
in the resources devoted to the articulation and
implementation of an RAF. In many cases, this has
meant the establishment ex novo of a risk appetite
strategy or, when already present, a substantial
review of that strategy.
• Qualitative outcomes. The following are a few
significant examples of qualitative outcomes that
were included in the risk appetite statements of one
or more responding banks:
•
Managing the business to a target credit rating
or better
•
Target Tier 1 and core Tier 1 ratio levels
•
Economic capital per risk type
•
Ensuring capital adequacy
•
Return on equity
•
Maintaining low exposure to “stress events”
•
Earnings per share growth
•
Sustaining a current shareholder dividend
•
Earnings volatility
•
Meeting regulatory requirements and
expectations
•
Stress tests
•
Ensuring sound management of liquidity and
funding risk
•
RWA limits
•
Liquidity ratios
•
Requiring assessment for fit to risk appetite for
significant projects, new products, and entry
into new markets
•
Limitations of client exposure
•
Industry concentration
•
Country envelopes
•
Rate of return required from our businesses
•
Value at Risk for trading portfolios
•
Loan loss ceilings for loan portfolios
•
Assets-to-Capital Multiple
•
Operating leverage
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
66
when trigger levels are exceeded. The following
are a few significant examples of high-level
quantitative outcomes included in the risk appetite
statement of one or more responding banks:
•
Creating statements concerning
nonquantifiable risks (e.g., reputational risk)
•
Creating statements of general market
sentiment, of the overall macro environment,
and of broad areas for business growth
•
Maintaining minimum dividend payout levels
under severe but plausible stress levels
•
Maintaining sustainable economic profit
commensurate with the risks taken
•
Maintaining a well-diversified funding
structure
•
Keeping off the balance sheet those vehicles
nonmaterial in size relative to the size of the
balance sheet
•
Harnessing benefits from business
diversification to generate nonvolatile and
sustainable earnings
•
Using robust and appropriate scenario stress
testing to assess the potential impact on the
group’s capital adequacy and strategic plans
•
Avoiding significant losses from small and
more-peripheral businesses that are not central
to the key strategies (non-core risks)
•
Restricting business to activities that are
understood and that can be adequately priced
(e.g., without “look-through” analysis)
• High-level quantitative outcomes. Qualitative
statements are normally combined with a
reasonable number of quantitative metrics in order
to be able to monitor and take adequate actions
A wide range of detailed quantitative measures,
often at the business level, are also included in the
statements:
•
Maximum total exposure to indicate to market
valuation fluctuations in the trading book as
measured by a maximum Value at Risk over a
certain time horizon
•
Maximum economic value risk from market
value movements stemming from interest rate
and FX mismatches in the banking book as
measured by delta 1% and aggregated nominal
FX mismatch
•
Minimum quality standard for large single
name exposures as measured by average
internal risk grade of the top 20 counterparty
groups, banks, and corporates separated
•
Credit portfolio quality statements;
quantitative statements on credit risk,
including loan losses and concentrations;
market risk, including use of capital and
maximum losses
•
Clear guidelines regarding maturities and size
of trades
•
Quantitative measures applied to
nonquantifiable risks (e.g., data from customer
polls, investors polls, employee sentiments,
media coverage, interactions with regulators)
Key Interactions
• The successful implementation of a risk appetite
framework is critically dependent on effective
interactions among many key participants: Board
members, senior management, the risk management
function (embodied in the CRO), and business
line heads.
• The survey shows that in the large majority of
firms, the initiative for setting the risk appetite was
taken by senior management, and the proposed
framework was approved by the Board after a
challenge process. This great degree of convergence
on the process reflects the key oversight role of the
Board. In a few cases, however, this initiative has
not yet been subject to substantive challenge from
the Board (Chart 8).
discussions with Working Group members revealed
that the regular, daily dialogue that occurs in risk
committees and with risk staff, including those
involved in credit approvals, play an important role
in communicating risk appetite concepts to frontline staff and making these concepts “real” on a
day-to-day basis.
Chart 9: Method for Linking Statements
with the Behaviour of Staff
0
5
10
15
20
67
|
Hurdle rates for performance measures (RoE,
RoRAC)
25
Translated into limits 24
Strong Risk Culture 7
Policies/Procedures/ 6
Guidance
Committees 5
Risk-adjusted performance 4
measures
Code of Conduct/Rules 4
New Product/Deal Approval 2
• As to the link with strategy and planning, we
previously highlighted that a significant number of
firms (more than one third) feel that the RAF and
the business strategy and planning
are already somewhat linked.
Chart 8: Process to Agree on the Risk Appetite Statement
The following are examples of
0
5
10
15
20
25
30
practices for establishing this link:
Senior management take the initiative and
the Board agrees this by means of a challenge process
27
Senior management take the initiative and the Board
largely endorses this without substantive challenge
8
The Board/Risk Committee
takes the initiative
2
An offsite/workshop(s) or series of meetings
are conducted with all participants and the risk appetite
is agreed as a result of multiple, iterative discussions
2
• In exploring the key interactions, two aspects are
of crucial importance and—as seen in previous
paragraphs—are particularly challenging when
implementing an RAF: the establishment of
actionable guidance at the business level and
the linkage of risk appetite, business strategy,
performance, and other enterprise planning
processes.
• As to the first aspect, the survey results,
summarized in chart 9, show that the main method
used for linking Board-level risk appetite with the
behavior of mid-level staff is its translation into
limits. The active development of a strong risk
culture also plays an important role in developing
awareness about the link between the RAF and
business decisions. It is important to highlight that
The risk appetite is
incorporated into the annual
strategy process. Businesses are
asked to qualitatively discuss
risk changes during the strategy
process, and the Board reviews the
overall risk appetite test at that
time.
Risk-return analysis is a key element of the
risk appetite framework and a key input into
performance measurement.
The strategic planning process makes use
of templates and standardized formats
that include mandatory sections relating
to risk profile and risk appetite that force
consideration and documentation of risk
appetite issues.
The Drivers of Risk Appetite
• Firms were asked to identify the three most relevant
inputs that drive the shaping of their risk appetite.
As shown in Chart 10, capital capacity is seen as
the major driver for the overwhelming majority of
firms. Budget targets are also considered a relevant
institute of international finance
•
input by many firms. Other topical areas, such as
liquidity and stress test results, are high on the list,
likely as a result of recent experiences during the
crisis. Although not captured in Chart 10, several
firms have stressed that the firm’s overall strategy
and financial objectives should be considered as
a key input. Only one responding firm mentioned
earnings volatility as an input in this question.
Chart 10: Most Relevant Drivers of RA
0
10
20
30
40
50
60
Capital Capacity 50
All surveyed firms use specific and quantifiable
metrics in the articulation of their risk appetite
frameworks. About two thirds of them specifically
reference both growth and return metrics in the risk
appetite statements agreed upon by the Board.
Chart 11 shows the specific parameters used as part
of the risk appetite framework in the specification of
risk appetite and/or in monitoring compliance with risk
appetite.
• As to the optimum number of parameters
that strikes the right balance between being
comprehensive and comprehensible, a wide range
of answers has been gathered; however, typically
no more than 10 measures are considered at the
Board level with increasing detail to support at
business and operational levels.
Budget Targets 28
Liquidity or other 26
market constraints
Culture 16
Shareholder input 16
and perspectives
Stress Test Results 16
External market 10
dynamics/considerations
• The risk appetite process is seen by firms as
dynamic, where risk taking can be re-aligned on
an ongoing basis. In the vast majority of cases,
this is achieved through an ongoing monitoring—
including Board reporting—of risk appetite elements
(e.g., performance against risk metrics) and
adjustment as needed.
Risk Appetite Metrics
• The survey explored the metrics that have an
important role to play in establishing and operating
an effective risk appetite framework, namely those
metrics that are routinely used in interactions
between the Board and the management when
• In the large majority of cases, such measures tend
to focus mainly on the enterprise level only and
reflect Board-level approved limits and objectives.
However, it is quite common to see also a number
of more specific (e.g., business-level) metrics that
operate at division or business unit level.
• Stress testing and stress metrics play a role in the
risk appetite framework of almost all respondents
(only one firm stated that they are not used). The
use of stress testing varies: some banks are putting
stress tests at the center of the appetite setting
process, whereas others are using stress tests to
“sense-check” or challenge their risk appetite
settings. Chart 12 summarizes the role that stress
testing and stress metrics play in the risk appetite
framework.
Chart 11: Specific Parameters Used for Setting and Monitoring RA
25
20
15
10
Return
Specifying risk appetite only
Capital
Monitoring compliance only
Risk Monitoring and Control
Both specifying and monitoring
Provisions
EL
Internal ratings
Cost of risk
Limits
Concentration limits
VaR
RAROC
RWA
EC
Stress Testing
Capital Ratios
Growth measures
EPS
0
Earnings Volatility
5
ROE
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
68
the RAF is being discussed and to establish and
monitor compliance with it.
Effect on capital adequacy
2
4
6
8
10
12
14
12
A risk appetite measure 9
Results compared against 9
risk appetite
Used in limit setting 8
Used to set risk appetite 5
Used in developing 3
business plans
• Around 70 percent of participants report that their
RAF covers the whole range of risks facing the
firm, including a number of nonquantifiable risks
(e.g., legal and reputational), while the remaining
respondents say that their RAF covers only those
risks that are readily quantifiable. Large banks or
firms that have a global presence are more likely to
have all-encompassing risk appetite statements and
frameworks.
Chart 13 shows that while some firms are
comfortable managing qualitative risks with qualitative
measures, others are determined to quantify as much as
possible (e.g., through proxy measures).
Chart 13: Approach on Nonquantifiable Risks
0
1
2
3
4
5
6
7
8
Qualitative management 8
assessment/guidelines
Non-quantitative measures 5
are not considered yet
Developed proxy measures
3
Not considered - covered 3
by policies
Captured under “Business Risk” 2
Some risks cannot be followed 1
through metrics
Developing KPIs for 1
Reputational Risk
Consider Risk to Market 1
confidence
• There seems to be no uniform process for
translating high-level risk appetite indicators into
more specific measures such as risk limits and
tolerances. However, the following techniques were
often mentioned in the responses:
The budget and planning process cascade
metrics, such as RoE, net funding needs, and
RWAs, at a more granular level.
The key risk forums in which strategy is
discussed in the light of risk, liquidity, and
capital considerations translate high-level risk
appetite indicators into more specific measures.
Translating high-level risk appetite metrics into
business related measures is a combination of
top-down and bottom-up processes: first, most
key figures are broken down to the businesssegment level. For monitoring these indicators
at the business level, a bottom-up process
is used, ascertaining the specific needs of
business segments.
• In the majority of the cases, risk appetite metrics
are monitored throughout the year with trigger
points for formal management action, and firms
state that a contingency plan/escalation procedure
is triggered when risks appetite metrics are
exceeded. Contingency plans are generally linked
only to specific metrics without covering all
eventualities.
The following box provides a noteworthy example of
this approach in a respondent firm:
When an enterprise-level Risk Appetite metric is
exceeded, the Risk Executive will notify the Chief
Risk Officer and the related Line of Business
Executive. The Global Risk CRO will notify the Chief
Executive Officer, Chief Financial Officer, Chair of
ALMRC and Chair of ERC of the limit excess. This
notification includes a plan of risk reduction.
Additionally, Action Triggers are set to
alert management when a metric is nearing an
enterprise-level Risk Appetite limit. When an
Action Trigger is exceeded, the Risk Executive will
be required to acknowledge/approve the excess.
The Risk Executive will notify the CRO and Head
of that particular LOB of the Trigger breach. The
CRO will notify the Chief Executive Officer and
Chief Financial Officer. This notification includes
a plan of action developed by the LOB and Risk
Management to cure the breach in a timely manner.
All excesses of both limits and triggers are
reported on the Summary Risk Report to executive
management and the Board.
• In a few cases, it would be more accurate to
characterize the process for dealing with limit
breaches as a “comply or explain” one, including
69
|
0
The risk appetite is set at the enterprise level
and cascaded down into the lines of business
via specific line-of-business risk appetite
statements and other key risk indicators set at a
more granular level that ensure that individual
portfolio performance is within defined
tolerances.
institute of international finance
Chart 12: Role of Stress Testing and
Stressed Metrics
procedures for granting exceptions, while
contingency planning plays a role only in the more
serious cases. A number of firms explicitly link this
process with their work on recovery and resolution
planning.
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
70
Board Risk Committee members, with risk
issues is fundamental. A large number of
firms report that the time and frequency
devoted to risk issues has been increased.
Moreover, those firms that do not have a formal
contingency plan for being outside the risk appetite (an
event that should be a very rare occurrence) state that
this would certainly cause a management review and
Board Risk Committee discussion.
• Other important and relevant issues in the area of
metrics that were often mentioned by respondent
firms include the need to focus on simple metrics
that can be easily managed and understood and
that are suitable for operational breakdown; the
need to strike the right balance between a limited
number of synthetic metrics and keeping them
exhaustive, comprehensible, and actionable; ease
of communication; “less numbers, more common
sense”; and sufficient robust to volatility (internal
and external).”
III. Implementation Issues
While confronting the challenges, Board
members have a clear view of the benefits
that firms have derived from the risk appetite
process. The benefit that is most frequently
mentioned is the integration of the RAF into
the strategic and business plans and a more
coherent understanding of the linkages with
strategy. Equally important is the improvement
of the overall understanding of risk issues at
the Board level.
• The perspective of the business/senior management
(other than risk management):
The Perspective of the Key Stakeholders
From the perspective of the senior managers
(other than risk managers) the main challenges
highlighted by respondents have been, on the
one hand, the difficulty of using the enterprise
RAF as a tool for developing or influencing
strategy and the business model, and, on the
other hand, the ability to ensure that business
unit performance targets are consistent with
the approved risk appetite.
• The purpose of this section is to better understand
the challenges that are being/have been faced in
putting in place a risk appetite framework, looking
at them from different perspectives within the
organization.
• The perspective of the Board members:
From the perspective of Board members, the
fact that risk appetite is/was a relatively new
issue in the Board’s agenda required them to
learn more about, or change their previous
approach to, risk and risk appetite.
In addition, considerable effort is needed to
effectively connect the RAF to the strategic and
business planning. It is generally considered
a key challenging issue to develop an RAF as
a dynamic management tool rather than as
another regulatory driven form of setting limits
or monitoring compliance.
These challenges have required a number of
actions to overcome them and facilitate a
robust discussion of risk appetite. Participant
firms have highlighted the following actions as
particularly effective in this regard:
• Promotion of the strong knowledge and
experience of Board members: A great
familiarity by Board members, especially
• Separate meetings focused on risk: Fluent
communication on risk appetite between the
Board and senior management, including
some workshops for Board members, and
creation of a Board-level forum dedicated
to risk with frequent meetings and effective
reporting of risk committee discussions to the
full Board.
Another challenging issue, which is linked to
the ones above, has been a perceived lack of
clarity around what is “soft dialogue” and what
are “hard limits” in the context of risk appetite.
More generally, a significant share of
respondents considers that a meaningful
translation of the RAF at the business and line
management level has not been achieved yet.
Where these challenges have been effectively
overcome, the following actions seem to have
played a positive role:
• A strong and effective partnership between
the CRO and the CFO.
• A review of compensation and staff reporting
arrangements and regular engagement and
communication to all divisions in the bank in
order to foster a cultural change.
• Enhanced clarity in risk statements.
• More efficient use of risk and capital.
• Clearer view on the strategy and risk appetite
offered to all stakeholders, including external
stakeholders.
• Clearer idea of how the risk profiles and
strategic issues in the businesses come
together to create the risk profile for the firm
as a whole.
• Provision of additional support and
validation of group processes, which gives
confidence that the group processes are
robust, efficient, and effective.
• Establishment of a consistent risk
management framework in all portfolios that
are built from the various businesses within
the firm.
• The perspective of the risk management:
From the perspective of the risk management
function, the main challenges in embedding
risk appetite and establishing it as a key part of
the risk management apparatus is the fact that
the RAF was seen by many as another way of
setting limits and managing compliance, and
not seen in the broader context of balancing
risk, reward, and opportunity. This issue has
been highlighted by the vast majority of
responding risk managers.
Many respondents have also stressed the
difficulty in translating Board preferences into
operational guidelines, as the risk statements
contain high-level guidance or sometimes lack
clarity.
2
Additional key implementation issues
mentioned by respondents often focus on
the relationship with their colleagues in the
businesses. First of all, risk managers perceive
difficulty and some degree of resistance to
The following key factors have been important
in facilitating a robust discussion on risk
appetite and in overcoming some of the
difficulties mentioned above:
• Board support, particularly from the members
of the Risk and Capital subcommittees.
• Regular meetings of the CEO, CFO, and CRO
to check on progress support discussions on
the risk management level as well as on the
committee level.
• Cross-divisional communication.
• Establishing stable process and reliable
numbers.
• Understanding by senior management of the
purpose and benefit of the framework.
• Empowerment of the CRO role/risk
management function.
Risk managers have indicated a number of
benefits that are resulting from the RAF.
The influence exerted by the risk appetite
process over the business plans and strategy
is the benefit most often highlighted. Also
of considerable importance seems to be a
strengthened quality of conversation and
engagement around risk issues. Moreover,
the risk appetite process is seen as providing
an effective framework for discussing
business decisions and reporting to the Board.
In addition, risk managers feel that risk
management organization and leadership has
been strengthened and empowered as a result
of the implementation of the RAF.2
• Chart 14 provides an aggregated overview of the
key challenges to implementing an effective RAF:
The empowerment of the CRO was a key finding and recommendation of the July 2008 report of the IIF Committee on Market Best Practices.
71
|
achieving buy-in from the business. Second,
the business level often prefers to deal with
risk appetite issues as they arise, as opposed to
having a policy set down in advance. Finally,
businesses sometime feel that the application
of risk appetite concepts and policies is too
subjective or even applied unevenly/unfairly.
institute of international finance
Senior managers have indicated a number of
benefits derived from the RAF at the business
level. The following are some representative
examples:
Biggest Achievements,
Benefits, and Key Next Steps
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
72
• Respondent firms are at
different stages of developing
their RAFs, and their business
models are characterized by
different degrees of complexity.
However, there seems to be a
significant convergence toward
two main achievements to date
on the following two key steps,
which have been underlined
by the majority of respondent
firms (Chart 15). The first
important achievement is the
development of a robust and
comprehensive Board-approved
risk appetite statement as
a cornerstone of the wider
risk appetite strategy. The
second equally frequent and
important achievement is
the identification and design
of a clear, comprehensible,
and agreed upon intellectual
framework to integrate risk,
strategy, and capital allocation.
• As to the key benefits identified
by firms as a result of their
risk appetite process, there is
a strong convergence toward
the fact that the RAF is
allowing the Board and senior
management to have a more
informed discussion of the
risks involved in the business
plan and strategy. This benefit
has been consistently ranked
as the most important by the
majority of surveyed firms. Also
considered very important is the
impact of the RAF in fostering
a more robust risk culture and a
stronger awareness throughout
the organization. Linked to
this are two additional benefits
mentioned by a large number
of respondents: a stronger
integration of risk consideration
into the strategic and business
plan and more effective risk/
reward decision-making across
the organization (Chart 16).
Chart 14: Implementation Challenges
0
2
4
6
Establishing effective risk culture
at all levels in the bank
12
2
Translating high level objectives into
meaningful business level guidelines
2
16
1
4
6
7
4
7
Integration of risk appetite into
strategic/business plans
4
2
Achieving clarity of concepts
4
2
1 1
14
5
8
Improving information systems (either to
calculate risk or improve risk reporting)
1st Achievement
10
9
Establishing consistent approach to risk
across all business/products
Balancing risk/reward
8
2
2
2nd Achievement
3rd Achievement
Chart 15: Biggest Achievements to Date
0
2
4
6
Agreeing on a Risk Appetite
Statement approved by the Board
12
3
1
4
Established appropriate governance, monitoring
and review for risk appetite framework
1
4
2
Embedding a culture of risk appetite 1
within the wider business
Cascading of risk appetite to business unit level
2
6
Better definitions (and calculations) of
different types of risk
16
2
7
1
14
1 1
9
Obtaining Board and Senior Management
‘buy-in’ to the process
1st Achievement
10
12
Clear and agreed framework to integrate risk,
strategy and capital allocation
Integration of risk appetite into strategic plans
8
4
4
5
2
6
2nd Achievement
3rd Achievement
Chart 16: Biggest Benefits from Having an RAF
0
5
10
Strategic risk conversations at
Board and Senior level
15
Foster culture of risk appetite
throughout organisation
6
5
7
More effective risk/reward decision
making across organisation
4
3
Consistent language of risk across all levels
3
1 2
Risk Management have greater role in working
with business units to set strategy and plans
5
Improved enterprise risk management
throughout organisation
4
Being able to report and explain the firm’s
risk profile against agreed
benchmarks/risk appetite metrics
4
1st Achievement
20
2
7
Integration of risk appetite into
strategic/business plans
Establishing consensus on how much
risk we can afford
15
4
5
7
3
2
2 1
2nd Achievement
3rd Achievement
3
25
Project Team
For the Institute of International Finance:
•
Andres Portilla, Director, Regulatory Affairs
•
Stefano Mazzocchi, Policy Advisor, Regulatory
Affairs
Production:
•
Natalia Rocha, Staff Assistant, Regulatory Affairs
73
|
Paul Wright, Senior Director
institute of international finance
•
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
|
74
Design by www.katetallentdesign.com
Institute of International Finance
1333 H Street, NW, Suite 800 East
Washington DC 20005-4770
Tel: 202-857-3600 Fax: 202-775-1430
www.iif.com