Risk Appetite – Is Your Entire Organization Engaged?

By Matthew Moore
Managing Director, Protiviti’s Risk & Compliance Practice




Financial services firms are in the business of taking risks. Although these risks are mainly financial, there are others too, ranging from day-to-day operations to the companies’ broader strategic moves into new markets or new products. As such, every organization has a risk appetite, whether articulated or not.

Regulators providing oversight to the financial services industry now want firms to define their risk appetite in a written statement, approved by the board of directors. This has proven difficult for many financial services firms. One reason may be that many companies tend to think of risk appetite as a one-time determination, and so have a hard time defining what that is in light of a constantly changing risk landscape. Instead, risk appetite is better viewed as an ongoing, dynamic conversation between the board of directors, management and the operational units in the organization.

Even more important, for companies that have grasped the concept of an evolving risk appetite statement (RAS), driving the RAS through the organization by translating it into clear, understandable guidelines and metrics for business units and operations personnel is turning out to be a formidable challenge.

How, for example, does a bank with multiple lines of business (LOBs) and many complex products and services make its board-level RAS meaningful to its various practices, from real estate to mortgages, many of which are completely separate and operate with their own frameworks, defense lines and understanding of risk appetite?

The answer may disappoint you: No elusive “magical metric” exists that will enable banks to integrate their risk appetite statements once and for all and call it a day. This is also the message from Protiviti’s latest white paper, Driving Risk Appetite: A Pragmatic Approach to Implementing a Broad and Effective Framework. The paper does not offer a magic bullet; nevertheless, it provides plenty of practical advice for firms on how to establish a risk appetite framework (RAF) to assist with this integration.

Here are some of the key points:

  • To be useful, the RAS needs to articulate motivations for taking on or avoiding certain types of risks, and include risk metrics that can be translated into risk limits applicable to the business lines.
  • To put the RAS into action, firms need to develop a risk appetite framework (RAF), which will help push the RAS down into the LOBs and the various support functions. Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business-unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.
  • The development of risk appetite metrics needs to be collaborative among top management, independent risk management and front-line units. A top-down, didactic approach to developing these metrics without business unit participation will result in a disconnect at the front-line level, making risk appetite a mere check-box exercise.
  • To drive risk appetite effectively, organizations must also be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk, while maintaining focus on how risk management objectives are achieved.
  • Finally, even though a RAS is a dynamic position, flexible enough to respond to changes in the business environment, the assertions in the RAS must be viewed as authoritative benchmarks, and any move away from them has to be treated as a deliberate decision to move outside of previously established boundaries.

I recommend reading the entire paper. It is clear and concise and offers some highly practical recommendations for firms struggling to integrate their risk appetite statements into the enterprise. I think it is timely too. It is only a matter of time before regulators, having made clear the importance of having a RAS, begin to scrutinize firms’ successes in pushing this RAS down to the business lines – or what would be the point of having a RAS at all?
