Banks and financial services firms need to decide how much risk they are willing to take. This concept is known as Risk Appetite.
The Institute of Risk Management (IRM) defines risk appetite (and tolerance) in the following way:
Risk appetite can be defined as ‘the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives. Organisations will have different risk appetites depending on their sector, culture and objectives. A range of appetites exist for different risks and these may change over time.
Risk appetite and tolerance need to be high on any board’s agenda and is a core consideration of an entreprise risk management approach. IRM’s guidance provides practical direction, advice and information to support boardroom debate.
While risk appetite will always mean different things to different people, a properly communicated, appropriate risk appetite statement can actively help organisations achieve goals and support sustainability.
Firms must also make sure that the defined and agreed risk appetite is not exceeded. As explained in IRM’s definition, the risk appetite of the organisation must be determined by the board of directors – risk appetite is therefore part of the risk culture which is defined by the same board of directors. There is a very close relationship between the risk culture and risk appetite since the latter will depend a lot of the type of culture existing in the organisation. Organisations may range from conservative to strongly on-risk (also depending on the type of business they operate). The following factors are very important to enable the risk appetite in a firm:
- use of formal and robust risk controls, tested reviewed and tested regularly
- high quality and accurate management information reporting
Risk appetite will need to be expressed in different ways for different risk types and different business areas. This will allow the determination of easily defined metrics to assign probabilities to the losses caused by each business area.
For example, for more easily quantifiable risks, the risk appetite statement may include:
- a limit for direct financial losses
- specific risk measures, such as credit or market risk Value-at-Risk (VaR) metrics
- other specific tolerance levels or limits (e.g. 5% stop loss in a single instrument name)
For more subjective risks which are more difficult to quantify, the risk appetite statement might specify less quantifiable, non-financial statements, such as, for example:
- Recovery times objectives (RTO) agreed for business continuity management purposes
- Process related restrictions e.g. “all external communications must be approved by the COO”
If the organisation operates different business lines the board of directors must define separate risk appetite statement documents for each of these business lines. This will help improve the formality and control environment around the potential risks. The firm will then need to tie its overall risk profile, to its level of available risk capital. It is very common to see the risk appetite statement as part of capital adequacy processes, such as the Internal Capital Adequacy Process (ICAAP), being that the risk appetite statement is one of the outcome delivery documents of this process.
Setting a risk appetite tends to be an iterative process, and often needs both a top-down and a bottom-up approach: the top-down approach involves the board and senior management and involves:
- identifying threats to the firm’s objectives
- relating these threats to the available firm’s capital
- using scenario analysis and stress testing to have the most appropriate responses for each possible risk
The bottom-up approach requires line management to adopt:
- an agreed set of acceptable capital losses (e.g. occuring from trading errors)
- a robust and formal set of key risk indicators which can be tracked against pre-defined tolerances – these tolerances must be defined with the risk owners
- the escalation process for tolerance or limits breaches must also be defined so that there is a clear path from the bottom-up approach (i.e. business strategy) to the top-down (i.e. risk takers)
Our recent articles about Risk Appetite
- INFOGRAPHIC: A Look at Top Banking Trends in 2016
- VIDEO: Risk Management Webinar - Theory vs Reality
- 5 Essential Rules for Trading with Futures
- INFOGRAPHIC: What is the Greatest Cybersecurity Threat?
- KPMG 2017 Global Audit Committee Pulse Survey