CRO Outlook
Friday, February 17, 2023
By Clifford Rossi
In financial markets rife with uncertainty and volatility, figuring out how to create and properly use a risk appetite statement (RAS) is a daunting task. The traditional process for addressing this challenge is outdated and flawed. So, how can an organization enliven its risk appetite statement, to help foster a firmwide culture of risk awareness and to improve risk-adjusted return?
Setting enterprise-wide risk appetite is a necessary step that enables a board to identify a firm’s key risks – and to set limits for those threats. However, to be effective, risk appetite statements must be developed in ways that are directly actionable for business and risk teams.
We’ll get to best practices for risk appetite statements in a minute, but we first need to understand their current drawbacks.
What’s Wrong?
Risk appetite statements have become the norm in banking – but there remains considerable variation in the implementation of these statements across the financial services industry.
To better understand the purpose of RAS, we can use a submarine analogy. Modern submarines are equipped with a depth gauge that identifies the maximum depth to which a sub can plunge under normal operating conditions. The “never-exceed” depth that we often see depicted in movies when the hull starts to groan under enormous pressure represents the firm’s risk tolerance, beyond which is “crush depth.”
Clifford Rossi
Figuring out how to align quantitative expressions of risk appetite and tolerance with business outcomes is a significant obstacle facing those tasked with creating modern risk appetite statements. After all, the long-term viability of any firm depends not on managing risk and return in isolation, but on managing risk-adjusted return. Finding linkages to express risk appetite in ways that speak to how the company balances risk and return is therefore critical to developing a risk-return equilibrium.
Translating risk appetite statements into action is another obstacle. Key risk indicators (KRIs) establish risk guideposts throughout the year, but those metrics can at times be disconnected from the risk appetite statement.
To improve a firm’s ability to manage the business to its desired risk appetite, and to avoid exceeding risk tolerance, a well-constructed risk appetite statement should enable companies to sync risk tolerances with business objectives, KRIs and incentive compensation plans.
The Elements of a Well-Crafted RAS
Determining what type of business is allowable from a risk standpoint is a crucial first step in setting the firm’s risk appetite. Criteria to assist in that process include data availability and reliability, product expertise, and the level of infrastructure quality and controls available to manage the product.
If the data, infrastructure or expertise to understand a specific product’s risk isn't available, then the risk appetite statement should prohibit a firm from developing, marketing and managing that product. Had such criteria been in place before 2008, for example, it might have greatly reduced risk-taking in subprime and nontraditional mortgage products by many firms that exceeded their risk tolerance.
Many risk appetite statements I see today are too focused on cataloguing each major risk type, rather than on recognizing interactions across risks. Conveying risk at the enterprise-level is certainly important, but a bottom-up and integrated risk approach to developing a risk appetite statement is preferable.
Specifically, each line of business or profit center should have its own risk appetite statement. Major risks in the enterprise risk taxonomy should be featured, as appropriate, with concrete, qualitative descriptions of each profit center’s specific risks. Moreover, for each risk, KRIs and quantitative expressions of risk tolerance should also be employed.
Quality-control defect rates and/or credit exceptions could be ideal KRIs for managing front-end credit risk, while various servicing metrics could serve as KRIs for managing back-end risk.
Developing risk appetite and tolerance also needs to be imbued with a sense of pragmatism. Nonfinancial risks, for instance, remain one of the thorniest areas of risk management to quantify.
Even the Bank for International Settlements relented on requiring the largest banks to develop sophisticated operational risk-based capital models in its Basel III capital requirements. Fortunately, there are methods banks can use to approximate their required amount of operational risk capital.
Even more problematic are other nonfinancial risks, including legal, reputational, and regulatory and compliance. In theory, a firm’s risk appetite for these risks should be zero – but, realistically, some level of losses are to be expected.
There are, however, ways for a firm (or for an individual business unit) to establish a quantifiable risk appetite for these types of non-financial risks. Defining a risk tolerance based on a historical average of key events and/or losses for these risks is one logical approach that would provide a justifiable, concrete anchor for the “never-exceed” depth rule.
Bringing the Risk Appetite Statement to Life
Deficient processes and controls can lead to higher credit and market losses at times, while poor models can lead to under- or over-estimation, yielding adverse consequences for both risk and return. This is where a proper risk appetite statement can come in particularly handy.
For credit and market risks, economic capital and risk-adjusted return on capital (RAROC) are useful metrics for setting risk appetite. Just as in our submarine analogy for setting the test depth with a built-in margin of error, the risk appetite should incorporate factors for model and operational risks that can amplify actual credit and markets risks.
While risk appetite for credit and market risk should be based largely on economic capital, it should also incorporate the firm’s RAROC hurdle rate. The board might set its credit risk appetite to be, for instance, the 99th -percentile-worst credit loss that meets or exceeds the RAROC hurdle rate; the risk tolerance could be similarly defined to align to the lowest acceptable RAROC.
Firms that do not have an ability to set economic capital easily can instead use regulatory guidelines. A firm’s operational risk appetite, for example, can be established by leveraging the Basel III standards for risk-based capital, which draw on financial statement proxies and loss indicators. Meanwhile, an operational quality score can be used to weave individual subcategories of operational risk (such as technology risk) into the RAS.
Parting Thoughts
Risk appetite statements can foster a true culture of risk awareness at an organization – but only when they are relatable to clear business objectives and balanced between risk and return. Otherwise, they’ll be perceived by business heads as mere exercises in risk mitigation.
When developing risk appetite statements, financial institutions that use metrics like economic capital and RAROC, and that consider the risks faced by their individual business units, will have a leg up on their competitors.
To ensure everyone in the organization is focused on managing risk, risk appetite must be linked to KRIs and incentive compensation.
Clifford Rossi (PhD) is a Professor-of-the-Practice and Executive-in-Residence at the Robert H. Smith School of Business, University of Maryland. Before joining academia, he spent 25-plus years in the financial sector, as both a C-level risk executive at several top financial institutions and a federal banking regulator. He is the former managing director and CRO of Citigroup’s Consumer Lending Group.
•Bylaws •Code of Conduct •Privacy Notice •Terms of Use © 2024 Global Association of Risk Professionals