A consortium of global senior regulators, including the SEC, the Fed, BaFin, and the UK and Japanese FSAs, has concluded that financial firms that most effectively implement a risk appetite framework are those that create a strong corporate governance culture involving the engagement of the board and senior management and distinctive mandates and duties at each stage of governance. A risk appetite framework is an explicit effort to describe the boundaries within which management is expected to operate when pursuing a firm’s strategy. It codifies which types of risk the firm is willing to bear and under what conditions, as well as which risks the firm is unwilling to assume. In turn, the group defined risk appetite as the level and type of risk a firm is able and willing to assume in its exposures and business activities, given its business objectives and obligations to stakeholders.
Risk appetite is generally expressed through both quantitative and qualitative means and should consider extreme conditions, events, and outcomes. In addition, risk appetite should reflect potential impact on earnings, capital, and liquidity. The report was issued by the Senior Supervisory Group, which also includes the Canadian Superintendent of Financial Institutions, the Netherlands Bank, and the Swiss Financial Markets Supervisory Authority.
The report also found that, while most firms have made progress in developing risk appetite frameworks, there is considerably more work to do in order to strengthen these practices. In particular, the group said that the aggregation of risk data remains a challenge for institutions despite its critical importance to risk management.
The most effective risk appetite frameworks were found in firms with highly engaged boards working closely with senior officers, including the CFO and the chief risk officer. Active engagement by directors and senior management was observed to be critical in securing the financial and human capital necessary to implement IT infrastructure projects. In particular, this level of management support was seen as critical for IT projects aimed at improving the aggregation of risk data.
In addition, the role of the chief risk officer and that officer’s relationships with others are particularly notable, because the chief risk officer leads risk discussions among the board, the senior management team, and the business line leaders. Strong communication among these individuals allows the management team to effectively translate the board’s expectations of risk appetite into the firm’s day-to-day operations.
While risk limits set boundaries, noted the regulators, they do not by themselves offer enough accountability for operating within the risk appetite framework. Thus, the SEC and other regulators suggested that creating a risk culture consistent with a risk appetite framework would require positive incentives, such as career advancement and compensation, for individuals demonstrating strong risk management abilities.
A threshold element of a risk appetite framework is a risk appetite statement, which should be driven by the board and supported and implemented by senior management. The risk appetite statement is essentially a risk philosophy or a mission statement for risk that gives senior managers both guidance and constraints as they pursue the firm’s strategy. Risk appetite statements should contain the acceptable trade-off between risk and reward, the tolerances for volatility, and capital thresholds (including regulatory capital and leverage ratios). A useful risk appetite statement is relatively simple, easily communicated, and resonates with multiple stakeholders.
While the board or its risk committee cannot be expected to monitor every facet of a firm’s risk profile, said the report, boards that invest a significant amount of effort in articulating a firm’s risk appetite statement will have a greater stake in ensuring that the framework is implemented and guides decision making throughout the firm. Directors should challenge management until they are comfortable that management both understands the risk profile and is running the business in a manner consistent with the risk appetite framework.
The global regulators describe risk profile as a point-in-time assessment of actual aggregate risks associated with a firm’s exposures and business activities, through the use of several tools and measures. Generally, a firm should aim to have its risk profile remain within its stated risk appetite and should ensure that its risk profile does not exceed its risk capacity, which is the full level and type of risk at which a firm can operate and remain within constraints implied by capital and funding needs. Risk capacity is a maximum measure, emphasized the regulators, and is not necessarily intended to be reached, meaning that a firm might set a buffer between risk capacity and risk appetite and manage that on an ongoing basis.