General Information & Client Services
  • Americas: +1.212.553.1653
  • Asia: +852.3551.3077
  • China: +86.10.6319.6580
  • EMEA: +44.20.7772.5454
  • Japan: +81.3.5408.4100
Media Relations
  • New York: +1.212.553.0376
  • London: +44.20.7772.5456
  • Hong Kong: +852.3758.1350
  • Tokyo: +813.5408.4110
  • Sydney: +61.2.9270.8141
  • Mexico City: +001.888.779.5833
  • Buenos Aires: +0800.666.3506
  • São Paulo: +0800.891.2518

Connecting an enterprise-level risk appetite statement tangibly to business strategies and risk limits can be very challenging. In fact, 65% of respondents in the IACPM / PWC Survey cited integration of risk appetite into decision-making process as the biggest challenge in RAF implementation.1

For large firms, regulators have an expectation that capital distribution decisions are informed by risk identification and management processes that tie to a firm’s overarching risk appetite. While many firms may have strong risk management processes in place for specific risk discipline they struggle to develop a robust firm-wide process that is transparent to a third party.

This article is the first in a series that will analyze this topic. In it we provide an overview of some common problems organizations face and introduce a solution to develop an integrated, transparent, measurable, and actionable Risk Appetite Framework.

Introduction

Senior management and Boards of large financial firms are confronted with the challenge of taking the concept of a universal risk appetite statement and translating it into a meaningful framework for managing their businesses. Both Board members and senior management have important roles to play in this process. The Board must develop the overall risk appetite for the organization and make certain there is a governance process in place to ensure the business does not take unacceptable risks to meet profitability targets. Senior management is responsible for developing and implementing a process that aligns business strategies and risk management with the Board’s stated risk appetite. It is imperative that these senior leaders work together to develop a process that accurately represents the risk appetite of the firm.

Financial services companies are facing business complexities in a rapidly changing industry which often leads to a fragmented, opaque view of risk at the enterprise level. Often, this is compounded by lack of quality internal data, changing market dynamics, and the seemingly continuous change in regulatory expectations. This amalgamation of circumstances has hindered many organizations from developing a comprehensive, clear picture of the risks they face. In this article, we describe some common problems and set forth an overarching roadmap to develop a robust Risk Appetite Framework.

Assessing the problem

The supervisory expectation for large financial firms is for them to develop and maintain a comprehensive Risk Appetite Framework that is integrated, transparent, measurable, and actionable. However, there is no clear guidance for what actually constitutes an acceptable process. For example, an expectation outlined by the Federal Reserve in the 2015 CCAR instructions is as follows: “… large BHCs are to have thorough and robust processes for managing their capital resources, and that the processes are supported by effective firm-wide risk-identification, risk-measurement, and risk-management practices.2 The expectation is outlined clearly, but the path to success is left up for very broad interpretation.

While firms have strong risk management in place for individual material risks, most struggle to provide a compelling narrative of how they have an effective firm-wide process to their regulators. This is true globally, as noted by the Financial Stability Board: “… effective Risk Appetite Frameworks (RAFs) that are actionable and measurable by both financial institutions and supervisors have not yet been widely adopted.3

The key impediment is lack of a holistic view of a firm’s risk position that incorporates all material risks. No one risk measure or model does an acceptable job of considering all material risks for a firm. However, using a variety of lenses to view risk enables senior leaders to view specific risks with a reasonable amount of depth and to view risks broadly and assess their interdependencies and impact on pro-forma financial results. Most firms can leverage a group of complementary risk tools to construct a mosaic that encompasses key risks and conveys an effective enterprise-wide process. Despite an industry-wide effort, few, if any, firms have developed a robust process that is transparent to a third party, repeatable and easily auditable. In most cases, the end result is a qualitative process that combines a multitude of reports together in an ad-hoc fashion to appease regulators.

Figure 1. Comprehensive Risk Appetite Framework
Comprehensive Risk Appetite Framework
Source: Moody's Analytics

Step 1: Establishing a foundation

Risk measurement and management generally continues to be fragmented along the lines of risk buckets outlined by the Basel Committee (credit risk, market risk, and operational risk). The factors that led to this current state include limitations of legacy risk measurement systems, siloed organizational structures and fragmented regulatory oversight. Advancements in technology and revised supervisory expectations are now enabling (and forcing) these historical barriers to be broken down. This enables senior leaders to apply the tenents of a robust Risk Appetite Framework including a comprehensive risk identification process, a wide-ranging risk calibration process, and a risk measurement and management structure that supports and reinforces the firm’s overarching risk appetite statement. Adopting this framework allows a firm to tangibly link enterprise-level risk appetite statement to business strategies and associated risks.

The first step in developing a robust Risk Appetite Framework is to get a comprehensive understanding of the risks that are faced by the firm, commonly referred to as an organization’s risk identification process. The risk identification (or Risk ID) process should highlight risks and relationships in multiple dimensions and ultimately inform decision-making of the senior leaders of the organization. To adequately support the Risk ID process, the organization must develop an overarching structure that incorporates a common risk taxonomy, specified roles, responsibilities and ultimate accountability for identifying and assessing the materiality of the first and second order risks that impact the firm. An effective Risk ID framework combines multiple quantitative tools with qualitative processes to enable a firm to see risks that span many traditional risk buckets and can provide the depth of information needed to assess specific risks in detail. This requires a suite of tools used throughout the business lines, from which outputs can be aggregated to provide a robust picture of how risks can impact the firm.

To accomplish the goal of corralling risks across business lines into a central repository an organization needs a platform that provides a consolidated view to ensure all material risks are identified. Developing a process that is transparent, repeatable, and manageable is paramount to ensuring it is adopted across the various business lines of the organization. Transparency enables individuals throughout the organization to understand how their input is used to inform the “bigger picture” of risk at the organization. A Risk ID process will only be successful if a repeatable feedback loop is established to ensure the risk inventory is accurate and dynamically updated to include emerging risks and changes in market conditions. Finally, the process must be manageable to make it a complement that adds value to business decisions, as opposed to being considered a compliance exercise.

Step 2: Developing a strategy

Once a Risk ID process is established, the next step is to calibrate business strategies and the associated risk limits to ensure they meet their goals without taking undue risk in the process. While business strategies are not often discussed in the context of risk limits, it is critical for an organization to consider them in tandem when making strategic decisions. This “calibration” of risk limits in the context of business strategies must be somewhat dynamic, and must consider internal factors such as credit underwriting standards, portfolio concentration risk or any emerging risks that may be a result of entering a new product line, while also keeping sight of macro trends related to economy or competition in specific market segments.

The preceding requires integration of multiple tools into a flexible enterprise software platform to calibrate a firm’s risk appetite effectively. The concept of tying an assertion of ‘risk appetite’ to formalized strategies and limits that can be expressly measured is not easy. The framework needs the structure to develop and formalize the process. A consolidated aggregation platform also creates a much more transparent and auditable process. It establishes a ‘corporate memory’ for the governance of the Risk Appetite Framework.

To be able to calibrate the risk appetite of an organization, initially the Board must define specific metrics that can be used to anchor the process. This expression of the firm’s risk appetite must include units of measure that include both magnitude and a stated time horizon. A risk appetite statement should include multiple metrics that articulate the amount of risk the organization is willing to take to meet specified goals. To do this a firm may couple explicit earnings loss limits over a one-year horizon with an average return on equity ratio over a five-year horizon. For example, the goal may be to limit total losses over a one year time horizon to less than 1.5 times the previous year’s earnings, as long as the average five-year return on equity exceeds 8%.

There are a multitude of factors that can influence the financial performance of an organization, including asset quality deterioration, market shocks and liquidity events. Unfortunately, these factors do not usually occur in isolation and require management to consider a few key items when formulating a risk limit framework. Initially, a firm should implement a process of collecting relevant risk specific information from models and processes throughout the organization. Firms should ensure that both quantitative and qualitative information is collected to enable senior leaders to form a rudimentary, yet coherent picture of the firm’s risk position. This collection process should include a wide range of elements, such as operational key risk indicators, credit portfolio metrics, reputational risk concerns, market and liquidity risk metrics as well as anecdotal information from each line of business. This, in turn, requires cultivating a culture of risk awareness throughout each group within the organization.

Figure 2. Risk appetite calibration
Risk appetite calibration
Source: Moody's Analytics

Next, current and future business strategies as well as external market conditions need to be evaluated to help establish a comprehensive set of risk limits that include input from processes used to evaluate specific risks such as credit, liquidity, and business risk. Once specific risk limits are solidified, an organization should assess the impact of multitude of risks on the firm’s performance through the stress scenario design process and apply additional risk limits that capture elements that were not evident through the evaluation of specific risks. This approach is primarily accomplished by taking a broad view of risks through a set of deterministic scenarios that incorporate both macroeconomic and idiosyncratic factors and should be developed with input from a suite of models paired with expert judgment.

Once this process is established it is important to ensure effective governance is put in place. To ensure that business strategies and risk limits remain in sync with the firm’s risk appetite, a firm should identify key assumptions that could impact the effectiveness of the framework to senior leaders. Finally, this process should be repeated frequently to ensure business strategies and risk limits remain effective and aligned with the stated risk appetite.

Step 3: Measurement and management

After the firm’s risk appetite is calibrated to its business strategy and associated risk limits it is critical that an effective risk measurement system is put in place. The risk measurement component is critical to establishing a strong feedback loop to solidify the Risk Appetite Framework. Dynamic risk measurement begins with a robust scenario design process. Stress scenario analysis is typically completed on a relatively small number of future "states of the world," so developing meaningful scenarios is critical. Many firms rely on a combination of internal and external sources to develop stress scenarios. While most have developed an effective process to consider macro factors and their impact on the organization, some fall short of fully incorporating information provided by other risk tools and strategic plans into the scenario design process. For example, firms can leverage information from credit portfolio models (e.g., economic capital models) that use a robust simulation approach to identify additional idiosyncratic and emerging risks to support the scenario design process. This enables senior leaders to strategically assess the impact of current portfolio construction and future business strategies to ensure profits are maximized for the level of risk taken by the firm.

Identifying the risk metrics of an effective risk measurement system is needed to ensure risk managers have the information needed to take prompt action when needed. Risk metrics should include various measures that take into account the timing and accounting impacts of deterministic scenarios over a specified time horizon(s) and the interaction of multiple risks on the consolidated income statement and balance sheet. Additionally, profitability and in-depth portfolio risk metrics using advanced techniques that consider many possible outcomes must be included to ensure exposures that may not be revealed in deterministic stress scenario analysis are linked to the Risk Appetite Framework.

Looking into the future

“Firms that tended to deal more successfully with the ongoing market turmoil through year-end 2007 adopted a comprehensive view of their exposures. They used information developed across the firm to adjust their business strategy, risk management practices, and exposures promptly and proactively in response to changing market conditions.”4

The quote above from the Senior Supervisors Group report in 2008 suggests that regulatory attention to risk appetite and risk identification is not going to abate. Thus, while linking the firm’s risk appetite statement to meaningful risk limits is a difficult task, it is an imperative. Hundreds of full-time resources already dedicated to regulatory compliance and ongoing investments in the tens of millions of dollars create an opportunity to create next-generation business-as-usual risk management practices. Dynamic Risk Appetite Framework that connects risk tools with firm’s business strategies is a foundational step. The framework should be further informed by enterprise stress scenario analysis to ensure the framework is comprehensive and is explicitly linked to the capital and liquidity planning processes.

The three step approach outlined in this paper is the baseline for establishing a framework that is integrated, transparent, measurable, and actionable. Distilling the process down to three interlocking sections allows stakeholders throughout the organization to easily understand how their contributions fit into the process. This paper was designed to outline a high-level concept that can be used as a blueprint to link a firm’s risk appetite to their day-to-day business activities. However, as with any high-level concept, the devil is in the details. In follow up papers, we will explore practical applications of existing technologies to this framework to align business strategies and risk to a Board’s stated risk appetite.

Sources

1 Risk Appetite Frameworks Insights into evolving global practices, An IACPM/PwC Study, November 2014.

2 CCAR 2015 instructions Federal Reserve, October 2014.

3 Principles for an effective Risk Appetite Framework, Financial Stability Board, November 2013.

4 Observations on risk management practices during the recent market turbulence, Senior Supervisors Group, 2008.

SUBJECT MATTER EXPERTS
As Published In:
Related Insights

CECL Methodologies Q&A

American Banker spoke with Anna Krayn from Moody's Analytics about CECL, the new FASB accounting standards on current expected credit loss.

February 2017 Pdf Anna Krayn

Getting Ready for CECL

The FASB’s new impairment standards won’t take effect until 2020, but institutions should start planning now. This webinar outlines key considerations for early CECL preparation, including: main challenges; expectations of auditors, regulators, and investors; planning in firms of varying sizes; and how to get started.

October 2016 WebPage Anna KraynEmil Lopez

CECL: The Road to CECL

In this webinar, we discuss what the new CECL standard is and why the FASB is changing Impairment Accounting. Key topics include the timeline for implementation, key differences are in the new impairment models compared with the existing ones, and how the allowance calculation process is likely to change.

September 2016 WebPage Anna KraynEmil Lopez

CECL Spotlight with Anna Krayn

As firms begin their implementation process for CECL, there are still more questions than answers as firms are beginning to plan for eventual implementation. However, there are some key benefits to early CECL adoption. In this live interview, Anna Krayn gives her perspective and recommendations.

September 2016 WebPage Anna Krayn

CECL: Disclosures and Timelines

In this webinar, we explore the implications of new disclosure requirements and the effective dates for CECL implementation. We explain why banks should start preparing for CECL now and what are the advantages to early implementation.

September 2016 WebPage Anna KraynEmil Lopez

The Long Road to CECL: Implementation Considerations

In this video cast, we will discuss the implications of the final CECL standard and approaches to implementation.

September 2016 WebPage Anna KraynEmil Lopez

The Long Road to CECL: Implementation Considerations Presentation Slides

As firms prepare for CECL, there are still many questions about the best approaches to implementation and how the regulatory requirements will impact adoption. In this webcast, we answer practitioners questions and provide suggested approaches for implementation.

September 01, 2016 Pdf Anna KraynEmil Lopez

Implications of the FASB's New Credit Loss Impairment Standard

On June 16, FASB issued the much anticipated financial instruments impairment standards update. The implications of this standard are significant and will change the way credit losses are measured for most financial assets (e.g. receivables, debt securities and loans).

June 2016 WebPage Anna KraynChristian Henkel

DFAST Quick Takes: Looking Toward CCAR Results

This article outlines recent approaches to managing credit risk when facing regulatory capital requirements. We explore how institutions should best allocate capital and make economically-optimized investment decisions under regulatory capital constraints, such as those imposed by Basel or CCAR-style rules.

June 2016 WebPage Anna KraynDavid LittleEd Young

Reading the Tea Leaves of Recent Regulatory Guidance

In this article, we review the common themes reflected in recent regulatory guidelines released by the Federal Reserve and the BCBS.

June 2016 WebPage Anna KraynDavid LittleEd Young

Making Risk Appetite Stick: How Data and Analytics Can Help

In this webinar, we discuss how institutions can overcome challenges to ensure that risk appetite can be monitored as well as key analytic metrics which can be leveraged for strategic decision-making.

April 2016 WebPage Nihil PatelEd Young

Reading the Tea Leaves of Recent Regulatory Guidance

December 2015 was a busy month for regulatory agencies and global standard setters. Throughout the year the industry has been waiting for additional guidance on high impact topics including capital planning and allowance methodologies, and in the final stretch of 2015 both the Federal Reserve and the Basel Committee on Banking Supervision (BCBS) complied. This paper will primarily focus on common themes in the two releases.

January 2016 Pdf Anna KraynEd YoungDavid Little

From the Editor

Post-crisis regulatory drivers are giving rise to better risk management practices that will provide a competitive advantage. With this in mind, this edition of Risk Perspectives looks at the future of risk management, and the best practices of today that will form the successful risk management practices of the future.

December 11, 2015 WebPage Anna Krayn

Learnings from CCAR 2015 and Beyond

In this webinar, Moody's Analytics experts revisit the CCAR 2015 scenarios, review industry results and discuss how to identify and quantify Systemic Risk.

April 2015 WebPage Mark Zandi, Anna KraynDr. Samuel W. Malone

Comparing DFAST 2014 Estimates for CCAR Banks Under the FRB's Severely Adverse Scenario

This quantitative analysis of CCAR 2014 Severely Adverse scenarios, Moody's Analytics finds that the Federal Reserve Bank's (FRB's) and banks' own modeled estimates of capital ratios, revenue, net income, and loan credit losses are generally well aligned, although variations in all measures and across all banks are evident. In addition, the FRB's estimates are generally more conservative than those of the individual banks, reflecting differences in the FRB's industry-based models vs. the banks' portfolio specific models, treatment of missing or invalid data in the FRB's modeling approach, and assumptions about projected balance sheet volumes. The wide variation among bank modeled estimates and their overall alignment with FRB modeled estimates argues against banks targeting general industry benchmarks (such as average loss rates) and in favor of building models around their own business models and portfolio characteristics.

July 2014 Pdf Danielle Ferry, Daniel BrownAnna Krayn

Learn the Fundamentals of Managing Liquidity Under Basel III Presentation

Changes to liquidity management regulations present significant challenges for organizations based in the United States. In this presentation, our experts discuss key aspects of the planned US Basel III liquidity regulations, critical challenges in implementing these regulations, and a best practice framework for delivering compliance with the US Basel III directive.

May 2014 Pdf Anna Krayn

Learn the Fundamentals of Managing Liquidity Under U.S. Basel III Webinar

In this webinar, recorded on May 1, 2014 Anna Krayn and Olivier Brucker discuss key aspects of the planned US Basel III liquidity regulations, critical challenges in implementing these regulations, and a best practice framework for delivering compliance with the US Basel III directive.

May 2014 WebPage Anna Krayn

When CCAR Met Basel

In this article, we discuss where CCAR and Basel III intersect, with a particular focus on the data, analytics, and reporting layers of a sound CCAR/Basel III IT architecture, and why banks should address both within an integrated platform to meet, and go beyond, regulatory compliance.

November 2013 WebPage Anna Krayn, Michael Richitelli

Modeling Credit Losses to Meet Stress Testing Requirements

This article discusses two conceptual approaches for modeling stressed credit losses: top-down and bottom-up. It highlights the benefits and challenges of using each approach and regulatory expectations.

November 2013 WebPage Thomas Day, Anna Krayn

Beyond the Regulation: Exploring an Innovative Tool to Gauge Counterparty Credit Risk

In this article, we highlight a new network-based toolkit that helps firms deal with associated regulatory requirements related to single-counterparty credit limits.