Using a Risk Appetite Framework to Align Strategy and Risk

Connecting an enterprise-level risk appetite statement tangibly to business strategies and risk limits can be very challenging. In fact, 65% of respondents in the IACPM / PWC Survey cited integration of risk appetite into decision-making process as the biggest challenge in RAF implementation.¹

For large firms, regulators have an expectation that capital distribution decisions are informed by risk identification and management processes that tie to a firm’s overarching risk appetite. While many firms may have strong risk management processes in place for specific risk discipline they struggle to develop a robust firm-wide process that is transparent to a third party.

This article is the first in a series that will analyze this topic. In it we provide an overview of some common problems organizations face and introduce a solution to develop an integrated, transparent, measurable, and actionable Risk Appetite Framework.

Senior management and Boards of large financial firms are confronted with the challenge of taking the concept of a universal risk appetite statement and translating it into a meaningful framework for managing their businesses. Both Board members and senior management have important roles to play in this process. The Board must develop the overall risk appetite for the organization and make certain there is a governance process in place to ensure the business does not take unacceptable risks to meet profitability targets. Senior management is responsible for developing and implementing a process that aligns business strategies and risk management with the Board’s stated risk appetite. It is imperative that these senior leaders work together to develop a process that accurately represents the risk appetite of the firm.

Financial services companies are facing business complexities in a rapidly changing industry which often leads to a fragmented, opaque view of risk at the enterprise level. Often, this is compounded by lack of quality internal data, changing market dynamics, and the seemingly continuous change in regulatory expectations. This amalgamation of circumstances has hindered many organizations from developing a comprehensive, clear picture of the risks they face. In this article, we describe some common problems and set forth an overarching roadmap to develop a robust Risk Appetite Framework.

The supervisory expectation for large financial firms is for them to develop and maintain a comprehensive Risk Appetite Framework that is integrated, transparent, measurable, and actionable. However, there is no clear guidance for what actually constitutes an acceptable process. For example, an expectation outlined by the Federal Reserve in the 2015 CCAR instructions is as follows: “… large BHCs are to have thorough and robust processes for managing their capital resources, and that the processes are supported by effective firm-wide risk-identification, risk-measurement, and risk-management practices.”² The expectation is outlined clearly, but the path to success is left up for very broad interpretation.

While firms have strong risk management in place for individual material risks, most struggle to provide a compelling narrative of how they have an effective firm-wide process to their regulators. This is true globally, as noted by the Financial Stability Board: “… effective Risk Appetite Frameworks (RAFs) that are actionable and measurable by both financial institutions and supervisors have not yet been widely adopted.”³

The key impediment is lack of a holistic view of a firm’s risk position that incorporates all material risks. No one risk measure or model does an acceptable job of considering all material risks for a firm. However, using a variety of lenses to view risk enables senior leaders to view specific risks with a reasonable amount of depth and to view risks broadly and assess their interdependencies and impact on pro-forma financial results. Most firms can leverage a group of complementary risk tools to construct a mosaic that encompasses key risks and conveys an effective enterprise-wide process. Despite an industry-wide effort, few, if any, firms have developed a robust process that is transparent to a third party, repeatable and easily auditable. In most cases, the end result is a qualitative process that combines a multitude of reports together in an ad-hoc fashion to appease regulators.

Figure 1. Comprehensive Risk Appetite Framework

Source: Moody's Analytics

Risk measurement and management generally continues to be fragmented along the lines of risk buckets outlined by the Basel Committee (credit risk, market risk, and operational risk). The factors that led to this current state include limitations of legacy risk measurement systems, siloed organizational structures and fragmented regulatory oversight. Advancements in technology and revised supervisory expectations are now enabling (and forcing) these historical barriers to be broken down. This enables senior leaders to apply the tenents of a robust Risk Appetite Framework including a comprehensive risk identification process, a wide-ranging risk calibration process, and a risk measurement and management structure that supports and reinforces the firm’s overarching risk appetite statement. Adopting this framework allows a firm to tangibly link enterprise-level risk appetite statement to business strategies and associated risks.

The first step in developing a robust Risk Appetite Framework is to get a comprehensive understanding of the risks that are faced by the firm, commonly referred to as an organization’s risk identification process. The risk identification (or Risk ID) process should highlight risks and relationships in multiple dimensions and ultimately inform decision-making of the senior leaders of the organization. To adequately support the Risk ID process, the organization must develop an overarching structure that incorporates a common risk taxonomy, specified roles, responsibilities and ultimate accountability for identifying and assessing the materiality of the first and second order risks that impact the firm. An effective Risk ID framework combines multiple quantitative tools with qualitative processes to enable a firm to see risks that span many traditional risk buckets and can provide the depth of information needed to assess specific risks in detail. This requires a suite of tools used throughout the business lines, from which outputs can be aggregated to provide a robust picture of how risks can impact the firm.

To accomplish the goal of corralling risks across business lines into a central repository an organization needs a platform that provides a consolidated view to ensure all material risks are identified. Developing a process that is transparent, repeatable, and manageable is paramount to ensuring it is adopted across the various business lines of the organization. Transparency enables individuals throughout the organization to understand how their input is used to inform the “bigger picture” of risk at the organization. A Risk ID process will only be successful if a repeatable feedback loop is established to ensure the risk inventory is accurate and dynamically updated to include emerging risks and changes in market conditions. Finally, the process must be manageable to make it a complement that adds value to business decisions, as opposed to being considered a compliance exercise.

Once a Risk ID process is established, the next step is to calibrate business strategies and the associated risk limits to ensure they meet their goals without taking undue risk in the process. While business strategies are not often discussed in the context of risk limits, it is critical for an organization to consider them in tandem when making strategic decisions. This “calibration” of risk limits in the context of business strategies must be somewhat dynamic, and must consider internal factors such as credit underwriting standards, portfolio concentration risk or any emerging risks that may be a result of entering a new product line, while also keeping sight of macro trends related to economy or competition in specific market segments.

The preceding requires integration of multiple tools into a flexible enterprise software platform to calibrate a firm’s risk appetite effectively. The concept of tying an assertion of ‘risk appetite’ to formalized strategies and limits that can be expressly measured is not easy. The framework needs the structure to develop and formalize the process. A consolidated aggregation platform also creates a much more transparent and auditable process. It establishes a ‘corporate memory’ for the governance of the Risk Appetite Framework.

To be able to calibrate the risk appetite of an organization, initially the Board must define specific metrics that can be used to anchor the process. This expression of the firm’s risk appetite must include units of measure that include both magnitude and a stated time horizon. A risk appetite statement should include multiple metrics that articulate the amount of risk the organization is willing to take to meet specified goals. To do this a firm may couple explicit earnings loss limits over a one-year horizon with an average return on equity ratio over a five-year horizon. For example, the goal may be to limit total losses over a one year time horizon to less than 1.5 times the previous year’s earnings, as long as the average five-year return on equity exceeds 8%.

There are a multitude of factors that can influence the financial performance of an organization, including asset quality deterioration, market shocks and liquidity events. Unfortunately, these factors do not usually occur in isolation and require management to consider a few key items when formulating a risk limit framework. Initially, a firm should implement a process of collecting relevant risk specific information from models and processes throughout the organization. Firms should ensure that both quantitative and qualitative information is collected to enable senior leaders to form a rudimentary, yet coherent picture of the firm’s risk position. This collection process should include a wide range of elements, such as operational key risk indicators, credit portfolio metrics, reputational risk concerns, market and liquidity risk metrics as well as anecdotal information from each line of business. This, in turn, requires cultivating a culture of risk awareness throughout each group within the organization.

Figure 2. Risk appetite calibration

Source: Moody's Analytics

Next, current and future business strategies as well as external market conditions need to be evaluated to help establish a comprehensive set of risk limits that include input from processes used to evaluate specific risks such as credit, liquidity, and business risk. Once specific risk limits are solidified, an organization should assess the impact of multitude of risks on the firm’s performance through the stress scenario design process and apply additional risk limits that capture elements that were not evident through the evaluation of specific risks. This approach is primarily accomplished by taking a broad view of risks through a set of deterministic scenarios that incorporate both macroeconomic and idiosyncratic factors and should be developed with input from a suite of models paired with expert judgment.

Once this process is established it is important to ensure effective governance is put in place. To ensure that business strategies and risk limits remain in sync with the firm’s risk appetite, a firm should identify key assumptions that could impact the effectiveness of the framework to senior leaders. Finally, this process should be repeated frequently to ensure business strategies and risk limits remain effective and aligned with the stated risk appetite.

After the firm’s risk appetite is calibrated to its business strategy and associated risk limits it is critical that an effective risk measurement system is put in place. The risk measurement component is critical to establishing a strong feedback loop to solidify the Risk Appetite Framework. Dynamic risk measurement begins with a robust scenario design process. Stress scenario analysis is typically completed on a relatively small number of future "states of the world," so developing meaningful scenarios is critical. Many firms rely on a combination of internal and external sources to develop stress scenarios. While most have developed an effective process to consider macro factors and their impact on the organization, some fall short of fully incorporating information provided by other risk tools and strategic plans into the scenario design process. For example, firms can leverage information from credit portfolio models (e.g., economic capital models) that use a robust simulation approach to identify additional idiosyncratic and emerging risks to support the scenario design process. This enables senior leaders to strategically assess the impact of current portfolio construction and future business strategies to ensure profits are maximized for the level of risk taken by the firm.

Identifying the risk metrics of an effective risk measurement system is needed to ensure risk managers have the information needed to take prompt action when needed. Risk metrics should include various measures that take into account the timing and accounting impacts of deterministic scenarios over a specified time horizon(s) and the interaction of multiple risks on the consolidated income statement and balance sheet. Additionally, profitability and in-depth portfolio risk metrics using advanced techniques that consider many possible outcomes must be included to ensure exposures that may not be revealed in deterministic stress scenario analysis are linked to the Risk Appetite Framework.

“Firms that tended to deal more successfully with the ongoing market turmoil through year-end 2007 adopted a comprehensive view of their exposures. They used information developed across the firm to adjust their business strategy, risk management practices, and exposures promptly and proactively in response to changing market conditions.”⁴

The quote above from the Senior Supervisors Group report in 2008 suggests that regulatory attention to risk appetite and risk identification is not going to abate. Thus, while linking the firm’s risk appetite statement to meaningful risk limits is a difficult task, it is an imperative. Hundreds of full-time resources already dedicated to regulatory compliance and ongoing investments in the tens of millions of dollars create an opportunity to create next-generation business-as-usual risk management practices. Dynamic Risk Appetite Framework that connects risk tools with firm’s business strategies is a foundational step. The framework should be further informed by enterprise stress scenario analysis to ensure the framework is comprehensive and is explicitly linked to the capital and liquidity planning processes.

The three step approach outlined in this paper is the baseline for establishing a framework that is integrated, transparent, measurable, and actionable. Distilling the process down to three interlocking sections allows stakeholders throughout the organization to easily understand how their contributions fit into the process. This paper was designed to outline a high-level concept that can be used as a blueprint to link a firm’s risk appetite to their day-to-day business activities. However, as with any high-level concept, the devil is in the details. In follow up papers, we will explore practical applications of existing technologies to this framework to align business strategies and risk to a Board’s stated risk appetite.