By Darrell King and Hermes Peraza, PA financial services experts
The global financial crisis exposed a sizeable gap between the level of risk that banks perceived they were taking, and the level of risk they were actually taking. Since then, regulators have focused on ensuring banks adopt effective risk appetite frameworks (RAF) that more accurately reflect the risk they are willing to accept.
Although common ground has been found for the concepts, scope and features of effective RAFs, there remains no consensus on what ‘good looks like’. It is unlikely that regulators will define this, as it largely depends on each institution’s business model and strategic aims, and yet scrutiny continues to mount. In 2013, for example, the Financial Stability Board issued Principles for an Effective Risk Appetite Framework after finding that effective RAFs “had not yet been widely adopted”.
What is clear is that simply adopting and setting limits, buffers and controls is not enough. In the same way that a business strategy both identifies target returns and establishes how to achieve them, an effective RAF must define boundaries while outlining how these will be maintained. In effect, it needs to show that it has established a firm-wide approach to monitoring and preventing breaches. And, to achieve this, banks need principles, guidelines, governance structures, systems and monitoring and review mechanisms that underpin their risk management strategy and culture while aligning with wider business strategy.
Drawing on our experience of working with regulators, as well as a range of top-tier European banks and insurers, we believe banks should consider the following four steps while developing their RAF.
Firstly, you need to determine your risk profile (ie the risks you face as a result of your business activities) before setting your risk objectives and appetite (eg tolerances, buffers and limits). Typically, your risk profile needs to be sufficiently detailed and categorised by type of risk to enable aggregation across business lines or legal entities.
It is essential that you also determine meaningful quantitative and qualitative metrics, all of which need to be properly reflected in your risk appetite statement in a simple and clear way. All those definitions will only be of use if they can be measured accurately, monitored constantly and communicated periodically to the relevant stakeholders. You should be able to compare against those predefined parameters to provide assurance, understand risk priorities and determine any remediation activity.
In short, your risk strategy should be defined by the overall business strategy, as well as being clear, tangible, accurate, measurable, reportable and, most importantly, actionable.
Through our regulatory work, we recognise that it’s increasingly important not only to eliminate data management silos, but also to direct efforts to manage these programmes in an integrated manner, as part of a single management information (MI) and IT change programme. For RAFs, it’s no different. Data quality, consistency and integrity are imperative, as are tailored reporting templates.
In addition, your IT needs to be able to aggregate risks, assess correlations, identify concentrations and plan for the future. This needs to happen quickly and accurately, at group level, across business lines, between legal entities, and by type of risk. As this data will feed into determining your risk profile, it must be reliable, available in a timely manner and provided in all combinations, from the most granular to the most aggregated.
RAFs cannot be planned in isolation. Just as your business strategy depends on being adopted and executed by people in the firm, your risk strategy needs to play a role in every part of the business. To achieve this, the risk appetite must not only be communicated throughout the firm; more importantly, it should also support an environment where spotting and mitigating risks is fostered and encouraged by reward schemes at every managerial level.
The idea is that risk and reward-based decision making is embedded when defining processes, activities and controls, which should be welcomed and recognised throughout the business.
The whole idea of risk management is to be proactive rather than reactive. By anticipating risks (eg using a ‘regulatory radar’), preparing for them and addressing them before they become real, you enhance your ability to fulfil business objectives. As evidence suggests, this can help you consistently outperform your peers. The link is twofold: on one hand you can minimise losses both now and in the future; on the other, you can identify areas where additional controlled risks can be taken. This enables you to optimise your risk/reward relation by rebalancing your business mix.
Our experience in risk, governance and compliance includes supporting major European banks and insurance firms. We also have extensive regulatory and assurance expertise derived from working with UK regulators.
To find out more about achieving an effective risk approach for your business, contact us now.