Risk Appetite – Framework & Approaches

Introduction

For banks or financial institutions, risk appetite is a particularly important component of an end-to-end risk management framework. It needs to be supported by other risk management components, such as a comprehensive risk taxonomy, robust risk identification and assessment processes, data and analytics capabilities, and a risk aggregation and prioritisation logic based on risk materiality. Risk appetite also needs to be integrated into risk governance and oversight, reporting, and risk decision-making and mitigation actions.

While there is general industry agreement regarding the usefulness of risk appetite frameworks, there is no industry consensus on what it actually means to establish and embed a proper risk appetite framework. Setting enterprise-wide risk appetite is a necessary step that enables a board to identify a firm’s key risks and to set limits for those threats. However, to be effective, risk appetite statements must be developed in ways that are directly actionable for business and risk teams. This is likely why the risk appetite statement is generally considered the hardest part of any Enterprise Risk Management implementation. Translating risk appetite statements into action is a further obstacle: limits or key risk indicators (KRIs) establish risk guideposts throughout the year, but those metrics can at times be disconnected from the risk appetite statement.

Another important challenge to note is that, at banks or financial institutions, setting risk appetite for financial risks is an extensive, regulatory-driven practice to manage risks to the balance sheet, profit-and-loss statement, and cash flows. The objective is to limit the credit, market, and liquidity risk capacity of financial assets and liabilities in relation to capital and funding. At the same time, executives need to trade off allocation of scarce capital and funding with risks to optimize returns, which are measured by the return on equity and risk-adjusted capital. For non-financial or operational risks, setting risk appetite is a much more elusive and theoretical concept than for financial risks. This is because operational risk is pervasive, managed across the organisation and is often just a consequence of operating the business. In addition, operational risk has been more difficult to quantify than market and credit risk, and besides (imperfect) capital measures there is no ‘common currency’ for operational risk. As a result, senior management teams are frequently challenged by the mandate to define and express operational risk appetite in a way that is understood and accepted across the organisation and can be used to guide business decisions.

Given the challenges in the foundational elements of risk appetite, it is immediately evident that prescribing or allocating limits in a group-wide structure will be no easier feat. The purpose of this paper is therefore the following:

  • Revisit the concept of risk appetite
  • Establish clear terminology and understanding of important definitions
  • Describe a risk appetite framework
  • Explain the purpose of a Risk Appetite Statement
  • Outline the principles and content of a consistent framework
  • Consider different approaches to aggregation
  • Provide suggestions to cascade risk tolerances and limits
  • Present case studies of examples used by leading financial institutions

Furthermore, without clearly defined, measurable tolerances or limits, the whole risk cycle and any risk framework is arguably at a standstill.

Risk appetite statements have become the norm in banking – but there remains considerable variation in the implementation of these statements across the financial services industry.

What is Risk Appetite

The Financial Stability Board (FSB) defined risk appetite succinctly as an articulation of “the aggregate level and types of risk that a financial institution is willing to accept, or to avoid, in order to achieve its business objectives…It should also address more difficult to quantify risks such as reputation and conduct risks as well as money laundering and unethical practices”.

A clear risk appetite statement is crucial for effective enterprise risk management (ERM) as it provides guidance and parameters for decision-making and risk-taking within an organisation. Furthermore, it is a key component in a proactive and adaptable corporate strategy. Organisations can navigate uncertainty more effectively by using risk appetite as a guiding set of principles as they make strategic decisions that position them for success in today’s unpredictable world.

Clearly defining risk appetite enables an organisation’s leaders to identify and prioritise potential risks, establish limits and thresholds, and allocate resources effectively.

The Risk Universe

Risk appetite is closely related to other concepts and components within an organisation’s risk universe:

  • Risk profile — Snapshot of an organisation’s risk portfolio at a specific point in time. It is crucial for the risk profile to align with the business model and strategy of the organisation.
  • Risk capacity — Quantifies the maximum amount of risk an organisation can prudently handle, given its resources and financial capabilities. The organisation will not be able to sustain losses beyond its capacity, as it will become insolvent. It is the absolute maximum loss a company is able (not just willing) to take on.
  • Risk tolerance — The quantitative expression of risk appetite, applying the same level of risk-taking to specific risk categories, business units or products. Certain risk tolerances are policy limits that should not be breached (hard limits), while other risk tolerances are trigger points for risk reviews and mitigation (soft limits). Whereas risk appetite is a strategic determination based on long-term objectives, risk tolerance can be seen as a tactical approach to managing risk within established parameters. Risk tolerance is defined within the context of the related objective, using the metrics in place to measure performance against that objective. The term is used interchangeably with risk limits.

When taken together, these elements align strategic aspirations with risk-taking capabilities to create a comprehensive framework that guides an organisation’s approach to risk management.

Risk Appetite Framework

The Risk Appetite Framework (RAF) is the overall approach, including policies, controls and systems, through which risk appetite is established, communicated and monitored.

A RAF should generally be composed of four main parts:

  • Risk Spectrum: A consistent expression of the scale of risks. It defines and interprets appetite in terms of approach (averse, neutral, tolerant etc.) and aligns appetite with impact.
  • Risk Appetite Statement: The Risk Appetite Statement is the Output. It describes the organisation and/or business unit’s risk appetite for each principal risk type separately. (N.B. a Risk Appetite Statement is only needed for important/critical risks. It is not a laundry list.) This is a combined qualitative and quantitative statement where possible. Note that it is important to assess regulatory requirements and expectations which would typically serve as minimum criteria. Furthermore, risk appetite statements are typically communicated at the Level 1 Category.
  • System for risk limits and triggers: The risk quantification & limit system is the methodical core of risk management that defines the way in which all risk types can be assessed in a consistent and aggregated manner, which perspectives (in which dimensions) must be considered, and which KPIs are used to translate risk appetite into operational limits and/or triggers. Common tools are KRIs (qualitative and quantitative), Limits (qualitative and quantitative), and Losses (quantitative – post risk materialisation). KRIs and control requirements can be set at a Level 2 Category as these are more specific and more adapted to quantitative limits and restrictions.
  • Governance system: A governance system assigns clear responsibilities for adjusting risk appetite and limits, as well as for monitoring, reporting and escalation. As a result, the organisation is able to respond proactively to potential changes and adjust its own risk appetite accordingly.

The development and establishment of an effective RAF is an iterative and evolutionary process that requires ongoing dialogue throughout the financial institution to attain buy-in across the organisation.

The Senior Supervisors Group (SSG) outlined key principles and success factors for the RAF, which include:

  • Risk appetite should be aligned to strategy and considered a forward-looking view of an organisation’s desired risk profile in a variety of scenarios
  • Board and senior management should be actively involved, and strong accountability structures and clear incentives and constraints should be in place
  • Risk appetite statements should be operationalised through use of the right level and type of information, fostering strong internal relationships, and establishing risk limits with actionable input for risk/business managers
  • A strong risk culture and “tone at the top” are needed, together with linkage among the strategy, business plans and risk appetite; collaboration between risk management, finance, strategy and business units; and regular assessment of the organisation’s risk profile against risk appetite.

Designing a Successful Risk Appetite Framework

There is no one universally defined template that will work for all. Below are typical features of risk appetite frameworks from best practices across different sectors and from organisations of different scales to illustrate possible formats:

  • A set of key risk categories that encompass an organisation’s entire risk universe — what it is facing today and what may occur in the short to medium term.
  • A clear link to business objectives.
  • Scales used are the same as the organisation’s risk matrix and are clear on the impact categories (e.g., financial, reputational, or regulatory).
  • Quantification of risk appetite per key risk category, when possible.
  • A description of the risk appetite, per key principal risk category, which explains the quantification and the broader organisational context.
  • Identification of key risk indicators, threshold warnings, and action limits to support proactive monitoring.
  • Stakeholders who understand how the key risk category fits into the organisational context; the number of stakeholders impacted by risk determines the amount of focus required.

Purpose of a Risk Appetite Statement

As mentioned above, Risk Appetite Statements are the Output. However, creating an appetite is not about merely writing a set of statements. While the main purpose is to establish limitations on risk, it also provides the following important benefits which must be understood and communicated:

  • Aligning business strategy with risk management. It involves providing a decision-making tool to enable prioritisation and the deployment of resources, and to drive considered, risk-based decisions.
  • Developing a common understanding and language for discussing risk at the board, management, and business levels.
  • Promoting risk awareness and enforcing the desired risk culture throughout the organisation.
  • Integrating risk appetite with other ERM tools, including RCSAs, KPIs, KRIs, Economic Capital and Stress Testing.
  • Meeting the needs of external stakeholders (e.g. regulators, investors, rating agencies) for risk transparency, soundness and sustainability.

N.B. The right risk appetite is one that optimises the balance of risk against reward, not one that only limits downside risk. Therefore, identifying opportunity and seeking risk within the risk profile to maximise that opportunity is the ultimate objective. This important distinction must be made clear from the outset and is the primary driver of the “purpose”.

Features of an effective Risk Appetite Statement

The FSB recommends that an effective risk appetite statement should:

  • Include key background information and assumptions that informed the financial institution’s strategic and business plans at the time they were approved;
  • be linked to the institution’s short- and long-term strategic, capital and financial plans, as well as compensation programs;
  • establish the amount of risk the financial institution is prepared to accept in pursuit of its strategic objectives and business plan, taking into account the interests of its customers (e.g. depositors, policyholders) and the fiduciary duty to shareholders, as well as capital and other regulatory requirements;
  • determine for each material risk and overall the maximum level of risk that the financial institution is willing to operate within, based on its overall risk appetite, risk capacity, and risk profile;
  • include quantitative measures that can be translated into risk limits applicable to business lines and legal entities as relevant, and at group level, which in turn can be aggregated and disaggregated to enable measurement of the risk profile against risk appetite and risk capacity;
  • include qualitative statements that articulate clearly the motivations for taking on or avoiding certain types of risk, including for reputational and other conduct risks across retail and wholesale markets, and establish some form of boundaries or indicators (e.g. non-quantitative measures) to enable monitoring of these risks;
  • ensure that the strategy and risk limits of each business line and legal entity, as relevant, align with the institution-wide risk appetite statement as appropriate; and
  • be forward looking and, where applicable, subject to scenario and stress testing to ensure that the financial institution understands what events might push the financial institution outside its risk appetite and/or risk capacity.

Although developed in 2013, these principles still serve as guiding measures for many institutions. More simply, the following criteria can also be used to benchmark the effectiveness of a risk appetite statement. It should:

  • Easy to understand; this is crucial for subsequent embedding of risk appetite in the organisation.
  • Provide a definition of the risk sub-type; important to avoid second-guessing of what is included.
  • Contain a link to strategic objectives; although this sounds obvious, statements with no direct reference to strategy, objectives or business plans are still quite common.
  • Outline accountability, which will include a risk owner, subject matter expert or relevant committee.
  • Reference KRIs and key controls, thereby validating the statement and setting clear expectations.
  • Contain a response framework, stating the consequences of breaching the appetite.

Roles & Responsibilities

Governance is a necessary condition for effective risk appetite structures, and policies and procedures must define what to do and who is accountable for various actions.

The process of developing, implementing, and renewing a comprehensive Risk Appetite Statement (RAS) framework should involve key stakeholders from every level of the organisation. Essentially, this would happen through a collaborative process between top management, the Board, and the CRO team acting as facilitators and overseers. The Risk Appetite Statement itself should document specific roles and responsibilities for carrying out the risk policy, including reporting and exception-management processes as previously mentioned.

Top-Down and Bottom-Up Approaches to Risk Appetite

Risk management theory states that risk appetite must be defined top-down, beginning with the board, with risk exposure allocated to the different businesses and translated into the corresponding risk management measures at different levels of the organisation. This is also the approach recognised by regulators and risk institutes.

However, it is worth noting that there is an alternative view, namely bottom-up. It is based on the premise that risk appetite is the sum of what you are already doing. Defining risk appetite bottom-up will create risk appetite statements that reflect the accepted level of risk-taking in a firm, which can then be observed in business practices and policies. This method is, however, only useful in well-controlled and risk-mature environments. It is often recommended for mid-size organisations (size complicates bottom-up exercises) that have generally well-documented and controlled business operations but find it difficult to describe their risk appetite.

The purpose of this section is to make the alternative approaches transparent. In more complex settings, however, top-down is considered the preferable standard.

Cascading Risk Tolerances and Risk Limits

Overview

One of the main challenges in formulating risk appetite is translating it into meaningful practice, which essentially means identifying levels of tolerance and prescribing limits across an organisation. There is no universally accepted method of risk allocation. The process varies by organisation and is heavily dependent on bank size and familiarity with risk appetite programmes and capital allocation concepts. Regardless of the approach selected, the method applied should be meaningful to the bank and meet management and key constituent objectives.

For small to medium-sized organisations where the same senior executives sit at the table taking most of the relevant business and operational decisions, a single top-of-the-house appetite is sufficient. For larger firms with multiple lines of hierarchy or international presence, the appetite needs to be disseminated and translated at lower levels of the organisation, typically either based on business entity or business line.

  • Business lines, usually at a global level, require a risk appetite statement which is cascaded from the corporate/parent statement.
    • Quantitative limits are then allocated to the business based on various parameters including their revenue share. For example, the threshold for the overall expected loss amount can be split into lower sub-component limits attributed to various businesses.
    • Qualitative indicators may apply in exactly the same way (for example, conduct, people, or fraud-related indicators); with business units being given identical or more restrictive thresholds. Some measures may be relevant to a specific area only; for instance, rogue trading metrics will be monitored by the markets business only and will not apply to other business lines.
  • Material group entities, in particular, subsidiaries or legal entities that operate with their own board of directors, will also need to develop their own appetite, for approval by their board. The entity’s appetite statement will represent a hybrid cross-over between the business lines operating out of that entity alongside a cascade of the corporate/parent statement.
  • Industry research has shown that it is more common to allocate risk limits first to principal risks and second to business units. Allocation to legal entities is less common and, where it is done, is restricted to material legal entities.
  • Statements need to operate consistently at a consolidated level and at a sub-strata level.
  • When allocating it is important to consider the level of risk category as previously mentioned.
  • A response framework needs to be in place within both the business lines and the entities.

As previously mentioned, the ultimate responsibility for approving the appetite lies with the board of directors of the organisation. The second line risk function plays a crucial role in developing the approach; articulating the firm’s position; working with subject matter experts and risk owners to make sense of the framework; and proposing statements and thresholds.

Enterprise Approach

An effective Risk Appetite Statement (RAS) should provide a “cascading” structure of risk exposures and limits at the board, executive-management, and business-unit levels. This structure allows for drilling down to underlying exposures (e.g., “What business activities make up our strategic risk exposure to Turkey?”). Similarly, this structure permits aggregation of business-level or legal entity exposures upward to the enterprise level (e.g., “What is our total net credit exposure to UBS across the entire enterprise?”). The level of detail visible for each metric depends on the needs of the specific audience (i.e., board, corporate management, or business unit). The RAS would be at its most dynamic at the business level, where managers may choose to make changes based on risk/return opportunities while respecting board- and management-level risk tolerances.

There are many ways to determine risk tolerances. It is up to each organisation to determine which ones work best. The list below offers some approaches that an organisation may take to determine risk tolerance levels. Sometimes, a blended approach is best. For example, one may initially set a risk tolerance level using statistical analysis (95% confidence level observation) and then adjust it up or down according to management judgment.

  1. Board and management judgment
  2. Percentage of earnings or equity capital
  3. Regulatory requirements or industry benchmarks (e.g. capital requirements, Basel III)
  4. Impact on the achievement of business objectives
  5. Stakeholder requirements or expectations
  6. Statistics-based (e.g., 95% confidence level based on historical data)
  7. Model-driven (e.g., economic capital, scenario analysis, stress-testing)

Certain types of risk metrics can readily be aggregated across the organisation, while others are unique to specific business and operational units. Since the board and executive management RAS reports are focused on strategic and enterprise-wide risks, the risk metrics that can be aggregated should be well represented in these reports. Furthermore, the focus as previously noted is solely on principal risks that are material. Examples of metrics include:

  • Earnings-based, including earnings-at-risk and unexpected earnings volatility.
  • Value-based, including shareholder value-added and market/book ratios.
  • Loss-based, such as actual losses, operational loss-to-revenue ratios, stress-testing, or scenario-based losses.
  • Cash-flow-based, such as cash-flow-at-risk and liquidity-coverage ratios.
  • Financial risk metrics, including market risk and credit/counterparty risk exposures.
  • Number of incidents, such as policy exceptions, cyberattacks with business impact, and legal and regulatory issues.
  • Key stakeholder metrics, such as retention of high-performance employees or levels of customer satisfaction.

Finally, the RAS should provide a “common language” for the ERM program. This would consist of a glossary of relevant business or technical terms and acronyms as well as a data dictionary that describes each risk metric, how it is calculated, where the underlying data is generated, and why it is included.

Allocating Risk Limits

After setting enterprise-level risk limits, the next step is to allocate these limits to the various business units and/or material legal entities within the banking group. Note that lower-level limits should be derived from those above to enable aggregation, unless there is something specific or unique to a business unit or legal entity that must be captured solely at that level but expressed at an enterprise level. This allocation is typically done based on a blend of the following factors:

  • Risk Capacity: The ability of each business unit/material legal entity to absorb losses without jeopardizing the bank’s financial stability.
  • Strategic Importance and Revenue Based Allocation: The role of each business unit/material legal entity in achieving the bank’s strategic objectives as well as proportion of revenue or assets managed.
  • Economic Capital: Similar to the above point, economic capital is often a method to determine allocation though this is largely for quantitative metrics such as Credit Risk and Market Risk.
  • Risk Profile: The inherent risk associated with the activities of each business unit/material legal entity.
  • Historical Performance: Past risk events and loss experiences in each business unit/material legal entity.
  • Regulatory Requirements: Specific regulations that may apply to different business units/material legal entities, such as capital adequacy requirements for trading desks.
  • Scenario Analysis & Stress Testing: Examines potential future events, such as economic downturns, changes in interest rates, or geopolitical risks, and assesses their impact on each business unit or legal entity. This helps determine which units need tighter risk limits. Similarly, stress testing involves creating extreme but plausible scenarios to test the resilience of each business unit. Units that are more resilient under stress might be allocated higher risk limits.
  • Expert Judgement: Expert judgment from senior management, risk committees, and other stakeholders plays a critical role in the final allocation process. While quantitative measures may form the backbone of risk limit allocation, expert judgement is a crucial element that cannot be discounted particularly for qualitative assessments.

Examples:

Market Risk

Let’s assume the bank has set an enterprise-level VaR limit of 1.5% of total capital for market risk. This limit must now be distributed among the business units that engage in market risk activities, such as investment banking, treasury, and asset management.

  • Investment Banking: Given its high exposure to trading and market-making activities, it might be allocated a higher proportion of the market risk limit, say 0.8% of the total capital.
  • Treasury: Responsible for managing the bank’s liquidity and investments, the treasury unit might be allocated 0.5% of the total capital for market risk.
  • Asset Management: Typically involved in managing client portfolios with a more conservative risk approach, it might be allocated 0.2% of the total capital for market risk.

These allocations should be regularly reviewed and adjusted based on changes in market conditions, business strategy, and the performance of each unit.
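The cascading structure described under Enterprise Approach (limits set at board, executive and business-unit level, exposures aggregated upward and drilled down) and the market-risk allocation above can be modelled as a small limit tree. The following is an added example, not part of the original paper or of any institution’s framework: it uses the paper’s illustrative figures (a 1.5% enterprise VaR limit split 0.8 / 0.5 / 0.2, and the 0.1% downtime tolerance allocated by transaction share), while the exposures, the 80% soft-limit trigger ratio and all names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LimitNode:
    """One level of the cascade: group, business line or legal entity.

    Limits are in the paper's unit (percent of total capital). The hard
    limit is the policy limit that must not be breached; the soft limit is
    the trigger for review and mitigation.
    """
    name: str
    hard_limit: float
    soft_ratio: float = 0.8          # assumption: trigger at 80% of the hard limit
    own_exposure: float = 0.0        # exposure booked directly at this node
    children: List["LimitNode"] = field(default_factory=list)

    def add(self, child: "LimitNode") -> "LimitNode":
        self.children.append(child)
        return child

    @property
    def soft_limit(self) -> float:
        return self.hard_limit * self.soft_ratio

    def exposure(self) -> float:
        """Aggregate upward: own exposure plus that of every descendant."""
        return self.own_exposure + sum(c.exposure() for c in self.children)

    def status(self) -> str:
        """Classify utilisation against the soft and hard thresholds."""
        used = self.exposure()
        if used > self.hard_limit:
            return "BREACH"       # hard limit exceeded: response framework applies
        if used > self.soft_limit:
            return "TRIGGER"      # soft limit exceeded: review and mitigation
        return "WITHIN"

    def validate_cascade(self, tol: float = 1e-9) -> List[str]:
        """Check that lower-level limits are derived from the level above:
        no child may exceed its parent, and children may not sum past it."""
        problems: List[str] = []
        if self.children:
            total = sum(c.hard_limit for c in self.children)
            if total > self.hard_limit + tol:
                problems.append(
                    f"{self.name}: child limits sum to {total:.4g} "
                    f"> parent limit {self.hard_limit:.4g}")
        for c in self.children:
            if c.hard_limit > self.hard_limit + tol:
                problems.append(
                    f"{c.name}: limit {c.hard_limit:.4g} exceeds parent {self.name}")
            problems.extend(c.validate_cascade(tol))
        return problems

    def drill_down(self) -> List[str]:
        """Report parent first, children indented, so the unit driving a
        group-level trigger can be located."""
        lines = [f"{self.name}: exposure {self.exposure():.4g} / "
                 f"limit {self.hard_limit:.4g} -> {self.status()}"]
        for c in self.children:
            lines.extend("  " + line for line in c.drill_down())
        return lines


def allocate_proportionally(parent_limit: float,
                            weights: Dict[str, float]) -> Dict[str, float]:
    """Split a parent limit across units in proportion to a driver such as
    revenue share or transaction volume; the allocations sum to the parent."""
    total = sum(weights.values())
    return {unit: parent_limit * w / total for unit, w in weights.items()}


def build_market_risk_tree() -> LimitNode:
    """The paper's market-risk split (1.5% -> 0.8 / 0.5 / 0.2).
    Exposures are constructed for illustration."""
    group = LimitNode("Group", hard_limit=1.5)
    group.add(LimitNode("Investment Banking", hard_limit=0.8, own_exposure=0.70))
    group.add(LimitNode("Treasury", hard_limit=0.5, own_exposure=0.30))
    group.add(LimitNode("Asset Management", hard_limit=0.2, own_exposure=0.25))
    return group


if __name__ == "__main__":
    tree = build_market_risk_tree()
    print("\n".join(tree.drill_down()))
    print("cascade problems:", tree.validate_cascade() or "none")
    # Downtime KRI from the operational-risk example: a 0.1% enterprise
    # tolerance; a subsidiary carrying 50% of transactions receives 0.05%.
    print(allocate_proportionally(0.1, {"Subsidiary": 50, "Rest of group": 50}))
```

With the constructed exposures the group sits in TRIGGER territory (1.25 against a 1.5 limit) while a drill-down shows Asset Management has already breached its own 0.2 limit, which is exactly the situation a consolidated-only view would hide and a cascaded response framework is meant to surface.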

Operational Risk

Quantitative Measures

Enterprise Level: The bank sets a KRI that operational system downtime should not exceed 0.1% annually.

Allocation to Legal Entities: If a subsidiary has critical operations accounting for 50% of total bank transactions, the downtime tolerance for that subsidiary might be 0.05% annually.

Qualitative Measures (Money Laundering example)

Enterprise Level:

  • Compliance Culture: The bank mandates a strong anti-money laundering (AML) culture where all employees are aware of the importance of compliance with AML regulations.
  • Training and Awareness: All staff, especially those in high-risk areas, must undergo regular AML training.
  • Customer Due Diligence (CDD): Entities must implement rigorous CDD and Know Your Customer (KYC) processes, with additional scrutiny for high-risk customers.
  • Governance and Oversight: The bank’s risk appetite includes robust oversight mechanisms, such as the establishment of a dedicated AML compliance team in each legal entity.

Allocation Across Legal Entities:

  • High-Risk Entities: In regions with higher AML risks (e.g., jurisdictions with weaker regulatory environments), the qualitative measures might include mandatory enhanced due diligence (EDD) for all new clients, more frequent audits, and closer oversight by the central AML compliance team.
  • Lower-Risk Entities: In well-regulated jurisdictions, the focus might be on maintaining the standard AML procedures but with periodic reviews to ensure no complacency.

Case Studies

HSBC

The extract below is the enterprise-wide Risk Appetite Statement from the HSBC Risk Review published in 2023.

Our risk appetite encapsulates the consideration of financial and non-financial risks. We define financial risk as the risk of a financial loss as a result of business activities. We actively take these types of risks to maximise shareholder value and profits. Non-financial risk is the risk to achieving our strategy or objectives as the result of failed internal processes, people and systems, or from external events. Our risk appetite is expressed in both quantitative and qualitative terms and applied at the global business and regional levels, and to material operating entities. Every three years, the Group Risk and Compliance function commissions an external independent firm to review the Group’s approach to risk appetite and to help ensure that it remains in line with market best practice and regulatory expectations. This review was last carried out in 2021 and confirmed the Group’s risk appetite statement (‘RAS’) remains aligned to best practices, regulatory expectations and strategic goals. Our risk appetite continues to evolve and expand its scope as part of our regular review process. The Board reviews and approves the Group’s risk appetite regularly to make sure it remains fit for purpose. The Group’s risk appetite is considered, developed and enhanced through:

  • an alignment with our strategy, purpose, values and customer needs;
  • trends highlighted in other Group risk reports;
  • communication with risk stewards on the developing risk landscape;
  • strength of our capital, liquidity and balance sheet;
  • compliance with applicable laws and regulations;
  • effectiveness of the applicable control environment to mitigate risk, informed by risk ratings from risk control assessments;
  • functionality, capacity and resilience of available systems to manage risk;
  • and the level of available staff with the required competencies to manage risks.

We formally articulate our risk appetite through our RAS. Setting out our risk appetite helps ensure that we agree a suitable level of risk for our strategy. In this way, risk appetite informs our financial planning process and helps senior management to allocate capital to business activities, services and products.

The RAS is applied to the development of business line strategies, strategic and business planning, and remuneration. At a Group level, performance against the RAS is reported to the Group Risk Management Meeting alongside key risk indicators to support targeted insight and discussion on breaches of risk appetite and any associated mitigating actions. This reporting allows risks to be promptly identified and mitigated and informs risk-adjusted remuneration to drive a strong risk culture.

Each global business, region and material operating entity is required to have its own RAS, which is monitored to help ensure it remains aligned with the Group’s RAS. Each RAS and business activity is guided and underpinned by qualitative principles and/or quantitative metrics.

We recognise the importance of a strong culture, which refers to our shared attitudes, beliefs, values and standards that shape behaviours including those related to risk awareness, risk taking and risk management. All our people are responsible for the management of risk, with ultimate supervisory oversight residing with the Board. Our risk appetite defines the level and types of risk that we are willing to take, while informing the financial planning process and guiding strategic decision making.

The following principles guide the Group’s overarching appetite for risk and determine how our businesses and risks are managed.

Financial position

– We aim to maintain a strong capital position, defined by regulatory and internal capital ratios.

– We carry out liquidity and funding management for each operating entity on a stand-alone basis.

Operating model

– We seek to generate returns in line with our risk appetite and strong risk management capability.

– We aim to deliver sustainable and diversified earnings and consistent returns for shareholders.

Business practice

– We have no appetite for deliberately or knowingly causing detriment to consumers, or incurring a breach of the letter or spirit of regulatory requirements.

– We have no appetite for inappropriate market conduct by any member of staff or by any Group business.

– We are committed to managing the climate risks that have an impact on our financial position and delivering on our net zero ambition.

– We consider and, where appropriate, mitigate reputational risk that may arise from our business activities and decisions.

– We monitor non-financial risk exposure against risk appetite, including exposure related to inadequate or failed internal processes, people and systems, or events that impact our customers or can lead to sub-optimal returns to shareholders, censure, or reputational damage.

Enterprise-wide application

Our risk appetite encapsulates the consideration of financial and non-financial risks. We define financial risk as the risk of a financial loss as a result of business activities. We actively take these types of risks to maximise shareholder value and profits. Non-financial risk is the risk to achieving our strategy or objectives as the result of failed internal processes, people and systems, or from external events.

Our risk appetite is expressed in both quantitative and qualitative terms and applied at the global business and regional levels, and to material operating entities. Every three years, the Group Risk and Compliance function commissions an external independent firm to review the Group’s approach to risk appetite and to help ensure that it remains in line with market best practice and regulatory expectations. This review was last carried out in 2021 and confirmed the Group’s risk appetite statement (‘RAS’) remains aligned to best practices, regulatory expectations and strategic goals. Our risk appetite continues to evolve and expand its scope as part of our regular review process.

The Board reviews and approves the Group’s risk appetite regularly to make sure it remains fit for purpose. The Group’s risk appetite is considered, developed and enhanced through:

– an alignment with our strategy, purpose, values and customer needs;

– trends highlighted in other Group risk reports;

– communication with risk stewards on the developing risk landscape;

– strength of our capital, liquidity and balance sheet;

– compliance with applicable laws and regulations;

– effectiveness of the applicable control environment to mitigate risk, informed by risk ratings from risk control assessments;

– functionality, capacity and resilience of available systems to manage risk; and

– the level of available staff with the required competencies to manage risks.

EBRD

The extract below is a snapshot of EBRD’s Operational and Reputational Risk Appetite Statement. Further details and a breakdown of other risks and metrics can be found in the report.

Common Challenges and Good Practices

  • Losses Only: Previously, risk appetite was defined via a limit on aggregate losses. While this is a good start, quantitative measures alone are insufficient: they are typically backward-looking and do not provide guidance on behaviours. They need to be supplemented with descriptive statements and qualitative key risk indicators.
  • Zero Tolerance: A declaration of zero tolerance frequently features in the narrative. However, this rarely reflects reality. If the firm has zero tolerance for fraud, it may as well consider exiting the business, because some instances of fraud will inevitably occur. A better approach to the language would be to state that the firm/bank has a risk-averse approach to financial crime and aims to mitigate the risk by maintaining a robust control environment, while also recognising that occasional instances of fraud may occur.
  • Use of distributions and percentiles: Bringing statistics into this domain is not always helpful. Statements of the form “probability of loss at % confidence level” will not easily be understood or acted upon.
  • Stakeholders not engaged: Engagement at multiple levels of the organisation is critical to success. All relevant parties have responsibilities and, more importantly, bring a different perspective or expertise. This exercise is a collaborative effort.
  • Benchmark with industry peers: Risk Appetite Statements are, to an extent, publicly available. It is very useful, and recommended, to compare against those published.
  • Language easy to understand: Statements do not have to be over-complicated. On the contrary, if they can be explained simply enough for every employee to understand, then employees can read them, understand them and make concerted efforts to comply with them.

Final Thoughts

The Risk Appetite Statement establishes a board-approved policy that aligns the organisation’s risk tolerances with strategic objectives, risk profile, and risk management capabilities. It is a foundational component of an effective ERM program. For the board, executive management, and business and operational staff, the RAS addresses a central question: “How much risk are we willing to accept to pursue our business objectives?”

Improving a risk appetite and tolerance framework is an ongoing and dynamic process that requires feedback, learning, and adaptation. You should solicit and incorporate feedback from your board, senior management, and other stakeholders on the effectiveness and relevance of your framework.

Reach out to us if you need help with formulating your Risk Appetite Framework or Statements.

Ghassan Zeidan, Founder & CEO of Paragon Consulting Partners

linkedin.com/in/ghassan-zeidan

Risk Management, Internal Audit and ESG Consulting Firm