the art of balancing risk and reward · 2017-11-28 · the art of balancing risk and reward change...

WHITE PAPER

The Art of Balancing Risk and RewardThe role of the board in setting, implementing and monitoring risk appetite

i

PAPER TITLE

Table of Contents

Introduction ....................................................................................... 1Risk Appetites Under Reform ............................................................... 2

Definitions ...................................................................................... 3Risk Ceiling .....................................................................................................3

Risk Appetite ..................................................................................................3

Risk Profile ......................................................................................................3

Risk Tolerances ...............................................................................................3

Upper Bound of Risk Tolerance .......................................................................3

Lower Bound of Risk Tolerance .......................................................................3

Risk-Bearing Capacity .....................................................................................3

Section 1: Setting the Risk Appetite ...................................................... 4A Bigger Role for the Board ............................................................... 5Links with Strategy .......................................................................... 6Components of a Risk Appetite .......................................................... 7

Sample Risk Appetite Components .................................................................8

A Top-Down Approach ...................................................................... 8Chartis: The ‘Synchronized Watches Moment’ ..............................................10

Section 2: Implementing the Risk Appetite ........................................... 11From Risk Appetite to Risk Tolerance ................................................ 11Risk Appetite and Risk Culture ......................................................... 12

Section 3: Monitoring the Risk Appetite ............................................... 13Time for an update? ....................................................................... 14

Conclusion ....................................................................................... 15Appendix ......................................................................................... 16

The Govindarajan-Andenæs Model ................................................... 16Stage 1: Defining Risk Appetite .....................................................................16

Stage 2: Agreeing on a Target Risk Profile .....................................................17

Stage 3: Execution ........................................................................................18

Stage 4: Embedding .....................................................................................18

Xcel Energy: A Collaborative Approach to Risk Appetite ................................19

ThE ART of BALAncIng RISk And REwARd

Introduction

Risk taking is inherent in the business of every financial institution. With higher risk comes greater reward. Yet, the most rewarded players in the financial services vertical are not the ones who take the greatest risk. The top institutions are the ones that have mastered the art of balancing risk and reward and understand how much risk the firm can profitably absorb.

Effective risk management is a critical success factor for every financial institution. As the recent financial crisis demonstrated, a poor understanding of risk, or an inability to recognize and control it, can be fatal. In the run-up to the crisis, banks exposed themselves to greater levels of risks than they realized, or intended. The types of risks were numerous and included not only credit risk associated with financially challenged borrowers, but also untested “innovative” investment vehicles, reliance on cheap short-term funds, high leverage and illiquid markets. Information asymmetries, lack of accountability and incentives that rewarded short-term revenue generation over long-term quality exacerbated the problem.

At its heart, the financial crisis that began in the subprime mortgage market and later spilled over into the global financial markets in 2008 was a failure of both risk management and governance. As the Senior Supervisors Group noted in its October 2009 report1, weaknesses in governance, incentives and infrastructure undermined the effectiveness of risk controls and contributed to overall systemic vulnerability. A lack of transparency and inadequate monitoring of risk exposures hindered boards from performing their oversight responsibility. As a result, the corporate risk profile was understated, and boards overestimated the firm’s risk-bearing capacity despite the fact that their risk appetite may have remained unchanged. In many instances, board supervision of risk taking broke down entirely.

Since the crisis, financial institutions have done much to re-think and strengthen their internal control infrastructures. Newly empowered chief risk officers (CROs) hold greater sway and independence to challenge the business. Many institutions have strengthened the management of their liquidity risk and introduced more robust processes to assess their cost of capital. Risk models have been revamped and many institutions have strengthened their stress testing procedures to provide a more holistic, forward-looking perspective on their risk exposures. Annual surveys conducted by the Economist Intelligence Unit, on behalf of SAS, have shown consistent increases in the level of investment and attention that financial institutions are giving to most aspects of their risk management.

1 Senior Supervisors Group. Risk Management Lessons from the Global Banking Crisis of 2008. Oct. 21, 2009.

1


Change is particularly evident at the board level. A 2010 survey from Ernst & Young2, which was co-sponsored by the Institute of International Finance, found that 83 percent of institutions had increased board oversight of risk. Many banks and insurers have formed board-level risk committees and given CROs direct reporting lines to the non-executive board. The level of risk expertise at the board level has been strengthened, and independent directors have become more engaged in challenging management and seeking assurances about the level of risk being taken.

Risk Appetites Under Reform

The strengthening of the processes by which financial institutions set and monitor their risk appetites has been a key area of recent reform. In the joint Ernst & Young and IIF survey cited above, 96 percent of the financial institutions surveyed said that they had increased their focus on risk appetite.

The concept of risk appetite is not new in the financial services industry. In essence, risk appetite can be defined as the quantity and types of risk that the organization is willing to assume in pursuit of its strategic objectives. Although many institutions have set risk appetites at the board level for many years, these have all too often consisted of broad-brush statements that bear little relation to the day-to-day operations of the bank. Executive teams, while cognizant of the risk appetites that boards have approved, have not done enough to implement them into the business by means of tolerances, thresholds and limits.

Most financial institutions agree that they need to do more to adopt a formalized approach to setting and monitoring their risk appetites. Yet despite this strong intent, approaches to setting and monitoring risk appetite vary across different firms. Financial institutions are also at very different stages of reform. Although there is clear recognition that change is required, some firms are still at an early stage of planning their approach, or are still conducting work on establishing limits for different types of risk. Very few firms, if any, have reached a point where their risk appetite statement drives both strategic and day-to-day business decisions at the business unit or desk level.

In this report, we examine the key stages in setting, implementing and monitoring a risk appetite, and we explore progress in strengthening the links between risk appetite and overall strategy.

2 Ernst & Young. Making Strides in Financial Services Risk Management, 2011.

2


3

DefinitionsA common problem with discussions on risk appetite is that definitions can be unclear, and

different terms can be used interchangeably to mean the same thing. Below, we provide

our definitions for four key terms associated with risk appetite statements that we use in

this report.3

Risk CeilingThe risk ceiling is the threshold beyond which the firm would no longer be able or allowed

to operate. The risk ceiling could be breached by factors that go beyond the threats of

direct financial weaknesses that cause liquidation. When the risk ceiling is breached, there

is no more headroom for the firm to carry out business and take on risk. As a corollary, a

breach of the risk ceiling need not always result in the firm ceasing to be a going concern

or filing for bankruptcy. A firm might have been affected by reputational issues, such as

media onslaughts, or depositor perceptions or market perceptions causing a contraction in

liquidity despite the fundamental financial soundness of the institution. This might result in a

temporary shock, from which the firm may not recover in the absence of extreme measures,

such as taxpayer or government intervention. The risk ceiling is therefore conceptually

important, especially when discussing reverse stress testing.

Risk AppetiteRisk appetite is the aggregated account of the board’s willingness (to allow management) to

take risks in the pursuit of strategic objectives. A corporate risk appetite statement is derived

through the prioritization of stakeholder needs and executive and non‐executive interaction

at the board level. It is a counterpart to organizational strategy and, like broad organizational

strategic aims, it should be written in a high‐level and overarching statement. It sets out an

appetite that is based on the interactions between various risks associated with pursuing

strategic objectives and the internal and external capabilities available to manage such risks.

Risk ProfileRisk profile is the true risk position of the firm at a given point in time. By definition, in the real

world, not all aspects of a firm’s risk profile will be immediately consistent with changes to the

board’s risk appetite.

Risk TolerancesRisk tolerances reflect the boundaries within which executive management is willing to allow

the true, day‐to‐day risk profile of the firm to fluctuate, while executing business objectives in

accordance with the board’s strategy and risk appetite.

Upper Bound of Risk ToleranceThe upper bound of risk tolerance refers to the level of risk to which the executive team is

willing to allow the risk profile to rise, before it expects board intervention.

Lower Bound of Risk ToleranceThe lower bound of risk tolerance reflects the minimum level of risk the executive team

expects to take to achieve agreed-upon objectives.

Risk-Bearing CapacityThe firm’s risk-bearing capacity is best described as the risk space in which the firm could

choose to achieve a trade‐off between risk and return.

3 Deepa Govindarajan, ICMA Centre, Henley Business School, University of Reading, Corporate Risk Appetite: Ensuring Board and Senior Management Accountability for Risk.


Section 1: Setting the Risk Appetite

In a June 2011 report4, the Institute of International Finance examined the progress that financial institutions have made since the crisis to strengthen their processes to set, implement and monitor risk appetite. It is clear that, while many firms have come a long way, most remain at the early stages of a journey to develop a robust risk appetite that is linked with overall strategy.

The rationale for developing a more robust risk appetite statement comes first and foremost from the board. In the wake of the financial crisis, boards have done much to change the way in which they think about risk. It has become increasingly important to demonstrate to shareholders and other stakeholders that non-executives are providing proper oversight of risk, and a key aspect of this is their role in setting and monitoring the risk appetite.

Edwin van der Ouderaa, a senior executive in Accenture’s Financial Services group, thinks that there has been a sea change in the way in which boards think about risk. “Banks used to focus much more on yield than they did on risk,” he explains. “But now that everyone has woken up to the true cost of risk, boards want to know first and foremost what their exposure is, and only then will they discuss whether they can get a yield out of it.”

Although regulators are looking more closely at risk appetite as a concept, much of their current focus is centered around recovery and resolution plans, stress testing and reactive regulation. As Deepa Govindarajan, a lecturer and Visiting Fellow at the ICMA Centre, Henley Business School, explains, it is important for supervisors to more proactively consider what risks financial institutions ought to take. “We do see some supervisors, such as the Financial Services Authority in the UK, intentionally scrutinizing business strategy,” she explains. “But a step in the right direction would be for institutional investors to hold firms accountable for the assessment of risks and to ensure that they are commensurate with that strategy. That cannot be done until risk appetite statements are substantial enough and, therefore, taken more seriously.”

Although most financial institutions would say that they have had a risk appetite statement in place for many years, a common problem is that it’s either poorly defined or determined in isolation from the business and strategy of the organization. “Every bank will tell you that they have a risk appetite, but in many cases, it will be a bland set of statements that bear little relation to the true strategic objectives that the firm wishes to pursue or the risks those choices entail,” says Govindarajan. “They might say that they want to be ‘best in class in risk management’ or that they have a zero appetite – but what does that really mean? Can they really justify and deploy the resources required to meet a zero appetite?”

According to a National Association of Corporate Directors (NACD) Blue Ribbon Study5, an effective risk appetite statement should:

4 Institute of International Finance. Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions. June 2011.

5 National Association of Corporate Directors and The Center for Board Leadership and its alliance partners (Heidrick & Struggles International, KPMG’s Audit Committee Institute, Oliver Wyman, Pearl Myers & Partners, Tatus LLC, Weil, Gotshal & Manges LLP). Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward. 2009.

4


5

• Clearlystatetheamountandtypesofrisksthattheorganizationiscomfortabletaking.

• Specifymaximumtolerablelimitsandvariabilityinrelativeparameters,bothqualitative and quantitative, based on stakeholder expectations, constraints and strategic objectives.

• Beactionablebymanagementsothatithasarealeffectontheorganization’sbusiness strategy and risk profile.

A Bigger Role for the Board

Moving the risk appetite from a mechanical, compliance-driven statement to one that is inextricably linked with strategy and day-to-day business is a formidable challenge. Banks and insurers are complex businesses, and developing a high-level risk appetite statement that does justice to that complexity requires considerable intellectual and financial resources. Even among senior management and boards that strongly support the need to strengthen the risk appetite process, it will take time and commitment for genuine progress to be made.

As the stewards of the business on behalf of investors, non-executives have the primary responsibility for setting the risk appetite and reassuring investors that the bank is taking risks that are commensurate with its overall strategy. “The risk appetite needs to be tied to the expectations of your main investors and to the performance goals the board is setting in terms of return on equity and other metrics,” says van der Ouderaa.

But while there is general consensus that the board should be responsible for setting risk appetite, there is some disagreement over the extent to which it should participate in the process. Some commentators worry that in many organizations, the role is more one of rubber-stamping rather than a deep assessment of the risks the organization faces. “The key thing that is lacking in many institutions is board ownership of risk appetite statements,” says Govindarajan. “Firms may have a dedicated risk officer who writes the risk appetite statement on behalf of the board, but the board needs to agree what it wants up-front rather than hoping that it will be told what the risk appetite statement needs to be. Boards that actually set risk appetites are few and far between.”

Govindarajan advises that boards should play a more active role in determining the risk appetite even if they leave the chores of drafting to others. Rather than challenge and endorse something that has been previously prepared by the chief risk officer, she argues that boards should be more involved in the discussions leading up to the formulation of the risk appetite. “The board should have a debate alongside the strategic goal-setting in terms of what it is asking the executive team to achieve and what risks that will legitimately entail,” she says. “The risk appetite should not be something that executives put together and boards rubber-stamp. There has to be a genuine assessment of risk from first principles. It is advisable that the board sets risk appetite and then oversees executives who in turn set underlying tolerances that fit within that appetite. Boards can of course accept information from various sources, but if they feel able to set strategic choices then surely they must be able to articulate the risks those choices bring.”


6

But some practitioners disagree with this message and suggest that it is not feasible for the board to have such a deep involvement. “It’s unrealistic to expect the board to define all of these decisions and first principles in the same way that it’s unrealistic to expect that the prime minister or the Cabinet would determine the detailed application of policy,” says Paul Barrett, Head of Risk Management at Chartis Europe. “Ultimately, the actual document and the detailed evidence that supports it will, in large part, be prepared by officers of the company, and it will be scrutinized through the relevant risk and capital committees, and by senior management, before going to the board for consideration and approval.”

Mike Cutter, Chief Risk Officer for Australia at ANZ, describes how at his institution, heads of different risk categories – such as credit risk or market risk – create a recommended risk appetite for their domain. This is then presented to the board, which deliberates each component and considers it in light of risk appetites across other categories. “The leaders of each risk domain describe what they think the risk appetite ought to be before this is signed off on and ratified by the board, [which] is ultimately responsible for defining it,” says Cutter. “Risk appetite is prepared in conjunction with the annual and strategic planning initiatives.”

Links with Strategy

Of crucial importance is the need to link the risk appetite statement with the overall strategy of the firm. Strategy encompasses a broad set of business objectives from product marketing and franchise expansion to discretionary balance sheet structuring, loan securitization scope and scale, and mergers/acquisitions. A strategic misstep in any one of those areas could spell disaster for the enterprise and there needs to be board-level focus and assessment of the attendant risks. Indeed, to separate the strategy process from the risk appetite could be interpreted as a failure of governance on the part of the non-executive directors. “Boards have a duty to stakeholders and they need to engage with the constant jostling of priorities that having multiple stakeholders brings,” says Govindarajan. “When they set strategy, there should be a counterpoint in the form of a certain risk appetite to achieve that. The reality is that there is no such thing as a risk appetite framework! A separate framework for risk appetite deployment is yet another complication that makes risk appetite seem distant to the real work of the firm and takes up valuable resources. It is the risk management framework that really matters. ”

As the board discusses strategic objectives, such as market expansion, it needs to consider the risks associated with it and determine whether they are consistent with the firm’s risk appetite. “You can’t look at strategic goals in isolation from the risks,” says van der Ouderaa. “You also need to consider the risk appetite and risk profile associated with that strategy, the resulting composition of the balance sheet, the source of funding you should be seeking and the assets you should be trying to acquire. All of those discussions involve risk.”


7

The ability to understand risks should go hand in hand with the ability to set strategy. “If we believe the board has the expertise and skill to run a certain business strategy, we are in effect saying that they have the skill and expertise to understand the risks associated with that strategy,” says Govindarajan. “We should not expect boards to be super-literate on the nuances of risk, but we should expect them to be able to ask the right high-level and key questions and to have an understanding of how the business might be affected by the risks the strategies entail.”

Components of a Risk Appetite

There is no one-size-fits-all approach to determining a risk appetite. Each financial institution will have its own particular circumstances that need to be taken into account. There are many factors that will affect the composition of the risk appetite statement and the approach the firm takes to developing it, including the strategic goals of the business, the depth of expertise in different parts of the business, and the geographical footprint of the firm. “I don’t see how you could have one size fits all, because each component and driver of risk appetite is going to be different for every organization,” says Richard Apostolik, President and Chief Executive Officer of the Global Association of Risk Practitioners.

A risk appetite statement will typically combine a number of quantitative and qualitative metrics (see table). Some high-level quantitative measures will be standard across most firms. These are likely to include: target tier-one ratio levels; return on equity; earnings volatility; liquidity ratios; and economic capital per risk type. Depending on the business, the board may also decide that it needs to add more specific quantitative measures, such as clear guidelines regarding the size and maturities of trades.

Qualitative metrics are, by their nature, difficult to measure, but there are ways to do this in most cases. Cutter highlights the example of reputational risk. One yardstick of this could be negative press coverage, which can be measured according to the breadth of the coverage, the severity and the number of days it lasts. “You can define different levels of impact, and each one can have its own risk categorization,” he says. “Thinking of qualitative risks in this way gives you a common language for discussion.”

Despite the importance of qualitative metrics to the risk appetite statement, there is no question that they are more difficult to take into account. “If you look at the literature on risk appetite, there is a lot of discussion about qualitative issues,” says Govindarajan. “But if you look at the way in which firms express qualitative risks in their risk appetite statement or tolerances, very few are able to translate that into anything meaningful. That does not mean that these issues do not matter; it just means we have to write these statements better.”

In addition to difficulties with setting and measuring qualitative risks, firms also need to ensure that the metrics they choose are not open to interpretation. There’s a danger that risk appetite statements may be so high-level that you end up with something too generic and ambiguous,” he explains. “What we have done since the crisis is to make the metrics that we use more specific and forward-looking.”

8


The board must also decide on the number of metrics that are appropriate. Bob Mark, PhD, Chief Executive of Black Diamond Risk, makes a distinction between the high-level limits that the board should impose and those more detailed ones that can be implemented by the chief risk officer and his or her team. “You want your board to determine the high-level limits underneath which more detailed limits can be set,” he explains. “You may, for example, expect the board to set a broad limit, such as how much interest rate the institution is prepared to assume. Then, beyond that, it is up to the risk team to determine how that should be implemented in a more detailed way across the institution.”

Sample Risk Appetite Components

Metric Illustrative Possible Components of Definition

Quantitative Target debt rating • Define capital requirements.

• May reference debt ratings set by credit rating agencies.

Earnings volatility • Specify desired earnings forecast by more than X% at a XX% confidence level.

• Target dividends.

Diversification • Allocation of capital into various business, markets, sectors or clients.

Liquidity headroom • Available liquidity resources to meet requirements at a percentage confidence interval.

Qualitative Reputation • Key statements of expected ethical behavior and corporate culture.

Regulation • Statements regarding regulatory compliance.

Governance • Statements regarding organizational governance expectations.

Strategy/growth • Overview of approach regarding risk and strategy/growth expectations.

A Top-Down Approach

Traditional methods of setting and monitoring risk appetites have tended to rely on a bottom-up approach. The firm will assess risk profiles in different business units or regions and then combine these to reach an enterprisewide figure. But care must be taken to avoid the potential for the bottom-up process to overestimate the total risk and exceed the risk tolerance set by the board.


9

Mean 99th Percentile Mean 99th Percentile Mean 99th Percentile

+ + ... =Operating Unit 1 Operating Unit 2 Firmwide Exposure

Figure 1: The bottom-up approach.

But Govindarajan argues that a bottom-up approach is insufficient. “At the moment, banks are looking at risks in Dubai and risks in Australia, for example, then combining the two to arrive at a risk appetite,” she explains. “But that is the wrong way round. Instead, they should be saying, ‘This is my appetite for risk, so that means that Dubai can take this much and Australia this much. And here is what the interplay of those underlying risk categories means.’”

This top-down process of setting high-level risk appetite and cascading it through the organization can then be combined with a bottom-up approach to monitoring the needs and risk profiles of different business units. This enables the firm to develop a strong link between the high-level risk appetite that the board has set and the day-to-day business conducted across the various units and divisions. It also avoids the risk of having the board pulled into operational management issues in which it should not be involved. “The board is not there to manage the business,” says Mark. “It is there to fulfill a set of fiduciary responsibilities associated with risk management, of which one is the ability to set limits to which the institution can adhere.”

10


For insurance companies in Europe, there are few items on the agenda that are as pressing and demanding as Solvency II. For the first time, insurers must take a risk-based approach to their solvency requirements, which they will calculate using either a standard formula or an approved internal model.

Solvency II will also require insurers to demonstrate strong governance and risk management systems, which must include a clearly articulated risk appetite. At Chartis Europe, the subsidiary of the US-based property and casualty insurer, a key area of focus has been to ensure that the risk appetite statement is fully aligned with the new capital regime. “We are deliberately tailoring our risk appetite statement, and its subordinate controls and limits, to align with the new regime and help us manage our surplus over those regulatory capital requirements,” says Paul Barrett, Head of Risk Management at Chartis Europe.

At a group level, the risk appetite statement is closely aligned with the strategic planning process and the economic capital requirements of the firm. “With the oversight of the board, we set a high-level risk appetite statement that we can then break down into a detailed analysis of the expected risks and returns for all the business units,” says Barrett. “Those plans are ultimately consolidated to determine what we expect our aggregate capital requirements would be and to understand the possible variances.”

Having completed this aggregation process, the board and senior management may determine that adjustments need to be made to the risk profile or even the overall risk appetite. “We may decide that we need to trim the kind of exposures that we’ve got or use other tools, such as changing our reinsurance, to make sure that we are comfortable with the expected risk and that the relevant lines or business units can deliver the kind of profit we are seeking,” says Barrett.

Chartis: The ‘Synchronized Watches Moment’

For insurance companies in Europe, there are few items on the agenda that are as pressing and demanding as Solvency II. For the first time, insurers must take a risk-based approach to their solvency requirements, which they will calculate using either a standard formula or an approved internal model.

Solvency II will also require insurers to demonstrate strong governance and risk management systems, which must include a clearly articulated risk appetite. At Chartis Europe, the subsidiary of the US-based property and casualty insurer, a key area of focus has been to ensure that the risk appetite statement is fully aligned with the new capital regime. “We are deliberately tailoring our risk appetite statement, and its subordinate controls and limits, to align with the new regime and help us manage our surplus over those regulatory capital requirements,” says Paul Barrett, Head of Risk Management at Chartis Europe.

At a group level, the risk appetite statement is closely aligned with the strategic planning process and the economic capital requirements of the firm. “With the oversight of the board, we set a high-level risk appetite statement that we can then break down into a detailed analysis of the expected risks and returns for all the business units,” says Barrett. “Those plans are ultimately consolidated to determine what we expect our aggregate capital requirements would be and to understand the possible variances.”

Having completed this aggregation process, the board and senior management may determine that adjustments need to be made to the risk profile or even the overall risk appetite. “We may decide that we need to trim the kind of exposures that we’ve got or use other tools, such as changing our reinsurance, to make sure that we are comfortable with the expected risk and that the relevant lines or business units can deliver the kind of profit we are seeking,” says Barrett.

Equally, this process may require Chartis to revisit its model because there may be a need to update its assumptions based on new information. “The model is only a simplified replication of reality and the world changes,” says Barrett. “So if the business is seeing a slightly different world and the model is giving us numbers that don’t quite align with that, there’s always an opportunity to have a conversation with our modelers and potentially revise or update the model.”

The ultimate outcome, says Barrett, is that the business plan, risk appetite and economic capital model are in full alignment. “They need to reach what I call ‘the synchronized watches moment,’” he says. “You need all three to concur so that we are clear about what we intend to do next year, the profit we expect to make and the risks we see accruing to the business in doing that.”


11

Section 2: Implementing the Risk Appetite

To be effective, a risk appetite must be embedded into the day-to-day operations and decision making at all levels of the firm. Yet this is an area where many financial institutions struggle. According to a survey conducted for the IIF’s June 2011 report, cascading the risk appetite statement through the operational levels of the organization is the most significant challenge they face. And in a striking finding from the E&Y/IIF survey, only one-quarter of respondents said that the risk appetite significantly affects the business decision-making process in their firms.

From Risk Appetite to Risk Tolerance

Overcoming the challenges of implementing the risk appetite requires close collaboration between the board, executive team and risk function. Once the board has set a high-level risk appetite, this must then be converted into a set of risk tolerances, thresholds and limits (see chart). This is typically the responsibility of the chief risk officer, who works in tandem with the senior executive team. “The chief risk officer needs to set detailed limits across the bank by business, risk type and by detail within risk type,” says Mark. “It should then be possible to aggregate all of those tier-two limits that the CRO has set and to monitor their performance against the tier-one limits that the board has defined.”

Independent Superior ERM Solutions

A p p r op

ri a

te

Po

licies

Business Strategies

Risk AppetiteAuthorities

Disclosure

These include:

•Theriskappetite(financialandnonfinancial) isintegratedandconsistentwiththeBusinessStrategies (andvisaversa).

•Riskmeasuresarebacktested,authorities(limits)are expressedinmeaningfultermsandreflectadesired toleranceforrisk.

•Riskisproperlydisclosedinternallyandexternallyona drill-downandintegratedportfoliomanagementbasis.

ChARACteRiStiCS of PoliCieS At the CoRe of SuPeRioR eRM SolutionS

Source: Black Diamond Risk Enterprises

12


Translating a high-level risk appetite statement into a set of controls, limits and thresholds across a complex business inevitably requires some degree of interpretation and extrapolation. “People need to understand that defining risk appetites is an art and not necessarily a science,” says Apostolik. “It requires assumptions and the translation of sometimes quite undefined ideas into something that is more concrete.”

This highlights the importance of ensuring that the board continues to play an active role in probing how senior management has put the risk appetite into action. “The board needs to challenge the executive team to justify their recommendations for the policies and procedures developed in support of implementation of the firm’s risk appetite,” says Apostolik. “This requires them to have a really deep understanding of what the organization does and its internal capabilities, without crossing the line into management’s day-to-day responsibilities.”

Typically, the risk officers will set tolerances with an upper and lower limit that provide the business with a set of parameters within which to operate. The lower limit describes the minimum risk that the firm would expect to take to achieve a given strategy. The upper limit describes the maximum risk that the firm can afford to take without breaching the risk appetite.

CROs will typically set limits that are tighter than the risk tolerance that the board and risk officers have defined. “In order to have sufficient opportunity to respond before a risk appetite threshold is breached, lower trigger points are established,” says Cutter. “This gives us the opportunity to enact conservative action or acceptance of a new risk appetite well before the board’s risk appetite is breached.”

Risk Appetite and Risk Culture

The process of implementing a risk appetite statement into the day-to-day operations of the firm can play an important role in building a more risk-aware culture across the business. By providing a consistent framework for considering risk and aligning it with the strategic goals of the company, the process enables a more informed discussion about the risks in the business plan and strategy.

Cutter sees risk appetite as a means of driving a risk culture because it provides a formal mechanism to make the business accountable for its risks. “If you have articulated a risk appetite in a meaningful way and someone does something different, then you can say that there is clearly a consequence of breaching that well-articulated, well-understood risk appetite,” he explains. “But if you have a poorly articulated or defined risk appetite, then people find it much easier to interpret it in a way that suits them or to claim that they didn’t realize a particular transaction was outside of that risk appetite.”


13

Implementing a risk appetite can also strengthen relationships between the risk function and the business. By encouraging a dialogue between the two sides, it can provide an important opportunity to build bridges and re-frame perceptions of risk management in the business. “The risk appetite discussion is a way of connecting the business and risks more closely and encouraging business managers to think of risk as a partner, rather than a compliance function,” says John Lee, PhD, Group Chief Risk Officer of Maybank.

The cultural dimension of risk appetite may be even more important than the controls framework that the risk function puts in place. “The problem with putting lots of controls in place is that you create bureaucracy,” says van der Ouderaa. “While you need strong reporting and oversight, I think it’s much more about the culture. You need to ensure that there is an explicit discussion about risk appetite with every level in the organization so that they understand why it is in place and how it links with the overall strategy of the firm. The risk appetite enables the business to see how risk plays a role in what they do and how it helps them to achieve their own goals and objectives.”

Section 3: Monitoring the Risk Appetite

Boards have an integral part to play in monitoring the risk appetite and in ensuring that the business adheres to it. This requires board members to have a good understanding of the organization and at least some expertise in risk concepts. It also requires an effective reporting and governance framework, as the monitoring process will only be as good as the information that board members receive. This highlights the importance of robust management information systems that can aggregate and present information in a digestible, accurate way that can be acted upon. But for many firms, this continues to be a problem. “I’m not sure that boards are always getting the crucial information they need to be able to make decisions,” says van der Ouderaa. “Banks still have a lot more work to do in terms of risk calculations, reporting and simulations to make sure that the board understands exactly what is going on.”

By making the board aware of different scenarios and explaining their implications should they occur, the risk function can provide a vital input to the process of monitoring the risk appetite. “It is absolutely key that the board is aware of what could happen,” says van der Ouderaa. “If they are aware of the real underlying risks – and not just the kinds of risks that could occur within a normal distribution – then they are in a more informed position to create and monitor a risk appetite that will be appropriate across a range of different outcomes.”

To monitor the risk appetite effectively, boards need frequent engagement with the CRO to assess performance against risk tolerances and limits. But making the link between this information and the performance against overall strategic goals can be challenging. “Boards need to understand the numbers that are being presented to them and decide if they make sense in light of the company’s strategy or mission,” says Apostolik. “The question is whether they have the right expertise to make those assessments, because that can be a difficult thing to do.”

14


In addition to the regular reports that CROs and the executive team provide, boards also need to assess the results of stress tests to determine whether any resulting action is required6. Board members need to be confident that stress tests have been performed rigorously and must be assured that the implications of the stress tests have been evaluated across the business. In particular, boards have a central role to play in determining whether the risk appetite needs to be adjusted in light of stress testing results.1

Time for an update?

In general, the risk appetite statement should be fairly consistent over time. Although certain aspects of the risk appetite may need to be tweaked in response to changing conditions or strategic objectives, too many revisions to metrics and tolerances create confusion and suggest to stakeholders that the board lacks confidence in its judgments. The key underlying metrics, for example, will rarely change. “If we have decided that the stressed return on equity of the book is an important metric, then we should never change that,” says Cutter.

But despite the need for consistency, there are times when certain aspects of the risk appetite need to be revised. This is particularly true in a world that remains volatile and uncertain. “Everything in our plans describing the future, to some degree or another, relies upon assumption and expert judgment,” says Barrett. “We have to monitor very carefully and ensure that we continue to validate and update our models in line with how the real world is actually unfolding.”

Equally, high levels of volatility may mean that limits are breached involuntarily. “Sometimes you have a limit and because the market moves, you find that a certain desk jumps across that limit,” says Mark. “You may decide that you want that risk to be brought back within the limit, or you may take the view that because that trade is highly profitable, you can adjust the limit.”

There may also be occasions when the pre-agreed risk tolerances are not appropriate for a particular transaction or piece of business. In that situation, the board may need to get involved to assess whether a revision to the risk appetite should be sanctioned. “The risk function needs to work with the business to understand its objectives and help it to achieve them,” says James Goforth, Manager for Credit and Commodity Trading Risk at Xcel Energy. “It’s a process of dialogue that might require us to work with the business to determine a different way of conducting the transaction, or it might lead to the board considering a revision of the risk appetite.”

New products will also need to be examined in the context of the risk appetite. Apostolik points out that many firms have new product committees, which look at the risks associated with a new product across the overall institution, rather than leaving this solely to the discretion of the management team within the specific unit. A new product may have excellent potential, but have a knock-on effect in terms of risk exposures elsewhere in the firm.

6 For more on stress testing, see the SAS white paper Stress Testing: A Board-Level Issue.


15

Xcel Energy: A Collaborative Approach to Risk Appetite

The concept of risk appetite is not unique to the financial services industry. Other sectors, including utilities and oil and gas, also apply similar concepts to ensure that the board and senior management can align risk-taking with overall strategic objectives. Moreover, the articulation of risk appetite is seen as a crucial component of enterprise risk management for many firms.

Like financial institutions, utilities are regulated entities, and this means that a clear articulation of risk appetite is important. Yet their approach to risk is very different. For one thing, they typically have a much lower appetite for speculative positions than a financial services firm. “Trading is not our core business, so we work to minimize our exposure to the derivatives markets in which we participate,” says James Goforth, Manager for Credit and Commodity Trading Risk at Xcel Energy, a utility provider of electrical power based in the US. “Our activities are subject to prudency reviews by our regulators, so our trade documentation is much more significant than a financial services firm.”

Like many utilities, Xcel Energy takes positions in the derivatives market to hedge its exposures. These can have upside – as well as protective – characteristics, but as Goforth explains, their key objective is risk mitigation. “Many deals are done with specific hedge plans and time frames around the placement of those hedges in an effort to mitigate the risks,” he says. “We don’t view giving up some of the speculative upside of deals in order to protect against the downside as a bad thing.”

At times, however, the opportunity for trades that lie beyond the company’s risk appetite may emerge. Although the overall approach is to keep deals well within risk tolerances, there is a process to assess whether transactions outside the normal deal structure can be completed. “First, we try to work with the trader to get some changes made to the structure of the deal in order to get the risks more in line with our preferred metrics,” says Goforth. “Given our status as a regulated utility, this approach to risk mitigation in deals is what we prefer.”

If this approach is not appropriate, deals that lie outside the standard risk tolerance are passed to an executive committee for review. “This committee reviews everything, including the accounting treatment, credit issues, hedge plan, regulatory treatment and expected margins, and will make a final decision,” says Goforth.

Decisions of this nature cannot be taken in a vacuum. Goforth describes the importance of education about the risk appetite among the business, and the need for the risk team to engage traders in constant dialogue to spot issues and resolve them as early as possible. “When we have to say ‘no’ to something, we always want to explain why and try to offer solutions to the issues that are keeping the deal from gaining approval,” says Goforth. “When we say ‘yes’ to something, we always provide feedback on what allowed us to support the deal. This collaborative interaction between the traders and the risk team is critical to our success.”

16


Conclusion

Since the onset of the financial crisis, financial institutions have made good progress on strengthening their approach to setting and monitoring risk appetite. Yet as this report shows, there is still more to be done. Many institutions continue to struggle with linking their risk appetite with their overall strategy and with embedding the board’s assessment of risk appetite into the day-to-day business of the firm.

Boards must determine an appropriate risk appetite, unambiguously document it and sufficiently quantify it so it can be acted upon. Further, boards must also make management accountable for ensuring that everyone in the institution is in compliance with the risk appetite. A framework will evolve to address gaps in current practices relative to risk appetite. This framework will include data, a variety of metrics, collaboration structures, analytical processes, and contextual translations and reconciliations that bridge the areas of capital management, risk management and corporate strategy.

Operationalizing the risk appetite requires the development of a risk appetite statement that includes: appropriate broad areas of coverage and associated key metrics; corresponding risk tolerance thresholds; and the ability to cascade more granular risk-taking limits down to the most fundamental operating unit level. Embedding risk appetite into the organization entails the creation and diligent use of a continuous monitoring process. Monitoring the risk appetite is a dynamic, iterative process. Just as strategy needs to evolve in response to changing internal and external conditions, so too must the risk appetite “live and breathe.” In so doing, it will bring about better alignment of interests within the organization, boost awareness, bridge gaps of understanding and nurture a more risk-aware culture.

Having a system in place that fully supports the risk appetite will help boards fulfill their responsibility to shareholders by:

• Keepingshareholdersinformedaboutanysignificantdeviationsfromtheriskappetite statement.

• Providingameansforearlierboardengagementintheeventofexceptionalcircumstances that require their approval or in advance of a major risk tolerance breech.

The end result will be a demonstrable increase in institutional resiliency and the ability to head off more problems while pursuing goals. This will, undoubtedly, also help to lessen regulatory safety and soundness concerns.


17

Appendix

The Govindarajan-Andenæs Model

Research by Deepa Govindarajan and Mads Andenæs into the topic of risk appetite has led to the development of a four-stage process model that explores the steps involved in defining, executing and embedding a risk appetite. This process is outlined below2.

Stage 1: Defining Risk Appetite

1. Identify organizational type and apex.

•Centralcommand/singleorganization

•Boardofsole/parentorganizationfollowedby:

− Underlying governance structure

•Federatedstructure

•Executiveofdivisionfollowedbyratificationof:

− Board of underlying legal entity

2. Agree on approach to defining appetite.

•Nature

•Levels

•Approvals

3. Examine primary stakeholders’ expectations.

•Commercialperformance

•Behavioralaspects

4. Identify balance between these expectations and examine key risks.

•Natureofrisk

•Extentofriskthatcouldmaterialize

•Extentofriskthatisacceptable

5. Create and formally approve a statement that broadly encompasses the approach to those risks, and generically describe:

•Acceptablerisks

•Unacceptablerisks

•Linesofdefense

7 Govindarajan-Andenaes Approach: Conveying Risk Appetite.

7

18


Stage 2: Agreeing on a Target Risk Profile

1. Executive to agree on risk budget consisting of:

•Theextentofrisksconsideredacceptableforeachunderlyingentity

•Interventionandmitigationthresholds

•Escalationthresholds

•Upperandlowertolerance

2. Executive to relate appetite to risk framework:

•Policies

•Processes

•Limits

•Culturalnorms

•Escalationmechanism

3. For the three lines of defense, executive to outline:

•Roles

•Responsibilities

•Escalation

4. For each underlying level of the hierarchy, the executive and board to agree on:

•Managementinformation

•Dashboard

Stage 3: Execution

1. Lines of defense to ensure implementation/review of:

•Policies

•Processes

•Limits

•Culture

2. Lines of defense should:

•Manage,monitorand/orescalatebreachesofintervention and mitigation thresholds.

•Ensuretwo-waycommunicationflowswiththosesettingriskappetite.


19

3. Executive and board should:

•EngageindeliberationandchallengeofagreedMIanddashboard.

•Reviewthestrategies,riskappetiteandriskprofile.

•Changeandrevisestrategies,riskappetiteandriskprofileasappropriateinatimely manner.

Stage 4: Embedding

1. Evaluate effectiveness of lines of defense.

•Reviseasrequiredtoensuresufficientandrobustindependent challenge is provided.

2. Regular reviews (and where required, external challenge) of:

•Stakeholderexpectationsandscopeofriskappetitestatement.

3. Corrective actions.

•Redress/remedy.

•Reviewoflessonslearned.

4. Cultural embedding.

•Ensurethatriskiscentraltobusinessdecisions.

SAS Institute Inc. World Headquarters +1 919 677 8000To contact your local SAS office, please visit: www.sas.com/offices

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. Copyright © 2011, SAS Institute Inc. All rights reserved. 105503_79074.1211

the art of balancing risk and reward · 2017-11-28 · the art of balancing risk and reward change...

Documents