Professional Documents
Culture Documents
appetite frameworks to
strengthen financial institutions
June 2011
ii
Josef Ackermann
Rick Waugh
Klaus-Peter Mller
Charles Dallara
Managing Director
Institute of International Finance
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
2
Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
Chairman
Josef Ackermann*
Chairman of the Management Board and
the Group Executive Committee
Deutsche Bank AG
Vice Chairman
Roberto E. Setubal*
Vice Chairman
Francisco Gonzlez*
Vice Chairman
Rick Waugh*
Treasurer
Marcus Wallenberg*
Chairman of the Board
SEB
3
|
Chairmen
Mr. Richard Waugh
Mr. JB King
Director
Ernst & Young
5
|
Managing Director
Mark Lawrence Group
Chairmen
Mr. G Srinivas
General Manager
Global Risk Management Group
ICICI Bank
9
|
Executive Summary
10
1.
8.
The strong link between risk culture and the risk appetite framework also was highlighted in the December 2009 IIF report, Reform in the Financial
Services Industry: Strengthening Practices for a More Stable System, in which the following generic definition was provided: Risk culture can be
defined as the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify,
understand, discuss, and act on the risks the organization confronts and the risks it takes.
11
|
12
13
|
Introduction
14
15
|
16
The identification of sound industry practices for risk IT is the subject of a parallel IIF report: Risk IT and Operations: Strengthening Capabilities,
June 2011.
17
|
18
19
|
20
Effectively cascading the risk appetite statement through the operational levels
of the organization and embedding it into operational decision making processes
15
10
10
7
6
25
Using the risk appetite framework as a driver of strategy and business decisions
20
1
2
Achieving sufficient clarity around the concept of risk appetite and some of the
terminology used (e.g. difference between risk appetite and risk limits)
7
4
2
1
How to most effectively aggregate risks from different business units and/or
different risk types, for risk appetite purposes
5
5
21
|
22
44. The link with culture is therefore potentially selfreinforcing: firms with a strong risk culture find
it relatively more straightforward than others to
implement a risk appetite framework. At the same
time, an effective risk appetite framework can
consolidate and reinforce an effective risk culture
with individuals and business heads feeling
reinforced about doing the right thing. National
traditions play a part in this. Some firms from
financial centers where there is traditionally a less
direct link between profit/return and remuneration
report that risk appetite may be an easier sell to
staff and business heads.
This self-reinforcing link is explained by one firm in
the following way: The adoption of a Risk Appetite
Framework did not encounter major resistance from
the organization. This is likely due to (a) the Banks
existing strong risk management culture and (b)
the fact that the specific metrics in the measures
component of the Risk Appetite Framework were
key existing metrics that already had buy-in across
the organization. In many respects, the adoption of
a formal Risk Appetite Framework codified existing
risk culture, principles, objectives, and measures.
Another firm highlighted that the risk appetite
framework plays a crucial role in establishing the
desired risk culture across the organization. The
discussions of risk appetite across the Group as
well as the specific content of the Board-owned
Risk Appetite Statement have promoted a strong
risk culture, which is key to success. Business Units
understand what is outside appetite and therefore
do not pursue these opportunities. The Risk
Appetite Statement contains a key section outlining
the principles of the risk culture that the Group
seeks to achieve.
Appendix III of the December 2009 IIF report, Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, provides a
background discussion around the concept, importance, and key impacts of risk culture.
23
|
24
Overall Lessons:
There needs to be a demonstrable commitment
to explainingthrough training and day-today experiencethe importance the institution
attaches to risk appetite. This needs to have
the consistent support of the highest level of
management.
Many staff for whom the benefits of an
effective RAF are not immediately apparent
are unlikely to undergo an instant conversion.
Even after training and assimilation are in
place, it is necessary to operate rigorous
controls and limits.
It is important to develop measurable indicators
of compliance with risk management norms
that can form a robust basis for promotion
and remuneration. This should include not
only compliance with hard limits but also
with clearly stated behavioral expectations.
Compliance with these more qualitative criteria
can be more difficult to assess objectively
but is critical in establishing the desired
risk culture and is integral to making risk
appetite effective. Rigorous application of
such guidelines is consistent with cultivating a
strong risk culture, provided it is consistent and
relatively transparent.
Clear communication of risk appetite
parameters and preferences is a prerequisite for
developing the appropriate culture. Individuals
need to feel incentivized to comply with these
and confident in doing so. There can be no
hidden agendas or revealed preferences on the
part of management.
Consistency of messages and consistency of
senior behaviors with these messages, rewards
and sanctions that are demonstrably consistent
with the messages, and the absence of barriers
to bad news travelling upward are essential
components of a strong culture.
There is value in measures such as the creation
of a meaningful and non-public statement of
values codifying this. But culture is determined
ultimately by what the leadership does rather
than by what it says.
25
|
26
Overall Lessons:
Communication and education on the benefits
of a risk appetite framework are essential.
Members of senior management need to be
visibly and consistently associated with these.
Limit setting is a key part of risk management,
whether or not it is part of a wider risk appetite
framework. Business unit and risk management
heads should use the risk appetite framework
as the context for explaining and promulgating
limits and risk policies.
Business unit heads must own local business
plans, which in turn must pay proper regard to
risk. This, including the link to the wider risk
appetite, should be clearly and consistently
communicated to staff.
Continuous and open dialogue about risks is
seen as fundamentally important in effectively
embedding risk appetite in the business lines.
Business unit leaders have a strong leadership
role to play in this. When this dialogue about
riskswithin and across business units and
with risk and senior managementworks
well, it facilitates both intelligent challenges
to the risk appetite boundaries and their
evolution over time. In this way, the risk
appetite framework is made dynamic and is
able to sensibly accommodate new business
opportunities over time.
27
|
28
Overall Lessons:
To be effective, the risk appetite framework
needs to incorporate all material forms of
risk, including those that are not readily
quantifiable. Zero tolerance is not a very
meaningful or practical conceptall risks need
to be actively managed.
Firms should make a maximum effort to
quantify such risks, making use of such
innovative approaches as estimates of earnings
foregone.
Maximum use should also be made of proxies
and other metrics, even where these do not
permit the direct quantification of losses.
Quantification and the development of proxies
need to draw on operational risk frameworks.
Committee structures to address reputational
or legal risks directly, and the risk implications
of new products can, if well operated, bring
experienced oversight to bear effectively.
Overall Lessons:
Leadership from the top is crucial, in terms
of stating the reason for creating the RAF
and explaining its benefits. Nevertheless, it
may be necessary to start with an element of
compulsion.
The active dialogue within and across business
units and with risk management staff and
senior management is essential to communicate
the benefits that the implementation of an RAF
brings to the firm. Such dialogue should also
be linked to specific transactions within the
business line in order to effectively involve
front-line staff.
Education is a key element in raising awareness
about the full benefits originating from a
complete risk appetite framework.
Business unit leaders must have the principal
responsibility not only for bringing and
incorporating risk appetite into their business
but also for articulating the benefits of risk
appetite in their businesses.
29
|
30
31
|
32
Overall Lessons:
There needs to be an iterative relationship
between setting risk appetite and planning at
both the group and the business unit levels.
This involves a partnership between a groups
risk management, strategy, and finance and the
business units, with explicit consideration of
risk in business planning.
Risk posturea qualitative expression of
whether a business unit intends to take more,
less, or approximately the same amount of risk
over the next planning periodcan be a useful
starting point for this discussion.
33
|
34
35
|
Overall Lessons:
A comprehensive, enterprise-wide stress testing
mechanism is a key part of a fully effective risk
appetite framework.
36
37
|
38
39
|
40
41
|
42
43
institute of international finance
44
Regulatory
Constraints
Financial
Drivers &
Self-Imposed
Constraints
Regulatory
Financial
Risk &
Tolerances
Regulatory
Financial
Risk
Profile
Regulatory
The largest circle represents the regulatory constraints RBC faces. RBCs regulatory
constraints are classified as:
1) Financial Tend to be quantitative in nature and therefore easier to interpret.
Capital ratios and liquidity metrics are examples of financial regulatory
constraints.
2) Other Tend to be predominately qualitative in nature and therefore require
judgment in interpreting requirements and assessing compliance. Examples
include maintaining compliance with legislative and regulatory requirements,
and adhering to privacy and information security regulations.
The darker center circle represents RBCs risk appetite as defined by
1) Drivers These are business objectives that imply risks RBC must accept to
generate the desired financial return. Examples include revenue growth and
earnings per share.
2) Self-imposed constraints Quantitative and qualitative statements that
Reputational
restrict the amount of risk RBC is willing to accept. Examples follow
on the next page.
The center circle refers to our risk limits and tolerances that we translate from
risk appetite:
1) Risk limits are quantifiable levels of maximum exposure RBC will accept. They
are established only for risks that are financial and measurable, such as
credit risk and market risk.
2) Risk tolerances are qualitative statements about RBCs willingness to accept
risks that are not necessarily quantifiable and for those risks where RBC does
Reputational
not have direct control over the risk we accept (such as legal risk and
reputational risk).
We communicate risk limits and tolerances through policies, operating procedures and
limit structures.
The striped oval represents the organizations risk profile at a given point in time.
Reputational
45
|
46
Reporting
Risk profile relative to risk appetite is reported
quarterly to senior management and the Board of
Directors. An Annual Enterprise Risk Presentation
is also made to the full Board of Directors. We have
found that a comprehensive and balanced set of our
most meaningful metrics, connected with external
developments, has yielded effective discussion and
decision making. Reporting has been a key component
in building understanding of the framework and its
application.
Success Factors
An important success factor has been strong support
of our Board of Directors, Chief Executive Officer, and
senior management. Our emphasis on risk appetite as
an enterprise priority has been framed and accepted as
a critical element to advance our strong risk culture.
Repeated iterations with stakeholders were helpful
in gradually building pattern recognition, senior
management buy-in, Board of Directors support, and
confirmation of the central components of our Risk
Appetite Framework.
Risk appetite development has been led by our
CRO, with ongoing facilitation by senior executives
in Group Risk Management and engagement with
business segments. We began to build business segment
ownership of business segmentlevel risk appetite
by integrating risk appetite with business strategy. A
flexible approach was required because one method
would not fit for all businesses and stakeholders.
Our risk frameworks contain straightforward
terminology and can be generally understood by all
stakeholders. We avoid overly technical and complex
discussions about risk with our Board and senior
management, and focus discussion within the context of
real and current issues for our institution. In this vein,
our business segment statements of risk appetite are
quite focused and business driver specific, for example,
concentration risk for certain sectors, acceptable
earnings volatility and levels of capital at risk.
Challenges
It was initially challenging to achieve clarity on
what risk appetite means and how it is used to drive
management decisions. Board and senior management
decisions implied a high level risk appetite; however,
Moving Forward
Our enterprise Risk Appetite Framework is updated
at least annually, focused on continued development
of self-imposed constraints. For example, we are
enhancing constraints pertaining to low exposure to
stress events, operational risk and qualitative measures
for non-financial risks. Other areas of focus are to
create more forward looking metrics, and achieve
the right blend of qualitative and quantitative key
measures.
As mentioned, we will continue to enhance
articulations of risk appetite for our business
segments and key lines of business. Compensation risk
management is another practice that we are integrating
into our risk frameworks.
It is also our objective to cascade risk appetite
concepts to broader employee audiences, to create
a general understanding of risk appetite and instill
ownership of risk. Consistent with our industry peers,
we have made significant progress in the area of risk
appetite, and there remains work to be done to achieve
full business engagement and integration into all
relevant management processes.
47
|
48
Modest beginnings
The development of our RAS and associated framework
has been, and continues to be, iterative. As described
conservative
neutral
business unit 1
expansionary
business
unit 2
BB
bus
CYB
unit 3
key
sgA
Group:
$x bn
equity
past postures
current posture
49
|
50
Action plans
Trade -offs
Balance sheet
Exhibit 2: From risk posture to risk budget and actual risk settings
Risk settings
Existing
franchise
Outlook
Customer
needs
Controls
Potential
rewards
Confidence in
capabilities
Models
Trading
limits
Op. loss
tolerance
Risk
posture
Hurdles
(e.g. x-sell,
return, LVR,
etc.)
Policies
Audits
Limits
Risk
budget
Expectations
for return
Industry
Country
Market
IRRBB
Equity
Product
Liquidity
etc.
Processes / procedures
Risk-taking
capacity
Regulatory
constraints
Legacy
assets /
liabilities
Making
decisions
Product
exposure
monitoring
Customer
onboarding
Training
Messaging
Not all risk settings are in the RASbut all are consistent with it
51
|
52
53
|
54
Enterprise Risk
In 2006 the Bank created an Enterprise Risk function
with a mandate of linking capital capacity, revenue
and risk-taking across the various risk types (e.g.,
credit, market, liquidity, operational risk, etc.). The
first priority of the new team was the development of
appropriate and actionable risk metrics. From there, a
comprehensive information package was developed for
regular reporting to senior management and the Board
on all risks spanning the entire Bank against key Boardapproved risk limits, globally, creating a clear picture of
the Banks risk exposures. Additional priorities included
further development of the Banks credit risk strategy.
With these developments, the Board was more informed
and could become more engaged. Together, these risk
limits, and various risk reporting aspects, helped senior
management articulate to the Board the amount of risk
being taken at the institution.
By 2008 it was evident that a broader strategy was
required. Risk Management at the Bank was still, to a
Setting Context
The Banks most senior executives were actively
engaged in industry discussions relating to risk,
implications of the global crisis and the subsequent
way forward for the industry. Senior executives became
involved in IIF benchmarking efforts, supported by a
broad cross-section of management.
The Enterprise Risk mandate was expanding in
several ways. In addition to becoming central support
for the IIF benchmarking analysis, the team began
integrating risk measures from across the firm. They
started to serve as a clearinghouse for all types of risk
information, and as a risk communications channel
for senior management and the Board. Without a more
defined Risk Appetite Framework, however, the risk
reporting lacked context. So the team conducted an
internal assessment of what was in place and confirmed
the following:
Diving In
55
|
56
Evidence of Change
The value of formalizing the Risk Appetite
Framework is best illustrated by the
change in Scotiabanks Annual Report to
shareholders. Prior to 2008, there had been
no discussion of risk appetite. By 2010,
the Annual Report contained several pages
directly connected to the new Risk Appetite
Framework, captured here:
Risk
Governance
Risk Appetite
Governing Financial
Objectives
Strategic Principles
Risk Management Principles
Risk Appetite Measures
Risk Management Techniques
Strategies Policies & Limits
Guidelines Processes & Standards
Measuring Monitoring & Reporting
Risks
Credit Market Liquidity Operational Reputational Environmental
Risk Appetite
Framework
Governing Financial
Objectives
Risk Appetite
Measures
Strategies, Policies
& Limits
Guidelines, Processes
& Standards
Risk Management
Techniques
Measurement,
Monitoring
& Reporting
57
|
Strategic Principles
Risk Management
Principles
58
Spare Risk
Capacity
Dimension 5
Risks actively
sought
Dimension 2
Incr
easi
Actual Risk
Profile
Dimension 4
ng R
isk
BOUNDARY
(APPETITE)
Target Risk Profile
(Strategy)
Dimension 3
CBA Group
59
|
Bedding in RAS
r e qu i r e s c a s c a di n g
Principles
Supporting limits
Group
Risk Appetite Statement
(RAS)
Group Risk
Policies &
Tolerances
Business Unit
RAS
Line Of Business
(LOB) RAS
LOB Operating
Policies & Procedures
Validate or challenge
60
Link to strategy
A major element of the overall risk appetite framework
is the interaction between risk appetite and strategy.
The formal alignment and interaction of these two
elements had not previously been built into the
operations of the Group.
The first point of connection is that both appetite
and strategy should be aligned with the Groups
vision and values. Beyond that the appetite is setting
boundaries on risk taking activities while strategy
is seeking optimal use of the Groups resources in
response to the evolving environments in which we
operate. Each should be challenging the other. Equally,
reading one should give knowledge of the other. These
concepts are illustrated in Figure 3.
BU
Strategic
Plans
BU1
BU2
BU3
BU4
Assess
&
Revise
BU RA
Business Unit (BU) challenges
RA
Risk Appetite
Group
Statement/Policies
Successes to date
There have been several aspects of the development of
risk appetite that have worked well and translated into
meaningful benefits for the Group:
Firstly, the approach to engaging with the Board
led to a strong sense of ownership and a depth of
understanding of risk appetite by the Board that
would not otherwise have been achieved.
By setting clear Risk Culture expectations in the
Group RAS and putting ownership for developing
business unit RASs on the heads of the business
units (rather than the business unit risk teams),
there has been a cultural shift in the ownership
of risk from Risk Management to the businesses.
Business units now act with clearer responsibility
(ownership) for the risk they take on.
The incorporation of the review of risk appetite
as part of the strategic planning process, and
the presentation of strategic plans, formally
accompanied by recently agreed upon risk appetite
statements, to both management and Board has
brought risk appetite considerations formally
into key decision making and strategy setting
discussions.
61
|
62
Introduction
As discussed in the report, in mid-2010 the IIF Steering
Committee on Implementation (SCI) established
a Working Group on Risk Appetite (WGRA), with
the objective of identifying the key stages and the
technical and cultural challenges in the journey toward
designing, implementing, and monitoring adherence to
a sound risk appetite framework (RAF), and to bring to
bear Industry expertise and sound practices to examine
how these challenges can be addressed.
As a key first step, the WGRA has carried out a
survey among key industry participants to understand
better the key challenges that must be confronted
and addressed in a firm-wide implementation of risk
appetite. The survey aimed at capturing the interactions
and different perspectives among the Board, business/
senior management, and risk management in the
implementation of risk appetite framework.
An overview on the key messages emerging from the
survey is provided in the sections below.
Alpha Bank, ANZ Banking Group, Barclays, BBVA, BMO, BNP Paribas, Bank of America, Bank of Ireland, Commonwealth Bank [of Australia],
Commerzbank, Credit Suisse, Danske Bank, DBS Group, Deutsche Bank, Erste Bank, FirstRand, Handelsbanken, HSBC, ING, Itau, Macquarie, Mercantil,
Mizuho, Mitsubishi UFJ Financial Group, National Australia Bank, Nordea, Norinchukin Bank, RBC, RBS, Santander, Scotiabank , SEB, Socit Gnrale,
State Street, SunCorp, SwissRe, UBS, UniCredit, WellsFargo, and Westpac.
30%
HQ Location
23%
Number of firms
EMEA
22
10
The Americas
Activities undertaken
13
10
$0
$25 bn
$25
$50 bn
$50
$75 $100 bn
$75 bn $100 bn
+
47%
8
Balance Sheet Size
32
76%
87%
89%
50%
Insurance
Number of employees
9
Multiple countries within single continent
Global (Presence on all 5 continents)
Multi-continent
Activities undertaken
mber of firms
22
10
8
13
$0
$25 bn
$25
$50 bn
10
76%
14
$0
$500 bn
11
11
0 25k
25
50k
50
75k
75
150k
150k +
25
20
15
10
5
2
Not embarked
on the process
Little
Progress
50%
Insurance
$2000 bn
+
89%
Number of employees
$500
$1000
$1000 bn $2000 bn
87%
$50
$75 $100 bn
$75 bn $100 bn
+
Some
Progress
23
Good
Successful
Progress implementation
63
|
Market Capitalization
64
10
12
14
16
18
10
15
10%
20%
30%
40%
50%
60%
70%
80%
How to best express risk appetite for different risk types, some of which
can be quantified in generally accepted ways, and some of which cannot
be easily quantified
Using the risk appetite framework as a dynamic tool for managing risk
rather than another way of setting limits or strengthening compliance
Using the risk appetite framework as a driver of strategy
and business decisions
Achieving sufficient clarity around the concept of risk appetite
and some of the terminology used (e.g. difference between
risk appetite and risk limits)
How to effectively relate risk appetite to risk culture
$0 $500 bn
$500 $1000 bn
$1000 $2000 bn
$2000 bn +
65
|
Return on equity
Earnings volatility
Stress tests
RWA limits
Liquidity ratios
Industry concentration
Country envelopes
Assets-to-Capital Multiple
Operating leverage
66
Key Interactions
The successful implementation of a risk appetite
framework is critically dependent on effective
interactions among many key participants: Board
members, senior management, the risk management
function (embodied in the CRO), and business
line heads.
The survey shows that in the large majority of
firms, the initiative for setting the risk appetite was
taken by senior management, and the proposed
framework was approved by the Board after a
challenge process. This great degree of convergence
on the process reflects the key oversight role of the
Board. In a few cases, however, this initiative has
not yet been subject to substantive challenge from
the Board (Chart 8).
10
15
20
67
|
25
27
10
20
30
40
50
60
Capital Capacity 50
Budget Targets 28
Liquidity or other 26
market constraints
Culture 16
Shareholder input 16
and perspectives
Stress Test Results 16
External market 10
dynamics/considerations
Return
Specifying risk appetite only
Capital
Monitoring compliance only
Provisions
EL
Internal ratings
Cost of risk
Limits
Concentration limits
VaR
RAROC
RWA
EC
Stress Testing
Capital Ratios
Growth measures
EPS
Earnings Volatility
ROE
68
10
12
14
12
Qualitative management 8
assessment/guidelines
Non-quantitative measures 5
are not considered yet
Developed proxy measures
69
|
70
Cross-divisional communication.
The empowerment of the CRO was a key finding and recommendation of the July 2008 report of the IIF Committee on Market Best Practices.
71
|
Biggest Achievements,
Benefits, and Key Next Steps
72
12
16
4
6
1 1
14
1st Achievement
10
Balancing risk/reward
2nd Achievement
3rd Achievement
12
1
4
2
6
16
7
1
14
1 1
1st Achievement
10
12
2nd Achievement
3rd Achievement
10
15
1 2
1st Achievement
20
2
15
4
5
2 1
2nd Achievement
3rd Achievement
25
Project Team
For the Institute of International Finance:
Production:
73
|
74
Design by www.katetallentdesign.com