FSB's RAF Principles published - send the car back lads...
So where do they take this deep dive into Risk Appetite? Other than awkwardly shoehorning in the soup du jour of "SIFIs", they stick to the hard areas which will get every risk practitioner's attention (namely, Risk Appetite Framework, Risk Appetite Statements, Risk Limits and Roles and Responsibilities), though "for clarity and simplicity", they jettison the use of Risk Tolerance. Definitions are supplied on p2-3, which you may find useful as anchor references.
They somehow make room for anodyne flannel in this very short document, for example:
Risk Appetite Frameworks
- Should "facilitate embedding risk appetite into the financial institution’s risk culture"
- Development and establishment is an "...iterative and evolutionary process that requires ongoing dialogue throughout the financial institution to attain buy-in across the organisation" (groan)
Risk Appetite Statements
- "Risk appetite may not necessarily be expressed in a single document; however, the way it is expressed and the manner in which multiple documents form a “coherent whole” need to be carefully reviewed to ensure that the board obtains a holistic, but compact and easy to absorb, view of the financial institution’s risk appetite"
- "Having risk limits that are measurable can prevent a financial institution from unknowingly exceeding its risk capacity as market conditions change and be an effective defence against excessive risk-taking" - tell that to Lehmans!
However, the salient points for me were as follows:
Risk Appetite Frameworks
- RAF "...sets the financial institution’s risk profile" - not convinced on that one, but may be a semantic issue
- "explicitly defines the boundaries within which management is expected to operate when pursuing the institution’s business strategy"
- Should "be adaptable to changing business and market conditions" to allow for limit increases where appropriate
Risk Appetite Statements
- "[should] address the institution’s material risks under both normal and stressed market and macroeconomic conditions"
- "...should establish quantitative measures of loss or negative outcomes that can be aggregated and disaggregated"
- "...include key background information and assumptions"
- "...include quantitative measures that can be translated into risk limits"
- "...be forward looking and, where applicable, subject to scenario and stress testing"
Risk Limits
- "[should] be set at a level to constrain risk-taking within risk appetite"
- "...should not be strictly based on comparison to peers or default to regulatory limits"
- "[should] not be overly complicated, ambiguous, or subjective"
Roles and Responsibilities
- ...must establish the institution-wide RAF and approve the risk appetite statement, which is developed in collaboration with the chief executive officer (CEO), chief risk officer (CRO) and chief financial officer (CFO)
- FSB specifically comment that Boards who "receive" or "note" Risk Appetite Statements have a lower understanding of risk appetite (so don't sponsor it!)
- "[should] regularly review and monitor the actual risk profile and risk limits against the agreed levels (e.g. by business line, legal entity, product, risk category)", "including qualitative measures of conduct risk"
- "[should] ensure risk management is supported by adequate and robust IT and MIS to enable identification, measurement, assessment and reporting of risk in a timely and accurate manner."
- "...be accountable, together with the CRO, CFO, and business lines for the integrity of the RAF"
- "...ensure that the institution-wide risk appetite statement is implemented by senior management"
- "...provide leadership in communicating risk appetite to internal and external stakeholders"
- "...establish a policy for notifying the board and the supervisor of serious breaches of risk limits and unexpected material risk exposures"
While there are specific sections for the obligations of CRO, CFO, Internal Audit and Business Unit Management, they don't necessarily expand much further than what I consider to be normal functional expectations, so I haven't elaborated on them.
One should certainly therefore expect a much more aggressive approach from supervisors in future off the back of this - combing through strategy and board papers for evidence of Risk Appetite in application, and making sure that Risk Appetite Statements are not just 'rubber stamped', for example.
I certainly don't see much in this for stakeholders. Nothing particularly new is brought to the table here, and if this is the result of peer review and shared experiences, then clearly there is concurrence on how an RAF should be constructed, what a RAS looks like, and who should do what in regard to continuous monitoring.
The skill will be for risk practitioners to convince their CEOs/NEDs that this is no longer a sidecar activity in the ERM best practice space, but a nascent global minimum standard which will invariably surface in national regulations in the forthcoming months and years.