Love RAFs? CRO Forum's Risk Appetite survey

The CRO Forum have recently published the results of their 2014 survey on Risk Appetite development in insurance entities. It is perhaps the oldest drum in Risk Management Town, but one we are always happy to hear the beat of, and while we shouldn't expect a forum with such luminary members to deliver any shocking results, a careful sift through the carcass is always a smart idea.

The Cure - to tolerance breaches?

The final presenter at the PRA's recent NED briefing noted that Risk Appetite is "no longer an aspiration", a comment I felt was further behind the times than Nana wearing Juicy Couture. That said, on page 8 it suggests that less than a quarter of firms are "very satisfied" with their RAF maturity, and over a third feel they have "a lot of work to do", so perhaps he hit the nail half on the head...

This document should clarify whether that caution is justified, and with 48 responses from the top table, it should be a reliable benchmarking tool. Despite starting like a GCSE essay ("the topic of Risk Appetite has exploded"?), it contains some useful, if a little dry, benchmarks, such as;

• Principles for a RAF (p3-4) - hard to argue with
• Main goals - dominated by preserving capital, while only a third are looking to "improve shareholder value" or "optimise capital"
• Main stakeholder list (p5) seems good in breadth and priority
• Almost everyone is using regulatory capital in some way as a Risk Tolerance measure (p9)
• Stress and Scenario testing is being used by 80% to set Risk Tolerance levels, which feels at the right end of expectations
• 60% report quarterly, with most others slightly more or less frequent

It takes a few odd turns, in particular;

• One of the main objectives cited (p4) seem to be centre around boiling down things into a single document. I appreciate that pressure, but surely we feel that a RAF has a more substantial objective that document consolidation?
• "Development of a Risk Appetite Statement is an evolution" (p6) - don't agree at all, it is a task, otherwise it would never get done.
• Coverage of Risk Appetite Statements as "regulatory requirements", in particular under Solvency II. Just because the industry is choosing to discharge its obligations in EIOPA's Guidelines (SoG 15 & 16) by producing a single statement document, it doesn't make a Risk Appetite Statement a requirement.
• Less than half are using a "1-in-x" loss that would breach regulatory capital in their Risk Tolerances - just feels like a very obvious one to use, so suprised by that number

Some of the more practical issues faced by firms are well covered, for example;

• Difficulties for Groups when setting risk appetite. Does the parent/head-office set overall appetite, and the children sub-divide it by business unit/risk category/Both? Do the children set their own appetites and feed them up for aggregation?
• Listing Risk Concentration targets looks awkward across the board (p5). While firms seem to be able to quantify Liquidity and Capital targets in their Risk Appetite Statements, other categories are much less consistently quantified. Market, Credit and Insurance Risk appear to be quantified by less than a third of respondents, preferring to address these in separate policies/guidelines (a Solvency II by-product perhaps?).
• Setting Risk Tolerance levels is highlighted as a "minor" improvement required by over 60% of respondents.
• There is a veritable bombsite of Earnings at Risk metrics in use, which is healthy for the industry I guess (p10).
• What does one do when Risk Tolerance level is breached? Around a third are not OK with limit breaches and demand immediate rectification, while two thirds allow for a "Cure Period" to return the Risk Profile to its required form. A "Cure Period" seems the fairest breach rectification approach to me - after all, I don't care if Monday's blue...

A worthy benchmarking document, so fill those boots.

Financial Stability Board - Principles for an Effective Risk Appetite

Christmas has come early everyone - the Financial Stability Board have released their Principles for an Effective Risk Appetite Framework today, and I'm greedily ripping in to it before JC's birthday like a spoilt, yet handsome child...

FSB's RAF Principles published- 

send the car back lads...

There has been a reasonable amount of traffic on Risk Appetite this year (here, here and here for a start), after the FSB but announced their consultation earlier in the year, I've been on tenterhooks. This was following of the back of a thematic review on Risk Governance as a whole by the FSB, which they published back in February.

So where do they take this deep dive into Risk Appetite? Other than awkwardly shoehorning in the soup de jour of "SIFIs", they stick to the hard areas which will get every risk practitioners' attention (namely, Risk Appetite Framework, Risk Appetite Statements, Risk Limits and Roles and Responsibilities), though "for clarity and simplicity", they jettison the use of Risk Tolerance. Definitions are supplied on p2-3, which you may find useful as anchor references.

They somehow make room for anodyne flannel in this very short document, for example;

Risk Appetite Frameworks

• Should "facilitate embedding risk appetite into the financial institution’s risk culture" 
• Development and establishment is an "...iterative and evolutionary process that requires ongoing dialogue throughout the financial institution to attain buy-in across the organisation" (groan)

Risk Appetite Statements

• "Risk appetite may not necessarily be expressed in a single document; however, the way it is expressed and the manner in which multiple documents form a “coherent whole” need to be carefully reviewed to ensure that the board obtains a holistic, but compact and easy to absorb, view of the financial institution’s risk appetite"

Risk Limits

• "Having risk limits that are measurable can prevent a financial institution from unknowingly exceeding its risk capacity as market conditions change and be an effective defence against excessive risk-taking" - tell that to Lehmans!

However, the salient points for me were as follows;

Risk Appetite Frameworks

• RAF "...sets the financial institution’s risk profile" - not convinced on that one, but may be semantic issue
• "explicitly defines the boundaries within which management is expected to operate when pursuing the institution’s business strategy"
• Should "be adaptable to changing business and market conditions" to allow for limit increases where appropriate

Risk Appetite Statements

• "[should] address the institution’s material risks under both normal and stressed market and macroeconomic conditions"
• "...should establish quantitative measures of loss or negative outcomes that can be aggregated and disaggregated"
• "...include key background information and assumptions"
• "...include quantitative measures that can be translated into risk limits"
• "...be forward looking and, where applicable, subject to scenario and stress testing"

Risk Limits

• "[should] be set at a level to constrain risk-taking within risk appetite"
• "...should not be strictly based on comparison to peers or default to regulatory limits"
• "[should] not be overly complicated, ambiguous, or subjective"

Roles and Responsibilities

The Board

• ...must establish the institution-wide RAF and approve the risk appetite statement, which is developed in collaboration with the chief executive officer (CEO), chief risk officer (CRO) and chief financial officer (CFO)
• FSB specifically comment that Boards who "receive" or "note" Risk Appetite Statements have a lower understanding of risk appetite (so don't sponsor it!)
• " [should] regularly review and monitor the actual risk profile and risk limits against the agreed levels (e.g. by business line, legal entity, product, risk category), "including qualitative measures of conduct risk"
• " [should] ensure risk management is supported by adequate and robust IT and MIS to 
• enable identification, measurement, assessment and reporting of risk in a timely 
• and accurate manner."

CEO should

• "...be accountable, together with the CRO, CFO, and business lines for the integrity of the RAF"
• "...ensure that the institution-wide risk appetite statement is implemented by senior management"
• "...provide leadership in communicating risk appetite to internal and external stakeholders" 
• "...establish a policy for notifying the board and the supervisor of serious breaches of risk limits and unexpected material risk exposures"

While there are specific sections for the obligations of CRO, CFO, Internal Audit and Business Unit Management, they don't necessarily expand much further than what I consider to be normal functional expectations, so I haven't elaborated on them.

One should certainly therefore expect a much more aggressive approach from supervisors in future off the back of this - combing through strategy and board papers for evidence of Risk Appetite in application, and making sure that Risk Appetite Statements are not just 'rubber stamped', for example.

I certainly don't see much in this for stakeholders. Nothing particularly new is brought to the table here, and if this is the results of peer review and shared experiences, then clearly there is concurrence on how an RAF should be constructed, what a RAS looks like, and who should do what in regard to continuous monitoring.

The skill will be for risk practitioners to convince their CEOs/NEDs that, this is no longer a sidecar activity in the ERM best practice space, but a nascent global minimum standard which will invariably surface in national regulations in the forthcoming moths and years.

Towers Watson - 'Risk Appetite revisited' (did we ever leave it?)

I have been doing a little work on Risk Appetite in the background recently, so was intrigued to have a read through this recent release by Towers Watson on the subject, seemingly targeted at North American and UK markets, but relevant to any practitioner in this space. Somehow I wasn't put off by p6 when, in response to the hypothetical question 'What is Risk Appetite', they responded with, "...we do not want to focus too much on the issue..."!

Appetite - second helpings?

I had blogged earlier this year on Risk Appetite, covering the expectations of EIOPA on the matter (which are few), as well as the more pokey/proddy stakeholders like the PRA/Central Bank of Ireland/S&P (which are several!), so the backdrop of risk appetite's practical significance to insurers doesn't need to be repeated here, more how consultants and practitioners are improving their game on the ground. Worth noting here that a few of the other consultancies have proffered their two cents on the matter over the last year or so (here, here, and here).

While interest in 'risk appetite' is currently piqued at governmental level thanks to the forensic examination of the banking industry's failings (multiple references in Parliamentary Commission evidence here and here for example), the driver of activity in the UK and Ireland is predominantly from the regulatory compliance perspective rather than expectations of bespoke, strategy-driving activity. In addition, we now see the emergence of Internal Audit as a party with a vested interest in the matter, which has the potential to draw the subject even more to a tidy, but ultimately superfluous documentation exercise.

With that in mind, Towers note that this paper is focused on "...enhancing risk appetite by improving its articulation, via clearer linkages to mission and strategy", and a rather derisive tone is therefore applied throughout regarding the familiar quantification methods preferred by regulators to monitor likelihood of insolvency in the next 12 months, giving equal billing to non-monetary capital and qualitative measurements. The paper also crosses some familiar ground, such as a lack of consistent terminology, which it tries to address (below).

Oddly, the document does not reference the FSB's thematic review of risk governance earlier this year, which will surely drive efforts in this space in the medium term, if only due to the paucity of certainty on the subject. That the FSB believe that regulators have "more work to do" is striking, and while they also bemoan the lack of common terminology, they don't let that prevent them from offering definitions of their own, as well as listing their "Key features" of a Risk Appetite Framework.

More obvious statements

• "..clearer linkages are needed to mission and strategy for risk appetite to be effective"
• "risk appetites must include boundary constraints"
• "We suggested that greater clarity around the definition of risk is needed..."

Definitions

• Risk - "In this context, risk should be defined in terms of those events and circumstances that may result in an insurer failing to deliver on its mission."
• Risk appetite - "...the manner in which a company expresses an identified set of risk-trading opportunities, and sets boundaries on its risk-trading among those opportunities, aligned with successfully delivering on its mission."
• Risk strategy - "The company’s risk strategy articulates how risk fits with the mission".
• Risk tolerance - "Risk tolerances are a quantitative extension of the risk strategy...risk tolerances must be measurable...[and] place quantitative boundaries on the company’s strategy"
• Risk limits - "Risk limits are more granular tolerance levels expressed for specific risk sources, business units, and/or products that are used to implement the risk tolerances."
• Risk appetite statement - "...risk appetite statements should be taken as the combination of risk strategy tolerances and preferences, bringing together qualitative and quantitative enterprise perspectives on risk as both opportunity and threat."
• Mission - "mission is the insurer’s unique multi-period and multi-stakeholder value creation proposition."

Technical suggestions

• They promote four facets of risk assessment: size, likelihood, impact and significance.
• For those working on statement content, they recommend "...since published mission statements can be fairly terse, the risk appetite may need to look beyond the explicit elements of the mission and consider elements that are implicit." Instinctively that feels unfair, but I guess the world of implicity is one for the second line to inhabit, while the first line concentrate on value-adding.
• Concept of adaptive buffers sits nicely with me - the most visceral ones being economic capital and reinsurance/hedging/liquidity facilities, but TW attempt to expand that over qualitative areas of the risk appetite statement
• Risk preference ranking of 0-4 depicted at the back is a handy schematic

Sore points

• "Some take the view that risk appetite can be expressed as a single metric, or perhaps a small set of metrics, that capture the organisation’s willingness and ability to bear risk." - that 'some' would include the FSB, COSO, the Central Bank of Ireland and the IRM, so I wouldn't be too sniffy at efforts to-date
• "Much of the work to-date on risk appetite statements has been driven by solvency supervision requirements, many statements tend to focus primarily on potential losses of capital"- a natural and by no means unwelcome by-product of having regulators in the box-seat, as opposed to stakeholders combining their efforts to establish compulsory risk appetite statement content?
• "While most insurers have, by now, developed risk appetite policy statements and discussed them with their boards, many have expressed dissatisfaction with the exercise" - that feels a rather loose statement, and if true says more about the personnel charged with performing the work.

I'll take a look at the diversity of definition in the risk appetite space across different bodies in a separate post - for now, just enjoy this tidy piece of work for what it is.