Risk Appetite As A Key Element Of An Effective Enterprise Risk Management Framework

Introduction

2008 witnessed a global financial crisis, with governments worldwide taking emergency action to prevent the collapse of the banking system. In Ireland the government issued a state guarantee of Irish domestic banks. Allied Irish Bank and Bank of Ireland were subsequently recapitalised in order to enable them to continue to lend. One of the main causes of the crisis was that banks were engaging in business without fully understanding the risks they were taking. There was a concentration of risk in the property sector. Risk is defined in ISO Guide 73 as the “effect of uncertainty on objectives”. For institutions to achieve their objectives or strategies, risk has to be managed. Enterprise Risk Management (ERM) is the process for managing risk. ERM has been in existence for a number of years and is defined as “a process aimed at helping organisations identify potentially adverse events and subsequently manage the associated risks in furtherance of objectives”.

Risk Appetite

Risk appetite is a key element of an effective ERM framework. Rittenberg and Martens in their research on understanding and communicating Risk appetite define it as: The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. Risk appetite guides resource allocation. Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks.

Risk appetite is established, monitored and communicated through the risk appetite framework. Risk appetite and strategy are interlinked. Risk appetite enables an organisation to take calculated risks in the pursuit of strategy and objectives; it also places constraints on activities.

Risk Appetite Framework (RAF)

The RAF is defined by the Financial Stability Board as: The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the financial institution, as well as to the institution’s reputation vis-à-vis policyholders, depositors, investors and customers. The RAF aligns with the institution's strategy. An effective RAF is important in managing risks and reduces surprises.

Key elements of RAF

Risk appetite for a financial institution should be formulated, implemented and reviewed on a continuous basis with the direct involvement of the board of directors to ensure that it is in line with changes in market conditions, regulations, strategies, objectives and procedures.

Risk Appetite Statement

The risk appetite statement is a key element of the RAF. It provides a consistent framework for understanding risk throughout an organisation. Management should look at the entire organisation when setting the risk appetite and address the following questions: What risks does the institution face (existing risk profile)? How much risk is the institution prepared to take? Who is responsible for managing these risks? How does the risk profile affect capital? How can the institution ensure that there are no surprises?

Risk appetite statements should be well articulated in order to guide decision making and behaviour at the top and should be cascaded downwards so that everyone is guided by them. A risk appetite statement is a live document which should be reviewed and monitored on an ongoing basis, especially if there are changes in the business model or the market at large. It should be built into the daily business processes and activities at all levels in the institution. The risk capacity of an organisation should be considered when setting risk appetite. Risk capacity is the maximum amount of risk which an organisation is technically able to assume without breaching one or more of its capital base, liquidity, borrowing capacity, reputational and regulatory constraints. In order to ensure that a breach of risk appetite does not lead to failure of an institution, the sound practice is to build buffers around risk appetite. For example, if the risk capacity is 100, risk appetite can be set at 80, giving a buffer of 20.

Risk Limits

These are quantitative measures based on forward looking assumptions that allocate an institution’s aggregate risk appetite statement. Risk limits should be measurable and specific. Organisations should set upper and lower tolerance levels around a risk. Lower tolerance levels around a risk limit are important in ensuring the organisation is taking enough risk to achieve its strategic goals. Risk limits should be cascaded across the organisation and a breach should trigger corrective action. Risk limits should be monitored and should be adhered to. For example, in the Barings Bank case, Nick Leeson engaged in unauthorised trades from 1992 to 1995, resulting in a total loss of £827m, which brought Barings Bank down. The case demonstrates failure in internal controls and risk management. There was a lack of oversight. Risk limits were not monitored and reported, resulting in the failure of Barings Bank.

Roles and Responsibilities

The RAF should outline the roles and responsibilities of those overseeing its implementation and monitoring. The board of directors should approve the RAF and risk appetite statement, which should be developed in collaboration with the Chief Executive Officer (CEO), Chief Financial Officer (CFO) and Chief Risk Officer (CRO). The CEO, CRO and CFO should translate the board’s expectations into targets and limits. The RAF should be independently reviewed by internal audit, external audit or an independent third party.

How the RAF will address key stakeholder expectations

An effective RAF will ensure key stakeholder expectations are met in the following ways:

  1. As risk appetite is aligned to strategy, it will ensure the financial institution’s objectives are achieved, which will increase the likelihood of generating profits and therefore of meeting shareholders' expectations.
  2. An effective RAF will lead to better management of risks and therefore reduce the chances of institution/bank failure; this provides stable work environments, which will meet employee expectations.
  3. The regulator's expectations will be met as risk limits will be monitored, reducing breaches and sanctions. For example, Citibank Europe Plc was fined circa €1.3m in respect of six breaches of the Code of Practice on Lending to Related Parties.
  4. Rating agencies may require an organisation to hold more capital and this has an effect on the risk appetite.
  5. Debt holders will monitor the firm’s rating and may increase the cost of capital if the firm's rating drops.
  6. Customers require fair treatment and are protected by the consumer protection code issued by the Central Bank which has to be adhered to by organisations.

Key challenges in implementing an effective risk appetite framework

Linking risk appetite to planning is a challenge. This is because historically different metrics were used to measure risk and strategic planning. This can be solved with strong collaboration of senior management, including the risk function, finance and strategic planning. For example, in the Wells Fargo case, sales staff were given unrealistic sales targets and, in order to achieve them, used sordid tactics such as issuing unauthorized ATM cards and assigning PIN numbers.

Cascading the risk appetite across the entire organisation

Linking the risk appetite to actual business decisions is critical for the implementation of an effective RAF. Employees should understand what the organisation's risk approach means to them individually and apply it in their daily roles. Aggregating data from across different business areas can be challenging but is required in order to have a holistic view of the organisation and to prevent breaches. Cascading the RAF across the organisation is important as it helps employees to understand their role in risk management.

Developing risk metrics

Risk metrics are required for monitoring the risk profile against risk appetite. Getting the number of metrics right is difficult, as too many metrics may result in a loss of focus and too few may not be meaningful. It is difficult to get metrics that will apply to all staff. Too many metrics can also cause confusion at the top level. IT systems should be developed to facilitate the reporting of risk metrics. Metrics should also be developed for hard to measure risks. Metrics can be qualitative and quantitative. Metrics used by firms include regulatory capital adequacy, credit rating, VAR and leverage ratio.

Cost benefit analysis

Implementing an effective RAF may be costly, and the challenge is to ensure risks are covered appropriately at a sustainable cost. For example, operational risk such as cyber risk has no rewards, yet a breach may be costly to an institution. Ulster Bank, for instance, was fined €3.5m for IT and governance failings by the firm that resulted in approximately 600,000 customers being deprived of essential and basic banking services over a 28-day period during June and July 2012.

The ERM framework may not be sufficiently flexible to absorb changes to objectives quickly. This leads to risk exposure in areas which were not previously considered and may result in losses. An example is the board increasing targets without considering how the targets will be implemented. ERM should be integrated in the planning process to ensure risks are considered early enough. Other challenges in effectively implementing risk appetite within an ERM framework include poor identification of risks, inadequate definition of risk appetite, and risk identification being confused with risk control.

Human element of risk management

ERM is implemented by humans, who may err and make poor judgements, especially in times of pressure; errors may also be caused by lack of training and expertise. Employees may also collude to circumvent controls or hide data. Management may also override controls for illegitimate purposes. Management is the custodian of controls, and if they override controls this may lead to firm failure, as was seen in the case of Anglo Irish Bank, which had procedures and processes on paper that in certain cases were not implemented or followed in practice. Risk evaluation procedures and risk mitigants were not implemented in practice. This contributed to the collapse of the bank.

Conclusion

This leads to the conclusion that risk appetite is a key element of an effective ERM framework. ERM has been in existence for a number of years. There are challenges in implementing the ERM framework. It is evident from the recent financial crisis that ERM frameworks were not implemented effectively by financial institutions. Firms that had implemented ERM were also affected by the crisis. For some firms the processes were stated on paper but were not applied properly. In some cases the ERM framework was not integrated with strategic planning when the two should be aligned. In other cases there was an element of groupthink and management override of controls (Nyberg Report, 2011). The risk function was also under-resourced and not listened to by the board. An ERM framework will only work well if it is properly implemented and monitored. An effective RAF will highlight the risks that a firm should take in order to meet its strategic objectives. This will also help meet the expectations of stakeholders such as shareholders, regulators, customers, employees and debtholders.

29 April 2020