CHAPTER 14
Risk Appetite
In this chapter, we explore the most challenging element of the operational risk framework: risk appetite. The risk appetite element of the framework is the glue that holds the framework together, as it provides context for the risks that are identified and assessed and ensures appropriate escalation and governance of operational risk.
However, there was little guidance on operational risk appetite in the original Basel II documents, and firms have struggled with this element in the past few years. Regulators have now provided further guidance that makes it clear that the board of directors, senior management, and businesses all have roles to play in setting and managing operational risk appetite. This guidance has proven helpful, and firms are now making real progress in addressing this element of the framework, albeit with a wide range of practices.
THE ROLE OF RISK APPETITE
Operational risk management, measurement, and capital modeling produce data, scores, and capital numbers that are designed to be used by the firm to identify, assess, monitor, control, and mitigate operational risk. All of these activities rely on an underlying understanding of the risk appetite of the firm.
Assessment of risk assumes that there is a gauge against which that assessment is measured. However, finding and expressing an operational risk appetite can prove to be very challenging. Unlike other risk categories, operational risk is inherent in the very existence of the firm. As such, a risk appetite of zero operational risk is untenable. What then is the appropriate level of operational risk?
Risk appetite usually matures as the operational risk program develops. Once operational risk loss event data is gathered, then management is able to determine whether they consider this level of losses to be acceptable or not. As RCSA data is gathered, the participants express whether they feel the risks to be high and in need of mitigation or whether they are at acceptable levels.
As scenario analysis workshops are conducted, participants engage in discussion around the worst possible cases and determine whether there may be mitigating actions required. As KRIs are designed and gathered, thresholds are determined and refined to reflect the risk levels that are considered acceptable.
Therefore, the operational risk framework itself supports the evolution of the operational risk appetite of the firm. Thresholds and scores will be adjusted as that appetite is refined or changes.
For that reason, most firms did not attempt to articulate their operational risk appetite until the operational program had had a few years to evolve and mature. The risk appetite is a critical pillar that holds the whole operational risk framework together, as is illustrated in Figure 14.1.
Before examining the rules and approaches that apply to operational risk appetite, it is necessary to establish terminology. Many firms use different terms in this space, referring to risk capacity, risk appetite, risk tolerance, and risk thresholds—often interchangeably and confusingly.
It may help to consider this area of the framework in all four ways, and for the purposes of this chapter we take the following approach. Risk capacity is the ability of the firm to absorb risk and is often related to the capital that it holds. Risk appetite is the firm's view on what risks it is willing or unwilling to take. Risk tolerance reflects specific levels of risk that will be permitted without the need for mitigation. Risk limits are thresholds that are used to monitor measures of risk. The relationship between these is illustrated in Figure 14.2.
FIGURE 14.1 The Role of Risk Appetite in the Operational Risk Framework
FIGURE 14.2 The Relationship between Risk Capacity, Appetite, Tolerance, and Limits
In Figure 14.2 it can be seen that the governance flows down from capacity, through appetite and tolerance to limits. It is also clear that the escalation of risk flows upward from limits to risk capacity. These flows impact the roles and responsibilities of the board, senior management, and the business lines and limit owners.
REGULATORY EXPECTATIONS
The regulators have evolved their thinking on risk appetite, not just in operational risk, but as an important element in corporate governance. Basel II only mentions the word appetite once, in the Pillar 2 section of the rules:
The [operational risk] framework should cover the bank's appetite and tolerance for operational risk, as specified through the policies for managing this risk.1
In its 2003 “Sound Practices for the Management and Supervision of Operational Risk” document, the Basel Committee on Banking Supervision (BCBS) did not add much color. They referred to appetite in their principles:
Principle 6: Banks should have policies, processes and procedures to control and/or mitigate material operational risks. Banks should periodically review their risk limitation and control strategies and should adjust their operational risk profile accordingly using appropriate strategies, in light of their overall risk appetite and profile.2 [emphasis added]
They talked about how the risk appetite should be used in remuneration considerations:
Senior management should also ensure that the bank's remuneration policies are consistent with its appetite for risk.3 [emphasis added]
And they referred to it as a consideration when deciding whether to accept risk or self-insure against certain risks:
In some instances, banks may decide to either retain a certain level of operational risk or self-insure against that risk. Where this is the case and the risk is material, the decision to retain or self-insure the risk should be transparent within the organization and should be consistent with the bank's overall business strategy and appetite for risk.4 [emphasis added]
But there was no Basel guidance provided as to how operational risk appetite could or should be articulated and initially little pressure from the regulators for banks to get any clear risk appetite statements in place.
However, there was a fundamental change in emphasis in this area when BCBS updated the 2003 “Sound Practices” guidance with the “Principles for the Sound Management of Operational Risk and the Role of Supervision” document in 2011. Instead of five mentions of appetite, there were now 19, and the bar had been significantly raised.
Perhaps most importantly, under the 2011 guidance the board of directors was now expected to approve and review the operational risk statement, and we have more clues as to what that statement should include:
Principle 4: The board of directors should approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types, and levels of operational risk that the bank is willing to assume.5
The footnote provides additional guidance as to the meaning of risk appetite and risk tolerance were as follows:
“Risk appetite” is a high level determination of how much risk a firm is willing to accept taking into account the risk/return attributes; it is often taken as a forward-looking view of risk acceptance. “Risk tolerance” is a more specific determination of the level of variation a bank is willing to accept around business objectives that is often considered to be the amount of risk a bank is prepared to accept. In this document the terms are used synonymously.6
In other words, BCBS did not clearly distinguish between appetite and tolerance, but they did start to define the concepts for us as a forward-looking view of risk acceptance.
The updated “Sound Practices” still required senior management to ensure that the operational risk framework was consistent with the risk appetite of the firm7 and charged audit to “review the robustness of the process of how [risk appetite and tolerance] limits are set and why and how they are adjusted in response to changing circumstances.”8
The “Sound Practices” document of 2011 also required a clear articulation of risk appetite, stating that the framework documents must:
… describe the bank's accepted operational risk appetite and tolerance, as well as thresholds or limits for inherent and residual risk, and approved risk mitigation strategies and instruments . . .9
Documenting this description remained a challenge for banks, as they attempted to articulate a risk appetite for errors occurring due to inadequate or failed processes, people, systems, or external events. The simple answer is, of course, we don't want any mess-ups. But a bank or a fintech cannot have a risk appetite of zero, as this is not tenable.
Neither the U.S. regulators' AMA guidance nor the Committee of European Banking Supervisors guidelines on operational risk offered any further assistance with these challenges, making little or no mention of risk appetite. The only additional guidance that had been offered out of the Bank of International Settlements (BIS) is a footnote in their “2012 Core Principles for Effective Banking Supervision”:
“Risk appetite” reflects the level of aggregate risk that the bank's Board is willing to assume and manage in the pursuit of the bank's business objectives. Risk appetite may include both quantitative and qualitative elements, as appropriate, and encompass a range of measures.10
As a result, a fairly complex, and at times inconsistent, nomenclature had arisen in this element of the framework.
In 2007 the United Kingdom's Financial Services Authority (FSA) conducted a study11 into the range of practices being used to define and use operational risk appetite and tolerance within the operational risk frameworks of banks. They identified a very wide range of practices and simply summarized their findings to show the many ways that these terms were being used and thresholds being set.
FIGURE 14.3 FSA Findings on How ORA Can Be Defined or Articulated at Several Levels Using Varying Metrics
Figure 14.3 is a reproduction of the diagram that the study used to demonstrate the many ways that risk appetite and tolerance could be managed. In their paper, the FSA refers to operational risk appetite as ORA and notes that qualitative and quantitative approaches were being developed across the industry.
This broad range of practices was noted, but not particularly criticized, and firms continued to take a slow-paced approach to the development of this element of their operational risk framework.
However, in 2009, the Senior Supervisors Group (SSG), which includes the major national banking regulators from Europe and the United States, issued a report, “Risk Management Lessons from the Global Banking Crisis of 2008”12 (the “2009 SSG report”). This report, in the SSG's own words, “reviewed in depth the funding and liquidity issues central to the crisis and explored critical risk management practices warranting improvement across the financial services industry.”13 Two of the key findings of weakness were (1) the lack of robust risk appetite frameworks and (2) weaknesses in information technology (IT) infrastructure and data.
To further address these two items, in 2010 SSG issued “Observations on Development in Risk Appetite Frameworks and IT Infrastructure.”14 Therefore, while Basel was silent on more guidance on risk appetite, the national regulators offered their views on their expectations around risk appetite frameworks.
In 2015, BCBS updated their Corporate Governance Principles for Banks and provided additional guidance for banks that were looking to implement effective risk appetite frameworks. BCBS incorporated much of the language used by the SSG and provided the following definitions:
| risk appetite | The aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan. |
| risk appetite framework (RAF) | The overall approach, including policies, processes, controls and systems, through which risk appetite is established, communicated and monitored. It includes a risk appetite statement, risk limits and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the bank, as well as to its reputation vis-à-vis policyholders, depositors, investors and customers. The RAF aligns with the bank's strategy. |
| risk appetite statement (RAS) | The written articulation of the aggregate level and types of risk that a bank will accept, or avoid, in order to achieve its business objectives. It includes quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also include qualitative statements to address reputation and conduct risks as well as money laundering and unethical practices.11 |
The SSG's approach to risk appetite continues to be a helpful framework when considering how to implement an effective risk appetite framework. This approach applies to all aspects of the risk framework, not just the operational risk framework.
This brings us to the most recent guidance from BCBS, “Revisions to the Principles for the Sound Management of Operational Risk,” which was published in March 2021. BCBS acknowledged that “several principles had not been adequately implemented, and further guidance would be needed to facilitate their implementation,” and they included “articulation of operational risk appetite and tolerance statements” as one of those areas.12 They finally dedicated a whole principle to providing guidance on how to determine and articulate a risk appetite for operational risk:
Principle 4: The board of directors should approve and periodically review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk the bank is willing to assume.
26. The risk appetite and tolerance statement for operational risk should be developed under the authority of the board of directors and linked to the bank's short- and long-term strategic and financial plans. Taking into account the interests of the bank's customers and shareholders as well as regulatory requirements, an effective risk appetite and tolerance statement should:
- be easy to communicate and therefore easy for all stakeholders to understand;
- include key background information and assumptions that informed the bank's business plans at the time it was approved;
- include statements that clearly articulate the motivations for taking on or avoiding certain types of risk, and establish boundaries or indicators (which may be quantitative or not) to enable monitoring of these risks;
- ensure that the strategy and risk limits of business units and legal entities, as relevant, align with the bank-wide risk appetite statement;
- and be forward-looking and, where applicable, subject to scenario and stress testing to ensure that the bank understands what events might push it outside its risk appetite and tolerance statement.
27. The board of directors should approve and regularly review the appropriateness of limits and the overall operational risk appetite and tolerance statement. This review should consider current and expected changes in the external environment (including the regulatory context across all jurisdictions where the institution provides services); ongoing or forthcoming material increases in business or activity volumes; the quality of the control environment; the effectiveness of risk management or mitigation strategies; loss experience; and the frequency, volume or nature of limit breaches. The board of directors should monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.13
Banks and fintechs can now use this additional guidance to evaluate whether their risk appetite frameworks are appropriate and complete.
IMPLEMENTING A RISK APPETITE FRAMEWORK
SSG had three key findings regarding risk appetite in 2010 that continue to resonate today, more than 10 years later:
- Many firms had made progress in conceptualizing, articulating, and implementing a risk appetite framework (RAF).
- An effective RAF greatly improves a firm's strategic planning and tactical decision making.
- Strong and active engagement by a firm's board of directors and senior management plays a central role in ensuring that a RAF has a meaningful impact on the organization.
SSG also observed three important characteristics that led to a more effective implementation of a risk appetite framework:
- Strong internal relationships at the firm.
- The board of directors ensures that senior management establishes strong accountability for the risk appetite, with clear incentives and constraints for business lines.
- A common risk appetite language is in use across the firm, expressed through qualitative statements and appropriately selected risk metrics.
SSG provided further guidance on implementing a risk appetite framework under the following categories, and we consider each in turn.
- The Risk Appetite Framework as a Strategic Decision-Making Tool
- Risk Appetite Governance: The Board, “C-Suite,” and Business Lines
- Promoting a Firmwide Risk Appetite Framework
- Monitoring the Firm's Risk Profile within the Risk Appetite Framework
The Risk Appetite Framework as a Strategic Decision-Making Tool
Having a risk appetite framework in place allows for business decisions to be considered in the context of risks being taken relative to the board or senior management's appetite for risk.
For example, a decision to expand a business line should include considerations of how the risk profile may change with that expansion. If that change is well understood and meets with the approval of the senior management, then the expansion will proceed. In contrast, if the risks in an existing business are either beyond the appetite of the firm or are not well understood, then the risk appetite framework can facilitate exiting that business for risk reasons.
Risk appetite discussions often lead to important related discussions on the strategic direction of the firm and its core competencies. Firms have often taken a step back and spent time rearticulating their strategy and business goals before moving forward with linking these to their risk appetites.
Putting a written risk appetite statement down on paper is challenging and usually results in a very-high-level statement that expresses the strategic priorities of the firm. The BCBS Corporate Governance definition of risk appetite provides additional guidance to banks on this:
The written articulation of the aggregate level and types of risk that a bank will accept, or avoid, in order to achieve its business objectives. It includes quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also include qualitative statements to address reputation and conduct risks as well as money laundering and unethical practices.14
A clear risk appetite should be resilient enough to prevent business lines from drifting away from the core strategy of the firm and to assist the firm in staying within its own strategic plans. However, it should also be able to evolve to reflect changing business environments and strategic decisions to move in a new direction.
Appetite Governance: The Board, “C-Suite,” and Business Lines
SSG clearly outlined that in order for a RAF to be successfully implemented, the relative roles and responsibilities of the board, senior management, and the business lines should be as follows:
- The board of directors, with input from senior management, sets overarching expectations for the risk profile.
- The CEO, CRO, and CFO translate those expectations into incentives and constraints for business lines, and the board holds the businesses accountable for performance related to the expectations.
- Business lines, in turn, manage within the boundaries of these incentives and constraints, and their performance depends in part on the RAF's performance.17
This can be illustrated using an amended appetite triangle, as shown in Figure 14.4.
Successful risk appetite governance relies on a strong and well-informed board, a good partnership among the senior management team, and a business strategy and budgeting process that is integrated and transparent.
FIGURE 14.4 Risk Appetite Governance
Promoting a Firmwide Risk Appetite Framework
There is still a wide range of practice today in how widely a firm's risk appetite statements and approaches are disseminated across the firm. Some firms educate only those in senior roles and in business areas where risk is actively managed. Others will run a town hall campaign to ensure that every member of the firm understands the risk appetite of the firm and how to manage within it.
Operational risk is unique in this area, as every member of the firm does actively manage operational risk in some way. Whether they are a security guard, a bond trader, a controller, an IT programmer, or a client relationship manager, all staff will manage the risk of inadequate or failed people, process, systems, or external events.
For this reason, once an operational risk appetite is stated and an approach is established for the risk appetite framework, it will likely be important to include training and awareness on this subject in any firm-wide operational risk training that is rolled out.
The most effective way to embed the framework is to hold people accountable for remaining within that appetite. In some firms, the consequences of nonadherence to risk principles or appetite statements can lead to loss of compensation, loss of promotion opportunity, or even dismissal from the firm.
Monitoring the Firm's Risk Profile within the Risk Appetite Framework
Setting limits for market and credit risk is a fairly clear-cut process. Limits can be set for traders, for trading desks, for business lines, and for the firm. Value at risk (VaR) limits can be set and monitored and business decisions taken with reference to those limits and the current use of the limits. Credit can be denied to counterparties that have credit profiles that are outside the credit risk appetite of the firm. BCBS defines risk limits as follows:
Setting “limits” for operational risk is very challenging. Unlike market and credit risk, in operational risk it is not possible to simply unwind a position to get back under a risk limit. When the operational risk loss is identified, the event has already occurred, and the loss is realized. Unwinding a position may not reduce the operational risk. It is also not feasible to set a “limit” on how many mistakes you can make.
However, there are mechanisms for monitoring operational risk, other than the use of limits.
MONITORING OPERATIONAL RISK APPETITE
In operational risk, it may be inappropriate to consider having an appetite for some risks. For example, should a firm have a set appetite for internal fraud? For this reason, it can be helpful to consider risk tolerance instead. What level of internal fraud will the firm tolerate, even though its appetite is zero?
Using the language adopted earlier in the chapter, let us consider possible risk capacity, appetite, tolerance, and limit statements for operational risk. See Figure 14.5.
FIGURE 14.5 Operational Risk Appetite Framework
Risk Capacity
The risk capacity for operational risk is the same as for all risk for the firm, as it is the total risk that the firm can withstand, and generally would be expressed in terms of its capital ratios or liquidity.
Operational Risk Appetite
Corporate operational risk appetite statements are likely to be qualitative statements, stating the amount of risk the firm chooses to take, is willing to take, or is not willing to take. In operational risk, these statements are often purposefully broad (vague even) as accepting operational risks as being within the appetite of the board or senior management is generally not palatable. Examples of such statements could be:
- The firm will comply with laws and regulations.
- The firm will avoid business activities that may have adverse reputational impact.
- The business is an equal opportunities employer.
- The firm will invest in a robust infrastructure to support its business.
Operational Risk Tolerance
Many of the regulatory rules interchange the terms appetite and tolerance, but a semantic difference between them is particularly useful in operational risk management. While operational risk appetite statements will need to be necessarily broad, operational risk tolerances can be much more specific, as they can outline specific levels of the risk that the firm is willing to take, in the context of the broader risk appetite statements. For example, some might be black-and-white qualitative statements:
- The firm has zero risk tolerance for internal fraud.
Others might be more quantitative:
- Total annual operational risk losses will not exceed 1 percent of revenue.
- Total annual operational risk losses will not exceed $500 million.
- Employee turnover should not exceed 15 percent.
- High-risk audit items will be resolved within 90 days.
- High residual risks identified in an RCSA will be mitigated or accepted within three months.
Operational Risk Limits/Indicators
While operational risk does not lend itself to limits in the same way that market and credit risk do, it does have many ways in which risk levels can be monitored. The choice of operational risk tolerance statements will drive the tools that are used to monitor risk levels. Each of the four main building blocks of an operational risk framework offers opportunities for articulating and monitoring operational risk appetite.
Losses
Tracking operational risk events against tolerance statements can provide a view into the current level of operational risk. While losses are not forward-looking, there may be a tolerance statement regarding the number or size of losses, and these can be tracked by business line, by risk category, and by cause.
If losses are approaching thresholds that may exceed the tolerance statement, then the risk would be escalated to senior management for a decision on any necessary mitigating actions.
For example, a new business might be expected to keep its operational risk loss events below a certain percentage of revenue in order to have approval to continue.
Capital
If an AMA approach is being taken to operational risk capital, then the capital levels will move as losses are incurred, scenarios change, and business environment internal control factors change. If a firm has adopted the new Standardized Approach, then capital requirements will move with changing losses. Some firms set risk limit statements for their operational risk capital, requiring escalation to senior management if those levels are breached.
RCSA
When we explored the use of scoring in RCSAs in Chapter 10, we were in effect building risk tolerance. For example, if a scoring matrix is used for risk impact, then this assumes that the risk tolerance is set at the low, medium, and high levels that are expressed in that matrix. The example scoring matrix can be seen again in Table 14.1.
These qualitative risk impact tolerance statements allow for RCSA reporting that expresses the level of risk as against the risk tolerance of the firm. In Chapter 10, we saw that scoring methods for controls and risk impacts can be developed and combined to produce an overall risk severity score, as in Figure 14.6.
TABLE 14.1 Impact Scoring Example
| Impact Type | Low | Medium | High |
|---|---|---|---|
| Financial | Less than $100,000 | Between $100,000 and $1 million | Over $1 million |
| Reputational | Negative reputational impact is local. | Negative reputational impact is regional. | Negative reputational impact is global. |
| Legal or Regulatory | Breach of contractual or regulatory obligations, with no costs. | Breach of contractual or regulatory obligations with some costs or censure. | Breach of contractual or regulatory obligations leading to major litigation, fines, or severe censure. |
| Clients | Minor service failure to noncritical clients. | Minor service failure to critical client(s) or moderate service failure to noncritical clients. | Moderate service failure to critical clients or major service failure to noncritical clients. |
| Life Safety | An employee is slightly injured or ill. | More than one employee is injured or ill. | Serious injury or loss of life. |
FIGURE 14.6 RCSA Risk Severity Scoring Matrix
Therefore, RCSA outputs can be used as a tool to monitor risk levels against the tolerance of the firm. In this example, if the tolerance statement states that all high risks must be remediated or accepted with a certain time period, then the RCSA is the tool by which that situation can be identified and tracked. When a risk reaches a level that breaches the threshold for “high,” then necessary action can be taken.
Metrics
There are many metrics that can be used to monitor risk levels against risk tolerance statements. Any metrics that are identified as part of the operational risk KRI program should have thresholds set and should be used to produce reporting that allows for escalation of risks that are moving beyond the operational risk tolerance of the firm. As discussed in Chapter 9, the monitoring of business environment and internal control factors is an important element in the operational risk framework.
While RCSA provides monitoring at a fairly high level, metrics allow for monitoring at an individual control level, and sometimes, when a true KRI is identified, at the individual risk level. The risk appetite and tolerance of the firm are therefore very important when setting appropriate thresholds for metrics, as these metrics can then be used as “limits” for monitoring. The correct threshold will allow for appropriate escalation of rising risks so that business decisions can be made to keep the firm within its operational risk and appetite and its tolerance in the risk category.
RISK APPETITE TODAY
Risk appetite is a key area of concern for the board of a bank or fintech and needs to be effectively articulated and monitored. The regulatory expectation is now established that risk appetite must be articulated, and operational risk needs to be part of that articulation. Annual reports now include extensive sections addressing how risk appetite is established and governed, although the detailed risk appetite statements are rarely shared publicly and operational risk appetite is often expressed in only qualitative terms.
While it remains a challenging element in the framework, more and more senior management teams and boards are recognizing the benefits of setting appetites and tolerances to help ensure that the firm remains within its chosen strategic path and within its chosen risk boundaries.
KEY POINTS
- Operational risk appetite is a regulatory requirement under Basel.
- There is still a wide range of practice in risk appetite approaches today.
- The board and senior management have responsibilities to set, approve, and monitor risk appetite.
- Risk capacity is the ability of a firm to withstand risk.
- Risk appetite is the firm's willingness to take on risk.
- Risk tolerance expresses specific risk levels that will be acceptable.
- Risk limits/levels set thresholds for indicators above which escalation is required.
- Losses, RCSA, and KRIs all provide ways to monitor risk levels.
REVIEW QUESTION
- Under Basel II, the board of directors has which of the following responsibilities for the firm's operational risk appetite statement?
- Review and approve
- Review only
- Approve only
- Develop, review, and approve
NOTES
- 1 Bank for International Settlements, “International Convergence of Capital Measurement and Capital Standards: A Revised Framework,” 2004, section 737.
- 2 www.bis.org/publ/bcbs96.pdf, 4.
- 3 Ibid., section 21.
- 4 Ibid., section 41.
- 5 www.bis.org/publ/bcbs195.pdf, 5.
- 6 Ibid., p. 6, footnote 12.
- 7 Ibid.
- 8 Ibid., section 19, 5.
- 9 Ibid., section 27(c).
- 10 www.bis.org/publ/bcbs230.pdf, footnote 51.
- 11 Bank of International Settlements, Banking Basel Committee on Banking Supervision, “Guidelines – Corporate Governance Principles for Banks,” July 2015, https://www.bis.org/bcbs/publ/d328.htm.
- 12 Bank of International Settlements, Banking Basel Committee on Banking Supervision, “Revisions to the Principles of the Sounds Management of Operational Risk,” March 2021, https://www.bis.org/bcbs/publ/d515.htm.
- 13 Ibid., 8–9.
- 14 See note 11.
- 15 See note 11.