How to valuably implement regulatory requirements
In June 2016, an SSM report on governance and risk appetite was published. The report criticizes governance in European credit institutions and addresses the problem that credit institutions do not have sufficient frameworks for drafting and monitoring the risk appetite.
The risk appetite framework sets out how the risk appetite can be specified consistently in an institution from the strategic to the operational level. Hence, it serves as a link in risk governance, enhances risk awareness and fosters the risk culture.
Regulatory requirements for risk appetite frameworks
The 2017 MaRisk amendment stipulates that the management board has to define the institution’s risk appetite for all relevant risks. This is a deliberate decision on the extent to which risks are to be taken, and it leaves room for interpretation as to how this risk appetite could be operationalized. However, the FSB is more specific, and its “Principles for an Effective Risk Appetite Framework” (2013) should be considered the starting point. This paper comprises definitions of terms and guidelines on a risk appetite framework, statement, limits, roles and responsibilities. Further FSB publications supplement this framework paper.
The FSB publication “Thematic Review on Supervisory Frameworks and Approaches for SIBs” (2015), for example, addresses the implementation of international regulatory requirements in the FSB member states. According to the review, German supervision particularly expects that, in the years to come, credit institutions will be challenged by how to integrate the risk appetite into the strategy and how to establish a corresponding risk culture. The term risk culture is further specified in the “Guidance on Supervisory Interaction with Financial Institutions on Risk Culture” (2014, FSB). The board of directors and senior management are responsible for defining basic principles and expectations for the risk culture and have to set it as the “tone from the top”.
Based on the FSB framework paper, the BCBS published a guideline on “Corporate Governance Principles for Banks” (2015, BCBS). This guideline requires a risk governance framework for each credit institution. The framework should contain a methodological derivation of the risk appetite, which has to be considered in a corresponding risk appetite statement. The EBA set out similar requirements in its “Guideline on Internal Governance” in 2017.
The IIA even takes the next step and underlines the fact that a well-elaborated and implemented risk appetite framework and the corresponding risk culture enhance the position of risk management as a second line of defense and its interconnectedness across the entire bank.
As already described in the initial situation, the SSM and SREP push to set up and/or revise a risk appetite framework in credit institutions.
Risk appetite framework enhances risk governance
The risk appetite framework is a crucial prerequisite for effective risk governance, since it creates the strategic, organizational, methodological and behavioral framework.
The risk appetite statement is the core component of the risk appetite framework. It is a written statement of the main risk tolerance for achieving overall bank goals. It should include both quantitative key figures and qualitative statements. Several Anglo-American institutions even publish excerpts of their risk appetite statements at total bank level in their annual reports and thus use them for communication with investors, supervision and rating agencies.
The contents of the risk appetite framework are based on the main statements in the risk strategy, which are then further specified with the help of appropriate metrics and requirements and consistently operationalized through respective limits. The framework sets the “tone from the top” and goes along with the top management definition of a credit institution’s risk culture. At the end of the day, a risk appetite framework thus harmonizes the key elements of risk governance (strategy, organization, behavior and tools/methods).
However, to address regulatory requirements, it is not enough to just elaborate a risk appetite framework for enhancing risk governance. Risk governance can only be fostered if the framework is consistently embedded into bank-wide organization and total bank steering.
Embedding the risk appetite framework into the management process
It is of particular importance to embed the risk appetite framework in the following four areas:
1. Interlock the business and risk strategies
Again and again, the business strategy of a credit institution defines volumes of target portfolios or business segments that do not fit the risk-bearing capacity or regulatory target ratios. Nevertheless, an integrated performance and bank planning is established which will surely miss the goals of the risk strategy.
The risk appetite framework aims to raise awareness for taking and dealing with risks within the risk capacity. According to the business strategy and based on the derived risk appetite and the written risk appetite statement, a range is defined for planning purposes which has to be complied with. Breaches of these provisions require bank planning to be adjusted. This process is often iterative in practice, since bank planning correlates with the risk appetite. For example, excessively planned new business will increase the P&L result and thus also the risk capacity in the years to come. Through this process, the framework helps ensure a consistent business and risk strategy. It prevents risks that do not fit the credit institution’s risk profile from being taken unintentionally and excessively.
It is necessary to align reporting processes with the risk appetite statement. This creates a transparent information basis for business decisions. Credit institutions do not have to reinvent reporting; they can use existing reporting processes instead. The different reporting formats should clearly indicate the key figures of the risk appetite statement and the limits for decision makers.
The reason is that the risk appetite is ultimately operationalized through limitation. The respective limits set the management stimuli for the overall bank. The important total bank limits have to be integrated into the risk appetite statement. As a priority, limits for key risk drivers of the credit institution have to be elaborated according to the risk appetite. In addition to risk type limits, this also includes limits for the concentrations that are actually central (sectors, countries, currencies). The elaborated limits have to be consistently interpreted for the fiscal year and should serve as an orientation for decisions. If the risk situation in a business segment develops worse than expected during the fiscal year, decision makers will have to discuss whether the risk profile still fits the risk appetite established at the beginning of the year. If it turns out that the risk profile does not match the risk appetite, appropriate countermeasures will have to be taken.
3. Harmonization with stress testing
The risk appetite framework has two key interfaces to stress testing. On the one hand, the stress testing and simulation capability is a prerequisite for an effective risk appetite framework. The capability makes it possible to review the statement key figures based on preliminary bank planning. Thus, the risk appetite can be tested in different scenarios and drafted methodologically so that the credit institution still maintains its risk-bearing capacity even in a stress case commensurate with the risk appetite.
On the other hand, the key figures of the risk appetite statement allow for reviewing the stress test results (MaRisk, ICAAP, ILAAP and supervisory stress test).
Clearly specified stress case limits or targets help generate management stimuli, particularly through ongoing stress tests.
4. Staff communication
A separate communication process has to be established for the risk appetite framework, since its announcement within the credit institution is of paramount importance for its effectiveness and thus for the strengthening of the risk governance. All employees and stakeholders have to become aware that the risk appetite framework has become the link and/or core of risk governance. It is advisable to separate the internal and external communication and not to simply provide it via Intranet portals. A cascaded risk appetite statement down to the business segments can support target-group-specific internal communication.
The implementation of a risk appetite framework entails numerous methodological challenges. The consistent alignment of the risk appetite to the bottleneck resources, the allocation of these bottleneck resources, the standardized derivation of limits as well as the cascading to business segments are only a few examples.
Additionally, the risk appetite framework has to be embedded into the organization and management of the total bank for improved effectiveness of the risk governance. If respective interfaces are missing between parts of risk governance, the desired and often well elaborated management effect of individual tools will fizzle out. By embedding it into an individual risk appetite framework, these interfaces can be implemented in a tailored manner.
Thus, the risk appetite framework and statement give risk management the opportunity to preserve its interests during the strategy and planning process and to review planned business models from a risk perspective. This means that the framework is going to change the risk culture regarding the planning and decision-making processes in many credit institutions and, if implemented consistently, will also invalidate the criticism of supervision described at the beginning.
If such a concept defines the rules of the game for possible business transactions already prior to or during the annual planning, the realization of the planning can hardly be seen as a necessary evil during the ongoing business year. Both the fundamental concept and the generally generated added value should be communicated to the staff.
In addition to these economic incentives related to the introduction of a risk appetite framework, we would finally like to point out that, with the current regulations, risk governance and the risk appetite framework have been integrated into the SREP requirement for Pillar I capital requirements. Thus, apparent deficits may lead not only to unused management stimuli, but also to increased capital requirements.