Cascading the risk appetite For one firm, the journey to embed risk appetite into the operational infrastructure of the organization started at the top. Following discussions with the board, the CEO issued a formal policy that risk appetite has to be defined before the business plans are written. The goal was to connect the risk appetite process to the business, rather than simply making it a “big group-level exercise.” The firm started in 2008 at the holding level, establishing metrics around a range of things such as capital, liquidity, return on equity, operations, pension risk as a proportion of total risk, and diversification by geography and line of business. According to the CRO, the tolerances have to be relatively large at the group level with a fair degree of flexibility. From the holding level, the risk appetite-setting process cascades downward to the major legal entities and then within the entities down to individual countries, and finally to individual lines of businesses. The firm does medium-term outlooks for geographies and businesses and each is required to develop an upfront statement of risk appetite. The firm believes that the risk organization, which is driving this process, is making steady progress communicating to and engaging with the businesses to integrate risk appetite into the planning cycle, and says the effort has helped focus the businesses on the impact of risk. As with any change in a large, complex organization, getting people to do something they didn’t have to do before is always a challenge. As the CRO sums up, “The risk appetite initiative is already an accepted process, because we have told everybody it’s an accepted part of the process, but next year it will be more accepted, and hopefully the year after that it will just be business as usual.”
Integrating risk planning at the business level One firm has recently created a much more formal requirement and process for the business units to conduct an assessment of their individual risk appetites as part of their annual planning exercise. The senior management team together with the board has established five key financial metrics or indicators as a baseline and asks the individual business units to include an additional three metrics pertinent to their business. They then must assess their sensitivity to each of those metrics responding to a series of questions such as: What scenarios are you willing to see — 1 in 7? What if that moved to 1 in 25? What’s your top-down expectation? What does your book actually produce? Then using the firm’s economic model, these assumptions and various scenarios are stress tested to see how they hold up. Based on the assessment of risk appetite, unit leaders are asked to develop a risk plan for the business. The CRO meets with the risk and finance directors and their teams to review the plans as part of what the firm calls a risk executive dialogue. The bank has formally embedded reverse stress testing into the risk appetite framework, which helps identify how they would be impacted by the stress, assess their capacity to cope with further stress, and determine at what point the business model is no longer viable. According to the CRO, “Reverse stress testing is one of the big things that regulators have hit on which is really very useful.”
26