Page 1

Chapter 5 Risk Appetite Risk Appetite: context and objectives Risk appetite is the amount of risk an organization is ready to take in pursuit of its strategic objectives. This concept of risk appetite has gradually made its way into various corporate governance codes since the 1990s1. Nowadays, most corporate governance codes state that the board is responsible for making sure that the monitoring and internal controls of the company are such that the firm operates within its risk appetite. Given its implications for the board, risk appetite has attracted considerable attention since the financial crisis of 2008. This chapter presents the features and challenges in defining risk appetite for nonfinancial risks. It highlights the necessary trade-off between risk and reward, and between a fast-moving organisation and the cost of controls. Building on several established sources such as COSO, it explains the most common recent standard regarding the structure of risk appetite, linking the different parts of a risk management framework. “The Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives (…) and should maintain sound risk management and internal control systems”2. Since they are directly named as responsible for 1 The Cadbury report in 1992, the Turnbull report in 1999 and the Walker Review in 2009, just to name a few. 2 “A Review Of Corporate Governance In UK Banks And Other Financial Industry Entities” , Walker report, 2009.


determining risks, board members generally take a keen interest in defining risk appetites. But this is easier said than done, and many firms or institutions struggle with both the concept and its practical application. Defining a risk appetite means assessing all the possible risks facing an oganization, establishing the boundaries for acceptable and unacceptable incidents, and creating the necessary controls that these limits require. Done thoroughly, risk appetite definition may lead to difficult conversations and highlight painful truths, such as inner contradictions about what an organization officially states and what is happening in reality. Unsurprisingly, some dread the exercise. Yet, one of the key roles of the risk function is to provide conceptual and methodological assistance to define risk appetite. Once the risk appetite is defined, the risk function is responsible for monitoring risk exposure and ensuring that it is consistent with the risk appetite. It must advise on all important business decisions and challenge unacceptable risks3. In addition to a reluctance to uncover inner contradictions, there is another reason why risk appetite struggles for acceptance – namely, the suggestion of ‘appetite’. Why would you have an appetite for risk? Even more so for operational risks, perceived by so many as being purely downside risks? Many prefer the term ‘risk tolerance’, or, for some, ‘risk acceptance’. Regardless of semantics, we believe it is a common, yet fundamental, flaw when financial firms fail to recognize the business revenues that can be generated by taking prudent operational risks.

Reward: the missing piece of risk appetite When choosing an investment portfolio for pensions or savings, we balance the expected portfolio returns with the risk of volatility: the

3 Source: A. Chapelle, M. Sicsic, “Building an invisible framework for risk management”, Operational Risk and Regulation, July 2014.


bigger the volatility, the larger the possible upside, bringing capital gains, but also the larger the possible downside, bringing losses. Some will choose bigger risks in the hope for larger profits, and some will feel more comfortable with less risk for correspondingly smaller returns. When considering a loan to corporates or individuals, a bank will either calibrate its interest rate with the risk of debtor default, or reject the loan altogether if the perceived risk of default is beyond its tolerance. Some banks will be very conservative in their lending policy, while others will accept sub-prime customers and shaky businesses because the revenues that these clients bring to the bank (as long as they don’t default) are significantly larger than the revenues generated from lending to solid businesses and affluent individuals. In other words, it’s a calculated risk. Credit risk and market risk have clearly defined returns in the form of credit margin and capital gains, and the trade-off between risk and return is well understood by financial institutions. Banks never struggle to write a credit risk policy, which is another name for a risk appetite statement for credit risk, or to establish a market risk policy, which is the same thing as a risk appetite statement for market risk. So, why does it seem so difficult for operational risk? Because financial institutions thrive on taking credit risk and market risk, or underwriting risk in the case of insurance companies, but consider operational risk as an annoyance when it is small, a scary threat when it is large, and a regulatory burden in every case. Most financial organizations, even today, simply ignore or choose to ignore the revenues generated by operational risk. When a risk is presented with no indication of potential returns, the rational reaction is to reduce the risk as much as possible. And this will remain so as long as risk managers keep presenting operational risk assessments to the board without highlighting the benefits of taking those risks in pursuit of strategic objectives. The risk appetite (for operational risk, fraud risk, regulatory risk, people risk, etc) will be ‘low’ or ‘zero’ by default. However, one could argue that all the non-financial revenues of banks and insurance companies, particularly fee revenues, are the visible returns of operational risk. Industrial companies and technological companies have very little revenues from financial activities; they do not allocate credit, nor do they manage a trading room or underwrite


insurance policies. All their revenues come from operational activities. Risk management is called operational risk management only in the financial sector, to distinguish it from credit and market risks. I argue that operational risks have a visible return for financial firms: the fee income, and, less visibly, the return from gaining new revenues with new products and new operations. By increasing the size and complexity of a business, you also increase operational risk from, among other things, processing errors, IT failures, and regulatory noncompliance. So how much risk is acceptable and for wich reward? Of course, operational risk, like every risk, has downsides and indeed very large ones; these are the so-called tail risks. The vast majority of operational risk incidents are minor or negligible, but once in a while, things go very wrong. The worst operational risk incidents can wipe out a firm, as happened to Barings, Arthur Andersen, MF Global and Knight Capital. Other risks are large enough to cancel more than a year’s operating revenues, like the embargo fines of BNP Paribas (18 months of gross revenues lost) and the rogue trading at Societe Generale (a loss of one year’s operating revenues). There are also reputation risks that are embarrassing enough to stain a firm’s image for a very long time, such as the LIBOR rigging scandals at Barclays and elsewhere, the tax evasion scandal at UBS, and the fake client accounts at Well Fargo. The benefits of operational risk must always be balanced with the potential for damage or even devastation, as in the examples above. Managing risk is like heating a pan of milk: you must keep your eye on it or it will boil over. Or, to use a better analogy, it’s like handling a rebellious child. It’s not enough to say you won’t tolerate a child’s bad behavior; you must also educate the child, provide guidelines and boundaries for behavior, and apply appropriate sanctions when required. The next section details how comprehensive risk appetite structures should be tied to exposure limits, controls, KRIs and governance of the firm.


Risk Appetite Structure When defining risk appetite, the natural tendency is to express what we do not want. For instance: no major data breach, no incidents causing more than x million of losses, no regulatory breach. What many risk appetite statements fail to specify is how to avoid these events. You must link these statements to the corresponding risk management measures and controls, otherwise risk appetite fails in its primary objective: to guide the level or risk-taking and necessary controls within the organization. Using a funnel analogy, Figure 5.1 expresses the various steps and actions between the strategic objectives of an organization and its tolerance for adverse events. First, the mission and strategy of the organization determines its risk exposure and therefore its inherent risks, either by choice or by constraint. For example, a European bank may choose to expand to the United States and willingly take on the operational risks generated by international growth, such as a different regulatory environment, new labor laws, and increased complexity of processes and communication. For those operating in the US, complying with the US legal and regulatory environments is not a matter of choice: it’s a given. Risk exposure and inherent risks are therefore a result both of choices and compliance. Next, to reduce these inherent risks to a level of tolerable loss, the multiple activities of risk management need to take place: preventive controls, allocation of limits, and guidance and policies to limit residual risks (post controls) to an acceptable level for the firm. Then, if accidents happen, you need early detection and rapid reaction using agreed steps to reduce, as far as possible, the net impact of events, especially in crisis situations. From Natwest outages to LIBOR rigging, from systems failures at British Airways to passenger mistreatment by United Airlines, and from Deepwater Horizon to the Grenfell Tower fire, effective crisis management can mean the difference between saving a reputation or seeing it destroyed. Part 3 of this book focuses on the importance of risk mitigation and controls and chapter 20 explores the interconnections between reputation and resilience.


Figure 5.1 The risk appetite funnel

Mission, Strategy and Exposure

Inherent Risk: Exposure and Threats

Internal controls: Preven on and Guidance Residual Risk Events Incident Management Net damage

Appe te for exposure / Exposure Mandate

Appe te for controls: Costs and me implica ons Residual risks resul ng from exposure + preven on Correc ve controls; mi ga on procedure Loss tolerance

Turning these funnel steps into a table creates an actionable risk appetite structure – one that is being adopted by the financial organizations with a more mature approach to operational risk management. Figure 5.2 presents the five elements of a comprehensive risk appetite framework. Risk appetite statements come first, and they are usually qualitative and organized according to risk categories, even if an overarching statement is common at the top level of the firm. Although risk categorization is the usual way of organizing risk appetite, other options are possible, depending on the firm’s organizational structure. Some firms articulate their risk appetite through board sub-committees, each loosely related to risk types, which has the benefit of linking directly to the governance structure of the organization. Another example is a clearinghouse that defined its risk appetite around its three main business processes, because its activities are organized around these processes, with a different level of risk appetite for each process. Some


organizations may prefer to define risk appetite in relation to the main business lines, because the line management structure is the dominant one and different risk appetite levels apply to different business lines. To define their appetite level, some firms have replaced the classic “low – medium – high” by more colourful words of “Averse”, “Cautious”, “Open”, and “Seeker” / “Hungry”. The latter is reserved for risk types that related to business revenues, such as credit risk for banks, actuarial risks for insurance companies and investment risks for asset managers. Risk taking is typically “Averse”, “Minimal” or “ALARP” 4 for compliance risk, conduct and fraud, while firms will be “Cautious” for operational risk types such as human errors and sytem downtime (depending on nature and frequency of activity, however), that may be too costly to reduce to minimal levels. In the COSO approach5, risk tolerance is the quantitative expression of risk appetite but express the same level of risk taking. This is the approach I favor. However, for many firms, tolerance is the higher level of risk-taking accepted in practice, with an amber, buffer-type zone before reaching the forbidden red zone beyond risk appetite and tolerance. In these firms, risk appetite is seen more as an aspirational safety level than a realistic one. This widespread attitude, however, begs the question of the credibility of the risk appetite limits If you give a higher tolerance, will that become the new norm? Moving goals posts, blurry limits and discrepancies between talk and action have long undermined governance and discipline. There is little room for acceptable deviations in market or credit limits, so why should there be for operational risk? Governance is a necessary condition for effective risk appetite structures, and policies and practices must define what to do and who is accountable for actions when risk limits are breached. Most importantly, once the appetite and tolerance are stated (they are sometimes merged into one statement), the key controls, or systems of control, are documented to support and validate the statements. 4 ALARP: “As Low As Reasonably Practicable” ; a concept commonly used in safety systems and in the military, that raises interest amoing risk managers in the financial industry without still fully picking up. 5 Understanding and Communicating Risk Appetite, Rittenberg & Martens, COSO White Paper, 2012.


Documentation, such as the list of key controls for each main risk type, is particularly useful for demonstrating to internal and external stakeholders, including regulators and clients, that the organization lives up to its objectives. Next, monitoring thresholds and key indicators for control reliability, activity limits and other KRIs should provide management with the relevant information and assurance that the business operates as it should. Direct experience of incidents and near misses, compared with estimates of acceptable limits, reveal whether current actions are appropriate for the frequency and severity of adverse events under the tolerated limits. Monitoring tools and reporting are discussed in Part 4. Figure 5.2 Structure of actionable risk appetite

Risk Appe te • Qualita ve Statements • Implicit risk / reward tradeoff, or pure risk avoidance at a cost • Per risk category

Risk Tolerance • Metrics transla ng appe te • Value at risk, indicators, budget

Key controls • Internal controls and processes ensuring the respect of risk limits

Risk Limits • Key indicators and thresholds • Allow monitoring • Loss budget or incident tolerance

Governance • What to do if limits are breached •  Risks owners & accountabili es

Table 5.1. displays examples of risk appetite and tolerance statements in firms I know or have worked with. Elements of the text have been removed to protect the firms’ information without affecting understanding. Some firms prefer to merge appetite and tolerance in one statement and express the limits of risk-taking in the controls and key risks indicators. Many will express risk appetite through maximum tolerance for events. However, large banks and mature firms have moved away from that practice and instead express their risk appetite through


internal controls to limit certain losses at certain probabilities of occurrence. Continue reading‌.


Profile for John Wiley and Sons

Sample Chapter: Operational Risk Management by Ariane Chapelle  

View a sample chapter of Ariane Chapelle's new book 'Operational Risk Management: Best Practices in the Financial Services Industry'. Order...

Sample Chapter: Operational Risk Management by Ariane Chapelle  

View a sample chapter of Ariane Chapelle's new book 'Operational Risk Management: Best Practices in the Financial Services Industry'. Order...