Risk Appetite: The COVID-19 Trigger to Reassess
The events so far this year provided shockwaves through the many sectors in our economy. While some businesses struggled to stay afloat, relying on government stimulus to remain solvent, the financial sector was dealing with falling asset prices, cash flow and liquidity concerns, and large fund outflows. Most organisations were almost certainly operating with risk outside their comfort level.
Many growth plans have been deferred as organisations try to recover revenues and see out this fog of uncertainty. Organisations are now assessing their business models and strategies in readiness for whatever the post-pandemic environment will start to look like. This 1-in-100 year risk event should serve as a reminder for organisations to re-evaluate and re-assess their risk appetite when reviewing and/or resetting strategy.
The current business disruption raises many questions, including:
* Is the organisation operating outside its risk appetite in the current environment?
* Has the COVID-19 experience caused us to reconsider what our risk appetite truly is?
* Does our risk documentation adequately articulate our risk appetite?
* Have our people been confused about the bounds of our risk appetite when making decisions in these dislocated times?
* How effective is our current reporting against risk appetite? Is it enabling us to respond to evolving risks on a timely basis?
* Are we taking enough risk to facilitate achievement of our objectives, despite the volatile conditions?
This blog explores these questions in the context of the key elements of a risk appetite framework, how the pandemic has renewed the importance of having a robust framework, and how a well-developed risk appetite statement can ensure that risk and strategic objectives are closely aligned.
In Australia, the need for boards of APRA-regulated organisations to set, manage and monitor risk appetite stems from the prudential standard on risk management, CPS/SPS 220. This standard requires organisations to maintain a clear and concise risk appetite statement to address its material risks, and for these statements to convey both acceptable and maximum levels of risk, the process for monitoring to those tolerance levels, and taking appropriate action and reporting against any breaches.
APRA, nor any other regulator provides a silver bullet, and there is no best ‘template’ out there on how to develop a risk appetite framework. However, APRA does periodically review the adequacy of risk appetite statements of regulated entities relative to the CPS/SPS 220 requirements and make recommendations for further improvement where appropriate.
APRA regulated entities are also required to make an annual assessment of the effectiveness of its risk management framework as part of signing its annual APRA risk management declaration in accordance with Attachment A to CPS/SPS 220. This may provide an opportune time to review the adequacy of the risk appetite framework, given its integral nature to the risk management framework.
A Myriad of Approaches
We have observed a wide range of approaches to articulating risk appetite across the financial services industry, and there is no one right way. The approach adopted needs to be fit for purpose and effective for the relevant organisation.
For non-APRA regulated entities, we quite often find that risk appetite is yet to be formally articulated in any level of detail, though this position has shifted over recent years in respect of some types of ASIC regulated organisations.
For APRA regulated entities, we often observe gaps in the qualitative expression of risk appetite and the quantitative expression of risk tolerance across all risk categories.
We often see the use of probabilistic risk tolerance measures (e.g. loss of $x not occurring with more than a y% probability), particularly within the insurance space. This approach can work well where actuarial or financial models support the real-time or frequent measurement of the actual position relative to risk tolerance limits and inform decision-making processes. It can be more problematic in respect of non-financial risks.
In some cases, we have observed complex calculations being applied across relevant KPIs to determine whether the organisation is inside or outside risk tolerance. While there may be a rationale for such approaches (e.g. to get a broader view of the risk position beyond individual indicators), we generally find that it overcomplicates the process.
A calculation-based approach can make it more difficult for individuals within the business to know when they are operating outside of risk appetite, or to determine if making a particular decision would push the organisation outside of its risk tolerance. Further, a calculation-based approach may hide the early warning signals from the tripping of one or more KPIs that are in fact indicative of a breach of risk tolerance.
Getting the Terminology Right
When revisiting risk appetite, it is important to get the definitions of key concepts clear, to facilitate the development of a coherent framework. There is not necessarily any one right way to do this, but the foundational elements of the framework must be well thought through and consistently applied.
The key concepts underpinning any risk appetite framework include:
* We typically define risk appetite as being a qualitative expression of the target level of risk that the organisation is willing to take to achieve its objectives. In better practice risk appetite statements, risk appetite is defined at both the collective and individual risk levels.
* Under CPS / SPS 220, risk appetite is defined as the degree of risk that an institution is prepared to accept in pursuit of its strategic objectives and business plan, giving consideration to the interests of depositors and/or policyholders.
* We typically define risk tolerance as being a quantitative expression of the outer limits of the risk appetite outside which the organisation is not comfortable operating without an action plan to reduce the level of risk within a reasonable timeframe.
* Under CPS / SPS 220, risk tolerance is defined, for each material risk, as the maximum level of risk that an institution is willing to operate within, expressed as a risk limit and based on its risk appetite, risk profile and capital strength.
Risk Tolerance Warning Level
* We typically define the risk tolerance warning level as being a quantitative expression of a level within the risk appetite range at which the organisation is approaching the risk tolerance limit, which acts as an early warning trigger for actions to be taken to avoid a breach of risk appetite.
* We typically define risk capacity as being the maximum level of risk that the organisation is able to take given its resources, objectives and the prevailing environment. Risk capacity is not typically articulated specifically within risk appetite statements, but is given due regard in setting the risk tolerance limits for individual risks at an appropriate level, and articulating the overall risk appetite.
We typically view the interactions between these key concepts as follows:
Key Concepts underpinning the Risk Appetite Framework
Risk appetite serves an organisation best when framed within the context of business goals. The right strategy and corresponding risks cannot be gauged unless one is viewed in the context of the other. Organisations take risks in order to innovate and grow, reducing vulnerability to competition and shocks in the external environment. Risk appetite is really about the type and degree of risk taking deemed necessary in the pursuit of strategy.
An organisation’s strategy and its business objectives must be in harmony with its risk appetite. This is so the organisation understands the risk implications of its chosen strategy, and can re-evaluate its strategy to one with a more suitable risk profile, especially if new risks emerge or existing risks such as a global pandemic suddenly appear on the radar.
When designing risk appetite statements, organisations need to get the hierarchy right, and tailor to its specific needs. These might start off as high-level risk appetite statements at the top, then cascade to be expressed as either risk or objective-focused approaches.
Risk-focused approaches, often adopted in regulated sectors such as banking, superannuation and insurance, articulate appetite in accordance with a risk taxonomy, based on common characteristics of risk (e.g. 20% credit exposure limit in region X). This helps define acceptable levels for each risk and aide monitoring. If done in isolation, it can result in managing risk in silos. An objective-focused approach is closely aligned to the organisation’s strategy (e.g. grow our digital channels) but requires a strong understanding of its risk profile.
As the organisation cascades risk appetite throughout the organisation, these high-level statements and limits become more and more specific, eventually based on a detailed set of measures and limits at the day-to-day level. If overly detailed and complex to derive, it becomes impossible to aggregate back up into timely information for decision-making at executive management levels. Conversely, if risk statements are too generic, they cannot be applied with any precision. Striking a good balance is key.
There is no one right way to structuring the documentation of an organisation’s risk appetite framework, it simply needs to be fit for purpose.
Depending on the scale and complexity of an organisation, the risk appetite may be articulated in its entirety within a stand-alone risk appetite statement document, or a section within / attachment to the risk management strategy / framework document.
It may instead be comprised of a range of documents, with cross references between the high-level risk appetite statement and the risk tolerances and operational risk limits set out in various policy documents and operational system specifications.
Most organisations with developed risk frameworks will have existing risk management mechanisms to deploy risk appetite statements set by boards and disseminate throughout the organisation. The tricky part is communicating appetite so as not to become an abstract idea conceived by boards that lacks understanding and effectiveness throughout the business.
Communication must come from the top down and be endorsed at the highest levels of the organisation to demonstrate that implementation is valued by leaders and decision makers.
Communication styles need to resonate across all stakeholder groups and at varying levels within the organisation, so managers and employees can understand risk in the context of their roles. It should be jargon free and easy to digest. Risk training and an effective risk awareness program can support this. In particular, face to face risk training on risk appetite can facilitate engagement and draw out questions to improve awareness and understanding, and identify opportunities for further enhancement.
The depth of documentation distributed can be differentiated by level to get cut through and ensure relevance to role. For example, the complete risk appetite statement may be provided to the board and executives, while summary handbooks with guiding principles can be provided to business unit managers and staff.
Once strategy and objectives are set, the focus shifts to execution by those responsible for the day to day running of the business. Setting appetite allows boards to set boundaries for acceptable variation in performance using measures, or metrics. Some more mature organisations that can produce good, reliable data can develop indicators to alert management when acceptable boundaries are about to be hit, or exceeded. When boundaries are crossed, this can prompt discussions with executives and boards to take affirmative action.
These boundaries are often easier implement and monitor for financial risks, as the metrics used to measure these risks, such liquidity coverage ratios and credit concentrations limits, can be expressed as a quantified amounts. For so many superannuation funds, the impact of the pandemic forced them to re-evaluate portfolios and strategies after acceptable limits were triggered following unprecedented member withdrawals. Quantifiable appetites can also make it simpler to cascade (or impose) limits on various business units.
By contrast, non-financial risks, often defined as ‘anything other than a financial risk’ includes broader risk categories such as market conduct, cyber security and regulatory or compliance risk. The nature of such risks makes it more difficult quantify, so it relies on risk appetite to be expressed as detailed descriptive statements and requires judgement and closer attention to monitor to acceptable boundaries.
Organisations must also implement a feedback loop so that the risk appetite set at the highest levels are informed by the specific limits and measures established at the business unit level. If an organisation continually trips set limits, perhaps there is an opportunity to re-calibrate risk appetite. The feedback loop should also facilitate the further refinement of the risk appetite statement where a lack of clarity or differing interpretations are identified as part of implementing the risk appetite statement through on-going decision-making within the day-to-day business operations.
A strong risk appetite will provide increased clarity to boards, senior executives and staff at all levels on the risks the organisations is willing to take to accomplish its goals. In the end, there is no right or wrong way to approach developing a risk appetite framework, but it must be an ongoing and evolving process to help navigate volatile environments. As this pandemic has created a major dislocation to our current operating rhythms, it is an ideal time to re-evaluate risk appetite to help organisations through the current uncertainty and in readiness for the future.
Hall Advisory specialises in governance, risk, compliance and strategic advisory services across the financial services sector.
In respect of risk appetite, we are well placed to assist you with:
* Development, enhancement and implementation of risk appetite frameworks, including board risk appetite workshops.
* Independent review of risk management frameworks, including adequacy and effectiveness of risk appetite frameworks.
* Risk management training.
* Integration of risk management and strategic planning frameworks.