Risk Governance
In this chapter, the concept of a Risk Appetite Framework (RAF) is described and its elements are identified. An explanation of a well-developed RAF’s benefits will also be given and the best practices for a firm’s Chief Risk Officer (CRO), CEO, and Board of Directors will also be studied.
In individual business lines, the role of the RAF in risk management within the organization and effective procedures when a company’s risk profile is being monitored for RAF adherence shall be discussed. The company with a robust risk data infrastructure has advantages which this chapter seeks to explore, in addition to giving a description of the key elements of an effective policy for managing IT risk within the organization.
Finally, the factors causing poor or fragmented IT infrastructure in a firm will be described with an explanation of a firm’s problems and effective procedures for aggregating data.
For a firm’s strategic planning and tactical decision-making to improve, there must be an effective RAF and a robust risk data infrastructure, as these make the firm more forward-looking, flexible, and proactive. It is a common practice by some organizations to establish their risk appetite parameters and make sure that they have timely and accurate quantitative risk data as well as the ability to quickly adjust positions during a negative market event.
Since CEOs, CROs, and CFOs have the biggest influence when it comes to business strategy and risk management decisions, a more effective RAF will be generated when they work closely with the board of directors. For implementing IT risk infrastructure projects, the financial and human capital required have to be sufficient so as to create better results.
As outlined by the Basel Committee on Banking Supervision, the approval and overseeing of a bank’s overall risk strategy implementation, including its risk tolerance, is the responsibility of the board of directors.
A wide variety of approaches have been taken by firms in the RAF adoption that ranges from brief and qualitative to complex, lengthy, and quantitative. The different views on the outlook of an RAF are reflected by these approaches in addition to the different stages of development of the frameworks across firms.
Most firms have their RAF clearly related to their strategic planning. The following are some observations made through studies:
An explicit forward-looking view of a firm’s desired risk profile is established by the RAF in a variety of scenarios and sets out the process for achieving that risk profile. A risk appetite statement (RAS) establishing boundaries for the desired business focus is the starting point of a risk appetite framework and it should articulate the desired approaches the board wishes to take for a variety of businesses, risk areas, and product types.
The statement should provide the senior managers with both guidance and constraints in pursuit of the company’s strategy. It should also be relatively simple, easily communicated, resonating with multiple stakeholders, and frequently referenced.
Developed RAFs should be flexible and responsive to environmental changes, despite the difficulty of forecasting market conditions with certainty over time. Risk appetite should also be definitive and consistent in order to contain strategic drift.
The uses of a company’s RAF in framing discussions and decisions on the strategic direction of the firm range from deliberations concerning possible acquisitions to new business lines or new products.
To prepare for the unexpected, regular discussions on the management of unexpected economic or market events in a given jurisdiction or products are reviewed and conducted by companies whose RAF is more developed. The effects of these business decisions on the consolidated entity should be the most important consideration taken into account.
In their quest for producing accurate results, companies still face significant challenges when they rely on a comprehensive risk data infrastructure. This is despite there being a consensus among firms concerning the usefulness of stress testing and scenario analyses in the measurement of risk level and prospective risk appetite.
These are some noteworthy observations made by studies about industry players:
The RAF explicitly describes the boundaries within which management is expected to operate. For the RAF to be implemented effectively, the framework should be communicated starting from the top of the organization.
The roles assigned by these firms whose RAFs are developed are as follows:
The formulation, monitoring, and assessment of a company’s RAF are supported by engaged boards in most leading companies. If a significant amount of time and effort is invested to articulate the risk appetite statement of the company, then there will be greater stakes in making sure that there is proper implementation. Decision making will thus be guided throughout the firm by the board.
An active and iterative review process is usually applied by stronger boards for an effective RAF to be driven. The company’s risk appetite statement is shaped by the board who, jointly with the management, regularly works to align the framework with that statement.
Another popular practice is having a clear process for discussing and determining when the RAF should be adapted to changing circumstances. The management can, therefore, ensure that the board is fully conversant with the risk profile of the firm.
Engaged board members have a sophisticated understanding of financial and risk concepts. An appropriate board composition is critical to the effective performance of the board’s duties. Some firms have adjusted their board composition to secure a suitable level of expertise for monitoring risks and setting expectations.
Furthermore, extensive training is provided by most firms to board members for their shortcomings to be fully addressed. The subjects of the training range from derivatives to capital adequacy.
For risk appetite adherence to be set and monitored, the right information must be received. Finally, the 2007-2009 crisis reemphasized the importance of reputational risk as a key focus, with all firms attempting to incorporate its assessment into their RAFs to protect their brand.
For a successful implementation of the RAF throughout the firm, there should be strong support at the level of the CEO. By referencing and applying the RAF to support strategic decisions, a strong message is sent about the significance of the framework.
The stature of the risk management function can be further strengthened by the willingness of the CEO to give the CRO the final word on many risk decisions. This relationship is very crucial and extends to the board and the board risk committee who are sometimes encouraged by the CEO to directly contact the CRO.
The transparency of the framework and the dissemination is increased by a strong alliance between the CFO and the CRO as it underscores the interplay and the important relationship between risk strategy and budgetary considerations including the common approaches engendered by the RAF. Both the CFO and CRO can report to the board or the board risk committee at every meeting on the risk profile of the company relative to the risk appetite statement.
The connection between the business strategy and the budgeting process is an important element in the process of building an RAF. To ensure an alignment of each business strategy with the company’s desired risk profile, the RAF is a useful tool.
Through the RAF, the board and the senior management can understand how much the medium-term business plans of one business line need to be adopted for the business proposal by another business line to proceed.
The occurrence of proposals outside some given parameters is reduced by the existence of a clear RAF that is well communicated to the business lines. Therefore, the firm may be prevented from unknowingly drifting from its initial risk appetite as market conditions change.
For most firms, there is an adequate integration of the RAF with new product initiative processes.
For an entire company to be committed to a successful framework, a set of incentives and consequences should be established by companies whose RAFs are more developed. The directors and senior management of the firms carefully consider how adherence to the RAF can be incentivized and how the repercussions of ignoring it are communicated.
A lack of a clear agreement about the scope and reach of the RAF within a company is a common occurrence among senior leaders. To ensure a strong understanding of the risk culture and decision-making process, most firms involve new staff in risk and capital committee meetings.
There should be an ongoing and iterative assessment of a firm’s consolidated risk profile against its risk appetite. The connection between a firm-wide risk profile and its risk appetite is monitored through quarterly reviews of the RAF.
The firms test whether the consolidated risk profile remains aligned with the business practices limits and stress performance expectations constituting their RAFs. The following observations were made by studies:
Multiple metrics are combined by firms whose RAFs are developed to deliberately assist in the management and mitigation of downside risk. The metrics applied should range from the dynamic and forward-looking to static and point-in-time; they could include:
For a long time, inadequate IT systems had hindered the ability of many firms to manage financial risk during the rapid and intense unfolding of market events. This raised the need for companies to build more robust infrastructure systems. Hence, many companies began projects aimed at improving IT infrastructure, particularly those addressing the aggregation of risk data.
The fragmentation of the current IT infrastructure leading to slower risk management remediation projects is due to the following factors:
Timely and accurate aggregation of data is important for reporting on credit, market, liquidity, and operational risks. Accurate information is a necessity when making decisions on the strategic direction of companies as it assists in setting the risk appetite and managing those risks according to rapidly changing economic or market circumstances.
An assessment of risk data requirements and gaps within the IT systems needs to be included in the strategic planning processes. With a highly developed IT infrastructure, a firm should be able to clearly articulate, document, and communicate internal risk reporting requirements.
Companies whose IT infrastructure is developed usually bring together senior IT governance functions, business line units, and IT experts. They usually define standards and internal risk reporting requirements so that their business lines and IT units operate within an enterprise-approved framework.
An effective partnership at a company is usually underpinned by the following factors:
To ensure that timelines and deliverables are met, companies successful in aligning IT strategies with the needs of business line managers and risk managers possess strong project management offices (PMOs).
Data administrators and data owners are often appointed in companies that implement IT projects effectively, so as to ensure data accuracy, integrity, and availability.
The ability to automate data flows and to keep the manual intervention required to compile critical data low is an important attribute. Companies with leading practices rarely rely on manual intervention and manual manipulation of data. Their risk data aggregation is largely automated to increase the timeliness of internal risk reporting while minimizing operational risks linked to human error.
The overall value of internal risk reporting can be undermined by the failure to aggregate risk data in an accurate, timely, and comprehensive manner. Consolidated platforms and data warehouses employing common taxonomies have permitted rapid and relatively seamless data transfer, thereby facilitating a firm-wide view of risk.
Data aggregation processes have to be applied by leading firms to cover all relevant transactional and accounting systems and data repositories to maintain a comprehensive coverage of management information system (MIS) reporting. MIS practices usually include a periodic reconciliation between risk and financial information.
Firms should be able to compile internal risk data on the basis of a legal entity. It was clearly demonstrated by the financial crisis that firms should manage their legal and geographic risks associated with a global cross-border financial marketplace.
One of the problems hindering accurate and comprehensive firm-wide aggregation of risk data is the lack of integrated systems and platforms. Firms whose IT infrastructures are developed usually apply the following practices to effectively aggregate risk data:
The ability of management to reduce the application of MIS is often undermined by capacity constraints, especially during periods of stress. Establishing appropriate planning and testing to handle volumes for both steady-state and stressed-volume scenarios is currently possible for most firms. However, the inclusion of scenarios involving sharp volume fluctuations is a must for most companies in their capacity planning and testing.
1) The supervisors of Oakland International Bank have to observe several elements for the implementation of the Risk Appetite Framework. Which one is LEAST likely to be considered?
The correct answer is A.
The implementation of the Risk Appetite Framework requires strong accountability structures, a common risk appetite language across the firm, and strong internal relationships.
The commitment of appropriate human and capital resources, clear owners of information, and the appointment of data administrators have to do with the implementation of a comprehensive risk data infrastructure.