Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions

After completing this reading, you should be able to:

• Describe best practices for the implementation and communication of a risk appetite framework at a firm.
• Explain key challenges to the implementation of a risk appetite framework and describe ways that a firm can overcome each challenge.
• Assess the role of stress testing within a risk appetite framework, and describe challenges in aggregating firm-wide risk exposures.
• Explain the lessons learned in the implementation of a risk appetite framework through the presented case studies.

Risk Appetite – Definition

Several definitions that explain what risk appetite is exist, but they all bring out the same concept. One definition is that risk appetite is: “a firm’s view on how strategic risk-taking can help achieve business objectives while respecting constraints to which the organization is subject.”

Another definition says that “risk appetite is the amount and type of risk that a company is able and willing to accept in pursuit of its business objectives.”

The creation and implementation of a robust risk appetite framework is a crucial part of any risk management practice.

To define a company’s risk appetite, one needs to come up with a document called a “statement of risk appetite.” This is the document that outlines and brings the needs of all stakeholders together by acting both as a governor of risk and a driver of current and future business activity.

The statement of risk covers all risks, in both qualitative and quantitative aspects. A risk appetite framework is, therefore, a structure that is put in place to outline a firm’s approach to the management, measurement, and control of risk.

Best Practices for the Implementation and Communication of a Risk Appetite Framework

Time and Resources

A good risk appetite framework will require time and significant intellectual and financial resources. Recognition of the need to strengthen risk management and governance arrangements by a firm’s leadership ensures that the necessary resources are made available. The leadership needs to understand that creating and implementing a risk appetite framework goes beyond simply meeting regulatory requirements.

Firm-specific Framework

Different firms are at different stages of developing and implementing their risk management frameworks. In addition, there is a wide range of approaches that are being adopted. This is because each firm has a different business model, structure, and degree of complexity.

No one risk appetite framework fits all organizations. While some practices do cut across various organizations, diversity of approach is inevitable and should not be discouraged. Supervisors and risk management heads need to be alert to this and avoid insisting on formulaic solutions that may not be aligned with business needs.

Effective Communication and Training

Communication and education on the benefits of a risk appetite framework are essential. Members of senior management need to be visibly and consistently proactive in this respect. Business unit heads must own local business plans, which in turn must pay proper regard to risk. The business plan and potential risks, including the link to the wider risk appetite, should be clearly and consistently communicated to staff.

Continuous and open dialogue about risks is also key in effectively embedding risk appetite in the business lines. When this dialogue about risks, within and across business units and with risk and senior management, works well, it facilitates both intelligent challenges to the risk appetite boundaries and their evolution over time. In this way, the risk appetite framework is made dynamic and is, therefore, able to sensibly accommodate new business opportunities over time.

Comprehensive View and Coverage of All Risks

To be effective, the risk appetite framework needs to incorporate all material forms of risk, including those that are not readily quantifiable. Firms should make maximum effort to quantify such risks, making use of such innovative approaches as estimates of earnings foregone.

Proxies and other metrics should be maximumly used, even where direct quantification of losses isn’t permitted. Quantification and the development of proxies need to draw on operational risk frameworks.

A well-functioning risk appetite framework is one that is pervasive throughout an organization. Attempts to introduce risk appetite as a remote and disembodied aspect of risk management have tended to fail.

Incorporation of Culture, Governance & Business Strategy

The process has been much more successful where it has been recognized that risk appetite needs to be intimately bound up with corporate culture, corporate governance, strategy and planning as well as risk. Boards have an integral part to play in the definition and monitoring of risk appetite and the interchange with management, risk management, and the business is crucial in this. Board members need to be properly equipped to engage fully with risk and risk appetite. They need to understand generic risk concepts and the relevance of these to the business. They also need to have access to the information and expertise necessary to enable them to develop a good understanding of the risk profile of the firm. They should insist that the material provided to them strikes the right balance between providing a comprehensive macro perspective and illustrating the required level of detail.

Board members should be proactive in insisting on proper support from management and risk management professionals. In, particular, such support should facilitate the acquisition of education on risk concepts and approaches, technical briefings, and updates on the risk implications of products and activities.

The Board needs to establish the framework for risk, typically through the articulation of a clear and meaningful risk appetite statement. This is likely to include several key metrics as well as clear qualitative guidance with respect to less quantifiable risks.

Board members need to ensure that risk appetite is used in a dynamic and iterative way. An effective risk appetite framework extends far beyond a mechanism that simply creates limits. Instead, it involves a dynamic or iterative process in which the board provides a clear statement or set of signals regarding its preferred risk/return trade-off. Such an iterative approach results in board members having other significant challenge functions. This challenge is essential to ensuring that the risk appetite framework is neither too rigid nor too flexible.

These challenge functions include, but are not confined, to:

• Making sure that mechanisms are in place to ensure that new business initiatives, transactions, or products are consistent with the enterprise-wide risk appetite and that the risk implications of the same are fully understood.
• Ensuring that mechanisms are in place to monitor and manage risks that are not readily quantifiable, e.g., reputation and legal risks and that their level is consistent with overall risk appetite.
• Ensuring that stress testing is undertaken in a rigorous and comprehensive way and that the board can assess the results in the context of the risk appetite framework (more on this below).

In general, an effective risk appetite framework is indissolubly linked to the culture of an institution. There are no simple measures of risk culture, and it is a key responsibility of boards to understand and shape this culture.

A Good Risk Management Team

The development and maintenance of an effective risk appetite framework is a shared responsibility, with risk management staff playing an essential role in the process. Risk management staff need to be actively involved at multiple levels in the development of the risk appetite framework. They should provide clarity of concept and definition and support in understanding the implications of the risk appetite statements and metrics as they develop, through the necessary coaching and training.

An effective risk appetite framework covers all risks, and it is important that risk management staff work with all stakeholders in developing the right balance of appropriate quantitative and qualitative metrics.

Risk appetite is an iterative process that requires perseverance. It is worth noting that the challenges faced early in the process are different from those experienced in its later stages. At all stages, it is important for risk management to ensure full engagement by all key stakeholders, including the board, senior management, and risk practitioners.

Risk management must allow businesses to take charge of the process of developing line-of-business-level risk appetite statements. This means that the business unit leaders themselves, not the embedded risk management staff within the business units, develop their own risk appetite statements.

Risk management needs to provide the appropriate infrastructure and controls to support the ongoing maintenance of the risk appetite framework. This includes comprehensive and timely reporting to senior management and the board to provide a clear reference to the current risk profile and to make the framework itself both real and relevant. Ongoing reporting of the firm’s risk profile relative to the agreed-upon risk appetite—and how this is changing—and repeated/iterative discussions of the evolving framework itself, will help to build both “pattern recognition” and acceptance of the framework as a useful tool.

Education and communication are areas in which it is vital for risk management to participate on an ongoing basis. It is necessary to effectively communicate the key elements of the design, implementation, and maintenance of the risk appetite framework to all stakeholders internally and externally. It also is important that the board be able to address questions raised by shareholders and regulators alike in regard to the appropriateness of the nature and quantum of the risks being assumed, both individually and in aggregate, and how senior management is challenged in this realm.

Stress Testing and Monitoring

Risk appetite needs to be viewed in the context of both normal and stress conditions. Risk management needs to be capable of providing both perspectives. Besides, it should facilitate appropriate discussion at the board level with regard to the potential impact of risk appetite on business strategy and planning.

Most importantly, risk appetite should be monitored on an ongoing basis at the group level. Further, a contingency plan or escalation procedure should be triggered when the risk appetite metric is exceeded.

Key Challenges to the Implementation of a Risk Appetite Framework

Some key challenges include the following:

• Poor communication.
• Lack of proper and adequate training.
• Initial resistance & skepticism: The benefits of an effective risk appetite framework, while very real, are often not apparent to more junior staff, and, indeed, there may be some initial resistance or skepticism among these groups.
• Lack of a comprehensive view of risks: Expressing risk appetite in a way that covers all relevant risks is also a challenge for firms. This is particularly true with respect to risks that are less quantifiable and require a more qualitative approach. Once the process moves beyond traditional credit and market risks—where historical data is abundantly available—to focus on reputational, strategic, and operational risks, significant challenges remain.
• Weak risk culture.
• Lack of involvement from the senior leadership.

Overcoming the Challenges Associated With Implementing Risk Appetite Frameworks

Communication & Training

Effective internal communication that makes risk appetite directly relevant to employees in business units is seen as a major challenge by all participating banks. An effective risk appetite framework should be pervasive throughout an organization. All the staff with any significant decision-making authority should understand an institution’s stand on risk and what it means for them.

For this reason, communication and training are essential starting points. Effectively cascading the risk appetite framework throughout a firm and embedding and integrating it into the operational decision-making process is clearly the largest challenge for almost all firms.

Involvement/Management

A firm’s senior management, particularly the Chief Executive Officer, needs to be personally involved in promulgating the message about the risk appetite framework and what it means. There needs to be complete agreement between the board and management on a meaningful and comprehensive definition of risk appetite. In addition, concepts need to be communicated in a straightforward way that is devoid of jargon. There is a need for clarity in communication about where risk appetite fits alongside risk capacity or tolerance, that is, how much risk it is technically possible for the firm to take, and the current level of risk the firm is taking.

Finally, there needs to be clarity regarding the ownership of risk. The risk function should own the overall risk framework and interface with the board on risk appetite. However, responsibility for risk within business units and for achieving consistency with the enterprise-wide risk stance rests squarely on business unit heads.

Risk Culture

The link with the wider risk culture is of central importance but is also problematic in some firms. Broad discussion among firms reinforces the point that without a strong risk culture, success on the risk appetite journey is extremely difficult, if not impossible. On the other hand, it is extremely easy to implement an effective risk appetite framework where already, there is a strong risk culture.

A strong culture implies that staff understands what is required of them with respect to risk. Where such a strong risk culture exists, it may be possible for firms to scale down their reliance on narrow compliance with limits and processes. Nevertheless, even the strongest culture needs to be supported by good systems, controls, and limits.

It is also necessary to establish a strong link between risk appetite and compensation. At the simplest level, this can be an assessment of whether business results and key performance indicators have been achieved by operating within limits and in accordance with the behaviors and culture described and embedded within the risk appetite. Where this is not the case, remuneration incentive awards should be moderated or adjusted accordingly.

Expressing Risk Appetite in a Way That Covers All Relevant Risks

This is particularly true with respect to risks that are less quantifiable and require a more qualitative approach. Once the process moves beyond traditional credit and market risks—where historical data is abundantly available—to focus on reputational, strategic, and operational risks, significant challenges remain.

However, it is widely recognized that a risk appetite framework cannot be confined to risks that can be easily measured. To be meaningful, risk appetite needs to take a comprehensive view across a firm. Besides, risk appetite statements need to capture and include those risks that cannot be easily quantified.

The Role of Stress Testing Within a Risk Appetite Framework

How can appropriate levels of risk be determined for individual businesses and in aggregate for the group in total?

It is crucial to consciously constrain aggregate risks in advance to ensure a firm’s survival under severe stress scenarios. A comprehensive, enterprise-wide stress testing mechanism is a key part of a fully effective risk appetite framework.

The senior management and the board need to carefully analyze and understand the likely distribution of potential outcomes that would be experienced over time under a variety of severe, but plausible economic and market scenarios. In addition, they need to determine the tolerable level of loss under each of these scenarios.

Stress testing involves the analysis of a combination of macroeconomic scenarios and changes in market variables. It aims at understanding financial outcomes for a group, including potential credit and market losses and the likely reduction or loss of business revenues under severe economic and market scenarios. It is a requirement by national regulators to carry out stress testing. Aside from this, it enables the management to assess and determine the implications for a firm.

Results of stress tests need to be linked to key objective variables, e.g., P&L. They should explicitly illustrate how outcomes for these objectives and variables would comply with risk appetite boundaries through time.

Challenges in Aggregating Firm-wide Risk Exposures

Risk appetite aggregation defines the process through which an organization decides whether the risk appetite boundaries set by an individual business, on aggregate, fit within the organization’s overall risk appetite. It checks whether the boundaries set align with the organization’s risk appetite framework.

Some of the challenges experienced in executing this process include:

• The inability of capital measures to capture and reflect non-quantifiable risks.
• The challenge of determining the appropriate treatment of risk concentrations and diversification within and between risk types.
• The difficulty of directly linking capital measures to specific macroeconomic stress scenarios.
• The inability of capital measures to capture the liquidity dimensions of risk, which are so crucial for understanding potential losses in severe scenarios.
• The non-intuitive nature of capital measures. Experience has shown that it is difficult to get senior managers and directors to engage with statistical variables and capital measures (e.g., Value at Risk at 99% or 99.95% confidence levels) in a meaningful way and use them with confidence in the risk aggregation appetite process. The experience of several firms has been that it can be easier to get active engagement from senior management and directors around specific macroeconomic scenario assumptions.

For these reasons, it is difficult to determine an acceptable level of aggregate risks using capital measures alone. This is one reason why, in addition to capital and liquidity measures, leading banks in certain jurisdictions are increasingly using a variety of stress testing processes.

Some ways that have been tried and tested in combating these challenges are outlined below:

• All risks should be included in the aggregation process, not just those that are quantifiable, such as market, credit, and liquidity risks.
• For risks that are quantifiable, comparison of the enterprise-level limit framework to the aggregation of business unit limits—including single name, industry concentration limits, or economic and regulatory capital allocation—is an effective and practical measure of alignment.
• Attention to the diversity, quality, and stability of earnings across the enterprise is essential.
• Aggregation should identify areas of excessive risk concentration. In this regard, it is also important that when aggregating risk, there shouldn’t be over-reliance on a potential diversification benefit. Recent history has proved that in times of crisis, diversification of risk often fails in practice.
• For all risks, the aggregate view of risk posture is helpful in determining how an organization is approaching risk overall. If, for example, each individual business unit is willing to take on more risk in the coming year, comparison of risk posture at the platform level is a simple cross-check to determine if senior management has that same awareness.

Lessons Learned in the Implementation of a Risk Appetite Framework through the Presented Case Studies

Case Studies:

1. RBC – May 2011.
2. National Australia Bank.
3. Scotiabank – A Canadian Experience May 2011.
4. Commonwealth Bank of Australia.

1. Developing a Risk Appetite Framework at RBC – May 2011

Work to formalize RBC’s enterprise risk appetite began in 2006. It was executed as part of the annual process to benchmark and refresh credit risk and market risk limits.

An initial presentation on risk appetite was made to the Risk Committee of the Board of Directors to gain feedback on the approach to articulating RBC’s risk appetite and confirm areas of priority.

These are the highlights from the RBC case study:

• Strong support from the Board of Directors, Chief Executive Officer, and senior management.
• The emphasis on risk appetite as an enterprise priority has been framed and accepted as a critical element in the advancement of their strong risk culture.
• Repeated iterations with stakeholders were helpful in gradually building pattern recognition, senior management buy-in, Board of Directors’ support, and confirmation of the central components of our Risk Appetite Framework.
• Risk appetite development was led by the CRO, with ongoing facilitation by senior executives in Group Risk Management and engagement with business segments. They began to build business segment ownership of business segment—level risk appetite by integrating risk appetite with business strategy.
• A flexible approach was required because one method would not be fit for all businesses and stakeholders.
• The risk frameworks contained straightforward terminology that could generally be understood by all stakeholders. They avoided overly technical and complex discussions about risk with the board and senior management. Instead, they focused their discussions within the context of real and current issues for the institution.
• The business segment statements of risk appetite were quite focused and business driver-specific, for example, concentration risk for certain sectors, acceptable earnings volatility, and levels of capital at risk.

Challenges

• It was initially challenging to achieve clarity on what risk appetite means and how it is used to drive management decisions.
• Board and senior management decisions implied a high-level risk appetite. However, it was initially challenging to gain consensus and concisely articulate the risk appetite for the enterprise.
• Iterative discussions on the framework and ongoing reporting of risk profiles helped improve their definition of risk appetite and build understanding and acceptance with senior management and the board.

Lessons learned

• By articulating risk appetite at both an enterprise and business segment level, they managed to achieve an effective combination of top-down constraints and business-specific risk drivers. The linkage between the enterprise-level constraints and the actions of businesses to grow or change risk profiles became clear. Ownership of issues also became clearer.

• Risk appetite and risk profile are effective communication tools. Increased transparency and reporting on these matters facilitated internal alignment among business and functional leaders and supported effective decision-making.

• The enterprise risk profile provided a consolidated view of risk concentrations and deficits to ensure alignment between actual risk exposure and target risk exposure.

• The Risk Appetite Framework and risk profile have also been very helpful in conversations with the board, regulators, and rating agencies.

• Risk appetite became increasingly integrated into their business strategies and planning processes so that strategies are developed and approved in the context of risk appetite.

  They are embedding into their annual strategic planning process analysis of how growth objectives, degree of planned change, and “risk posture” may impact business segment risk profile and risk appetite.

2. Risk Appetite Within National Australia Bank: An Ongoing Journey

The setting of risk appetite within the National Australia Bank currently manifests itself in two key ways. Firstly, the framework by which the Bank determines its risk posture is strongly aligned to and informs the planning process. Secondly, the statement of risk appetite (the Risk Appetite Statement (RAS)) and its three elements (“posture,” “budget” and “settings,” described below) sets out the Bank’s capacity for taking on risk and the settings associated therewith.

Highlights and lessons from The National Australia Bank case study:

• Fostering leadership of the debate on risk appetite from the CEO, the CRO, and the Board Risk Committee.
• Fostering a receptive internal environment. The organization has worked hard on its culture over time and has a strong emphasis on teamwork, collaboration, and enterprise thinking. This, alongside the wake-up call issued to all parties associated with the financial services sector (arising from the global financial crisis and its aftermath), has enabled more sophisticated and planned discussions and analysis on the forward outlook for risk and the environment and our response through posture, appetite, and strategy.
• Identifying a single, dedicated team with accountability for the RAS and the broader framework has allowed them to attain consistency in approach and provide the impetus for innovation.
• Separating the discussion of risk appetite into three parts, each of which is linked but serves a different purpose: risk posture, risk budget, and risk settings.
• Integrating the risk appetite and RAS with the strategic and financial planning process.
• Increasing the dialogue with the business units around their view of risk posture.
• Delivering three RASs to the Board with the cycle and content linked to the planning process. This has allowed for more regular board discussions on risk appetite and has reinforced the link between risk appetite and business strategies and plans. The board now sees more careful consideration of the implications of proposed actions and activities on the Group risk profile and its relation to the Group Risk Appetite and evidence of risk appetite thinking in its discussions with management.
• Supplementing the RAS and associated discussion with risk workshops and targeted risk papers for the board, has assisted the Board in linking risk appetite to the business activities and the portfolios.
• Engaging with the regulator.
• Identifying key stakeholders in the business to champion risk appetite discussion.
• Maintaining the ongoing commitment of key stakeholders such as the board and senior executive.

Challenges

• Balancing the desire for quantitative or prescriptive criteria to define risk posture with the flexibility and generality that qualitative, “principles-based” definitions provide.
• Choosing the appropriate metric for each application. For example, economic capital is the metric for risk “budgeting” across the Group, but other metrics are more useful for other applications, such as exposure limits, trading desk limits, industry or country credit exposure limits, etc.
• Whilst used as the measure of risk budget, the use of economic capital remains a challenge.
• Balancing coverage of credit risk with other material risks (e.g. operational or reputation risk), which are less easily quantified or described.
• The key for National Australia Bank in advancing the risk appetite framework has been:
  • Identifying dedicated resources for accountability.
  • Developing a standardized risk language around posture, appetite, and settings.
  • Aligning risk with strategy and finance.
  • Fully engaging risk as a key participant in the planning process.
  • Continuing to develop thinking around the risk appetite framework by engaging with the key stakeholders.
  • Seeking ways to broaden the view and understanding of risk appetite so others feel more engaged in its development.

3. Scotiabank–A Canadian Experience in Setting Risk Appetite May 2011

The financial crisis that was experienced in the year 2008 sparked a strategic inflection point for the world’s view on “risk”. It compelled the Risk Management discipline in global financial institutions to re-assess every method and assumption embedded in their processes.

One such institution was Scotiabank in Canada. Scotiabank considers the implementation of its Risk Appetite Framework to have been successful.

Scotiabank already had a risk appetite position embedded in its strong risk culture that had served it well through the financial crisis. However, Scotiabank recognized the potential value of a more clearly defined, comprehensive Risk Appetite Framework based on governing financial objectives, risk principles, and risk appetite measures.

Scotiabank integrated these key dimensions into an enterprise-wide framework, strengthening its overall approach to governing risk-taking activities. The Risk Appetite Framework was approved by the bank’s Board of Directors in early 2010.

The biggest benefits of defining the Risk Appetite Framework for Scotiabank have been that it provides greater transparency of the key objectives, principles, and measures defining the bank’s appetite for risk in the pursuit of value, and it has enabled greater awareness and more effective communication with internal risk decision-makers and external stakeholders.

This “case” captures how the development of a strong and functioning Risk Appetite Framework can be accomplished in the setting of a strong, existing risk culture where there is a deep network of established controls, limits, and risk oversight structure. The development of the Framework was the straightforward part. Work continues on key challenges around implementation and further alignment.

The key challenge continues to be:

• Awareness and application of the Framework within the Business Lines.
• Finding the right balance between broad principles and granular guidance for day-to-day decision-making with line management throughout the Bank.

In terms of awareness, the program was launched with “roadshows,” but more communication work needs to be done to evolve from reliance on the culture and norms, to embedding the Framework as the more clearly defined and rigorous context for decision-making.

As for “the right balance,” there still needs to be a linkage between the high-level principles and metrics as expressions of risk appetite at the top of the bank and the risk indicators and limits deployed at a business unit level. While some measures of credit and market risk have been allocated to businesses, others, including most measures for operational risk are not easily aggregated, nor divided. As such, the bank (and the industry) continues to work in an effective way to link certain “top of the house” measures with business-specific risk performance measures. Additional work also remains to further integrate the Risk Appetite Framework with other risk policies and the enterprise-wide stress testing program.

Ultimately, Scotiabank’s test of an Effective Risk Appetite Framework is that:

• It fits the organization.
• The Board understands it.
• Management is having good discussions reflecting both qualitative and quantitative measures.
• Decisions are made and action is taken.
• Sustainable long-term earnings growth is achieved.

3. Risk Appetite Framework Development at the Commonwealth Bank of Australia

Within the Commonwealth Bank of Australia (CBA) Group, risk appetite had always been part of the risk vocabulary. However, historically there has been little documentation of a formal framework.

During the mid-2000s, some attempts had been made to define the framework but it was not until the appointment of the new Group Chief Risk Officer in 2008 and the actions of an energetic Board Risk Committee chairman that the need for a formal, board-owned risk appetite foundation gathered real traction. Consequently, a project to develop a risk appetite framework was launched at the start of 2009, and this case study covers the various stages of its development to date.

There have been several aspects of the development of risk appetite that have been successful and translated into meaningful benefits for the Group:

• Firstly, the approach to engaging with the board led to a strong sense of ownership and a depth of understanding of risk appetite by the board that would not otherwise have been achieved.
• By setting clear Risk Culture expectations in the Group RAS and putting ownership for developing business unit RASs on the heads of the business units (rather than the business unit risk teams), there has been a cultural shift in the ownership of risk from Risk Management to the businesses. Business units now act with clearer responsibility (ownership) for the risk they take on.
• The incorporation of the review of risk appetite as part of the strategic planning process, and the presentation of strategic plans, formally accompanied by recently agreed-upon risk appetite statements, to both management and the board has brought risk appetite considerations formally into key decision-making and strategy-setting discussions.
• The understanding of the interaction of strategy and risk appetite has changed previously held views that risk appetite was a barrier to progress, and in particular that it could not be challenged or changed. A lot of work has gone into explaining the connection between strategy and appetite and the important way that they are brought together in strategic planning, to give both management and the Board transparency over decisions either to amend the strategy to align with the existing appetite, or the appetite to allow the proposed strategy. The joint consideration and refinement of strategy and risk appetite is now part of business as usual.
• By establishing clear boundaries, business units understand what is outside their risk appetite and, therefore, do not pursue these opportunities, leading to a reduction in both wasted effort and frustration.
• By bringing the requirement to operate into alignment with the Group and local risk appetite statements into the performance management and remuneration framework, risk appetite has achieved a high level of awareness and influence on behaviors. Key behaviors are found in the Group RAS, e.g., responsibility to raise issues, protection for doing so, and “no harm” to people who raise false-positive issues.

Key Lessons Learned

• Without sponsorship from the top, it is difficult to get traction in developing a risk appetite framework.
• finding the right balance between broad principles and granular guidance for day-to-day decision-making with line management throughout the Bank.
• The conversations around risk appetite are equally as important and beneficial as the actual Risk Appetite Statement document produced from them.
• Culture is a fundamental part of risk appetite and to the success of embedding risk appetite in the organization. Taking the time to craft descriptions of what risk appetite the Group and business units have for variance in risk culture breathes life into risk culture

Practice Question

Why is the culture of an organization important with respect to the Risk Appetite Framework?

A. Risk Appetite Frameworks are easily implemented in organizations that do not have any risk culture.

B. The process of implementing a Risk Appetite Framework has been much more successful where it has been recognized that risk appetite needs to be intimately bound up with corporate culture, corporate governance, and strategy and planning as well as risk.

C. The culture of an organization dictates what kind of risks the organization can manage and which one the firm is unable to manage internally.

D. The boundaries within which a Risk Appetite Framework operates are controlled by the culture of the organization.

The correct answer is B.

The process of implementing a Risk Appetite Framework has been much more successful where it has been recognized that risk appetite needs to be intimately bound up with corporate culture, corporate governance, strategy, and planning as well as risk.

A is incorrect:It is not correct to say that Risk Appetite Frameworks are easily implemented in organizations that do not have any risk culture. This is because risk culture affects how successful the implementation of a risk appetite framework is.

C is incorrect: The culture an organization does not dictate what kind of risks the organization can manage and which one the firm is unable to manage internally.

D is incorrect: The boundaries within which a Risk Appetite Framework operates may be influenced by the culture. The boundaries are, however, not controlled by the culture of the organization.