In this chapter, the concept of a Risk Appetite Framework (RAF) is described and its elements are identified. An explanation of a well-developed RAF’s benefits will also be given and the best practices for a firm’s Chief Risk Officer (CRO), CEO, and Board of Directors will also be studied.

In individual business lines, the role of the RAF in risk management within the organization and effective procedures when a company’s risk profile is being monitored for RAF adherence shall be discussed. The company with a robust risk data infrastructure has advantages which this chapter seeks to explore, in addition to giving a description of the key elements of an effective policy for managing IT risk within the organization.

Finally, the factors causing poor or fragmented IT infrastructure in a firm will be described with an explanation of a firm’s problems and effective procedures for aggregating data.

Summary of Key Observations and Conclusions

For a firm’s strategic planning and a tactical decision making to be improved, there must be an effective RAF and a risk data infrastructure that is robust as this will lead it to be more forward-looking, flexible, and proactive. It is a common practice by some organizations to establish their risk appetite parameters and make sure that they have timely and accurate quantitative risk data as well as the ability to quickly adjust positions during a negative market event.

Since CEOs, CROs, and CFOs have the biggest influence when it comes to business strategy and risk management decisions, a more effective RAF will be generated when they work closely with the board of directors. For implementing IT risk infrastructure projects, the financial and human capital required have to sufficient so as to create better results.

Implementing a Risk Appetite Framework

1. Strong internal relationships at the firm is necessary to the RAF implementation. Firms with a close cooperation between the board of directors and senior management, senior management and business line leaders, CRO and the board of directors, and other senior managers and business line leaders have an effective reinforcement of the RAF.
2. Ensuring that a strong accountability structure is established by senior management for the translation of the RAF into clear business line constraints and incentives is the duty of the board.
3. The acceptance and effective monitoring of the RAF is facilitated by a company’s common risk appetite language whose expression is via quantitative statements and risk metrics that are appropriately selected. This will provide the management with a clear roadmap to execute and improve transparency.

Implementing a Comprehensive Risk Data Infrastructure

1. Strong governance processes are exhibited by firms whose IT infrastructures are highly developed. This includes strategic planning, a commitment of appropriate human and capital resources, clear owners of information, and the appointment of data administrators.
2. The accuracy and timeliness of aggregated risk data can be improved by fewer manual workarounds and more automation which are necessary for the implementation of highly developed IT risk infrastructures.
3. Disparate IT systems from a new business or via mergers and acquisition activities should be integrated into firm-wide systems and infrastructures in the shortest time possible.

Implementing a Risk Appetite Framework

Background and Approach

As outlined by the Basel Committee on Banking Supervision, the approval and overseeing of a bank’s overall risk strategy implementation, including its risk tolerance, is the responsibility of the board of directors.

A wide variety of approaches have been taken by firms in the RAF adoption that ranges from brief and qualitative to complex, lengthy, and quantitative. The different views on the outlook of an RAF are reflected by these approaches in addition to the different stages of development of the frameworks across firms.

The Risk Appetite Framework as a Strategic Decision-Making Tool

Most firms have their RAF clearly related to their strategic planning. The following are some observations made through studies:

1. The principle that all risks should be understood and managed by the board and senior management. This may lead to a situation where the firm forfeits specific business lines due to their failure to understand the risks despite the businesses being profitable at the time in question.
2. The reduction of a firm’s warehousing of subprime assets by half following its RAF principles to scale down noncore businesses.
3. The RAF of a firm may assist in the identification of in IT and human resources.
4. Some firms fail to provide situations of the RAF influencing specific decisions despite many other firms insisting on the importance of the RAF in assisting decisions about acquisitions.

An explicit forward-looking view of a firm’s desired risk profile is established by the RAF in a variety of scenarios and sets out the process for achieving that risk profile. A risk appetite statement (RAS) establishing boundaries for the desired business focus is the starting point of a risk appetite framework and it should articulate the desired approaches the board wishes to take for a variety of businesses, risk areas, and product types.

The statement should provide the senior managers with both guidance and constraints in pursuit of the company’s strategy. It should also be relatively simple, easily communicated, resonating with multiple stakeholders, and frequently referenced.

Developed RAFs should be flexible and responsive to environmental changes, despite there being difficulty in the forecasting of market conditions with certainty over time. Definitive and consistency are features that risk appetite should possess to contain strategic drift.

In framing discussions and decisions on the strategic direction of the firm, the uses of a company’s RAF ranges from deliberations concerning possible acquisitions to new business lines or new products.

To prepare for the unexpected, regular discussions on the management of unexpected economic or market events in a given jurisdiction or products are reviewed and conducted by companies whose RAF is more developed. The effects of these business decisions on the consolidated entity should be the most important consideration taken into account.

In their quest for producing accurate results, companies still face significant challenges when they rely on a comprehensive risk data infrastructure. This is despite there being a consensus among firms concerning the usefulness of stress testing and scenario analyses in the measurement of risk level and prospective risk appetite.

These are some noteworthy observations made by studies about industry players:

1. Most firms rarely use stress-testing results when setting limits;
2. The senior management of firms that applied stress tests for the RAF insisted that all elements of a company’s risk profile cannot be captured by a single stress test; and
3. For the reported risk metrics to capture most risks, there are significant problems that complicate matters further in the aggregation of data.

Risk Appetite Governance: The Board C-Suite and Business Lines.

The effort describing the boundaries within which management is expected to operate is explicitly described in the RAF. The framework should be communicated starting from the top of the organization for an effective implementation of the RAF.

The roles assigned by these firms whose RAFs are developed are as follows:

1. Overarching expectations are set by the board and senior management for the risk profile;
2. These expectations are translated by the CFO, CEO, and CRO into incentives and constraints for business lines. The business lines are held accountable by the board for its performance related to the expectations; and
3. Business lines manage, within the boundaries of these incentives and constraints, their performance partly relying on the RAF’s performance.

Board of Directors

The formulation, monitoring, and assessment of a company’s RAF are supported by engaged boards in most leading companies. If a significant amount of time and effort is invested to articulate the risk appetite statement of the company, then there will be greater stakes in making sure that there is proper implementation. Decision making will thus be guided throughout the firm by the board.

An active and iterative review process is usually applied by stronger boards for an effective RAF to be driven. The company’s risk appetite statement is shaped by the board who, jointly with the management, regularly works to align the framework with that statement.

Another popular practice is having a clear process for discussing and determining when the RAF should be adapted to changing circumstances. The management can, therefore, ensure that the board is fully conversant with the risk profile of the firm.

There is a complicated understanding, by engaged board members, on financial and risk concepts. Critical to effective duties performance is a board composition that is appropriate. For there to be a suitable level of expertise, the board composition of some firms has been adjusted, for risks monitoring and expectations setting.

Furthermore, extensive training is provided by most firms to board members for their shortcomings to be fully addressed. The subjects of the training range from derivatives to capital adequacy.

For the risk appetite adherence to be set and monitored, there is the need to receive the right information. Finally, reputational risk’s importance has been reemphasized by the 2007-2009 crisis as a key focus, with all firms attempting to incorporate its assessment into their RAFs protecting their brand.

The C-Suite

For a successful implementation of the RAF throughout the firm, there should be strong support at the level of the CEO. By referencing and applying the RAF to support strategic decisions, a strong message is sent about the significance of the framework.

The stature of the risk management function can be further strengthened by the willingness of the CEO to give the CRO the final word on many risk decisions. This relationship is very crucial and extends to the board and the board risk committee who are sometimes encouraged by the CEO to directly contact the CRO.

The transparency of the framework and the dissemination is increased by a strong alliance between the CFO and the CRO as it underscores the interplay and the important relationship between risk strategy and budgetary considerations including the common approaches engendered by the RAF. Both the CFO and CRO can report to the board or the board risk committee at every meeting on the risk profile of the company relative to the risk appetite statement.

Business Lines

The connection between the business strategy and the budgeting process is an important element in the process of building an RAF. To ensure an alignment of each business strategy with the company’s desired risk profile, the RAF is a useful tool.

Through the RAF, the board and the senior management can understand how much the medium-term business plans of one business line need to be adopted for the business proposal by another business line to proceed.

The occurrence of proposals outside some given parameters is reduced by the existence of a clear RAF that is well communicated to the business lines. Therefore, the firm may be prevented from unknowingly drifting from its initial risk appetite as market conditions changes.

For most firms, there is an adequate integration of the RAF with new product initiative processes.

Promoting a Firmwide Risk Appetite Framework

For an entire company to be committed to a successful framework, a set of incentives and consequences should be established by the company whose RAFs are more developed. The directors and senior management of the firms carefully consider how adherence to the RAF can be incentivized and how the repercussions of ignoring it are communicated.

A lack of a clear agreement about the scope and reach of the RAF within a company is a common occurrence among senior leaders. To ensure a strong understanding of the risk culture and decision-making process, most firms involve new staff in risk and capital committee meetings.

Monitoring the Firm’s Risk Profile within the Risk Appetite Framework

There should be an ongoing and iterative assessment of a firm’s consolidated risk profile against its risk appetite. The connection between a firm-wide risk profile and its risk appetite is monitored through quarterly reviews of the RAF.

The firms test whether there is a continued alignment between the consolidated risk profile with the business practices limits and stress performance expectations constituting their RAFs. The following observations were made by studies:

1. The risk profile of companies with RAFs that are more developed is clearly documented and regularly reviewed against the companies’ risk appetite.
2. As a way to compare the risk appetite with the risk profile, the discipline of assessing the fair values of a firm’s risk exposures is applied, since MTM changes to P&L statements provide a real-time window to monitor risk.

Multiple metrics are combined by firms whose RAFs are developed to deliberately assist in the management and mitigation of downside risk. The metrics applied should range from the dynamic and forward-looking to static and point-in-time; they could include:

1. Targets for capital beyond solely regulatory measures;
2. A variety of liquidity ratios, terms, and horizons for survival;
3. Net interest income volatility or earnings-at-risk computations;
4. Expected loss ratios;
5. VaR limits;
6. Concentration of risks by internal or external credit ratings;
7. Limits of risk sensitivity;
8. The credit spreads of the firm;
9. Asset growth ceilings by business line or type of exposure;
10. Internal audit ratings’ performance;
11. Added economic value; and
12. Capital, liquidity, and earnings post-stress-test.

Implementing a Comprehensive Risk Data Infrastructure

Background and Approach

For a long time, the ability of many firms to manage financial risk due to the rapid and intense unfolding of market events had been hindered by inadequate IT systems. This, therefore, raised the need for companies to build more robust infrastructure systems. Hence, many companies began projects aimed at improving IT infrastructure; particularly those addressing the aggregation of risk data.

The fragmentation of the current IT infrastructure leading to slower risk management remediation projects is due to the following factors:

1. Failure by business lines and IT management to agree on a long-term strategy due to competition for resources within the company;
2. Decisions favoring short-term financial considerations leading to budget reductions for IT infrastructure projects;
3. Inconsistent approaches applied to the upgrading of systems due to weak processes of governance; and
4. The number of legacy systems set in place to be increased by mergers and acquisitions at newly consolidated organizations.

The Importance of IT Governance in Strategic Planning and Decision-Making

Timely and accurate aggregation of data is important for reporting on credit, market, liquidity, and operational risks. Accurate information is a necessity when making decisions on the strategic direction of companies as it assists in setting the risk appetite and managing those risks according to rapidly changing economic or market circumstances.

An assessment of risk data requirements and gaps within the IT systems needs to be included in the strategic planning processes. With a highly developed IT infrastructure, a firm should be able to clearly articulate, document, and communicate internal risk reporting requirements.

Senior IT governance functions, business line units, and IT experts are usually brought together by companies whose IT infrastructure is developed. Their standards are usually defined with defined internal risk reporting requirements so as to have their business lines and IT units operating within a framework that is enterprise-approved.

An effective partnership at a company is usually underpinned by the following factors:

1. Budgetary resources are usually committed to the development of IT infrastructures by firms with leading IT infrastructures for internal risk reporting with equal priority levels given to project funding emphasizing revenue generation and speed to market.
2. Associated risk infrastructures critical to operations management is usually outstripped by revenue-generating infrastructures for new businesses and products.
3. The crucial aspects of the strategic planning process for new products are mainly technological infrastructures and capacity assessments.
4. Equal governance measures should be applied by companies depending on outsourced IT activities affecting the aggregation of data, infrastructure, and internal risk reporting to the said activities.

To ensure that timelines and deliverables are met, companies successful in aligning IT strategies with the need for business line managers and risk managers possess strong project management offices (PMOs).

Data administrators and data owners are often appointed in companies whose IT projects implementation is effective, so as to ensure data accuracy, integrity, and availability.

Automating Risk Data Aggregation Capabilities

The ability to automate data flows and ensuring low amounts of manual intervention required for critical data to be compiled is an important attribute. Manual intervention and manual manipulation of data are rarely relied upon by companies with leading practices. Their risk data aggregation is largely automated to increase the timelines of internal risk reporting with minimal human error-linked operational risks.

The overall value of internal risk reporting can be undermined by the failure to aggregate risk data accurately, timely, and comprehensively. Rapid and relatively seamless data transfer has been permitted in consolidated platforms and data warehouses employing common taxonomies thereby facilitating a firm-wide view of risk.

Data aggregation processes have to be applied by leading firms to cover all relevant transactional and accounting systems and data repositories to maintain a comprehensive coverage of management information system (MIS) reporting. MIS practices usually include a periodic reconciliation between risk and financial information.

Firms should be able to compile internal risk data on the basis of a legal entity. It was clearly demonstrated by the financial crisis that firms should manage their legal and geographic risks associated with a global cross-border financial marketplace.

Prioritizing the Integration of IT Systems and Platforms

One of the problems hindering accurate and comprehensive firm-wide aggregation of risk data is the lack of integrated systems and platforms. Firms whose IT infrastructures are developed usually apply the following practices to effectively aggregate risk data:

1. Prioritizing the integration of legal systems from mergers and acquisitions immediately after the finalization of the transaction; and
2. Ensuring the aggregation of data from new products or initiatives by a product approval processes.

Maintaining Appropriate Systems Capacity

The ability of management to reduce the application of MIS is often undermined by capacity constraints especially during periods of stress. Establishing appropriate planning and testing to handle volumes for both steady-state and stressed-volume scenarios are currently possible for most firms. However, the inclusion of scenarios involving sharp volumes fluctuations is a must for most companies in their capacity planning and testing.

Practice Questions

1) The supervisors of Oakland International Bank have to observe several elements for the implementation of the Risk Appetite Framework. Which one is LEAST likely to be considered?

1. The commitment of appropriate human and capital resources, clear owners of information, and the appointment of data administrator
2. Strong accountability structures
3. A common risk appetite language across the firm
4. Strong internal relationships at the firm

The correct answer is A.

The implementation of the Risk Appetite Framework requires strong accountability structures, a common risk appetite language across the firm, and strong internal relationships.

The commitment of appropriate human and capital resources, clear owners of information, and the appointment of data administrator has to do with the implementation of a comprehensive risk data infrastructure.