Risk Appetite
Risk Appetite
com/risk
Risk Appetite
Frameworks
Insights into evolving
global practices
An IACPM/PwC Study
November 2014
Table of Contents
Executive summary 1
1. Introduction 3
2. Key observations 5
6. Conclusion 21
Risk Appetite Framework
Welcome
Executive message
summary
1 Financial Stability Board Principles for an Effective Risk Appetite Framework, 2013
1. Introduction
Risk capacity is the maximum level The International Association of Credit Portfolio Managers (“IACPM”)
of risk the firm can assume before
and its members regularly perform in-depth studies of significant topics of
breaching constraints determined
by regulatory capital and liquidity
interest to the financial services industry. Based on strong industry interest
needs and its obligations, also from for additional information on RAFs, IACPM and PricewaterhouseCoopers
a conduct perspective, to depositors, LLP (“PwC”) jointly undertook a study based on a survey of 78 financial
policyholders, other customers, and institutions, supplemented by interviews with 43 of the respondents. This
shareholders. study was conducted from June to November 2014.
—Financial Stability Board, Principles
for an Effective Risk Appetite
Framework, 2013 1.1 Objectives and scope of this study
IACPM and PwC undertook this extensive study to understand the practices and
challenges of financial institutions as they develop, implement, and enhance
RAFs. The objectives of this study included:
• Assessing progress in industry practices since the IIF and FSB published their
standard-setting RAF-related papers in 2011 and 2013, respectively;
• Developing a further understanding of the RAF components that survey
respondents viewed as most important or challenging to implement; and
• Describing institutions’ approaches to operationalizing RAFs, allocating risk
appetite, and integrating RAFs with day-to-day business decisions as well as
longer-term strategy formulation.
While more detailed information from this study has been provided separately
to the surveyed institutions, this abbreviated report outlines key observations
from the study, and provides detailed observations and insights in relation to the
following selected topics:
• Allocating risk appetite below enterprise level;
• Integrating the RAF with strategy and business planning; and
• Risk appetite statements and metrics.
2 Institute of International Finance Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions, 2011; Senior Supervisors Group Observations on Devel-
opments in Risk Appetite Frameworks and IT Infrastructure, 2010; Financial Stability Board Principles for an Effective Risk Appetite Framework, 2013; OCC Guidelines establish-
ing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches, 2014
The study surveyed 78 banks and insurance companies across the globe,
making this the largest published study of RAF practices in the financial Development Banks
services industry. Throughout this report, we refer to participants as “surveyed
institutions,” or “survey respondents.” The surveyed institutions were typically
0 5 10
represented by individuals who have responsibility for developing and
implementing RAFs at the enterprise level within their respective organizations.
These individuals responded to a detailed questionnaire and a large number of
them also participated in follow-up interviews conducted by PwC.
Aus/Canada
G-SIBs 4 5 14 23 Other
Non G-SIBs 3 13 10 11 37 EU-Emea
US
Insurers 5 3 2 10 Asia
Development Banks 8
GSIB
GSIB
Non-GSIB Banks Non-GSIB
Insurers
Dev Banks
Other
Aus/Canada
GSB
Other
US
Insurers Asia
Development Banks
2. Key observations
Figure 2 shows that 40% of surveyed institutions acknowledged that their RAFs
at the top-level business lines required further development. When assessing
the maturity of their RAFs at the lower-level business lines, 60% of surveyed
institutions believed that their RAFs were less than adequate. The state of RAF
development was also less mature at legal entity levels for an overwhelming
majority of the surveyed institutions. This is not surprising since the prevailing
management hierarchy for financial institutions continues to be business lines
rather than legal entities. The lack of progress in this area also reflects the
survey respondents’ skepticism of the benefits of articulating risk appetite at
the legal entity level even though other regulatory initiatives such as resolution
planning have continued to raise the importance of taking the legal entity view.
0 50 100%
Enterprise Leading
Highly developed
Top-level Adequate
business line Some or no progress
Lower-level
business line
Credit risk
Non-credit risk
Legal entity
3 Credit risk has been displayed separately due to the relative maturity of this risk type across surveyed institutions. Other financial and non-financial risk types
(e.g., market risk, operational risk, reputational risk, etc.) have been grouped together as “non-credit risk types”.
The main challenges facing surveyed institutions include effectively allocating risk
appetite across the organization, integrating risk appetite into decision-making,
and articulating risk appetite through metrics and limits.
The challenges faced by the surveyed institutions are summarized below and
mechanism to cascade risk appetite
further elaborated in subsequent sections of this paper. integrate of risk appetite into decision making process
express risk appetite
integrate with stress testing
1. Embedding the RAF into an organization Inadequate information system
lack of risk culture
Defining the best approach to allocate risk appetite below the enterprise level regulatory requirements drives RAF to become
into the broader organization is a major challenge for survey respondents. The bureaucratic
lack of board support
wide range of concerns cited by survey respondents included number of metrics lack effective communication
In addition to the three primary challenges outlined above, the study revealed
the challenges below.
Figure 4 suggests that only a few survey respondents indicated that weaknesses
in risk culture and lack of support from key stakeholders were remaining
challenges for implementing effective RAFs. This is an encouraging indicator
of the emergence of stronger risk culture and better intra-organizational
coordination across risk management, finance, treasury, business planning, and
“I pretty much agree with
business lines.
everything the regulator
requires.”
Supervisory expectations
“FSB 2013 propelled
Survey respondents appreciated the FSB guidance that established board and
the RAF to be owned by
the board, elevating senior management roles and responsibilities along with the general principles
the urgency to improve for effective RAFs. However, the surveyed institutions cited a preference for
this aspect of risk more details in certain aspects of the guidance such as the end goal of allocating
management.” risk appetite to legal entities, and effective reconciliation of top-down risk
— Survey respondent appetite with bottom-up perspectives. In addition, survey respondents from
large global institutions believed that better coordination among various
national supervisors could result in more consistent guidance on RAF standards
across the various jurisdictions of their operations.
“I cascade risk appetite Notwithstanding this stated preference for more guidance in certain areas,
to business lines and risk
survey respondents also believed that granular supervisory expectations may
type. Further slicing and
dicing my risk appetite be viewed as prescriptive, limiting necessary flexibility for successful RAF
to legal entities is implementations.
unnecessary and does not
add any value.”
“I am waiting to see if I
really need to cascade RAF
to frontline officers. What
does this mean anyway?”
— Survey respondent
The approach for allocating risk appetite varied widely across surveyed
institutions and was driven by multiple factors, including the complexity of the “Setting the firmwide risk appetite
business mix and the maturity of the RAF. is the first step; the aggregate risk
appetite has to be allocated to the
firm’s business lines, legal entities
Survey respondents faced challenges in understanding effective ways to allocate
and down to all relevant levels, which
risk appetite beyond the enterprise level. Some typical concerns were: need to align with the firm’s strategic
• Where should the risk appetite be allocated (e.g., among business lines, legal and business plans”
entities, or risk types)?
—Financial Stability Board, Principles
• How far below the enterprise level should risk appetite be allocated? for an Effective Risk Appetite
Framework, 2013
Sections 3.1 through 3.4 below highlight practices reported by the survey
respondents in these areas.
4 Some industry practitioners use the terminology “cascading risk appetite” as an alternative to “allocating risk appetite” to describe how both quantitative measures and quali-
tative statements of risk appetite are expressed below the enterprise level to other dimensions such as business lines, risk types, product lines, and legal entities, such that risk
appetite considerations are embedded into the strategic and tactical decision making.
0 50 100%
1 97
2 72
3 42
4 10
Figure 7 – Sequences for allocating risk appetite FSB guidance confirms the importance
of accounting for bottom-up
Primary sequence Primary & supplemental sequences information while risk appetite is
allocated:
Enterprise Enterprise “RAF should be driven by both top-
down board leadership and bottom-
up involvement of management
at all levels, and embedded and
Top-level Top-level Risk types understood across the financial
business line business line institution.”
“Financial institutions and supervisors
should check that the ‘top-down’
Lower-level Lower-level Top-level risk appetite is consistent with the
business line business line business line ‘bottom-up’ perspective through,
for example, employee surveys,
independent reviews, and internal
reporting.”
—Financial Stability Board, Principles
25% 73% for an Effective Risk Appetite
Framework, 2013
4
18
73
39
Primary Supplemental
Top-down Bottom-up
Figure 9 – Sequences by which risk appetite is allocated for an illustrative sample of 16 G-SIBs
Allocate from
enterprise to
risk types
Allocate from
enterprise to
top-level
business lines
Allocate to
two levels only
Primary and
supplemental
sequences
Bottom-up
allocation
A few survey respondents mentioned that as risk culture improved and business
lines started taking more ownership of risk, their business plans increasingly
incorporated risk appetite considerations. Consequently, their business plans
were better aligned with top-down risk appetite, enabling reconciliation of
enterprise and lower level perspectives.
This detailed planning process at the enterprise and top-level business lines
provides feedback to all levels of the institution. In each of the steps
shown in Figure 11, feedback is used to help fine-tune business plans and
associated capital and liquidity plans to better meet the institution’s business
and risk strategies.
Figure 11 - Integration of the risk appetite framework into existing business planning process
Risk
appetite Board and senior management
statement
1 2 3
RAF at the enterprise level
Top-down
business Strategy and business planning
goals Risk appetite assessment
Bottom-up -Scenario generation
Iterative
business -Risk profile measurement
adjustments
plan -Risk capacity measurement
Top-down -Refinement of risk appetite
risk Confirmation of risk limits
appetite Capital and liquidity plans
5. Risk appetite
statements
and metrics
Figure 12 – Qualitative vs. quantitative nature of risk appetite statement at various levels
62%
49%
45%
33% 33%
26%
19%
13%
7%
1%
0% 0%
Only Combination of Combination of Only a qualitative
quantititative high-level detailed quantitative indicator of preferred
outcomes quantititative and and qualitative outcomes
qualitative outcomes outcomes
Figure 13 - Enterprise-level risk appetite statement components with categories of metrics and
some sample metrics
• Scope of RAS A.
• Linkage to mission statement and core values Qualitative description of
• Goals in areas such as strategic business intent, capital adequacy, liquidity, guiding principles related to
desired risk profile, reputation, and enterprise capabilities the firm’s risk appetite
• Key risks in relation to strategy and core businesses
D.
D. Each qualitative guidance and quantitative metric can have multiple Metrics expressed in
dimensions such as under normal and stressed environments multiple dimensions
In the case of less quantifiable risk types, the RAS typically reflected related
policies and qualitative guidelines. However, there is an increasing trend to use
proxy metrics, where available. For instance, many survey respondents quantify
reputational risk using proxies such as brand health, customer-centric metrics,
and employee satisfaction surveys.
PwC Risk Appetite Framework 18
Risk Appetite Framework
Figure 14 shows that survey respondents tend to describe more risk types in the
RAS at the enterprise level and for top-level business lines and address fewer
risk types within lower-level business lines and legal entities. This is intuitive
since many risks, particularly the less quantifiable types, are more appropriately
managed at higher levels within the organization.
Figure 14 – Number of risk types covered in risk appetite statement at various organization levels
Figure 15 – Top binding constraints for risk appetite statements at various organizational levels
Enterprise Top-level business lines
0 80% 0 80%
Regulatory capital Concentration limits
Concentration limits Economic capital
Economic capital VaR
Earnings volatility
RWA
Stress testing capital
ROE Regulatory capital
Internal/external ratings Expected loss
RWA Earnings volatility
VaR Growth measures
Expected loss ROE
Growth measures RAROC
RAROC
Internal/external ratings
Provisions
Liquidity Provisions
Cost of risk Stress testing capital
EPS Cost of risk
6. Conclusion
Both financial institutions and supervisors agree that the RAF is an essential
component for effective risk governance. Surveyed institutions are at different
stages of maturity in the development and implementation of their RAFs. Industry
practices are markedly divergent with respect to operationalizing different
elements of the RAF and linking it to other governance, management, and business
processes. However, there is industry convergence with RAFs becoming more
evolved at the enterprise level. Less encouragingly, even six years after the financial
crisis, more than a third of survey respondents acknowledge that their RAFs are
not adequately developed at the lower levels of the organization where day-to-day
decision making ultimately affects the overall risk profile of the firm.
Allocating risk appetite below the enterprise level is challenging, varies widely
across institutions, and is driven by multiple factors, including complexity of
business mix and maturity of the RAF. Consequently, surveyed institutions have not
coalesced on practices for cascading risk appetite down throughout the enterprise.
However, some institutions appear to be making a concerted effort to extend their
risk appetite allocation approaches to include different organizational hierarchies,
more risk types, and feedback between top-down and bottom-up perspectives.
Given the current and anticipated attention given to RAFs by the industry and
supervisors, we expect to see significant developments in the coming years. The
implementation of the RAF should be as broad as possible, with risk appetite
considerations woven into all relevant aspects of the firm. These broad linkages
will help to fully realize the benefits of an effective RAF and improve risk culture,
sustain the enterprise over the long-term, and strengthen institutional resilience in
times of crisis.
Contacts
PwC IACPM
Zubin Mogul
Managing Director
[email protected]
+1 646 471 6761
Acknowledgements
We would like to thank the following individuals for their contributions:
Brian Wille, Kunal Rajani, Marc-Albert Michaud, Matthew Small, Miguel Saez,
Rashmi Jain, Seth Hunter and Sicong Song.
PricewaterhouseCoopers LLP has exercised reasonable care in the collecting, processing, and reporting of this information but has not inde-
pendently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers LLP gives no
express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use and shall not
be liable to any entity or person using this document, or have any liability with respect to this document.
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm,
and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure <www.pwc.com/
structure> for further details. This document is for general information purposes only, and should not be used as a substitute for consultation with
professional advisors.