www.pwc.

com/risk

Risk Appetite
Frameworks
Insights into evolving
global practices
An IACPM/PwC Study
November 2014

Table of Contents

Executive summary 1

1. Introduction 3

2. Key observations 5

3. Allocating risk appetite 10

4. Integration of risk appetite framework with

relevant business processes 14

5. Risk appetite statements and metrics 17

6. Conclusion 21
 Risk Appetite Framework
Welcome
Executive message
summary
The RAF is an overall approach for
establishing, communicating, and
monitoring all material risks of the
firm through organizational roles
and responsibilities, risk appetite
statements, policies, risk limits,
processes, controls, and systems.
1 Financial Stability Board Principles for an Effective Risk Appetite Framework, 2013
1 PwC Risk Appetite Framework
In the aftermath of the financial crisis of 2008, and in response to standard-
setting guidance from the Financial Stability Board1 and other regulators,
financial institutions have renewed efforts to strengthen the risk appetite
framework (“RAF”) within their organizations. Both supervisors and financial
institutions agree that the RAF is an essential component of an effective risk
governance process.
The International Association of Credit Portfolio Managers (“IACPM”) and
PricewaterhouseCoopers LLP (“PwC”) jointly performed a study to understand
industry practices and challenges of developing, implementing, and enhancing
RAFs. The IACPM/PwC study surveyed 78 financial institutions across the globe,
making this the largest published study of RAF practices.
Surveyed institutions have made significant progress in developing and
implementing their RAFs, typically at the overall level of the enterprise.
Establishing the RAF has led to better risk awareness at all organizational levels
and enhanced internal understanding of a firm’s risk profile. Many institutions
have been motivated to enhance their RAFs to establish better alignment of
enterprise-level risk appetite with strategic goals. Institutions continue to pursue
this overarching objective with tighter integration of risk appetite into both
long-term business planning and day-to-day management decision making.
Notwithstanding the progress that has been made, many institutions also
acknowledged their RAFs have not yet adequately developed at the lower levels
of the organization where day-to-day decision making ultimately affects the
overall risk profile of the firm.
Other key observations from the study include:
• RAFs strengthen risk governance by integrating and leveraging separate
risk management elements in a holistic manner
• RAFs create a unifying platform to facilitate a common understanding of
different risk types across the organization
• Industry practices are markedly divergent with respect to operationalizing
different elements of the RAF and linking it to other governance,
management, and business processes.
 Risk Appetite Framework

Survey respondents continue to face many challenges in their continuing

efforts to develop and implement their RAFs. The top three challenges
facing surveyed institutions include:
• Effectively allocating risk appetite across the organization
• Incorporating risk appetite into decision making
• Articulating risk appetite through metrics and limits.

Most survey respondents viewed RAF implementation as more than a

regulatory exercise. While existing supervisory guidance has been helpful to
the industry, global institutions among those surveyed indicated they would
benefit from more consistency of expectations across different jurisdictions.
Survey respondents also seek additional clarity from supervisors with
respect to certain aspects of operationalizing the RAF.

Further evolution of industry practices will help institutions fully realize

the business benefits from the considerable investments being made in
establishing an effective RAF.

PwC Risk Appetite Framework 2

 Risk Appetite Framework
1. Introduction
Risk appetite is defined as the
aggregate level and types of risk a
firm is willing to assume within its
risk capacity to achieve its strategic
objectives and business plan.
­—Financial Stability Board, Principles
for an Effective Risk Appetite
Framework, 2013
Risk capacity is the maximum level
of risk the firm can assume before
breaching constraints determined
by regulatory capital and liquidity
needs and its obligations, also from
a conduct perspective, to depositors,
policyholders, other customers, and
shareholders.
­—Financial Stability Board, Principles
for an Effective Risk Appetite
Framework, 2013
2 Institute of International Finance Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions, 2011; Senior Supervisors Group Observations on Devel-
opments in Risk Appetite Frameworks and IT Infrastructure, 2010; Financial Stability Board Principles for an Effective Risk Appetite Framework, 2013; OCC Guidelines establish-
ing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches, 2014
3 PwC Risk Appetite Framework
In response to the 2008 financial crisis, several financial institutions
embarked on strengthening the risk appetite framework (“RAF”) within their
organizations. Both supervisors and financial institutions agree that the RAF is
an essential component of an effective risk governance process.
Since 2008, guidance on RAFs has been forthcoming from multiple sources,
including the Institute of International Finance (“IIF”), the Senior Supervisors
Group (“SSG”), the Financial Stability Board (“FSB”), and the Office of the
Comptroller of the Currency (“OCC”) in the United States.2
The International Association of Credit Portfolio Managers (“IACPM”)
and its members regularly perform in-depth studies of significant topics of
interest to the financial services industry. Based on strong industry interest
for additional information on RAFs, IACPM and PricewaterhouseCoopers
LLP (“PwC”) jointly undertook a study based on a survey of 78 financial
institutions, supplemented by interviews with 43 of the respondents. This
study was conducted from June to November 2014.
1.1 Objectives and scope of this study
IACPM and PwC undertook this extensive study to understand the practices and
challenges of financial institutions as they develop, implement, and enhance
RAFs. The objectives of this study included:
• Assessing progress in industry practices since the IIF and FSB published their
standard-setting RAF-related papers in 2011 and 2013, respectively;
• Developing a further understanding of the RAF components that survey
respondents viewed as most important or challenging to implement; and
• Describing institutions’ approaches to operationalizing RAFs, allocating risk
appetite, and integrating RAFs with day-to-day business decisions as well as
longer-term strategy formulation.
While more detailed information from this study has been provided separately
to the surveyed institutions, this abbreviated report outlines key observations
from the study, and provides detailed observations and insights in relation to the
following selected topics:
• Allocating risk appetite below enterprise level;
• Integrating the RAF with strategy and business planning; and
• Risk appetite statements and metrics.
 Non-GSIB
Risk Appetite Banks
Framework

1.2 Demographics Insurers

The study surveyed 78 banks and insurance companies across the globe,
making this the largest published study of RAF practices in the financial Development Banks
services industry. Throughout this report, we refer to participants as “surveyed
institutions,” or “survey respondents.” The surveyed institutions were typically
0 5 10
represented by individuals who have responsibility for developing and
implementing RAFs at the enterprise level within their respective organizations.
These individuals responded to a detailed questionnaire and a large number of
them also participated in follow-up interviews conducted by PwC.

Figure 1 provides the demographic profile of the 78 surveyed institutions. They

include 23 global systematically important banks (“G-SIBs”), 37 non G-SIBs, 10
insurers (four of which are global systematically important insurers or “G-SIIs”)
and eight supranationals or multi-lateral development banks.

Figure 1 - Demographic profile of surveyed institutions

Aus/Canada
G-SIBs 4 5 14 23 Other
Non G-SIBs 3 13 10 11 37 EU-Emea
US
Insurers 5 3 2 10 Asia
Development Banks 8

Asia US EU Australia/Canada Other

The information presented in this report is based solely on responses to the

survey questionnaire and follow-up interviews with the surveyed institutions.
While the IACPM and PwC exercised reasonable care in collecting, processing,
analyzing, and reporting the information furnished by surveyed institutions,
their responses were not independently verified, validated, or audited to further
establish the accuracy and completeness of the information provided. GSIB
Non-GSIB

GSIB
GSIB
Non-GSIB Banks Non-GSIB
Insurers
Dev Banks
Other

Aus/Canada
GSB
Other

Non-GSIB Banks EU-Emea

US

Insurers Asia

Development Banks

0 5 10 15 20 25 30 35 40 PwC Risk Appetite Framework 4

 Risk Appetite Framework
2. Key observations
Risk profile is defined as a point-in-
time assessment of an institution’s
net exposures (after taking into
account mitigants) aggregated
within and across each relevant risk
category based on forward looking
assumptions.
­—Financial Stability Board, Principles
for an Effective Risk Appetite
Framework, 2013
For the purpose of this study, ‘top-
level’ refers to the primary lines
of business within an institution
(e.g., investment banking and
capital markets, wholesale banking,
commercial banking, retail banking,
etc.). ‘Lower-level’ refers to business
lines or product lines within the
primary lines of business (e.g., credit
cards, residential mortgages, and auto
finance within retail banking).
5 PwC Risk Appetite Framework
2.1 Current state of progress with
respect to risk appetite frameworks
Six years after the financial crisis of 2008, most survey respondents consider
themselves to have established adequate or leading RAFs at the enterprise level.
However, significant work is needed to embed the RAF further into the organization
to encompass lower-level business lines and legal entities.
RAFs are generally well developed at the enterprise level
As shown in Figure 2 below, 60% of surveyed institutions characterized the
state of development of the RAF as either ‘leading’ or ‘highly developed’ at the
enterprise level within their respective firms. Only 20% of surveyed institutions
believed that the current state of their RAF development was less than adequate.
These responses reflected survey respondents’ self-assessed views of the state
of their RAFs. However, even survey respondents who indicated they have
a leading or highly developed RAF at the enterprise level continue to face
numerous challenges requiring future enhancements. Some firms continue to
remain less than fully aware of the current shortcomings of their respective
RAFs relative to those of other surveyed institutions. For most firms, further
development of their RAFs and full implementation across all relevant areas of
the organization will require sustained continued investment.
RAFs are less evolved at the business line level
The emphasis by regulatory bodies, including the FSB, on the need to allocate
risk appetite to business lines and legal entities has started to have an impact
on some survey respondents. A small percentage of the surveyed institutions
reported their RAFs as either ‘leading’ or ‘highly developed’ at the business line
level. These institutions have started to allocate risk appetite to business lines in
a manner consistent with enterprise-level strategic business objectives and risk
appetite. As a result, business line strategies and decision making have resulted
in risk profiles that are more aligned with the risk appetites of these institutions.
Figure 2 shows that 40% of surveyed institutions acknowledged that their RAFs
at the top-level business lines required further development. When assessing
the maturity of their RAFs at the lower-level business lines, 60% of surveyed
institutions believed that their RAFs were less than adequate. The state of RAF
development was also less mature at legal entity levels for an overwhelming
majority of the surveyed institutions. This is not surprising since the prevailing
management hierarchy for financial institutions continues to be business lines
rather than legal entities. The lack of progress in this area also reflects the
survey respondents’ skepticism of the benefits of articulating risk appetite at
the legal entity level even though other regulatory initiatives such as resolution
planning have continued to raise the importance of taking the legal entity view.
 Risk Appetite Framework

Figure 2 – Current state of risk appetite framework development3

0 50 100%

Enterprise Leading
Highly developed
Top-level Adequate
business line Some or no progress

Lower-level
business line

Credit risk

Non-credit risk

Legal entity

2.2 Benefits of risk appetite

GSIB
framework development GSIB
Non-GSIB
Non-GSIB Banks
Integrating risk appetite into long-term business planning
Insurers and day-to-day GSIB
management decision making was the top motivator Devfor the majority of
Banks
Other Non-GSIB
surveyed institutions.

A majority of surveyed institutions were motivated to develop and implement

their RAFs for reasons other than complying with supervisory expectations.
RAFs have led to better risk awareness at all organizational levels and enhanced
internal understanding of risk profiles. This is an encouraging development for
the industry as a whole since current supervisory expectations are increasingly
0 10
motivated by policy imperatives to strengthen the financial services sector
20 30 40 50 60 70 80 “We 80
plan to invest
0 10 20 30 40 50 60 70
rather than merely seeking rules-based compliance. heavily in developing and
Other NA
implementing a robust RAF
Figure 3 shows the key drivers thatDev
were most frequently cited by survey
Banks in the next few years. By
Developing
respondents for the ongoing development and implementation of their RAFs. the time we complete our
Insurers EU/EMEA the
journey to implement
RAF, we are targeting to be a
Non-GSIB
Figure 3 - Most important risk appetite framework Banks
motivators US
leader amongst our peers in
GSIB this respect.”Australia/Canada
0 50 100% — Survey respondent
Influence strategy and Asia
business planning 94

Strengthen risk governance 60

Satisfy regulatory requirements 33

Establish unified framework

to assess different risk types 15

3 Credit risk has been displayed separately due to the relative maturity of this risk type across surveyed institutions. Other financial and non-financial risk types
(e.g., market risk, operational risk, reputational risk, etc.) have been grouped together as “non-credit risk types”.

PwC Risk Appetite Framework 6

 Risk Appetite Framework
“At a minimum, the increased
collaboration between
departments may allow the
firm to respond more quickly
to mitigate risk during
future crises.”
— Survey respondent
7 PwC Risk Appetite Framework
The RAF adds both risk and return considerations to
strategy formulation and business decision making
Many surveyed institutions benefited from aligning risk appetite with strategic
goals by explicitly incorporating both risk and return considerations into
strategic and tactical business decision making. This alignment of strategic
objectives and associated return targets within an institution’s desired and
actual risk profile augments the traditional enterprise risk management
(“ERM”) framework that has been in place at many of the surveyed institutions
for several years.
Most survey respondents have completed one or more annual cycles of
developing and/or refreshing their risk appetite statement(s) and obtaining
requisite board approvals. The periodic reassessment of risk appetite has begun
to provide valuable context for evaluating new strategic initiatives as well as
more tactical decisions. In some firms, business lines have shown an increased
sense of risk ownership from being able to provide input to risk targets in a
manner that is consistent with their organization’s overall risk appetite.
The RAF strengthens risk governance by
integrating and leveraging separate risk
management elements in a holistic manner
Surveyed institutions believed that the RAF had enhanced risk governance
at different levels within their organizations and cited this as a motivator for
embarking on the further development of their RAFs. Some survey respondents
mentioned that they viewed the RAF as a platform for connecting different
risk management elements such as risk policies, ERM, risk limits, economic
capital (“EC”), and stress testing into a single unified framework that reinforced
consistency.
The RAF enables all relevant
stakeholders to evaluate their decisions
Survey respondents indicated that by setting up more formalized processes
to implement the RAF, institutions were able to facilitate and promote inter-
departmental or cross-functional collaboration around analysis and decision
making relating to enterprise objectives, risk appetite, risk profile, risk
management and risk/return optimization. Undertaking the development
of effective RAFs had also helped to foster collaboration and sharing of
management information across functional units of an institution. Some
interviewees said that the RAF led to more proactive, firmwide involvement in
risk assessment than traditional ERM because the RAF required stakeholders to
consider risk in their daily business decisions and activities.
The RAF creates a unifying framework to facilitate common
understanding of different risk types across the organization
Some survey respondents viewed the RAF as a single platform where a
comprehensive array of quantifiable and non-quantifiable risk types were
expressed in unified terms against the same strategic plan and measured with a
consistent set of tools. This consideration was a driver behind efforts to further
enhance their RAFs. Survey respondents have increased the comprehensiveness
of risk types and associated risk metrics covered within their respective RAFs.
 Strengthening risk management 60

Satisfying regulatory requirements 33

Risk Appetite Framework
Establish unified framework to assess different risk types 15

2.3 Common challenges

Improving IT and data quality 0

The main challenges facing surveyed institutions include effectively allocating risk
appetite across the organization, integrating risk appetite into decision-making,
and articulating risk appetite through metrics and limits.

Despite going through the evolution of RAF development and implementation

over a period of 3-4 years, many surveyed institutions recognized that they have
not yet fully realized all benefits of their RAFs. Although significant progress has
been made, most survey respondents acknowledged that they continue to face
challenges in effectively implementing RAFs, as shown in Figure 4.

Figure 4 – Most frequently cited challenges

0 20 40 60 80%
Mechanism to allocate risk appetite 68
Integration of risk appetite into
decision making process 65

Expression of risk appetite 56

Methodology to integrate risk
appetite and stress testing 15

Inadequate information systems 14

Lack of risk culture 10

Supervisory expectations 9
make RAF bureaucratic
Lack of board support 5
Lack of effective 1
communication

The challenges faced by the surveyed institutions are summarized below and
mechanism to cascade risk appetite
further elaborated in subsequent sections of this paper. integrate of risk appetite into decision making process
express risk appetite
integrate with stress testing
1. Embedding the RAF into an organization Inadequate information system
lack of risk culture
Defining the best approach to allocate risk appetite below the enterprise level regulatory requirements drives RAF to become
into the broader organization is a major challenge for survey respondents. The bureaucratic
lack of board support
wide range of concerns cited by survey respondents included number of metrics lack effective communication

used, choice of appropriate metrics tailored to individual business lines, choice

of methodology to allocate enterprise risk appetite, sequence for allocating risk
appetite, and number of levels below the enterprise level for embedding risk
appetite, as discussed in Section 3. Some survey respondents also mentioned
that an overly structured and detailed approach to risk appetite allocation,
calibration, and monitoring can be inefficient from a cost-benefit perspective.

2. Integrating risk appetite considerations

into long-term business planning
Both interviews and survey responses confirmed that there is a need for further
integration of risk appetite into long-term business planning and day-to-day
business decision-making. Challenges included asynchronous timing of existing
processes such as strategic planning, financial budgeting, and stress testing,
along with unclear definition of roles and responsibilities and inadequate
coordination among various stakeholders. Section 4 provides a more detailed
review of this challenge and associated lessons learned by the surveyed
institutions.

PwC Risk Appetite Framework 8

 Risk Appetite Framework
“I pretty much agree with
everything the regulator
requires.”
“FSB 2013 propelled
the RAF to be owned by
the board, elevating
the urgency to improve
this aspect of risk
management.”
— Survey respondent
“I cascade risk appetite
to business lines and risk
type. Further slicing and
dicing my risk appetite
to legal entities is
unnecessary and does not
add any value.”
“I am waiting to see if I
really need to cascade RAF
to frontline officers. What
does this mean anyway?”
— Survey respondent
9 PwC Risk Appetite Framework
3. Articulating risk appetite
Articulating risk appetite and recording it in a well-written risk appetite
statement that is understood consistently by all stakeholders remains a
challenge. Section 5 discusses industry practices and highlights diverging
approaches with respect to types of metrics, the mix of qualitative statements
and quantitative metrics, and appropriate analytics for calibrating risk buffers.
In addition to the three primary challenges outlined above, the study revealed
the challenges below.
Adequacy of other RAF elements
Successful implementation of the RAF is enabled by reliable data, appropriate
analytics, strong risk culture, and effective risk policies. Survey respondents
consistently cited that limitations related to data and models prevented
aggregation and pivots of information for viewing through different lenses.
Additionally, the analytics for calibrating risk appetite metrics for use at
different levels or dimensions within the organization were also an area of
continuing effort.
Figure 4 suggests that only a few survey respondents indicated that weaknesses
in risk culture and lack of support from key stakeholders were remaining
challenges for implementing effective RAFs. This is an encouraging indicator
of the emergence of stronger risk culture and better intra-organizational
coordination across risk management, finance, treasury, business planning, and
business lines.
Supervisory expectations
Survey respondents appreciated the FSB guidance that established board and
senior management roles and responsibilities along with the general principles
for effective RAFs. However, the surveyed institutions cited a preference for
more details in certain aspects of the guidance such as the end goal of allocating
risk appetite to legal entities, and effective reconciliation of top-down risk
appetite with bottom-up perspectives. In addition, survey respondents from
large global institutions believed that better coordination among various
national supervisors could result in more consistent guidance on RAF standards
across the various jurisdictions of their operations.
Notwithstanding this stated preference for more guidance in certain areas,
survey respondents also believed that granular supervisory expectations may
be viewed as prescriptive, limiting necessary flexibility for successful RAF
implementations.
 Risk Appetite Framework

3. Allocating risk appetite

The approach for allocating risk appetite varied widely across surveyed
institutions and was driven by multiple factors, including the complexity of the “Setting the firmwide risk appetite
business mix and the maturity of the RAF. is the first step; the aggregate risk
appetite has to be allocated to the
firm’s business lines, legal entities
Survey respondents faced challenges in understanding effective ways to allocate
and down to all relevant levels, which
risk appetite beyond the enterprise level. Some typical concerns were: need to align with the firm’s strategic
• Where should the risk appetite be allocated (e.g., among business lines, legal and business plans”
entities, or risk types)?
­—Financial Stability Board, Principles
• How far below the enterprise level should risk appetite be allocated? for an Effective Risk Appetite
Framework, 2013
Sections 3.1 through 3.4 below highlight practices reported by the survey
respondents in these areas.

3.1 Allocating risk appetite

below enterprise level
Survey respondents reported a range of practices for allocating risk appetite
below the enterprise level.4 FSB guidance recommends allocating risk appetite
to business lines and legal entities. In practice, more than 80% of surveyed
institutions allocated risk appetite to either top-level business lines, risk types,
or both, as outlined in Figure 5.

Reluctance to allocate risk appetite to lower-level business lines and to legal

entities is prevalent, with only 50% of surveyed institutions allocating risk
appetite to lower-level business lines, and only 38% to legal entities. Survey
respondents acknowledged that they had not allocated risk appetite beyond the
top-level business lines or risk types for many reasons, including absence of clear
understanding of the end goal, insufficient familiarity with RAFs at lower levels
of the organization, and lack of relevant data and analytics for calibrating and
monitoring risk appetite metrics.

Figure 5 – Allocating risk appetite below the enterprise level

0 50 100%
Risk types 92
Top-level business lines 84
Lower-level business lines 51
Regions 51
Countries 45
Legal entities 39

4 Some industry practitioners use the terminology “cascading risk appetite” as an alternative to “allocating risk appetite” to describe how both quantitative measures and quali-
tative statements of risk appetite are expressed below the enterprise level to other dimensions such as business lines, risk types, product lines, and legal entities, such that risk
appetite considerations are embedded into the strategic and tactical decision making.

PwC Risk Appetite Framework 10

 Risk Appetite Framework

3.2 Determining level of allocation

below enterprise level
Surveyed institutions also have allocated risk appetite to varying levels within
the organization. As shown in Figure 6, a significant majority allocated risk
appetite to at least two levels below the enterprise level: 97% allocated to one
level below, 72% allocated to two levels below, 42% allocated to three levels
below, and only 10% went as far as four levels below the enterprise level. Two
surveyed institutions did not allocate risk appetite below the enterprise level.

Figure 6 – Highest number of levels of allocation below enterprise level

0 50 100%
1 97

2 72

3 42

4 10

3.3 Different sequences

for risk appetite allocation
As institutions continue to enhance their RAFs, some survey respondents
mentioned that using a single sequence for allocating risk appetite did not
provide sufficient flexibility to implement a robust RAF. To ensure that each
decision was viewed through different prisms, some institutions used more than
one sequence for allocating risk appetite below the enterprise level. Figure 7
illustrates two representative approaches: one that allocated risk appetite in a
single sequence, and another that used multiple sequences.

Survey results showed that 0 73%

10 percent
20 30 of surveyed
40 50 institutions
60 70 80relied on more
Influence strategic than onebusiness
long term sequence for risk appetite allocation. In general,
planning 62 as an institution’s risk
appetite framework matures, risk appetite tends to be allocated using multiple
Integration into the day to day management decision making 42
sequences.
Satisfying regulatory requirements 34

Influence business planning 31

Establish unified framework to assess risk and return trade offs 31
Further developing and embedding risk culture 27
Strengthen risk monitoring framework 26

Integrating stress testing into RAF 19

Establish unified framework to assess different risk types 14

11 PwC Risk Appetite Framework

 Risk Appetite Framework

Figure 7 – Sequences for allocating risk appetite FSB guidance confirms the importance
of accounting for bottom-up
Primary sequence Primary & supplemental sequences information while risk appetite is
allocated:
Enterprise Enterprise “RAF should be driven by both top-
down board leadership and bottom-
up involvement of management
at all levels, and embedded and
Top-level Top-level Risk types understood across the financial
business line business line institution.”
“Financial institutions and supervisors
should check that the ‘top-down’
Lower-level Lower-level Top-level risk appetite is consistent with the
business line business line business line ‘bottom-up’ perspective through,
for example, employee surveys,
independent reviews, and internal
reporting.”
­—Financial Stability Board, Principles
25% 73% for an Effective Risk Appetite
Framework, 2013

3.4 Top-down versus bottom-up approach

Supervisors and surveyed institutions agree that risk appetite should be
0 10 20 30 40 50 60 70 80
formulated in a top-down manner. As outlined in Figure 8 below, 73 institutions
used the top-down approach and only four institutions used a bottom-up
approach to allocate risk appetite.

As lower levels of the organization become more conversant with addressing

risk appetite considerations in their decision making, bottom-up approaches,
in which lower-level business lines play a more active role in informing risk
appetite, were more likely to be adopted. According to the survey, eighteen
of the 73 firms that used the top-down approach supplemented their primary
Bifurcation of
allocation with bottom-up information (please refer to Figure 7 for an cascade at
illustration of primary and supplemental risk appetite allocation sequences). level 2

As the implementation of RAF in business lines matures and as risk cultures

develop further, surveyed institutions indicated they were more likely to
incorporate information from lower levels of their organizations to help refine
the top-down risk appetite set by the board and senior management.
Secondary or tertiary cascade waterfall adopted
Figure 8 - Allocation approaches5

4
18
73
39

Primary Supplemental

Top-down Bottom-up

5 One survey respondent did not answer this question

PwC Risk Appetite Framework 12

 Risk Appetite Framework

3.5 Risk appetite allocation examples

Figure 9 illustrates a range of risk appetite allocation sequences implemented
by a representative sample of surveyed institutions. Each row in the figure
represents an institution, while each column (level) represents the sequence in
which risk appetite is allocated according to each institution’s preferences. As
shown in the figure, there is no dominant sequence for allocating risk appetite
below enterprise level across the surveyed institutions.

Figure 9 – Sequences by which risk appetite is allocated for an illustrative sample of 16 G-SIBs

Level 0 Level 1 Level 2 Level 3 Level 4

Allocate from
enterprise to
risk types

Allocate from
enterprise to
top-level
business lines

Allocate to
two levels only

Primary and
supplemental
sequences

Bottom-up
allocation

Enterprise Risk types Legal entities Top-level business lines

Products Regions Countries Lower-level business lines

13 PwC Risk Appetite Framework

 Risk Appetite Framework

4. Integration of risk appetite

framework with relevant
business processes
As discussed in Section 2.2, influencing strategic planning and day-to-day
decision making is cited as the top objective underlying the development and “The RAF should be aligned with the
implementation of RAFs. This is consistent with the FSB guidance. business plan, strategy development,
capital planning and compensation
schemes of the financial institution.”
While the alignment of the RAF with business plan, strategy development,
capital planning, and compensation schemes is critical to the implementation ­—Financial Stability Board, Principles
for an Effective Risk Appetite
of an effective RAF, interviews with survey respondents suggest that they have
Framework, 2013
succeeded in linking their RAFs to only a limited number of these areas. The
implementation of the RAF should be as broad as possible, with risk appetite
considerations woven into all relevant aspect of the firm including risk-related
activities that are less visible (e.g., new product approvals, client onboarding,
transaction suitability, incentives). These broad linkages will help to truly
embed the RAF into the organization at all levels—in the executive suite and
among junior employees, across the enterprise and within business lines, when
formulating strategy and in making day-to-day decisions, through both an
external perspective and internal lens, for line units as well as staff functions,
while taking the long view and also in the short term—and help improve risk
culture within the institution.

4.1 Involvement of risk

appetite framework stakeholders
When asked about the degree of integration and coordination across various
departments relevant to the RAF, survey respondents consistently indicated
that observed levels of involvement with strategy and business planning
departments were less than ideal. This was corroborated by the survey findings,
which revealed that in 75% - 85% of the surveyed institutions, business
planning personnel had either no involvement or limited involvement in RAF
development, implementation and monitoring, as shown in Figure 10.

Generally, all survey respondents interviewed believed that active participation

of top-level business line management in RAF decision making is desirable, but
the extent of current involvement needed improvement. Numerous surveyed
institutions stated they have concrete plans to better integrate business line
management into the RAF in the near future. As shown in Figure 10, in 40%–
50% of the surveyed institutions, top-level business line leaders were not key
participants in RAF development, implementation and monitoring.

PwC Risk Appetite Framework 14

 Risk Appetite Framework

Figure 10 - Roles and responsibilities of risk appetite framework participants

CRO CFO Treasury Strategy and Top-level

14 business planning business lines
Approve and calibrate 1
53 20 15 32 15 16 6 32 21 24 14 13 25 39 7 32 25 14
metrics and limits—
2
Implement RAF— 51 16 56 8 30 18 22 26 23 23 17 26 33 8 37 18 15
Monitor risk profile
55 16 9 34 17 18 16 26 15 21 14 27 36 14 34 20 10
and risk limits— 1
43
Owner Key participant Limited involvement No involvement

4.2 Synchronizing planning cycles

Over time, many institutions have developed processes, run by different
corporate functions, for strategic planning, capital and liquidity planning,
financial forecasting/budgeting and more recently, risk appetite formulation.
These processes often operate on different calendar cycles, some driven by
deadlines for financial reporting, others by regulatory filings. Many survey
respondents said that synchronizing these cycles was critical for effectively
integrating risk appetite considerations into business decision making. However,
survey respondents also cautioned that synchronizing plans involved significant
operational challenges as well as longer planning cycles to allow time for
gathering and reconciling the opinions of additional stakeholders. This practical
challenge has led some owners of these planning processes to resist efforts to
align their planning cycles.

A few survey respondents mentioned that as risk culture improved and business
lines started taking more ownership of risk, their business plans increasingly
incorporated risk appetite considerations. Consequently, their business plans
were better aligned with top-down risk appetite, enabling reconciliation of
enterprise and lower level perspectives.

Figure 11 is an illustrative example of the approach adopted by some survey

“After discussing risk
appetite with other firm
participants for a few
years, business lines are
able to submit a better
thought-out plan.”
— Survey respondent
respondents for synchronizing risk appetite assessment with the existing
business planning cycle. Business planning is preceded by top-down
communication of business strategy as well as risk appetite, perhaps as only a
broad, qualitative expression in the early stages. The business planning process
then proceeds as follows:
• Business plans of lower-level business lines are aggregated and shared upward
for use by senior management to assess consistency with enterprise risk
appetite
• Senior management at the enterprise level and top-level business lines
synchronize their efforts in an iterative process to create an appropriate
capital plan and liquidity plan
• To assess whether the business plan and associated capital and liquidity
plans are consistent with the institution’s risk appetite, the risk profile and
risk capacity are measured via stress testing and economic capital applied to
the same proposed business plan iteratively until the different plans are in
alignment with each other and the enterprise-level risk appetite.

15 PwC Risk Appetite Framework

 Risk Appetite Framework

This detailed planning process at the enterprise and top-level business lines
provides feedback to all levels of the institution. In each of the steps
shown in Figure 11, feedback is used to help fine-tune business plans and
associated capital and liquidity plans to better meet the institution’s business
and risk strategies.

Figure 11 - Integration of the risk appetite framework into existing business planning process

Risk
appetite Board and senior management
statement

1 2 3
RAF at the enterprise level
Top-down
business Strategy and business planning
goals Risk appetite assessment
Bottom-up -Scenario generation
Iterative
business -Risk profile measurement
adjustments
plan -Risk capacity measurement
Top-down -Refinement of risk appetite
risk Confirmation of risk limits
appetite Capital and liquidity plans

RAF at top-level business lines

RAF at lower-level business lines

Success requires persistence—one large G-SIB had to undertake multiple

attempts before successfully synchronizing RAF-related work flows across all its
functional teams and processes. Separately, many survey respondents
mentioned that the Internal Capital Adequacy Assessment Process (“ICAAP”)
and Comprehensive Capital Analysis and Review (“CCAR”) requirements have
magnified the need for synchronizing various planning cycles.

PwC Risk Appetite Framework 16

 Risk Appetite Framework
5. Risk appetite
statements
and metrics
“The articulation in written form of
the aggregate level and types of risk
that a firm is willing to accept in order
to achieve its business objectives. It
includes qualitative statements as well
as quantitative measures expressed
relative to earnings, capital, risk
measures, liquidity and other relevant
measures as appropriate. It should
also address more difficult to quantify
risks such as reputation and money
laundering and financing of terrorism
risks, as well as business ethics and
conduct.”
­—Financial Stability Board, Principles
for an Effective Risk Appetite
Framework, 2013
17 PwC Risk Appetite Framework
While there is broad agreement on the principle of developing a risk appetite
statement (“RAS”) to articulate the firm’s risk appetite, in practice, the content
of an RAS can be widely diverse in terms of (a) balancing qualitative and
quantitative components, (b) risk types included in the RAS, and (c) appropriate
metrics that describe the risk appetite at both the enterprise level and other
dimensions.
5.1 Mix of qualitative and
quantitative factors
Consistent with the FSB guidance, survey respondents broadly agree that both
quantitative metrics and qualitative descriptions are essential components of an
effective RAS. As shown in Figure 12, a majority of respondents, around 80%,
used a combination of quantitative metrics supported by qualitative statements
at the enterprise and top-level business lines. Three survey respondents used
just quantitative expressions of risk appetite in their RAS across all levels of the
organization.
At the enterprise level, surveyed institutions appear to have converged on two
broad types of RAS. One group used a condensed form of RAS with high-level
qualitative statements and 5-10 firmwide quantitative targets relating to risk
concentrations, earnings, capital and liquidity, and return/risk measures. As
shown in Figure 12, about half of the survey respondents only used such high-
level measures. The second group also included a number of additional metrics
broken out by risk types and business lines in the RAS. Figure 12 shows that 33%
of firms expressed a detailed set of qualitative outcomes as well as quantitative
measures in their RAS at the enterprise level. Survey respondents that used
this combination also relied increasingly on quantitative metrics to allocate risk
appetite below the enterprise level into lower-level business lines.
Figure 12 – Qualitative vs. quantitative nature of risk appetite statement at various levels
62%
49%
45%
33% 33%
26%
19%
13%
7%
1%
0% 0%
Only Combination of Combination of Only a qualitative
quantititative high-level detailed quantitative indicator of preferred
outcomes quantititative and and qualitative outcomes
qualitative outcomes outcomes
Enterprise level Top-level business lines Lower-level business lines
 Risk Appetite Framework

Figure 13 illustrates the components of an enterprise RAS based on a composite

of practices followed by survey respondents. It describes the four typical
components of an enterprise RAS. Most survey respondents use some or all
of these components in varying degrees based on specific preferences of each
institution.

Figure 13 - Enterprise-level risk appetite statement components with categories of metrics and
some sample metrics

A. High-level qualitative statements

• Scope of RAS A.
• Linkage to mission statement and core values Qualitative description of
• Goals in areas such as strategic business intent, capital adequacy, liquidity, guiding principles related to
desired risk profile, reputation, and enterprise capabilities the firm’s risk appetite
• Key risks in relation to strategy and core businesses

B. Enterprise-wide common quantitative metrics

B.
Consistent articulation of
Risk Earnings Capital and Return /risk quantitative risk and return
concentrations liquidity measures metrics for aggregation and
allocation to business lines
and risk types
C. Qualitative guidance & quantitative metrics by risk type

Credit Market Liquidity & funding Operational

Limits, product mix, Limits, product mix, Limits, sources and Efficiency, resilience,
profitability, periodic profitability, periodic uses, cost efficiency key indicators
recalibration recalibration
C.
Metrics specific to risk
Business Reputation and Regulatory and types or business lines
Long-term viability, conduct compliance
sustainability, Core values, Supervisory
stakeholder, customer-centric expectations,
confidence business conduct, laws and regulations
corporate social
responsibility

D.
D. Each qualitative guidance and quantitative metric can have multiple Metrics expressed in
dimensions such as under normal and stressed environments multiple dimensions

5.2 Risk types to be included in the RAS

Survey respondents generally agreed with supervisory expectations that promote
a comprehensive view of the enterprise’s risk exposures. Traditional quantifiable
risk types (e.g., credit risk, market risk, funding and liquidity risk, and
operational risk) are typically the first to be included in the RAS. Many survey
respondents mentioned recent active efforts to include less quantifiable risk types
(e.g., business risk, reputation and conduct risk, regulatory and compliance)
driven both by supervisory expectations and expanded risk awareness within
their institutions.

In the case of less quantifiable risk types, the RAS typically reflected related
policies and qualitative guidelines. However, there is an increasing trend to use
proxy metrics, where available. For instance, many survey respondents quantify
reputational risk using proxies such as brand health, customer-centric metrics,
and employee satisfaction surveys.
PwC Risk Appetite Framework 18
 Risk Appetite Framework

Figure 14 shows that survey respondents tend to describe more risk types in the
RAS at the enterprise level and for top-level business lines and address fewer
risk types within lower-level business lines and legal entities. This is intuitive
since many risks, particularly the less quantifiable types, are more appropriately
managed at higher levels within the organization.

Figure 14 – Number of risk types covered in risk appetite statement at various organization levels

Enterprise Top-level business lines Lower-level business lines Legal entity

0 20% 0 25% 0 20% 0 30%
13 7 13 1 13 5 13 3
12 9 12 6 12 0 12 0
11 7 11 4 11 5 11 5
10 20 10 9 10 8 10 5
9 16 9 12 9 0 9 3
8 9 8 9 8 13 8 3
7 13 7 10 7 13 7 26
6 4 6 21 6 8 6 15
5 12 5 12 5 16 5 21
4 0 4 7 4 7 4 8
3 1 3 1 3 18 3 3
2 1 2 1 2 0 2 0
1 0 1 4 1 11 1

5.3 Choice of specific metrics

As shown in Figure 15, there is a wide range of binding metrics used by survey
respondents across various levels of their institutions. While stress testing-driven
regulatory capital requirements are the top binding metric at the enterprise
and legal entity levels for around 68% of institutions, it is applied as a binding
constraint at the business line levels for approximately 25% of institutions.
Heightened regulatory capital requirements, driven by various regulations such
as Comprehensive Capital Analysis and Review and Basel III, have led many
surveyed institutions to emphasize regulatory capital in their RAS.

Despite less emphasis by regulators on economic capital, it continues to be an

important metric for many survey respondents at various levels, as outlined in
Figure 15. During interviews, survey respondents cited the following reasons for
continued inclusion of economic capital in RAS:

• Economic capital is entrenched in risk management practice: For many

survey respondents, economic capital is still a significant component of risk
quantification and management. Hence, crafting an RAS with economic
capital metrics makes it easy to allocate risk appetite across the organization.
• Aggregation and allocation of risk: A number of survey respondents said
that economic capital is still the most effective way to allocate risk across
businesses. A few firms cited economic capital as an effective means to
aggregate credit, market, and operational risks. Funding and liquidity risks
are yet to be widely incorporated in economic capital approaches.
• Diversification benefits: Many institutions still consider economic capital to
be the favored methodology for modeling correlations between various asset
classes, risk types, sectors, and regions.

19 PwC Risk Appetite Framework

 Risk Appetite Framework

Figure 15 – Top binding constraints for risk appetite statements at various organizational levels
Enterprise Top-level business lines
0 80% 0 80%
Regulatory capital Concentration limits
Concentration limits Economic capital
Economic capital VaR
Earnings volatility
RWA
Stress testing capital
ROE Regulatory capital
Internal/external ratings Expected loss
RWA Earnings volatility
VaR Growth measures
Expected loss ROE
Growth measures RAROC
RAROC
Internal/external ratings
Provisions
Liquidity Provisions
Cost of risk Stress testing capital
EPS Cost of risk

Lower-level business lines Legal entity

0 80% 0 80%
Concentration limits Regulatory capital
VaR Concentration limits
Economic capital
Institutions might choose to express
RWA
RWA a set of metrics for business lines
Growth measures
VaR that are different from those used
Expected loss
ROE at the enterprise level. Finding an
Economic capital
Earnings volatility optimal methodology for translating
ROE
Stress testing capital enterprise-level metrics to metrics
Regulatory capital
Growth measures tailored for business lines and lower
Provisions Expected loss
Earnings volatility
operating units is a challenge for many
RAROC surveyed institutions. To illustrate, a
RAROC Internal/external ratings
Cost of risk lower-level business line originating
Provisions
Internal/external ratings residential mortgages might need to
EPS
Stress testing capital Cost of risk understand how regulatory capital,
RWA, and economic capital relate
to more detailed risk metrics such
As a subset of respondents, G-SIBs cited their top 5 binding constraints at the as FICO scores, concentration limits
enterprise level to be regulatory capital, risk weighted assets (“RWA”), earnings by mortgage types (such as fixed or
volatility, concentration limits, and stress testing capital. adjustable, by region or by borrower
quality), and net interest income.
Converting enterprise-level metrics
to business line-level metrics is
necessary to prevent institutions
from unknowingly taking excessive
risk or failing to optimize risk versus
return. If institutions are unable to
translate their metrics appropriately,
an alternative approach may be
to communicate a qualitative risk
appetite to lower-level operating units
and rely on upper-level business line
and risk management staff to monitor
alignment with risk appetite.

PwC Risk Appetite Framework 20

 Risk Appetite Framework

6. Conclusion

Both financial institutions and supervisors agree that the RAF is an essential
component for effective risk governance. Surveyed institutions are at different
stages of maturity in the development and implementation of their RAFs. Industry
practices are markedly divergent with respect to operationalizing different
elements of the RAF and linking it to other governance, management, and business
processes. However, there is industry convergence with RAFs becoming more
evolved at the enterprise level. Less encouragingly, even six years after the financial
crisis, more than a third of survey respondents acknowledge that their RAFs are
not adequately developed at the lower levels of the organization where day-to-day
decision making ultimately affects the overall risk profile of the firm.

Developing and implementing an effective RAF does not require institutions to

develop an entirely new set of processes and practices. Instead, institutions should,
wherever possible, leverage and strengthen existing capabilities that are used to
manage the enterprise. Successful implementation of the RAF is enabled by strong
risk culture, effective risk policies, appropriate analytics, and reliable data. Firms
need to continue making investments to enhance both the analytics and data
required for calibrating risk appetite metrics for different organizational and risk
dimensions.

Allocating risk appetite below the enterprise level is challenging, varies widely
across institutions, and is driven by multiple factors, including complexity of
business mix and maturity of the RAF. Consequently, surveyed institutions have not
coalesced on practices for cascading risk appetite down throughout the enterprise.
However, some institutions appear to be making a concerted effort to extend their
risk appetite allocation approaches to include different organizational hierarchies,
more risk types, and feedback between top-down and bottom-up perspectives.

Converting enterprise-level metrics to business line-level metrics is necessary to

prevent institutions from unknowingly taking excessive risk or failing to optimize
risk and return. If institutions are unable to translate higher-level quantitative
expressions of risk appetite to lower-level business lines, they should consider using
more qualitative articulations while ensuring that business line management is
monitoring ongoing alignment with enterprise risk appetite.

21 PwC Risk Appetite Framework

 Risk Appetite Framework

Importantly, survey respondents view RAF implementation as more than a

regulatory exercise. This is an encouraging development for the industry as a
whole since current supervisory expectations are motivated by policy imperatives
to strengthen the financial services sector rather than merely seeking rules-
based compliance. The surveyed institutions appreciate the FSB guidance, which
established board ownership of the RAF and laid out general principles for effective
RAFs. However, survey respondents also cite a preference for more detail around
supervisory expectations for extending the RAF to legal entities and reconciling
top-down risk appetite with bottom-up perspectives. In addition, global institutions
believe that coordination among various national supervisors can result in more
consistent guidance on RAF standards.

Given the current and anticipated attention given to RAFs by the industry and
supervisors, we expect to see significant developments in the coming years. The
implementation of the RAF should be as broad as possible, with risk appetite
considerations woven into all relevant aspects of the firm. These broad linkages
will help to fully realize the benefits of an effective RAF and improve risk culture,
sustain the enterprise over the long-term, and strengthen institutional resilience in
times of crisis.

PwC Risk Appetite Framework 22



Risk Appetite Framework

23 PwC Risk Appetite Framework

 Risk Appetite Framework

Contacts
PwC IACPM

Eva Chan Som-lok Leung

Director Executive Director
[email protected] [email protected]
+1 646 471 3465 +1 646 289 5434

Michael Alix Marcia A Banks

Principal Associate Director
[email protected] [email protected]
+1 646 471 3724 +1 646 289 5432

Shyam Venkat Juliane Saary-Littman

Principal Research
[email protected] [email protected]
+1 646 471 8296 +1 646 289 5433

Zubin Mogul
Managing Director
[email protected]
+1 646 471 6761

Acknowledgements
We would like to thank the following individuals for their contributions:
Brian Wille, Kunal Rajani, Marc-Albert Michaud, Matthew Small, Miguel Saez,
Rashmi Jain, Seth Hunter and Sicong Song.

PwC Risk Appetite Framework 24

www.pwc.com/risk

PricewaterhouseCoopers LLP has exercised reasonable care in the collecting, processing, and reporting of this information but has not inde-
pendently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers LLP gives no
express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use and shall not
be liable to any entity or person using this document, or have any liability with respect to this document.

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm,
and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure <www.pwc.com/
structure> for further details. This document is for general information purposes only, and should not be used as a substitute for consultation with
professional advisors.