View
225
Download
5
Category
Preview:
Citation preview
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
1/80
June 2011
IMPLEMENTING ROBUST RISK APPETITE FRAMEWORKS TOSTRENGTHEN FINANCIAL INSTITUTIONS
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
2/80
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
3/80
June 2011
IMPLEMENTING ROBUST RISK APPETITE FRAMEWORKS TOSTRENGTHEN FINANCIAL INSTITUTIONS
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
4/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
i
THE FINANCIAL CRISIS DEMONSTRATED CLEARLY THAT AN EFFECTIVE RISK APPETITE
FRAMEWORK (RAF) IS A CRUCIAL COMPONENT OF SOUND ENTERPRISE-WIDE RISKMANAGEMENT. ACCORDINGLY, BOTH THE FINANCIAL SERVICES INDUSTRY AND THE
REGULATORY COMMUNITY ARE DEVOTING A GREAT DEAL OF ATTENTION TO THIS
ESSENTIAL GOVERNANCE TOOL.
The Board of Directors of the IIF and the SteeringCommittee on Implementation (SCI) are pleased to presentthis Report to the international financial community. As isclear from the Report and its annexes, there is widespreadrecognition of the intrinsic importance of developingand implementing robust risk appetite frameworks, andtangible progress is being made in this by a number of firms.
However, despite solid motivation to get this right, thechallenges are complex and this is still very much ‘work inprogress’ for many.
This Report highlights a number of the specific challengesfaced by the industry in the implementation of soundRAFs. Drawing on real-life case studies, the results of acomprehensive industry survey and in-depth interviews,the Report brings industry expertise and experience to bearon examining how these challenges have been successfullyaddressed in a number of leading firms. In doing so, thereport seeks to identify emerging sound practice as itapplies to the key stages in the journey towards establishinga sound risk appetite framework.
The key objective of this Report is to offer insights andspecific practical recommendations for the differentstakeholders involved in designing and implementing arobust and meaningful risk appetite framework. In addition
to highlighting emerging good practice this Report is alsooffered as the basis for a constructive dialogue with theglobal supervisory community on this important issue.
The Institute is grateful to member firms for thecommitment of time and resources in developing thisReport, in particular the members of the IIF Working Groupon Risk Appetite, as well as those firms contributing specific
case-studies. We are extremely grateful to the co-Chairsof the Working Group, Mark Lawrence, Managing Director,Mark Lawrence Group and Kevin Nye, Sr. Vice-President,Royal Bank of Canada for leading the enormous amount ofwork that has gone into the production of this Report. Inaddition, our special gratitude goes to Ernst & Young andPwC for their contribution in analyzing the survey data (andsubsequent comments) and identifying themes and insightsfrom it.
The lists of IIF Board of Directors, the membership of theSCI, and Risk Appetite Working Group members are includedin the Report .
Josef AckermannChairman of the IIF Board
Chairman of the Management Board
and the Group Executive Committee,Deutsche Bank AG
Klaus-Peter MüllerMember of the IIF Board
Chairman of the Supervisory Board
Commerzbank AG
Rick WaughMember of the IIF Board
President and Chief Executive Officer
Scotiabank
Charles DallaraManaging Director
Institute of International Finance
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
5/80
CONTENTS
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
IIF Board of Directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
IIF Steering Committee on Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
IIF Risk Appetite Working Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Section 1 - Principal Findings from the Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Section 2 - Key Outstanding Challenges in Implementing Risk Appetite Frameworks . . . . . . . . . . . . . . . . . 20
Section 3 - Emerging Sound Practices in Overcoming the Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Section 4 - Recommendations for Firms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Section 5 - Implications for Supervisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Annex I: Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Royal Bank of Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
National Australia Bank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Scotiabank. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Commonwealth Bank of Australia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Annex II: Summary of the Responses to the Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
6/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
2
IIF BOARD OF DIRECTORS
Ms. Suzan Sabanci DincerChairman and Executive Board MemberAkbank T.A.S.
Mr. Yannis S. Costopoulos*
Chairman of the Board of Directors
Alpha Bank A.E.
Mr. Peter Wallison
Senior Fellow
Financial Policy Studies
American Enterprise Institute
Mr. Hassan El Sayed Abdalla
Vice Chairman and Managing DirectorArab African International Bank
Mr. Michael Smith
Chief Executive OfficerAustralia and New Zealand Banking Group Limited
Mr. Walter Bayly
Chief Executive OfficerBanco de Crédito del Perú (BCP)
Mr. Baudouin Prot*Chief Executive OfficerBNP Paribas
Mr. Robert P. Kelly*
Chairman and Chief Executive Officer
BNY Mellon
Mr. Vikram Pandit
Chief Executive Officer
Citigroup, Inc.
Mr. Martin Blessing
Chairman of the Board of Managing Directors
Commerzbank AG
Mr. Urs Rohner
Chairman of the Board of DirectorsCredit Suisse Group AG
Mr. Andreas Treichl
Chairman of the Management Board and Chief Executive
OfficerErste Group Bank AG
ChairmanJosef Ackermann*
Chairman of the Management Board and
the Group Executive Committee
Deutsche Bank AG
TreasurerMarcus Wallenberg*Chairman of the Board
SEB
Vice ChairmanRoberto E. Setubal*
President and Chief Executive Officer,
Itaú Unibanco S/A and Vice Chairman of the Board of
Itaú Unibanco Holding S/A
Vice ChairmanFrancisco González*
Chairman and Chief Executive Officer
BBVA
Vice ChairmanRick Waugh*
President and Chief Executive Officer
Scotiabank
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
7/80
*Member of the Administrative and Nominations Committee
Mr. Gary D. Cohn
President and Chief Operating OfficerGoldman, Sachs & Co.
Mr. Douglas Flint
Group Chairman
HSBC Holdings PLC
Mr. K. Vaman Kamath
Chairman of the Board
ICICI Bank Ltd.
Mr. Jiang Jianqing
Chairman of the Board of Directors and President
Industrial and Commercial Bank of China
Mr. Jan Hommen
Chairman of the Executive BoardING Group
Mr. Charles H. Dallara (ex officio)*
Managing Director
Institute of International Finance
Mr. Corrado Passera
Managing Director and Chief Executive OfficerIntesa Sanpaolo S.p.A.
Mr. Jes Staley
Chief Executive Officer
Investment Bank
J.P. Morgan Chase & Co.
Mr. Yoon-dae Euh
Chairman
KB Financial Group Inc.
Mr. Yasuhiro Sato
President and Chief Executive OfficerMizuho Corporate Bank, Ltd.
Mr. James Gorman
President and Chief Executive Officer
Morgan Stanley
Mr. Ibrahim S. Dabdoub
Group Chief Executive Officer
National Bank of Kuwait
Mr. Frédéric Oudéa
Chairman and Chief Executive Officer
Société Générale
Mr. Peter Sands
Group Chief ExecutiveStandard Chartered, PLC
Mr. Walter B. Kielholz
Chairman of the Board of Directors
Swiss Reinsurance Company Ltd.
Mr. Nobuo Kuroyanagi*
ChairmanThe Bank of Tokyo-Mitsubishi UFJ, Ltd.
Mr. Oswald Gruebel
Group Chief Executive Officer
UBS AG
Mr. Martin Senn
Chief Executive OfficerZurich Financial Services
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
8/80
Chairmen
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
4
Mr. Kevin Garvey
Head of Group Credit Review & Reporting
AIB Group
Mr. Edward Murray
Partner
Allen & Overy LLP
Mr. Roberto Sobral Hollander
Director
Dep. Gestao de Riscos e Compliance
Banco Bradesco
Ms. Barbara Frohn Verheij
Managing DirectorBanco Santander
Mr. Alex Wolff
Head, Risk StrategyBank of Ireland
Mr. Robert Pitfield
Group Head, Chief Risk Officer
Bank of Nova Scotia
Mr. Desmond McNamara
Managing Director Capital & Analytics
Group Risk
Barclays PLC
Mrs. Mayte Ledo Turiel
Chief Economist
Chief Economist for Economic, Financial Scenarios and
Regulation
BBVA
Mr. Christian Lajoie
Head of Group Prudential Affairs / Co-Head of Group
Prudential and Public Affairs
BNP Paribas
Mr. Brian Rogan
Vice Chairman and Chief Risk Officer
BNY Mellon
Mr. James Garnett
Head of Risk Architecture
Citi
Mr. Edward Greene
PartnerCleary Gottlieb Steen & Hamilton LLP
Mr. Christian Wältermann
Director
Group Risk Management and Market Risk OperationsCommerzbank AG
Mr. Andreas Blatt
Head Risk IT
CRO ITCredit Suisse
Mr. Tonny Andersen
Member of the Board & Head of Danske Bank DK
Danske Bank A/S
Mr. Andrew Procter
Global Head of Government & Regulatory Affairs
Government & Regulatory Affairs
Deutsche Bank AG
Mr. Bjørn Erik Næss
Group Executive Vice President
Group Finance and Risk Management
DnB NOR
Dr. Florian Strassberger
General Manager
Head of North America
DZ Bank
IIF STEERING COMMITTEE ON IMPLEMENTATION
Mr. Richard WaughPresident and Chief Executive Officer
Scotiabank
Mr. Klaus-Peter Müller Chairman of the Supervisory Board
Commerzbank AG
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
9/80
Ms. Patricia Jackson
Partner
FS RiskErnst & Young
Mr. JB King
Director
Ernst & Young
Mr. Robin Vince
Head of Operations
Goldman Sachs & Co.
Mr. Rakesh Jha
Deputy CFO
ICICI Bank
Mr. Alex Van der Laan
Head of Credit CapitalsING Group
Mr. Mauro Maccarinelli
Head of Market Risk Management
Risk Management DepartmentIntesa Sanpaolo S.p.A
Mr. Adam Gilbert
Managing Director
Regulatory PolicyJPMorgan Chase
Dr. Mark Lawrence
Managing Director
Mark Lawrence Group
Dr. Philipp Härle
Director
McKinsey & Company
Mr. Fernando Figueredo MarquezGlobal Chief Risk Officer
Global Risk Management
Mercantil Servicios Financieros
Mr. Akihiro Kitano
Senior Manager
Basel 2 Implementation Office
Mitsubishi UFJ Financial Group, Inc.
Mr. Masao Hasegawa
Managing Director , CRO, & CCOMitsubishi UFJ Financial Group, Inc
Mr. Hideyuki Toriumi
Senior Manager
Basel 2 Implementation Office
Mitsubishi UFJ Financial Group, Inc.
Mr. Tsuyoshi Monri
President and CEO
Mizuho Corporate Bank (USA)
Mr. Naoaki Chisaka
Vice President
Corporate Planning Division
Mizuho Financial Group, Inc.
Mr. Kenji Fujii
Joint Head of Global Risk Management Group
Global Risk Management
Mizuho Securities Co., Ltd.
Ms. Jane Carlin
Managing Director
Morgan Stanley
Mr. Paul Mylonas
General Manager of Strategy and Governance, Chief
Economist of the Group, and Secretary of the Executive
CommitteeNational Bank of Greece
Mr. Parkson Cheong
General Manager and Group Chief Risk Officer
Group Risk ManagementNational Bank of Kuwait S.A.K.
Mr. Scott McDonald
Managing Partner
Financial ServicesOliver Wyman
Ms. Monika Mars
Director
Financial Services
PricewaterhouseCoopers AG
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
10/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
6 Mr. Morten FriisChief Risk OfficerRoyal Bank of Canada
Mr. Nathan Bostock
Head of Restructuring and Risk
Royal Bank of Scotland
Mr. John Cummins
Group Treasurer
Royal Bank of Scotland
Mr. Steven Oon
Head of Firm Wide Risk Management
Royal Bank of Scotland
Mr. Pierre Mina
Head of Group Regulation Coordination
DGLE/CRGSociété Générale
Mr. Clifford Griep
Executive Managing Director, Risk & Policy Officer
Ratings GroupStandard & Poor’s
Mr. Paul Smith
Group Chief Risk Officer
Group RiskStandard Bank of South Africa
Mr. Robert Scanlon
Group Chief Credit Officer
Risk
Standard Chartered Bank
Mr. Nobuaki Kurumatani
Managing DirectorSumitomo Mitsui Banking Corporation
Mr. Philippe Brahin
Director
Risk Management
Swiss Reinsurance Company Ltd
Ms. Ozlem Oner Ernart
Manager
Risk Management - Credit & Subsidiaries RiskT.Garanti Bankasi
Mr. Takashi Oyama
Counsellor on Global Strategy to President and the Board of
Directors
The Norinchukin Bank
Mr. Richard Metcalf
Managing Director and Group Risk Chief Operating Officer
UBS AG
Mr. Sergio Lugaresi
Senior Vice President Head of Regulatory Affairs
Institutional and Regulatory Strategic AdvisoryUniCredit Group
Dr. Peter BuombergerGroup Head of Government and Industry Affairs
Zurich Financial Services
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
11/80
IIF RISK APPETITE WORKING GROUP
Dr. Mark LawrenceManaging Director
Mark Lawrence Group
Mr. Kevin NyeSenior Vice President
Enterprise Risk, Group Risk Management
Royal Bank of Canada
Chairmen
Ms. Tamara van den Broek
ABN AMRO
Ms. Barbara Frohn Verheij
Managing Director
Banco Santander
Mr. Alex Wolff
Head, Risk StrategyBank of Ireland
Ms. Joan Mohammed
SVP, Central Risk GroupBank of Montreal
Ms. Jennifer Moore
Senior ManagerBank of Montreal
Mr. Lawrence Uhlick
Chairman
BBVA Compass
Mr. Thomas Flynn
Chief Financial OfficerBMO Financial Group
Ms. Anne-Charlotte Charpentier
Deputy Head - Risk Appetite Coordination
Group Risk Management - Strategic Risk Analysis
BNP Paribas
Mr. Fredi Rüdisühli
Director, Management Support CROCredit Suisse
Mr. Peter Rostrup-Nielsen
Chief Risk Officer
Group Risk
Danske Bank
Mr. Stuart Lewis
Deputy Chief Risk Officer
Legal Risk & CapitalDeutsche Bank AG
Mr. Andrew Procter
Global Head of Government & Regulatory Affairs
Government & Regulatory Affairs
Deutsche Bank AG
Mr. Nick Stone
Government & Regulatory Affairs
Deutsche Bank AG
Mr. Andrew Duff
Manager
Financial Services Risk Management Advisory
Ernst & Young
Mr. Robert Berry
Chief Market Risk OfficerGoldman Sachs & Co.
Mr. Javier Torres
Subdirector General Adjunto
Internal Validation and Integral Risk Control - Risk DivisionGrupo Santander
Mr. Peter Lindfelt
Senior Vice PresidentHandelsbanken
Mr. David McDonald
Head of Economic Capital
HSBC Holdings PLC
Mr. Alan Smith
Global Head of Risk Strategy
Global Risk
HSBC Holdings PLC
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
12/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
8 Mr. G SrinivasGeneral Manager
Global Risk Management GroupICICI Bank
Mr. Koos Timmermans
Member of the Executive Board and CRO
ING Group
Mr. Rodrigo Couto
Superintendent
Integrated Risk ManagementItaú Unibanco S/A
Dr. Sérgio Werlang
Executive Vice President
Risk and Financial Control
Itaú Unibanco S/A
Mrs. Robin Doyle
Sr. Vice President, LOB CFO
J.P. Morgan Chase & Co.
Mr. Alastair Holmes
Head of Group Retail Credit
Group RiskLloyds TSB Bank Plc
Mr. Fernando Figueredo Marquez
Global Chief Risk Officer
Global Risk ManagementMercantil Servicios Financieros
Mr. Hiroaki Demizu
Chief Manager of BASEL3, Corporate Planning Division
BASEL3 implementation projectMitsubishi UFJ Financial Group, Inc.
Mr. Akihiro Kitano
Senior Manager
Basel 2 Implementation OfficeMitsubishi UFJ Financial Group, Inc.
Mr. Naoaki Chisaka
Vice President
Corporate Planning Division
Mizuho Financial Group, Inc.
Mr. Kouhei Kuroda
General Manager
Risk ManagementMizuho Financial Group, Inc.
Mr. Kenji Fujii
Executive Officer, Head of Global Risk Management Group
Mizuho Securities Co., Ltd.
Mr. Robert Armstrong
General Manager Credit Strategy
National Australia Bank Ltd.
Mr. Shaun Dooley
Group Chief Credit Officer
Risk
National Australia Bank Ltd.
Mr. Richard Barfield
Director
PricewaterhouseCoopers LLP
Mr. David Stephen
Deputy Chief Risk Officer
Risk Management
Royal Bank of Scotland
Mr. Ross Anderson
Director
Government AffairsScotiabank
Mr. Victor Gomez
Manager, Financial Sector Policy
Public, Corporate & Government AffairsScotiabank
Mr. Sean McGuckin
Senior Vice President & Head, Risk Policy & Capital Markets
Global Risk Management
Scotiabank
Mr. Robert Scanlon
Group Chief Credit Officer
Risk
Standard Chartered Bank
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
13/80
Mr. Robert Stribling
Group Chief Risk OfficerSuncorp
Mr. Eric Reiner
Managing Director
Firm-wide Risk Control and Methodology
UBS
Mr. Darryll Hendricks
Managing Director
Global Head, Risk MethodologyUBS AG
Mr. Michael Astrinos
Associate Director, Risk-Reward
Group FinanceWestpac Banking Corporation
Mr. Edmund Bosworth
Head of Risk Reward
Group FinanceWestpac Banking Corporation
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
14/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
0
EXECUTIVE SUMMARY
1. A clearly articulated statement of risk appetite and
the use of a well-designed risk appetite framework
to underpin decision-making are essential to
the successful management of risk. The recent
financial crisis has shown that an effective risk
appetite framework (RAF) is a key governance tool
and a crucial component of sound enterprise-wide
risk management.
2. Establishing an effective risk appetite framework
is a challenging but essential component of good
risk management and continues to receive agreat deal of attention from both the financial
services industry and the regulatory community.
The Senior Supervisors Group (SSG), in its
analysis of the risk management implications
of the global banking crisis of 2008, focused
extensively on risk appetite issues. Their 2009
report, Risk Management Lessons from the Global
Banking Crisis of 2008, highlighted a number of
deficiencies in the way the Industry in general
was approaching this subject. The SSG cited
the importance of the involvement of Boards
and senior management in the articulation andimplementation of risk appetite and observed
that the Industry needs to continue working to
make risk appetite statements much more robust
to encompass a suitably wide range of measures
and actionable elements. There is broad agreement
across the Industry with these major findings.
In December 2010, the SSG elaborated further
on this subject in its report, Observations on
Developments in Risk Appetite Frameworks and IT
Infrastructure .
3. The IIF’s Steering Committee on Implementation
(SCI) has sought to identify and analyze importantareas of weakness in Industry risk management
practices as well as to promote sound practices
aimed at remedying them. The SCI established a
Working Group on Risk Appetite (WGRA) in mid-
2010 with the following objectives:
• To assess and evaluate current Industry
practices in the area of risk appetite.
• To identify the key stages and the technical
and management challenges in the journey
toward setting—and monitoring adherence
to—appropriate boundaries for risk, within a
sound risk appetite framework.
• To bring Industry expertise and sound practices
to bear on examining how these challenges
have been addressed in leading firms (including
the analysis of real-life case studies).
• To develop specic practical recommendations
for firms to address the challenges of
implementing a robust and meaningful risk
appetite framework.4. For the purposes of this report, the following
definition of “risk appetite”—first set out in
the IIF’s December 2009 report Reform in the
Financial Services Industry: Strengthening
Practices for a More Stable System —is used
(although financial firms use a variety of similar
definitions): Risk appetite is the amount and
type of risk that a company is able and willing to
accept in pursuit of its business objectives. Risk
appetite in this sense is linked to but conceptually
separate from “risk capacity,” which is the
maximum amount of risk a firm is technicallyable to assume given its capital base, liquidity,
borrowing capacity, and regulatory constraints.
It is also distinct from but related to the existing
levels of risk being run by a firm. It is obviously
essential to ensure that a firm’s risk appetite is
defined in such a way as to ensure that it does not
exceed the firm’s risk capacity.
5. The WGRA has sought to address these objectives
through a global survey of the progress made by
firms in implementing risk appetite and in-depth
interviews and the creation of a number of case
studies. Responses to the survey were sought froma diverse cross-section of senior roles in firms,
including Board members, senior management,
and risk officers, all of whom provided a variety
of perspectives on the development of RAFs within
their organizations.
6. This report from the WGRA includes a combination
of findings and, more important, a number
of practical recommendations as to how to
implement a robust and meaningful risk appetite
framework. Some of the findings with respect to
the key challenges that firms face in establishing
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
15/80
a risk appetite framework are not necessarily
new. However, the report provides new insights
and value through its practical recommendations
regarding how to address the challenges.
7. The case studies in Annex I cover the
development of RAFs at National Australia
Bank, Commonwealth Bank of Australia, RoyalBank of Canada, and Scotiabank. While none of
these firms would claim to have completed the
process, all report that they have made significant
progress in implementing effective RAFs. In these
case studies, the contributing banks share the
approaches they have taken to overcoming the
challenges involved, thereby providing valuable
insights into this difficult and developing area of
management and supervisory focus.
8. A number of participating firms report substantial
progress in the creation of risk appetite
frameworks, and they report seeing tangible
benefits. However, the financial services industry
as a whole is still at the early stages of what needs
to be seen as a journey. It is doubtful whether
any single firm has fully completed that journey,
and the identification of a comprehensive set of
industry-wide sound practices is still some way
off. This report nevertheless contains a number
of valuable insights and proven techniques for
enhancing risk appetite practices.
9. The following key issues and emerging sound
practices are detailed within this report:
• A strong risk culture1 is a prerequisite to
eventually putting in place an effective
RAF, and is also itself reinforced by the
introduction of such a framework. Firms with
demonstrably robust risk cultures that support
“tone from the top” are best equipped to
build engagement and put in place effective
structures. One important implication of this
is that an RAF should not be seen as a discrete
set of mechanisms or processes, but rather as
something inextricably linked to a wider set of
issues that govern a firm’s risk culture.• It is essential that the determination of risk
appetite is inextricably linked to strategy
development and business plans, otherwise
the two will rapidly come into conflict,
creating significant tensions, and the conduct
of business activities may lead to risk outcomes
that, in aggregate, are outside acceptable
boundaries. It is important to note that our
study has shown that leading banks have
made this linkage in an effective way. Formal
involvement of the risk management function
in the strategy and business planning processes
has resulted in great benefits, which are evident
in some of the case studies supplied.• RAFs call for the use of extensive judgment
on the part of Boards and management, in
terms of where to begin, where to focus,
and how to engage business leaders. Diverse
risk cultures and business models, as well as
differing degrees of complexity, mean that this
is definitely an area in which one size does not
fit all. While some convergence of practices
can be expected to emerge over time, diversity
of approaches among firms with different
business models and risk profiles is inevitable,
legitimate, and desirable.
• A risk appetite framework provides a context
for such traditional risk management tools
as risk policies, limits, and management
information based on clear risk metrics.
An RAF should never aim to supplant these
but can provide the framework within which
conventional controls operate and can promote
a better understanding and acceptance of their
rationale and importance.
• Developing a risk appetite framework requires
significant time and intellectual resources.
The firms that have made the most progress
report a substantial element of “learning by
doing” in an iterative manner over time, and
that ongoing dialogue and communication at
all levels of the firm have been crucial in this
process. Risk appetite cannot be implemented
through top-down decrees, but instead needs
to be embraced and understood throughout a
firm. Business leaders need to be given time to
define and embed the concepts of risk appetite
into their decision-making processes, and this
engagement takes time to evolve and mature.
For this reason, the creation and evolution ofa strong risk appetite framework is a multiyear
journey—results do not appear instantly.
• An important implication of the above is
that, in assessing firms’ commitment to, and
progress in, the implementation of a risk
appetite framework, it is not possible to look
1 The strong link between risk culture and the risk appetite framework also was highlighted in the December 2009 IIF report, Reform in the FinancialServices Industry: Strengthening Practices for a More Stable System, in which the following generic definition was provided: “Risk culture can bedefined as the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify,understand, discuss, and act on the risks the organization confronts and the risks it takes.”
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
16/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
2
at a simple and uniform set of indicators .
Supervisors and internal stakeholders
are encouraged to take a broad and
multidimensional view in making assessments
in this area.
• Clarity regarding the ownership of risk is
essential. To ensure the broad congruence ofbusiness and risk decisions and the overall,
enterprise-wide risk appetite, business heads
should have visible ownership of risk in their
areas and incorporate risk explicitly in their
business planning. In fact, responsibility for the
articulation and management of risk appetite
within the businesses needs to reside firmly
and clearly with business unit leaders—not with
their embedded risk management staff—along
with the ownership of the actual risks in the
businesses. The risk management function
should own the overall RAF, serve in anadvisory capacity, and lead the interface with
the Board on risk appetite.
• Communication is a key enabler, both in
the development of an effective RAF and
in its effective operation. Regular dialogue
about risk appetite and evolving risk profiles
needs to occur among the Board, senior
management, the risk management function,
and the businesses. This dialogue needs to
encompass the development and evolution of
the framework itself as well as the risks that
are being taken throughout the businessesand the extent to which these (individually
and collectively) conform to the overall risk
appetite. There is also significant value to be
gained from communicating risk principles to
broad employee audiences. The promulgation
of agreed-upon key risk appetite themes needs
to come from the top, and professionals within
the risk management function can also act on
opportunities to illustrate risk principles and
explain and motivate the boundaries of risk
appetite in day-to-day interactions with front-
line staff.
• Firms that report the most progress in
risk appetite practices benefit from strong
collaboration among their risk management,
finance, and strategy functions. Such
collaboration is fundamentally required during
the development of statements of risk appetite
and the design of a risk appetite framework,
but it is equally important in the day-to-
day operation of an RAF. While the Board
has final responsibility for risk matters, this
is emphatically not about the Board making
decisions about risk in isolation that are then
handed down as instructions to the businesses.
Rather, it is about developing an iterative and
collaborative process for creating a framework
and shared understanding about the boundaries
of acceptable risk—both individually and in
aggregate—that forms the basis of continuousdialogue and decision-making about preferred
risk/return tradeoffs at all levels in a firm.
• Stress and scenario testing are important
components of a risk appetite framework.
Specifically, consciously constraining aggregate
risks in advance in such a way as to ensure a
firm’s survival under severe macroeconomic,
market and liquidity stress scenarios is at the
heart of setting risk appetite appropriately. The
choice of stress scenarios needs to balance the
need to focus attention on severe outcomes
while not placing impossible requirementson the businesses. This is a very important
element of management and Board judgment,
along with assessing the results of the stress
tests and deciding on business and strategic
adjustments that may be necessary to ensure
that plausible losses under severe scenarios
would be held to acceptable levels within the
risk appetite framework. The individual stress
and scenario testing capabilities of firms vary
widely today, and our work has shown that
firms are currently taking diverse approaches
to using these tools for determining riskappetite. Specifically, some firms are using
extensive stress and scenario testing in a very
fundamental way in the determination of
their risk appetite, whereas others are using
these tests only to “sense-check” their overall
risk appetite, or (in some cases) not at all.
Consequently, this is a challenging area in which
Industry practices are still evolving and further
guidance is needed, but there is agreement that
stress testing results need to be incorporated
into the determination of aggregate risk
appetite in a very fundamental way.
10. The report concludes with a set of implications
and recommendations for Board directors, senior
management, risk management, and supervisors—
the most important of which include these:
• Board directors should set the framework for
risk appetite and put into place mechanisms
to ensure that decision-making will be
consistently and transparently guided by it.
But this is only the beginning of the process.
Effective RAFs involve a highly iterative
approach, with ongoing discussions of
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
17/80
risk involving senior management and the
businesses, and must be rooted in a strong
risk culture. Engagement and challenge by
the Board are key to achieving the right
balance between rigidity and flexibility in the
risk appetite framework; this is necessary if
the framework is to be both workable and ameaningful source of discipline.
• Senior management should provide visible
support and own the development of the
RAF. Behaviors need to be continually and
transparently consistent with the risk appetite
principles that have been enunciated at the top.
Business leaders need to articulate risk appetite
in ways that are both tailored to their business
strategies and operations and consistent with
the enterprise-wide RAF, and they need to
establish appropriate controls and reporting to
manage risk.
• The risk management function needs to
be actively involved at all levels of the
development of the RAF and its operation. In
its advisory capacity, this function adds value
by being a catalyst for effective conversations
with business leaders about risk and reward.
It also is critical that risk management also
develop supporting risk frameworks, policies,
and reporting capabilities that enable business
leaders to own and enhance their RAFs.
• Supervisors are encouraged to take a broad
perspective when forming views regarding
firms’ commitment to, and progress in, the
implementation of RAFs. The process is
complex and time consuming, and it touches
fundamentally on culture and behaviors in
organizations. Assessments of commitmentand success need to reflect this complexity.
Successful outcomes are not reflected in the
creation of ever more granular limit structures,
and no single set of indicators or checklists can
capture individual firms’ progress in this area.
11. The results of this study show that demonstrable,
tangible progress is being made in many areas
of risk appetite by leading firms. However, the
challenges are complex, and the financial
services industry as a whole has a long way to
go in the implementation of effective RAFs. The
development and implementation of RAFs is still very much a work in progress for most firms,
and the gap between emerging leading practices
and standard Industry practices is likely to be
substantial for some time. The WGRA is confident
that this report contains valuable insights and
guidance for the various stakeholders involved,
including supervisors. As such, it will support the
Industry’s efforts to understand and implement
effective risk appetite frameworks as a cornerstone
of effective risk management.
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
18/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
4
INTRODUCTION
12. One of the key lessons of the financial crisis
was that some firms took more risk in aggregate
than they were able to bear given their capital,
liquidity, and risk management capabilities, and
some took risks that their management and Boards
did not properly understand or control. Indeed, in
its October 2009 report, Risk Management Lessons
from the Global Banking Crisis of 2008, the
Senior Supervisors Group (SSG) highlighted major
governance challenges at the 20 largest banks in
the most-affected jurisdictions, in particular “theunwillingness or inability of Boards of Directors
and senior managers to articulate, measure and
adhere to a level of risk acceptable to the firm.”
The SSG concluded that “a key weakness in
governance stemmed from … a disparity between
the risks that their firms took and those that their
Boards of Directors perceived the firms to be
taking.” Put simply, Boards did not understand
well enough, or properly control in advance,
the risks that their firms were taking. These
conclusions are not disputed by the Industry.
13. Three years after the crisis, largely as aconsequence of these conclusions, there is now
consensus between supervisors and the Industry
that a clearly articulated statement of risk appetite
and the use of a well-designed risk appetite
framework to underpin decision-making are
essential to the successful management of risk.
Taken together, such a statement and framework
provide clear direction for the enterprise and
ensure alignment of expectations among the
Board, senior management, the risk management
function, supervisory bodies, and shareholders.
In combination with a strong risk culture, theyprovide the cornerstone for building the effective
enterprise-wide risk management framework that
is essential to the long-term stability of a firm.
14. In 2008 the Institute of International Finance
formed a high-level Committee on Market Best
Practices (CMBP) to draw key lessons for the
financial services industry from the global
financial crisis that was unfolding at that time.
The CMBP issued a report containing a number
of key principles and recommendations for the
Industry, focusing on areas such as governance,
risk management, and transparency. The core
purpose of these recommendations was to
promote much more robust risk management and
governance frameworks in financial institutions.
15. Early in the discussion and analytical process
that led to the final CMBP report, IIF members
identified risk appetite as being of fundamental
importance. The CMBP report defined risk appetite
as “a firm’s view on how strategic risk taking can
help achieve business objectives while respectingconstraints to which the organization is subject.”
A key finding of the CMBP was that putting in
place a robust risk appetite framework constitutes
an essential component of adequate risk
management. The CMBP elaborated on a number
of aspects regarding risk appetite, including the
high-level governance aspects of defining and
implementing a risk appetite framework.
16. In 2009 the IIF, recognizing the need to
actively promote the implementation of the
CMBP recommendations, established a Steering
Committee on Implementation (SCI). This
committee was charged with steering the IIF’s
efforts on further analysis of key risk management
implications of the crisis as well as tracking IIF
members’ efforts in revising their practices and
implementing Industry practices recommendations.
In December 2009 the SCI issued its report,
Reform in the Financial Services Industry:
Strengthening Practices for a More Stable System,
which assessed the progress made by the Industry
in implementing and embedding revised risk
management and governance practices.
17. Among other issues, the 2009 SCI report focused
once again on risk appetite, further developing
and discussing the concept and a number of
related issues. The report also provided an
augmented definition of risk appetite as being “the
amount and type of risk that a company is able
and willing to accept in pursuit of its business
objectives.” The statement of risk appetite balances
the needs of all stakeholders by acting both as
a governor of risk and a driver of current and
future business activity. It is expressed in both
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
19/80
quantifiable and qualitative terms and covers all
risks.” In particular, the 2009 report set out an
analytical framework for risk appetite and outlined
a number of key issues in regard to the practical
implementation of the concept by financial firms.
18. Risk appetite has also received a great deal of
attention from the regulatory community. Inparticular, the SSG—which has been the public
sector group most deeply involved in the analysis
of the risk management implications of the crisis—
has focused extensively on risk appetite issues
and related supervisory implications. Specifically,
the SSG’s 2009 report, Risk Management Lessons
from the Global Banking Crisis of 2008, identified
risk appetite as a crucial element of robust risk
management. The SSG identified a number
of deficiencies in the way the Industry was
approaching risk appetite issues, observing, for
example, that much more evidence was neededof Board involvement in setting and monitoring
adherence to firms’ risk appetite, and that the
Industry needed to continue working to make
risk appetite statements much more robust to
encompass a suitably wide range of measures and
actionable elements.
19. In December 2010, the SSG issued another
report, Observations on Developments in Risk
Appetite Frameworks and IT Infrastructure , which
elaborated on this subject. In particular, the SSG
highlighted the importance of Board and senior
management involvement in the articulation andimplementation of the risk appetite framework and
emphasized the need to embed revised practices
within firms so that such practices can be
sufficiently resilient in an increasingly competitive
environment.
20. While there is clearly a substantial amount of
ongoing work by both the Industry and the
regulatory community in the area of risk appetite
frameworks, it is widely recognized that additional
guidance would be helpful as firms continue
refining their practices and methodologies. The
reports by the IIF and the SSG, together with thesubstantial experience gained by firms in the
last several years, constitute a fertile ground in
which to continue developing guidance as to how
management and Boards should confront and
resolve difficult, basic issues linked to the design
and implementation of a risk appetite framework.
21. As firms, in response to the crisis, continue to
make progress in improving their risk appetite
processes, primarily in pursuit of stronger
risk management but also to meet evolving
supervisory expectations, additional guidance
should draw on lessons from firms’ experience
and from the successful practices that are being
developed globally by many in the Industry. This
can, in turn, form the basis for a constructive
dialogue with the global supervisory community.
22. In order to organize the in-depth analysis anddiscussion of risk appetite issues, assess the
Industry’s state of practice on the subject, and
learn by leveraging the experience and expertise
of a broad range of market participants, the IIF SCI
established the Working Group on Risk Appetite
(WGRA). The WGRA and the present report have
the following key objectives:
• To assess and evaluate current Industry
practices in the area of risk appetite.
• To identify the key stages and the technical
and cultural challenges in the journey towardsetting—and monitoring adherence to—
appropriate boundaries for risk, within a sound
risk appetite framework.
• To bring Industry expertise and sound practices
to bear on examining how these challenges
have been addressed, including the analysis of
real-life case studies.
• To develop specic practical recommendations
for firms to address the challenges of
implementing a robust and meaningful risk
appetite framework.
23. The WGRA has carried out an Industry survey,
group discussions, interviews, and case studies
involving a diverse sample of participants
globally. As detailed in Annex II, respondents
to the survey represented a cross-section of
geography and institutional size, all at various
stages of the implementation journey. The survey
was sent to 79 firms; 73 responses were received
from 40 firms. Although the survey responses
received were rich and comprehensive, in order
to get behind them to understand at a practical
level how challenges were overcome to enable
the sharing of good practices, multiple thematic
conference calls, as well as bilateral in-depth
discussions, were held with Industry participants
in several continents, covering the key topics and
challenges considered in Section 2. The survey
responses, conference calls, extensive bilateral
discussions, and the four case studies supplied
have provided the background for our in-depth
analysis of the current challenges facing the
Industry and a practical set of recommendations to
move forward.
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
20/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
6
24. Annex I presents four highly detailed case
studies which were generously provided, upon
request, by Commonwealth Bank of Australia,
National Australia Bank, Royal Bank of Canada,
and Scotiabank. These case studies are intended
to complement the evidence gathered through
the survey and the WGRA discussions andto provide valuable insights and “real-life”
examples of the approaches that large firms have
taken to overcoming the challenges involved in
establishing a risk appetite framework (RAF).
The case studies represent an integral part of
this report and are recommended reading as they
contain a wealth of detailed information regarding
the diversity of approaches taken, the role of
leadership and collaboration, the iterative nature
of RAF development and the influence of culture
in the risk appetite process.
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
21/80
SECTION 1 – PRINCIPAL FINDINGS FROM THEINVESTIGATION
2 The identification of sound industry practices for risk IT is the subject of a parallel IIF report: Risk IT and Operations: Strengthening Capabilities,June 2011.
25. This section outlines a number of key findings
of our work on risk appetite, the extent to which
the Industry is embracing it, and the principal
impediments to implementation. It outlines a
number of practical steps that firms have taken to
overcome the principal challenges and which form
the basis of emerging Industry sound practices in
this evolving area. In some instances the findings
of this report are not new. The survey highlights,
reinforces, or otherwise clarifies issues that the
Industry continues to struggle with and thatat times have been commented on elsewhere.
The report does, however, aim to offer valuable
insights on how many of these challenges are
being overcome.
26. It is clear from the responses to the survey
and from the discussions that followed that
developing a risk appetite framework is a journey
on which the Industry finds itself in the early
stages. Although the cultural, organizational,
and technical challenges are formidable and the
majority of firms are not yet where they either
need or want to be, our investigation has shownthat a number of leading firms in the Industry
are making good progress. Evidence suggests
that there has been more progress in designing,
implementing, and embedding risk appetite
frameworks—at least in participating firms—than
has been generally realized until now.
27. The aggregate risk profiles of large financial
institutions are complex, multidimensional,
and, even where risk IT is well developed,
relatively opaque.2 Consequently, developing
a risk appetite framework requires time and
significant intellectual and financial resources.Not surprisingly, the degree of progress varies
across participating banks, and a substantial gap
is likely to remain for some time between leading-
edge practices and what is “typical.” One very
striking feature of the results of this investigation,
however, is the widespread recognition of the
intrinsic importance of risk appetite to good risk
management and the motivation to get this right.
28. Where progress has been made to date, it has
been driven principally by a recognition by the
firms’ leadership of the need to strengthen risk
management and governance arrangements. It
has not typically been solely, or even primarily,
a response to specific regulatory or supervisory
requirements.
29. Not only are firms at different stages of
development of their RAFs, they are also
adopting a wide range of approaches, as can
be clearly seen from the important and detailedcase studies supplied in Annex I. This reflects
differing business models, structures, and degrees
of complexity. Thus, an important finding of
our work is that one size does not fit all. While
some convergence of practices can be expected
to emerge over time, diversity of approach
is inevitable and should not be discouraged.
Supervisors need to be alert to this and avoid
insisting on formulaic solutions that may not be
aligned with business needs.
30. Despite the different stages of development of
firms’ RAFs and the multiplicity of approaches
being taken, our investigation has shown
that there is some convergence of thought
and experience around the implementation,
design, and impact of an effective risk appetite
framework. These areas of convergence include:
a. Successful implementation is highly dependent
on effective interactions among all key
stakeholders, including Board members, senior
management, the risk management function,
and the operating businesses. In a large majority
of firms, defining or setting the risk appetite is
initiated by senior management and, after an
effective challenge process, is approved by the
Board. In all cases the “tone from the top” was
essential to driving the process. It is clear that
where there is visible and continuous support
of the risk appetite concept from the Board
and senior management, the development and
implementation of the risk appetite framework
was much more effective in all respects.
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
22/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
8
b. The in-depth discussion around the survey
results indicates quite clearly that putting in
place an effective risk appetite framework
is inextricably linked to the risk culture of
a firm. To be fully effective, the risk appetite
framework, together with an appreciation
of its benefits, needs to be disseminatedthroughout the institution. Done properly,
implementation of a risk appetite framework
can act as a powerful reinforcement to a strong
risk culture in providing a coherent rationale
and consistent framework for understanding
risk at all levels. It can never substitute for
proper systems, controls, and limits, but
instead supplements and motivates these and
may even increase compliance. Firms with
strong risk cultures that provide staff with
guidance for their own behavior and what
to look for and challenge in others are muchmore effective in the implementation process.
This is especially important when developing
appetite statements around those risks that are
less quantifiable (e.g., operational risk, risks
of legal or regulatory non-compliance, and
reputational risk). It is also clear that risks
cannot be completely avoided, and aspirational
statements relating to “zero tolerance” of
certain types of risk are less useful than
detailed guidance to the businesses about how
such risks should be viewed and managed.
c. While implementing an RAF is challenging,those firms that have made progress are clear
that they see tangible benefits resulting
from their risk appetite process. While these
benefits are not always apparent at the start,
there is a high degree of consensus among
such firms that the RAF is allowing the Board
and the senior management to have a more
informed discussion of the risks in the business
plan and strategy. Firms reporting the most
progress have also established strong linkages
between risk issues and strategy, planning, and
finance—the last two of these being areas in
which risk was often not formally considered
in the past. These linkages have been put in
place at both the enterprise-wide and business
unit (BU) levels. Such processes may, at least
initially, make the resource planning cycle
longer and more complicated, but this is a
price well worth paying in return for fostering
a more robust risk culture and a stronger
awareness throughout the organization. Firms
at a more advanced stage also highlight the
benefits deriving from a stronger integration
of risk considerations into the strategic and
business plans and more effective risk/reward
decision-making across the organization. These
benefits can be clearly seen in the case studies
attached in Annex I.
d. There is a high degree of commonality around
the most relevant inputs driving the shapingof a firm’s risk appetite. Most often used is
capital capacity, followed by budget targets,
liquidity, and other market constraints and
stress test results. Although not captured in the
survey data, several firms emphasized that a
firm’s overall strategy and financial objectives
should be considered as a key input.
e. Limits and controls have a central role in
any well-run organization, but an excessively
narrow emphasis on granular limits (or too
many of them) can provide false comfort
to management and supervisors; lead to a
mechanical, “tick-box” (or compliance-type)
approach; and detract from or undermine this
crucial dialogue. A strong RAF is much more
powerful than limits alone: staff at all levels
with any significant responsibility should know
what they need to do and why, rather than
merely follow instructions. The overwhelmingly
important conclusion from firms’ experiences
in this area is that developing an RAF is
not about putting in place “tablets of stone”
and creating and implementing a structure
of many hundreds of highly granular limits.It is important that stakeholders, including
supervisors, should recognize this when
assessing progress in this area.
f. The survey shows that a large majority of firms
(70%) are taking a comprehensive view of all
risks across the firm, not merely focusing on
those risks that can be easily measured, and
are using a combination of quantitative and
qualitative metrics in expressing risk appetite.
This reinforces the point that risk appetite does
not mean the creation of a complex, highly
granular set of limits. That said, at this stagein the journey the most common transmission
mechanism for communicating Board-level risk
appetite statements throughout the enterprise is
the translation into limits. This in part reflects
the quantifiable nature of some risks and
provides for clear, recognizable boundaries.
g. Stress testing and stress metrics play a role
in the risk appetite framework of almost all
respondents (only one firm stated that they are
not used). The use of stress tests varies, with
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
23/80
some banks putting them at the center of the
risk appetite setting process, whereas others
use stress tests primarily to “sense-check” their
appetite.
h. A large majority of those responding indicated
that risk appetite is monitored on an ongoing
basis at the group level and that a contingencyplan or escalation procedure is triggered when
a risk appetite metric is exceeded.
31. As noted above, the case studies in Annex I are an
essential part of this report and clearly illustrate
many of the points listed above. Additionally,
the complete summary findings and data from
the survey are appended to the main body of this
report (see Annex II).
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
24/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
0
SECTION 2 – KEY OUTSTANDING CHALLENGES INIMPLEMENTING RISK APPETITE FRAMEWORKS
32. Despite the visible progress being made by many
in the Industry in the implementation of effective
risk appetite frameworks, more needs to be done.
The survey and discussion reveal there is a degree
of commonality in the hurdles firms are facing
and the need for proven practical solutions to
these issues. Section 3 provides a number of
examples of emerging Industry sound practices
in addressing these. This section outlines the
largest challenges that are proving most difficult
to overcome. The chart below shows the mostrelevant survey results in this context.
33. The link with the wider risk culture is of central
importance but is also problematic in some
firms. Broad discussion among firms reinforces
the point that without a strong risk culture
success on the risk appetite journey is extremely
difficult, if not impossible, while it is easiest to
implement an effective RAF where there is already
a strong culture around risk. However, a number
of respondents cited culture and its link to risk
appetite as being an important and difficult issue.
A strong culture implies that staff understandwhat is required of them with respect to risk and
why, and where such a strong risk culture exists
it may be possible for firms to place less reliance
on narrow compliance with limits and processes.
Nevertheless, even the strongest culture needs to
be supported with good systems, controls, and
limits. It is also necessary to establish a strong
link between risk appetite and compensation. At
the simplest level this can be an assessment of
whether business results and key performance
indicators (KPIs) have been achieved by operating
within limits and in accordance with thebehaviors and culture described and embedded
within the risk appetite. Where this is not the
case remuneration incentive awards should be
moderated or adjusted accordingly.
34. Effectively cascading the risk appetite
framework throughout the firm and embedding
and integrating it into the operational decision-
making process is clearly the largest challenge
for almost all firms. While most firms have
risk policies and risk measures in the form of
limits that can easily be cascaded through the
organization, other guidance on risk tends to bemore general and at a higher level. The linkage
10
4
2
5
7
4
1
7
6
7
5
2
1
3
1
6
3
4
2
3
5
5
3
0 5 10 15 20 25
Effectively cascading the risk appetite statement through the operational levels
of the organization and embedding it into operational decision making processes
How to best express risk appetite for different risk types,
some of which can be quantified in generally accepted ways,
and some of which cannot be easily quantified
Using the risk appetite framework as a dynamic tool for managing risk rather than
another way of setting limits or strengthening compliance
Using the risk appetite framework as a driver of strategy and business decisions
Achieving sufficient clarity around the concept of risk appetite and some of the
terminology used (e.g. difference between risk appetite and risk limits)
How to effectively relate risk appetite to risk culture
How to make best use of stress-testing in the risk appetite process
How to most effectively aggregate risks from different business units and/or
different risk types, for risk appetite purposes
12
3
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
25/80
between high-level risk appetite principles and
the risk policies and metrics guiding day-to-day
decision-making needs further development. As
noted, firms that have been most successful in
creating an RAF to date have recognized that it
needs to pervade the organization in the sense
that risk concepts are fully understood by staffat a range of levels and influence behavior as a
result of being internalized. The benefits of a risk
appetite framework are often much more apparent
to Board members and senior management than
they are to mid-level staff. This raises questions
of how best to train and educate staff to enable
them to perceive the benefits of the new approach
and also touches upon the desired responsibilities
of management in such training and the way
in which the new approaches can or should be
supplemented with formal controls and limits.
35. The best way of expressing risk appetite in away that covers all relevant risks is also proving
a challenge for firms. This is particularly true
in respect to risks that are less quantifiable and
require a more qualitative approach. Once the
process moves beyond traditional credit and
market risks—where historical data is abundantly
available—to focus on reputational, strategic, and
operational risks, significant challenges remain.
However, it is widely recognized that an RAF
cannot be confined to risks that can be easily
measured. To be meaningful, risk appetite needs to
take a comprehensive view across a firm, and riskappetite statements need to capture and include
those risks that cannot be easily quantified. The
identification and effective mitigation of such
risks is a difficult challenge that is not, of course,
confined to risk appetite. While some firms are
comfortable tracking these risks with qualitative
indicators, most are making significant efforts to
quantify such risks, through, for example, proxy
measures and use a combination of qualitative and
detailed quantitative elements in their risk appetite
statements.
36. Some respondents are finding it difficult to shiftthe perception that risk appetite is primarily
about setting limits. While limits and risk policies
are important components of an effective risk
appetite framework, the more dynamic nature
of risk appetite and its role in managing risk,
driving strategy, and optimizing return on a much
broader basis needs to be ingrained throughout the
organization. Ensuring that the RAF is positioned
and perceived internally as a dynamic tool for
shaping the risk profile of the institution, rather
than as merely a dressed-up, “grander” process for
setting limits and additional business constraints
is also an important challenge. In reality, it is
necessary to strike the right balance between a
framework on the one hand which is so rigid,
constraining and inflexible over time as to be
unable to sensibly and prudently accommodate
the evolution of the businesses and group strategyin a timely fashion, having due regard to the risk
implications, and one on the other hand which is
excessively flexible and too easily substantially
changed from one period to the next (perhaps
in response to any number of proposed growth
initiatives), and consequently imposes insufficient
discipline on the businesses, lacks continuity,
and is difficult for all employees to understand
and embrace. Striking this balance correctly
requires careful judgment by Boards and senior
management.
37. Many firms have difficulty forging the necessarylinks between risk appetite and the strategic
and business planning processes, though
leading firms have done this successfully. It is
relatively straightforward to establish an RAF in
the sense of the Board setting out a statement of
risk preferences that the business then seeks to
translate into a range of limits. There is a growing
recognition, however, that this is a very narrow
concept of risk appetite and that the establishment
of actionable guidance at the business unit level
is crucial. The traditional approach of making
high-level statements and then seeking to turnthese into a plethora of granular and not well-
understood limits has been shown to have serious
limitations, as it tends to result in risk appetite
being seen within the businesses as a remote and
sometimes irrelevant part of the risk management
apparatus. As explained further below, risk
appetite needs to be an integral part of a business.
Its effects need to be pervasive throughout the
organization, and there needs to be a clear link
between the RAF and business decisions.
38. Stress testing, and how it should be effectively
incorporated into the risk appetite framework,remains an area of uncertainty and evolving
practice in the Industry. While it is widely
accepted as being a component of an effective
risk appetite framework, there is less consensus
about exactly how stress testing should be
incorporated into a framework. The use of stress
tests varies widely, with some banks putting them
at the center of the risk appetite–setting process,
even as others use stress tests primarily to sense-
check their appetite. As a general observation,
the firms that were most affected by the financial
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
26/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
2
crisis appear to be more advanced in this area,
but further guidance is required for the majority.
While an important focus of an RAF will be the
level of risk with which the Board and senior
management are comfortable during “business
as usual” conditions, it is equally important to
understand and consider the implications ofextreme but plausible scenarios on the risk profile.
The technical and methodological challenges of
stress and scenario testing are well known. In the
RAF context, Boards, senior management, and
business units need to ask how the results of stress
tests should be interpreted and what they mean
for risk profiles and preferences. One particularly
important question in this context is the extent
to which Board members and risk professionals
are equipped a) to make sense of scenarios that
have potentially very substantial impacts but
low probability and b) to push back against thepressures from the business that are curtailing
apparently profitable lines of business.
39. A related issue is how to achieve an appropriate
aggregation at the group level of the levels of
risks for the different individual businesses
and how to establish relationships between these.
Individual business units need to have a consistent
framework for setting their own tolerances
for risk, and these need to be consistent withthe overall enterprise-wide risk appetite, both
individually and in aggregate. Although progress
has been made in this area by a number of firms,
no single approach is dominant today. There is
currently no uniform process for translating high-
level risk appetite indicators into more specific
measures, such as risk limits and tolerances,
and further work is needed in the area of risk
aggregation.
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
27/80
SECTION 3 – EMERGING SOUND PRACTICES INOVERCOMING THE CHALLENGES
40. The objective of this section is to draw on the
survey and the case studies, as well as discussions
with firms to identify ways in which the principal
challenges identified in the previous section might
be overcome. The point needs to be made at the
outset that the Industry is still some distance from
an identifiable body of sound practices in most of
these areas. What follows, however, is intended to
form the basis of emerging good practices.
3.1 RISK APPETITE AND RISK CULTURE41. A crucial challenge is building a strong link and
an effective interaction between culture and the
RAF. Risk culture can be defined as the norms and
traditions of behavior of individuals and of groups
within an organization that determine the way in
which they identify, understand, discuss, and act
on the risks the organization confronts and the
risks it takes.3 It is widely recognized that a strong
(or weak) risk culture manifestly and directly
impacts the risk appetite process.
42. Firms that had made the most progress inestablishing a risk appetite framework report that
there is a close and indissoluble link between
risk appetite and culture. Risk appetite is about
the organization being clear, and making clear to
others its desired level of risk. This in turn informs
the planning and risk taking decisions of the
business units. Decision-makers, while continuing
to be bound by policies and limits, have a clearer
understanding of why the policies and limits are
as they are. And to the extent that they have the
discretion and scope to exercise judgment, the risk
appetite will provide them with a lodestone that
helps to inform them in doing so.
43. Some firms have found that internal “values”
statements can be of some use in reinforcing
culture. If these are seen as self-serving and
isolated examples of “management-speak,” such
statements are likely to be counterproductive;
however, if they are part of a consistent set
of messages and behaviors that provide staff
members with a guide to their own behavior, they
can be the basis on which staff can feel able to
constructively challenge behaviors or decisions of
others, and they can be of real benefit.
44. The link with culture is therefore potentially self-
reinforcing: firms with a strong risk culture find
it relatively more straightforward than others to
implement a risk appetite framework. At the same
time, an effective risk appetite framework can
consolidate and reinforce an effective risk culture
with individuals and business heads feelingreinforced about doing the right thing. National
traditions play a part in this. Some firms from
financial centers where there is traditionally a less
direct link between profit/return and remuneration
report that risk appetite may be an easier “sell” to
staff and business heads.
This self-reinforcing link is explained by one firm in
the following way: “The adoption of a Risk Appetite
Framework did not encounter major resistance from
the organization. This is likely due to (a) the Bank’s
existing strong risk management culture and (b)the fact that the specific metrics in the ‘measures’
component of the Risk Appetite Framework were
key existing metrics that already had buy-in across
the organization. In many respects, the adoption of
a formal Risk Appetite Framework codified existing
risk culture, principles, objectives, and measures.”
Another firm highlighted that “the risk appetite
framework plays a crucial role in establishing the
desired risk culture across the organization. The
discussions of risk appetite across the Group as
well as the specific content of the Board-owned
Risk Appetite Statement have promoted a strongrisk culture, which is key to success. Business Units
understand what is outside appetite and therefore
do not pursue these opportunities. The Risk
Appetite Statement contains a key section outlining
the principles of the risk culture that the Group
seeks to achieve.”
3 Appendix III of the December 2009 IIF report, “Reform in the Financial Services Industry: Strengthening Practices for a More Stable System,” provides abackground discussion around the concept, importance, and key impacts of risk culture.
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
28/80
IMPLEMENTINGROBUSTRI
SKAPPETITEFRAMEWORKSTOSTRENGTHE
NFINANCIALINSTITUTIONS |
4
45. Given these close links, the practical steps for
getting the culture of risk appetite right are similar
to those for getting overall risk culture right.
Overall, firms report that they know when they
are making progress when references to risk and
risk appetite become a normal part of day-to-day
discourse about the business.
Overall Lessons:
• There needs to be a demonstrable commitment
to explaining—through training and day-to-
day experience—the importance the institution
attaches to risk appetite. This needs to have
the consistent support of the highest level of
management.
• Many staff for whom the benets of an
effective RAF are not immediately apparent
are unlikely to undergo an instant conversion.Even after training and assimilation are in
place, it is necessary to operate rigorous
controls and limits.
• It is important to develop measurable indicators
of compliance with risk management norms
that can form a robust basis for promotion
and remuneration. This should include not
only compliance with hard limits but also
with clearly stated behavioral expectations.
Compliance with these more qualitative criteria
can be more difficult to assess objectively
but is critical in establishing the desiredrisk culture and is integral to making risk
appetite effective. Rigorous application of
such guidelines is consistent with cultivating a
strong risk culture, provided it is consistent and
relatively transparent.
• Clear communication of risk appetite
parameters and preferences is a prerequisite for
developing the appropriate culture. Individuals
need to feel incentivized to comply with these
and confident in doing so. There can be no
hidden agendas or revealed preferences on the
part of management.• Consistency of messages and consistency of
senior behaviors with these messages, rewards
and sanctions that are demonstrably consistent
with the messages, and the absence of barriers
to bad news travelling upward are essential
components of a strong culture.
• There is value in measures such as the creation
of a meaningful and non-public statement of
values codifying this. But culture is determined
ultimately by what the leadership does rather
than by what it says.
3.2 “DRIVING DOWN” THE RISKAPPETITE INTO THE BUSINESSES
46. Effective internal communication that makes risk
appetite directly relevant to employees in the
business units is seen as a major challenge by
all participating banks. A variety of approacheshave been taken, but no clear consensus has yet
emerged about how to do this most effectively.
This remains very much work in progress, even for
the leading banks.
47. Two points, however, emerged very clearly in this
regard:
• An effective risk appetite framework should be
pervasive throughout the organization in that
all staff with any significant decision-making
authority should understand the institution’s
stance toward risk and what it means for them.
• Yet the benets of an effective risk appetite
framework, while very real, are often not
apparent to more junior staff and, indeed, there
may be some initial resistance or skepticism
among these groups.
48. For this reason, communication and training
are essential starting points. The CEO needs
to be personally involved in promulgating the
message about the risk appetite framework
and what it means. There needs to be complete
agreement within the Board and management
on a meaningful and comprehensive definitionof risk appetite, and the concepts need to
be communicated in a straightforward way
without jargon. There also needs to be clarity in
communications about where risk appetite fits
alongside risk capacity or tolerance, that is, how
much risk it is technically possible to take, and
the current level of risk being taken. Finally, there
needs to be clarity regarding the ownership of
risk. The risk function should own the overall
risk framework and the interface with the Board
on risk appetite. However, responsibility for
risk within the business units and for achieving
consistency with the enterprise-wide risk stance
rests squarely with business unit heads.
A cornerstone in the architecture of an RAF and
a key step in its internal communication is the
articulation of a risk appetite statement. While
Annex II (page 65) provides significant examples of
elements included in the risk appetite statements of
firms participating in our survey, some firm-specific
examples are provided below:
8/20/2019 IIF_Implementing Robust Risk Appetite Framework to Strengthen Financial Institutions_ IIF
29/80
49. Limits are a necessary part of driving risk
appetite into the businesses. Effective limits are
an essential part of any risk framework, whether
or not the firm embraces a full RAF. Financial
institutions have operated with limits (e.g., for
lending or market transactions) for many years,
without necessarily effectively controllingaggregate risks within acceptable levels. The
establishment of an effective framework goes far
beyond the simple setting of limits, however. There
is a strong consensus that it is very important
for staff who are subject to limits to understand
both the context and rationale for these and
their implications for revenue, customer service/
satisfaction, and aggregate risks. The objective is
to foster an effective, ongoing dialogue about the
boundaries of acceptable risks and the implications
of these boundaries, including for the optimal
allocation of scarce resources within the firm.50. In this context, a strong culture of responsibility
for, and open dialogue about, risks in the
businesses is seen as fundamentally important
in effectively embedding risk appetite in the
business lines. Business unit leaders have a strong
leadership role to play in this. Firms that have
made the most progress in implementing risk
appetite have put in place processes designed
to ensure the broad congruence of business and
risk decisions and the overall enterprise-wide
risk appetite. In these firms, business heads are
required to have visible ownership of risk intheir areas and to incorporate risk explicitly in
their business planning. Processes then need to
be put into place to check the consistency of
these—both individually and in aggregate—with
the overall risk appetite. Business unit heads
are responsible for formulating these local
plans. They also have a responsibility to explain
the importance of risk appetite concepts and
boundaries within their business units. Illustrating
the links between specific business initiatives
and day-to-day transactions and the broader risk
appetite helps to make these processes come alive
for staff within the businesses. Some firms have
also found value in a “thematic” approach to risk,
placing a specific focus on aspects of risk—such as
reputation risk—for a specific period.
51. Similarly, staff on risk committees or those who
are involved in the approval of transactions can
link risk appetite concepts to individual policies
and transaction approvals, thereby raising
awareness and understanding of the boundaries
and importance of risk appetite facilitating
• One rm explains that its risk appetite
statement is currently a mix of quantitative
limits/metrics and qualitative guidelines:
i) Limits and metrics consistently monitored
include: ROE; Stress tests; RWA limits;
Capital market measures (e.g. VaR, tradinglimits); Liquidity ratios; Single-
Recommended