Four Steps for Building an Effective Risk Appetite Framework

December 7th, 2016

risk-appetite-12-7-16.pngRisk appetite is a key component of a bank’s risk management framework. Effective risk management is fundamental in ensuring there is an appropriate balance between risk and reward.

Good risk management does not involve avoiding risk at all costs. Instead, it allows taking on more risk as long as the bank is making informed choices and has measures in place to mitigate risks. Having a strong risk appetite statement and well established policies and procedures is important, but equally important is the effective implementation of this framework.

Based on discussions with a number of credit risk executives at small and large banks, we have identified four steps for implementing an effective credit risk framework.

1. Ensure data quality and integrity.
Clean, standardized data is essential to making fair, timely and accurate credit decisions. The bank also needs to see its complete exposure to ensure it’s not over-exposed at the time of origination.

Regulators are increasingly demanding that a solid risk governance framework include policies and processes to provide risk data aggregation and reporting capabilities. In order to accomplish this, banks should have the IT infrastructure to store data and support risk aggregation and reporting in order to capture material risks, concentrations and emerging risks in a timely manner.

Technology can significantly improve data quality and aggregation. Current systems offer a single source of truth and gather all the risk data in one system that is easy to view and access. So there’s no need for checking multiple systems, tracking exposure in spreadsheets, or adding up numbers. These systems can also aggregate exposures across products, industries, regions, and so forth.

2. Set appropriate limits.
At most banks, the limit-setting process falls to the risk management team. But setting limits is as much an art as a science in many institutions.

One way to ensure appropriate limits is to align compensation with risk culture and take an approach to limit setting that is well articulated, tied to business objectives, and clearly sets out the consequences of breaching limits. In addition, banks can leverage the funding and resources that have already been allocated to conduct regulatory stress testing to help set risk appetite limits.

We have worked with clients to define their risk appetite limits through a well defined analytical and quantitative approach. Ultimately, this approach can help risk management set appropriate limits, adjust limits as the market environment changes, obtain business buy-in, and improve the bank’s overall risk culture.

3. Implement and enforce limits.
Effective risk appetite can be thwarted by integration challenges between risk, business and other functional areas at banks. Lack of cultural alignment and faulty processes often prevent the risk appetite framework from being adopted by the business units at the point of origination, rendering it ineffective.

At many banks, the process is still manual–checking reports and spreadsheets to ensure compliance where automation could save time and increase accuracy. Solutions now exist that let bank officers see at the point of origination where a potential deal is going to breach risk appetite limits. At that point, before moving forward, the red flag is raised and originators can decide to continue the approval process and seek an exception, escalate it to management, or even decline the deal.

4. Monitor limits and manage breaches.
Identifying limit breaches and near-breaches in a timely manner is critical to a dynamic risk appetite monitoring process. Limits should be reviewed and updated frequently, as changes in market conditions, risk tolerance, strategy, or other factors arise. Having ready access to customer and portfolio data, and where various exposures stand against limits, is essential to make timely decisions.

Breaches must be identified as they occur, automatic alerts sent to the right decision-making individuals at the bank, and the breach and resolution must be well documented so it can be audited in the future. Manual calculation and spreadsheets cannot guarantee this; only a strong IT infrastructure with limits and management capabilities can achieve this desired state.

Conclusion: The Way Forward
Technology can deliver significant value to the overall risk appetite process. Automated systems provide efficiency gains, better data quality and enhanced analytics. And these factors, in turn, drive the ability to measure, monitor and adjust risk taken against established risk appetite.

For more on this topic, see our white paper.


Hichem Kerma is a senior engagement advisor for Moody’s Analytics.