Читать книгу Non-financial Risk Management in the Financial Industry - Группа авторов - Страница 116

A RAF’s components must be periodically reviewed, to guarantee that they are meaningful, thorough and up-to-date; periodicity of review, however, varies depending on the framework’s level. In addition, also the regulator mandates periodic independent reviews of the RAF by the internal audit function.[15]

Level 1: The overall Risk Appetite Statements (RAS) are reviewed ad hoc in case of senior management input or fundamental changes in business risk appetite or in the risk management framework. In general, variations at RAS level are less frequent than the tuning of other metrics because financial institutions should ensure stability and consistency to avoid strategic drift.

Level 2: Risk appetite metrics and corresponding thresholds are subject to periodic reviews – in general, annually – to account for major deviations in risk assessment results, new emerging risks or new business activities.

Level 3: KRIs and corresponding thresholds are reviewed more frequently – typically, on an annual basis – to ensure that changes in the risk categories are monitored, the regulatory framework and/or monitoring capabilities are embedded in a timely manner. For Level 3 indicators, any time new risk assessment results are published, it is verified whether there are changes in the residual risk level of the categories being monitored that require adjustments in the KRIs (e.g. new risk category with significant residual risk, requiring the identification of new operational indicators). Based on this preliminary assessment, control functions are expected to review the selection of indicators, based on predefined criteria (e.g. expert judgment):

 For confirmed risk categories, indicators and related thresholds are updated, revised or changed based on new priorities, capabilities or control processes.

 A risk committee with a representative from the board should usually approve any change to the RAF.

 For ‘new’ risk categories, ad hoc indicators are selected, and related thresholds are preliminarily defined, based on relevant regulation, organisational ambition and available information.

 For risk categories moving to ‘non-monitored’ levels, corresponding indicators are removed from the RAF.