Читать книгу Non-financial Risk Management in the Financial Industry - Группа авторов - Страница 84

A risk appetite framework (RAF) sets the maximum level of risk an institution is willing to accept for the pursuit of its business plan and long-term strategic objectives, considering stakeholders interests and risk-specific regulatory requirements. The concept of risk appetite has evolved over the past ten years, reaching maturity not only through new regulatory standards but also the continuous hands-on efforts and tuning of financial institutions.

In 2009, the Senior Supervisors Group (SSG) under the Financial Stability Board (FSB) carried out an in-depth analysis of major failures and structural weaknesses in financial services’ governance, risk management and internal controls systems, which were then identified as partial causes of the financial and banking crisis of 2008.[1] The analysis highlighted a significant disparity between the FSB’s perception of risk management and appetite, and the actual performance of financial institutions. The FSB underlined the need for comprehensive and clear risk information, along with competences that allow for a proper risk oversight among board members and senior management, a message reinforced in recent years.[2]

Supervisory authorities called for a more structured, quantifiable and factual approach to the definition of risk appetite and management. In 2010, the SSG followed up on its findings and observed a general improvement in the identification of measurable indicators and in communication efforts towards (and from) senior management. However, such approaches were not yet fully consolidated within financial institutions.[3]

In 2013, the FSB helped push the risk appetite framework further by collecting and rationalising lessons learnt and best practice observed among market players.[4] The FSB also contributed to the consolidation of key terminology and concepts, setting the minimum requirements in terms of:

 clear expression and identification of risk appetite and related limits, providing relevant vocabulary as well as guidelines to ensure significance and soundness;

 governance of risk appetite frameworks, clarifying expectations concerning roles and responsibilities of different actors within an institution.

In the ensuing years, market players have embedded such concepts and guidelines, and they have further evolved metrics and indicators in RAFs. Such refinement firstly focused on financial risks, the real culprits of the 2008 crisis. In the past five years, however, increased attention has been devoted to non-financial risks (NFR). The European Central Bank (ECB) gave a boost to the RAF evolution for NFR, paving the way for inclusion of non-financial risks as a measure of sound risk management in its 2016 Supervisory Review and Evaluation Process guidance.[5] It stated that “Material non-financial risks (in particular compliance risk, reputational risk, IT risk, legal risk and conduct risk) are expected to be included more explicitly in the RAF, if not with quantitative proxies, at least with qualitative statements.”[6]

From 2016 onwards, several financial institutions introduced a ‘formal’ RAF for non-financial risks. Still, most companies started approaching non-financial risks with broad qualitative statements, while only the most advanced institutions adopted a ‘business steering’ approach, with quantitative metrics cascaded into business operational limits, making explicit the trade-offs between business decisions and risk exposures. This business-oriented approach has marked an important step forward from the traditional slogan of ‘zero tolerance’ to a practical risk-based decision-making tool, which in the most advanced institutions is closely interlinked with other key business processes (e.g. strategic planning).

Nonetheless, the sophistication of quantitative indicators and level of granularity are not homogeneous across non-financial risk types. For some, it has proven convenient and feasible to transform a qualitative, high-level statement into quantitative metrics, to then further break them down into detailed indicators. In other cases, however, quantitative metrics are absent or still limited, and the RAF has remained mainly a qualitative exercise. This chapter will illustrate different ways adopted by market players to embed non-financial risks in RAFs.