Читать книгу Non-financial Risk Management in the Financial Industry - Группа авторов - Страница 85

The core concepts underlying a RAF, unanimously recognised by regulators and transversely applied for financial as well as non-financial risks, are “appetite,” “capacity” and “limit.”[7] These express how risk is measured and the relevant thresholds are monitored:

 Risk Appetite is intended as the express, formal statement concerning the aggregate type and levels of risks which an entity is willing to accept in its effort to pursue its strategic objectives. It can be expressed either as a quantitative measure or as a qualitative sentence. When detailed at a metric/indicator level, it is often identified as “target” and provides the reference threshold for the business’ development and steering, indicating the risk level considered optimal for the organisation.

 Risk Capacity (sometimes also referred to as “limit”) is intended as the maximum level of risk that can be tolerated by the entity, before breaching relevant constraints (either regulatory or internal). Values beyond it are considered unacceptable, and both management and the board must take this into consideration when taking risk decisions in normal as well as in stressed conditions.

 Risk targets/caution/limit levels are the quantitative thresholds which cascade the aggregate risk appetite at the operational level (business line, entity). They represent the maximum acceptable deviation from the target level, and they are set leaving sufficient room to operate, also in stress conditions.

Considering the definitions above, market players typically define three different levels within their RAFs:

Level 1: Overall risk appetite statement (RAS)

A high-level formal declaration that sets out the types and level of risks that can be assumed in the pursuit of strategic business objectives, for each risk type. For the RAS to be actionable, it usually contains express indication of:

 key principles guiding response to non-financial risks, to be cascaded in risk appetite metrics;

 prohibited activities for the organisation for which “zero tolerance” applies.

Level 2: Risk appetite metrics and tolerance levels

Primary metrics in which the overall RAS can be disaggregated and the related tolerance thresholds set. Usually linked to residual risk measures captured by a risk assessment, this is the primary step to allow measurement and monitoring of the entity’s performance against applicable risk appetite objectives and limits.

Level 3: Detailed risk indicators and thresholds

Key Risk Indicators (KRIs) that allow the institution to measure and monitor the performance of the defined risk appetite metrics, and allow for a definition of detailed tolerance thresholds (target, caution, limit) for each. The further disaggregation of risk appetite metrics into KRIs can simplify continuous monitoring and the implementation of remediating actions to decrease levels of risk if necessary.

An RAF’s design and parametrisation involves all three lines of defence.[8] Given the strategic purpose of RAF, embedding business evaluation is critical to make RAF a steering tool for the organisation. The most mature market players involve key business functions across all the three levels of the framework (Figure 1).