Risk Appetite

The Quintessential Technology Source for Corporate Financial Professionals

Home » Risk and Compliance APAC » CXO Insights

Risk Appetite

Hugo Assagra, Group Head of Credit Risk Strategy, OSB Group

Hugo Assagra, Group Head of Credit Risk Strategy, OSB Group

Risks are inherent to anything we do, and no organization can operate without being exposed to risks as they are necessary for achieving its objectives (the reward part of the equation). However, some risks can lead to devastating consequences and losses. So, the key is knowing what risks a company is exposed to or is willing to take and having the appropriate monitoring and management in place to respond quickly in case a mitigation action is required. 

The ISO 31000 risk management standard refers to risk appetite as the ‘Amount and type of risk that an organization is prepared to pursue, retain or take.’ This concept helps guide an organization's approach to risk management.

Risk appetite management is an essential aspect of the risk management framework. It helps define the level of risk that an organization is willing to accept in pursuit of its objectives and ensures that risks are properly monitored and controlled. When it comes to measuring risk appetite, both quantitative and qualitative measures are often employed:

• Quantitative measures involve the use of numerical data and statistical analysis to assess risk levels. This can include metrics such as value at risk (VaR), stress tests, or risk-adjusted return on capital (RAROC). These measures provide a quantitative assessment of the potential impact of risks and help determine the tolerable limits within which an institution can operate;

• Qualitative measures focus on the subjective assessment of risk appetite and often rely on descriptions, narratives and judgements rather than a numerical approach. This involves understanding the institution's risk culture and awareness, strategic goals, and risk tolerance, amongst other qualitative aspects of the risk management framework.

An effective risk appetite framework must have both depth to support the company’s strategy execution and breadth to reflect all risk categories a company is exposed to – financial and non-financial risks. The implementation of a risk appetite framework should follow the following high-level approach:

• First and foremost, a company needs to have clarity on its strategic objectives, as this will drive the enterprise-wide risk appetite statement measures and limits a company is committed to operating within. This happens at the highest level of the organization and will be governed by the board of directors and Executive Committee;

• Secondly, key risk drivers and specific policies and principles should be derived from the risk appetite statements and determine the way measures and limits will be operationalized;

• Finally, the principles and policies will support the definition of detailed and more specific risk appetite metrics, limits and triggers articulating both quantitative and qualitative measures across all types of risk.

"By effectively managing risk appetite, financial institutions can strike a balance between pursuing their objectives and maintaining prudent risk management practices"

Risk Appetite Management

Once the risk appetite framework is well defined and approved by the board, the company needs to establish the appropriate rhythm and tools to monitor the report and manage it. The following scheme provides a high-level view of how risk appetite is managed in practical terms where the desired range for a risk appetite metric to operate is highlighted between upper and lower triggers – represented by ‘b’ and ‘c’ in the image below:

Triggers: acting as early warning indicators, triggers are specific events or conditions that, when breached, indicate a deviation from the desired risk appetite prompting a reassessment of risk levels, review of risk controls, and potential remedial actions to bring the risk back within acceptable limits.

Limits: the level at which an immediate escalation and action is required should the company’s risk profile is breached. Whenever a metric breaches the upper or lower limit, represented by 'a' and 'd', the company's objective is under threat, and corrective actions must be taken immediately.

Capacity: is defined as the maximum level of risk a company can operate. In case a metric breaches the risk capacity, the company is unviable, and a recovery/resolution plan needs to be enacted. 

Recovery Plan: A recovery and resolution plan, often abbreviated as RRP, is a regulatory requirement for financial institutions to ensure their preparedness in the event of severe financial distress or failure. The main purpose of the plan is to outline strategies and procedures that would enable the institution to recover from financial difficulties and, if necessary, be resolved in an orderly manner without causing systemic disruptions or relying on bailouts.

Regulators require financial institutions, especially systemically important ones (SIFIs), to develop and submit recovery and resolution plans as part of their risk management and regulatory compliance efforts. These plans are continually reviewed and updated to reflect changes in the institution’s risk profile and evolving regulatory requirements. The ultimate goal is to enhance the resilience of financial institutions and reduce the potential negative impact on the broader financial system in the event of financial distress or failure.

Conclusion

In summary, risk appetite management involves a combination of quantitative and qualitative measures to assess, define, and monitor risk levels. Triggers act as early warning indicators, while breaches prompt escalation for appropriate action. By effectively managing risk appetite, financial institutions can strike a balance between pursuing their objectives and maintaining prudent risk management practices.

On the other hand, when the risk appetite is not properly utilized, a financial institution may forego various opportunities for growth, innovation, investment, collaboration, and competitive advantage. Striking the right balance between risk and reward is essential to harness the full potential of the opportunities available in the market and achieve long-term success.

All in all, the risk appetite reflects how a company articulates its strategy, and the resiliency and success of the business depend on how well it is executed. Quoting Warren Buffett, Risk comes from not knowing what you’re doing.”

tag

Financial

Risk Management

review

Weekly Brief

ON THE DECK

Read Also

Mastering Financial Statement Modelling for Strategic Forecasting

Mastering Financial Statement Modelling for Strategic Forecasting
Ian Wong, Director, Financial Planning and Analysis (FP&A), Johnson Electric
Finance Fuels Innovation In The Ai Age

Finance Fuels Innovation In The Ai Age
Rob Garlick, Head of Innovation, Technology & the Future of Work, Citi Global Insights, Citi
Presentation Techniques for Financial Presentations

Presentation Techniques for Financial Presentations
Ian Wong, Director, Financial Planning and Analysis (FP&A) at Johnson Electric
Leading Finance and Business Development in the Hospitality Industry

Leading Finance and Business Development in the Hospitality Industry
Wuthivet Vetchabutsakorn, Senior Vice President and Group Head of Finance, ONYX Hospitality Group
Risk Appetite

Risk Appetite
Hugo Assagra, Group Head of Credit Risk Strategy, OSB Group
Business Restructuring practices for enterprise transformation

Business Restructuring practices for enterprise transformation
Wuthivet Vetchabutsakorn, Senior Vice President, Group Head of Finance, ONYX Hospitality Group