A Difficult Task, But a Necessary One

The Challenges of Gauging Effective Risk Appetite

Managing a bank’s risk appetite strategy is unique to each organization. Unlike some areas that are more clearly regulated — for example, FDIC-insured deposit accounts — the level of risk an institution is willing to incorporate into its overall management portfolio must be customized.

The crucial step in doing so is creating an accurate and durable Risk Appetite Statement, which is considered one of the most challenging aspects of risk management. It is a high-level document that outlines the broad parameters of risk levels that management finds acceptable.

The first task in defining risk appetite is choosing the basis on which to build enterprise risk management (ERM). This will be the basis for the institution processing and defining the balance between risk and profit goals. There are two organizations that have developed the most widely used benchmarks for assessing risk:

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
• The International Organization for Standardization (their ISO 31000 benchmarks).

Some institutions choose to develop customized, in-house benchmarks. But a thorough understanding and inclusion of the risk factors contained in COSO and ISO 31000 should be part of any such internal standards. Given the complexity of both documents, research about hiring outside consultants to be part of developing the Risk Appetite Statement should also be part of the early decision-making process.

No matter the technical basis on which the Risk Appetite Statement is built, the real work is building consensus within the organization about risk management. It is not uncommon for early sessions with stakeholders to lay bare a wide divergence about both the level of risk that is considered appropriate and the nature of external risk factors at play.

Much of the work will be the give-and-take of melding those opinions into a strategic document that the organization can depend on in making decisions. In a nutshell, much of the syntheses will be based on agreeing on how to model “known unknowns,” an always challenging task. For example:

• Is there enough data or historical precedent on which to create a reliable model for a specific situation?
• Has an established pattern of volatility over time — which appears to be a solid basis on which to assess risk — changed in ways that are not yet apparent (for example, due to cutting-edge technological innovations)?
• Is the area of economic activity so complex that modeling is prone to giving random outcomes?
• Is there risk concentrated in geographic areas that are becoming more prone to widespread catastrophe, more so than the modeling has yet incorporated?

Once benchmarks have been chosen and models accepted by all parties, the process can continue. The institution’s desired level of risk appetite should be categorized into specific metrics — risk tolerances, which are more focused benchmarks for acceptable risk levels regarding specific objectives — and methodologies with which to monitor the risk taken on by the organization.

By establishing risk tolerances, the implementation of the Risk Appetite Statement can be managed with greater specificity and transparency. This, in turn, provides a more confident environment for achieving the institution’s overall strategic objectives.