By Jean-Pascal Kretz, Managing Consultant, Risk Advisory services
As post mortem examinations of failed companies showed, a poor definition of risk appetite potentially leads to multiple errors in the course of business, such as taking unwarranted risks, resorting to short-term funding while taking long-term commitments, or to a general lack of alignment towards risk taking within the firm. These risk management mistakes could already prove to be fatal to the organization in isolation; if they happen simultaneously within an institution, demise is most certainly unavoidable.
In less than 20 years, our bank has gone from a local financial institution lending to public entities to an international financial behemoth with a balance sheet of almost €700 bn, to being a huge strain on public finances in several countries.
Along this highway to hell, a few signposts that should have been red lights:
- multiple M&As (generally at overestimated prices)
- extremely fast diversification of business from strict public financing to the vaunted “universal bank” model
- internationalisation of activities leading our bank to dangerous markets
- all the way to the bitter end , massive recourse to short-term leveraging; consequence of our bank’s long-lasting inability to access large volumes of deposits.
With benefit of the hindsight, a couple of important takeaways jump to mind: always do a proper due diligence before investing in an M&A prospect and be aware of your liquidity position (as well as of all risk management decisions with an impact thereon such as entering into massive interest rate swaps). There is no harm in ensuring the Management Body is not following a high risk – high return risk strategy in search of income to distribute, or that the Internal Audit function is performing as expected.
However, the quintessential truth of the matter is that you have to understand your business model, its strong points and limitations to be able to properly select the risks you take. This is the cornerstone of a company’s risk management, which will then be communicated so that a streamlined risk culture is established and decision making is done in full understanding of the risk(s) implied. Finally, it is crucial that at least one line of defence monitors (and cracks down on) all (possibly deviant) behaviours.
Risk management will provide the metrics and methods for the risk appetite, which in turn will drive the strategy. The risk appetite statement disclosed to the external and internal parties will be the expression thereof.
Before the global financial meltdown, risk appetite was notoriously absent from the directives; CRD III marks the first mention of risk appetite, in the context of alignment between remuneration policies and risk taking, followed in CRD IV by two additional mentions. Indeed, CRD IV requires “significant firms” to establish a separate non-executive risk committee whose mission is to advise the management body on the firm’s current and future risk appetite and on the strategy to follow, as well as assisting in the risk oversight role - management remaining the sole accountable for decisions taken.
Late in 2013, the FSB set the focus on risk appetite as an actionable and measurable tool to drive risk culture within financial institutions in its ‘Principles for An Effective Risk Appetite Framework’, following up on its risk governance and risk culture review and principles. Despite being in the spotlight ever since, risk appetite and its components and what makes a good risk appetite framework is still a debated topic, with no strong regulatory impulse towards any particular direction.
- The definition of the constituents of risk appetite
- The definition and application of the risk appetite framework
- The differences and common grounds between banking and insurance regrading risk appetite
- The perceived advantages of a well-defined risk appetite and
- The establishment of the backbone for a functional risk appetite framework
I hope you will enjoy the ride, and as Rage Against the Machine almost famously sang, Know your Risk Appetite.
Risk appetite is not a starting point; it stems from confronting different views on risk within the organisation and is the articulation of an overall risk management procedure. In line with the principles published by the FSB and the ISO 31000, we consider the following components as crucial to the establishment of a comprehensive Risk Appetite Framework:
A correct risk profile will allow to answer, at any moment, this very – not – simple question: ‘Where am I standing in terms of overall risk throughout my organisation?’
It will not come as a surprise that a full perfect picture of one’s risk profile is not attainable. At best, a good assessment of the risks from multiple angles will eventually allow to have a good estimation of the full risk picture. However, the inability to have an extensive, dynamic and correct assessment of an institution’s risk profile turned out to be the ultimate cause of failure of many institutions; if ignorance can be bliss in certain cases, it does not apply to risky positions.
AIG, almost ruined by its AIG Financial Products (AIGFP) unit, is a (curiously still) living proof of that. Because it was a non-insurance unit, AIGFP was not regulated along the rest of the Group by local insurance supervision but by the late US Office of Thrift Supervision.
AIGFP entered massively in the CDS market, underwriting CDS on CDOs, therefore gaining a massive exposure on US housing market and sub-prime mortgage loans and almost sinking the Group when the meltdown occurred. Under a proper risk profiling, a massive CDS exposure without reserves or cash to cover for potential calls would have probably raised a couple of eyebrows before the whole institution crumbled.
Once you know where you are standing, you might want to know whether you have the capacity to modify your risk profile and still make it out alive , which brings us to the next risk element of interest.
Managing your risk capacity is a matter of survival in most cases, because it affects either your capital or your liquidity levels – or both.
Evidence shows both are a sure way to fail for banks and other institutions. If you already are at the limit on your regulatory obligations, adding new risky assets without correcting the previous situation will end poorly, to put it mildly.
Assuming we are expressing risk capacity in regulatory capital terms, an obvious – and somewhat optimistic – definition is to consider that 100% of the difference between actual capital levels and regulatory minimum levels of capital represents the risk capacity.
In reality, getting close to the maximal risk capacity would already be problematic. Since capital position disclosures and regulatory reviews are quite frequent, the realisation by other players of potential troubles within the organisation would probably trigger reactions with a negative impact on the quality and quantity of capital available for loss absorption. This could quickly spiral out of any control and end up in resolution.
The exact same could be said about liquidity risk capacity, defined as the maximal liquidity outflow the Group can manage without breaching minimum liquidity requirements. In fact, in the case of liquidity, things can go very wrong much faster, because the exact magnitude of a potential outflow is unknown.
A very dead proof thereof is the late Banco Popular Español. In its valuation report from June 2017 , the Single Resolution Board is quite clear:
“For the sake of completeness, it is noted that the liquidity of the Group is the key factor that is triggering the failure of the bank. (…) the bank has been confronted with significant cash outflows across all customer segments (…). Sparked by a deterioration of the reputation of the institution as a result of media coverage and the announcement made by the bank on the need to proceed to either a capital increase or an M&A transaction due to the deteriorating financial situation, together with the impact of subsequent rating downgrades, deposit outflows [took place in] the context of a steady reduction of funding with a limited liquidity buffer.”
Normal behaviour leading to a quicker death: when the market and customers start questioning your ability to continue to operate – a realisation initiated or reinforced by the media and rating agencies, they will endeavour to put as much distance between you and their assets or funds as is possible. Therefore, risk capacity should always keep a significant headroom as against the maximal (or minimal) level expected by the Regulator.
Finally, even if you are capable of increasing the overall risk level within your institution, this increase cannot happen in a haphazard manner. It has to be defined at a general level, refined by specific risk profiles and a maximal acceptable level of failure. This brings us to the last intertwined components of the definition of the risk appetite framework:
Risk appetite is the aggregate level and types of risk the institution is willing to assume within its risk capacity, in line with its business model, to achieve its strategic objectives, constrained by
Risk appetite thus defined is a conscious decision to accept to take on risks coherent with the overall corporate strategy for an estimated return, bearing in mind the possibility of failing during the attempt.
As for all conscious decisions, it should be justified, monitored and subject to adjustment if the course deviates from the expectations.
Looking at the constituents described above, it is already quite obvious that the nature of your business will have an impact on your risk appetite, in particular if the purposes of the companies are radically different from an economic perspective.
Your approach to risk and the types of risk you are facing cannot be the same when you are an insurance company aiming at gathering, pooling and redistributing risk, or a bank, transforming maturities from deposits and funding lines in loans and providing additional services (payment systems, etc.).
The particularities of each business and the articulation within a dedicated framework will be the topic of a future post. Until then, stay tuned.