Risk Appetite

To understand risk appetite, we need to take a step back and first understand the bigger picture, that is Risk Governance.

As mentioned in Comptroller’s Handbook on “Corporate and Risk Governance”, Risk governance framework begins from the top with “Risk culture”, followed by “Risk appetite”, and concluding at the bottom with the “Risk management system”.

Banks, Risk management incorporates three lines of defense:

1. First line of defense: they could be frontline units, branch staff, sales staff, call Centre personals, relationship managers, who directly interact with customer and are responsible profits for the organizations.
2. Second line of defense: consist of independent risk management (IRM), loan review officers, compliance officers, and chief credit officers, HR, who are tasked with assessing risk autonomously from the unit and
3. Third Line of defense: internal audit, which furnishes independent assurance.

?What is Risk Appetite?

Risk appetite refers to the level of risk that an organization is willing to accept in pursuit of their objectives. It represents the amount and type of risk that an entity is prepared to take on in order to achieve its goals, considering factors such as its tolerance for uncertainty, potential losses, and desired returns.

To determine risk appetite within an organization it must:

• Understand the business goals and priorities. It is crucial that an organization identifies and in defines its risk appetite. Different objectives may require different levels of risk tolerance.
• An organization must define its Risk tolerance level. This refers to the level of uncertainty or potential loss that an organization is willing to sustain. It helps establish boundaries for acceptable risk-taking.
• As part of Regulatory and compliance requirements, an organization must comply with various regulations and legal obligations; this may influence their risk appetite by imposing certain limits or standards.
• The expectations or preferences of stakeholders, including investors, customers, and employees, can also be an influence to organization's risk appetite.
• One of the key aspects is assessing the organization's financial strength and resources it has, that is essential in determining its ability to absorb and manage different types of risks.

?What is Risk Appetite Statement?

A risk appetite statement plays an important role within a financial institution's risk governance framework. It serves to strengthen its risk culture.

This statement is collaboratively developed by the board of directors and senior management. Unlike the "Risk Assessment", which looks backward, the "Risk appetite statement" looks forward, setting boundaries within which senior management that must be adhered to while executing the institution's strategic plan.

It establishes clear limits and guidelines, guiding decision-making processes and ensuring alignment with the institution's risk tolerance levels and strategic objectives.

The Strategic objectives must be formulated, mutually endorsed, and executed in accordance with the principles outlined in the risk appetite statement. This statement defines the balance between business risk and the expansion of operations.

It precisely outlines the risk categories that the financial institution will actively pursue, taking into consideration factors such as product offerings, clientele, geographical reach, and service areas. Moreover, compliance with Anti-Money Laundering (AML)/Counter-Terrorist Financing (CTF) regulations and sanctions screening policies should weigh heavily in determining limits or thresholds.

?“The OCC Guidelines” on Risk Appetite Statement states

A bank is required to establish a comprehensive written statement that clearly defines its risk appetite, serving as the foundation for its risk governance framework.

This risk appetite statement should encompass both qualitative and quantitative elements.

Qualitatively, it should outline a robust risk culture and detail how the bank will identify and manage risks, including those that are challenging to quantify.

Quantitatively, it should establish limits that incorporate rigorous stress testing procedures where applicable, addressing the bank's earnings, capital, and liquidity.

These limits should be set at levels that consider appropriate capital and liquidity buffers, prompting management and the board of directors to mitigate risks proactively before they threaten the bank's financial stability.

The risk appetite statement must be communicated to all employees in a way that all employees to align their risk-taking decisions with related features of the bank’s risk appetite statement. IRM should establish and adhere to enterprise policies that include concentration risk limits.

These policies should state how aggregate risks are effectively identified, measured, monitored, and controlled, consistent with the bank’s risk appetite statement.

?