Risk appetite as a dynamic management tool

Transcription

1 Risk appetite as a dynamic management tool

2 Background The topic of risk appetite is at the centre of attention currently. There are various reasons for this: the financial crisis, which has made it clear that many financial enterprises have exceeded the boundaries of their risk appetite either explicitly or implicitly, which put the topic high on the agendas of both managing and supervisory directors alike; the demand for greater risk management and risk appetite transparency expressed by different types of stakeholders (shareholders, investors, rating agencies, etc.); and current regulatory and corporate governance trends. The definition of risk appetite Risk appetite is the amount and type of risk that a company is able and willing to accept in pursuit of its business objectives. Challenges Challenges abound in the financial sector. Although many institutions have formulated their risk appetite one way or the other, key focus areas remain before risk appetite can actually be used as a dynamic management tool. The challenges ahead include: an effective governance structure to formulate and cascade risk appetite; the relationship between risk appetite and risk capacity; a consistent conceptual framework for the relationships between risk appetite and cascading to types of risks, business units and/or legal entities; cascading methods for business units and types of risks; an effective monitoring and internal control structure to monitor risk appetite, including the confrontation between risk appetite and the enterprise s actual risk position; and the proper culture, to ensure risk appetite supports day-today decision-making. What needs to be done? There is no one-size-fits-all approach to risk appetite, but the approach adopted by each organisation must reflect its own business and strategy. The current focus should be on assessing whether the overarching framework is consistent with the business s wider goals and stakeholders expectations. Also consistency between other policy documents and with the enterprise s internal and external communications is important. Obviously, many organisations have defined their risk appetite. It may be relevant to check the quality and maturity of the current model compared with common practice or market practice, and how risk appetite can be better embedded into the organisation so that risk appetite can actually be used as a dynamic management tool. EY can assist you in several ways. Our approach includes: includes: EY can assist you in several ways. Our approach includes: benchmarking; in a relatively brief time span we can benchmark your risk appetite framework against market practice on the basis of a quick scan review; design; facilitating interviews and/or workshops with management and risk owners to support the formulation or validation of risk appetite and providing templates and tools that are useful in formulating risk appetite; support on the implementation of the risk appetite methodology in the organisation including project management; allocation; providing techniques that are useful in cascading risk appetite to various dimensions and ensure alignment with existing limit/indicator structures; stress testing; reviewing or designing stress tests, and applying scenarios in relation to the boundaries of your enterprise s risk appetite, both top down on entity level and bottom up on particular risk areas; embedding; align risk appetite framework with existing internal control environment. Explicitly specifying and acting upon risk appetite strenghtens a financial enterprise s organisation 1

3 Risk appetite as as a a dynamic management tool Where organisations expressly wish to to use use risk risk appetite as as a a management tool, it it is is essential that that the the risk risk appetite process is is properly designed and and embedded into into the the organisation. The The overview below contains the the elements relevant in in this this respect. Design The The design of of a robust a risk risk appetite statement is based is on: on: a framework a approach a systematic a and and process-based justification balance between quantitative and and qualitative statements close close involvement of of the the board of of managing directors and and of of supervisory directors an annual cycle cycle tied tied in in with with strategic developments Allocation The The allocation of of risk risk appetite at at the the aggregate level level to to the the organisation comprises: the the design of of a methodology a for for cascading risk risk appetite to to various dimensions (types of of risk risk and and business units) and and in in different ways ways (quantitatively versus qualitatively) a framework a of of mutually tied-in policy documents, limit limit structures, procedures and and indicators alignment with with how how responsibilities have have been been assigned in in the the organisation and and the the annual budget and and planning cycle cycle the the implementation of of cascading and and testing (validation with with risk risk owners) Governance Enterprise-wide stress-testing Enterprise-wide stress-testing Design Framework approach Close Close involvement board board of managing of directors and and supervisory directors Allocation To types To types of risk of risk and and business units units Quantitative versus versus qualitative Embedding Culture, conduct and core values Culture, conduct and core values Quality Quality of infrastructure of for for measuring and and monitoring Management information Internal control control Framework Technology and and data data Enterprise Wide Stress Testing To support the risk appetite process, it is essential to carry out stress tests that can provide further clarity in the Enterprise Value at Risk (EVAR). Enterprise Wide Stress Testing is used in two ways: 1 Design phase: in this phase stress testing is used to support the design of the risk appetite, enabling the firm to consider the risk capacity. This comprises: design of various stress tests and scenario s including reverse stress testing; validation of scenario s; training at senior management and board level. 2 Embedding phase: in this phase stress testing is used to support the firm to remain within the risk appetite. This comprises: integrated stresstesting; regular review of validity of scenario s. Embedding & & Culture, conduct and and core core values To To properly embed the the risk risk appetite process, internal control environment quality is vital. is vital. This This comprises: the the quality of of the the infrastructure for for measuring risks risks the the design of of management information the the quality of of monitoring internal control framework quality budget and and planning cycle cycle quality IT IT infrastructure and and data data quality the the quality of of the the soft factors in in terms of of culture, conduct and and tone tone at at the the top top It It is is essential that that all all of of the the process elements are are properly implemented, so so that that people across the the organisation are are aware of of the the proper line line of of action while duly duly observing risk risk appetite, and and so so that that they can can support the the decision-making process. We We will will further discuss the the elements in in detail. 2 2

4 1. Design On the basis of market practices in the financial sector, there are various ways of formulating risk appetite in a systematic and process-based way. EY has developed a method that ties in with this. The core process for formulating risk appetite is as follows Mission, strategy, culture Expectations and interests of stakeholders Shareholders Investors Clients Financial parties Government bodies Rating agencies Employees Regulatory bodies Society Risk appetite process Formulating risk appetite Revising Embedding into organisation Monitoring and managing Integrated risk assessment Credit risk Market risk Liquidity risk Insurance risk Operational risk Strategic risk Element Top down Bottom up Communicating risk appetite X Defining risk appetite X X Measuring risks X Different roles for: Executive Board/Board of Managing Directors Board of Supervisory Directors/Supervisory Committee Division/BU management Risk management function The organisation s mission, strategic goals and culture (including the tone at the top) should be considered when defining risk appetite. They clarify and express the organisation s basic risk attitude. In addition, the organisation has to deal with several external parties - the stakeholders - that have different interests and expectations, which the organisation must consider. Together with the key risks ensuing from the organisation s operations, they are the basic elements for formulating risk appetite centrally. It is important to cascade risk appetite on the basis of this framework approach, as it will result in a systematic, structured justification for risk appetite at an organisation-wide level, based on a process-based approach. It is recognised that, in general, risk appetite as a concept is difficult to define. It is usually expressed as a set of considerations and principles, in a configuration of quantitative and qualitative statements. It is essential that the definition of risk appetite strikes a sound balance between a technically adequately justified quantification and qualification of risk appetite, on the one hand, and a clear, comprehensible description that is accessible to people at various knowledge levels, on the other. 3

5 2. Allocation The translation of risk appetite at the aggregate level for the different business units and types of risk is a complicated process demanding a systematic approach. Schematically this can be made clear as follows: Group Level Risk Appetite Statements Overall Vision Statements Business Strategy Statements Other Statements Risk types Geographies Divisional Level Risk Appetite Statements Retail Bank Corporate Bank Risk types Investment Bank Risk appetite should be cascaded along those lines. The policy documents When cascading, already there available should within be a sound this framework understanding constitute of the all material basic principle types of here, risk, in and respect an estimate of which should alignment be made with of the overall the impact risk they appetite have statement on the different should, risk obviously, appetite continue elements. to be Along guaranteed. these lines, The a cascading further development fleshed out needs by type to of take risk place. is to be It usually validated requires with risk a distinction owners. to be made between financial and non-financial risks, because the extent to which risk When appetite cascading, can be quantified there should may be differ a sound considerably. understanding of all The material existing types policy of documents risk, and an in estimate this framework should are be made the of the starting impact point, they in have which on of the course different the alignment risk appetite with elements. the Along overall these risk appetite lines, a further statement development should remain needs safeguarded. to take place. It The usually detailed requires cascading a distinction per risk to type be and made each between business financial and (in terms non-financial of limits, risks, procedures, because indicators) the extent is to validated which risk appetite by the relevant can be responsible quantified may risk differ owners considerably. (such as division The management, existing policy department documents heads). in this framework are the starting point, in which of course the alignment with the overall risk appetite statement should remain safeguarded. The detailed cascading per risk type and each business (in terms of limits, procedures, indicators) is validated by the relevant responsible risk owners (such as division management, department heads). Geographies 3. Enterprise Wide Stress Testing Stress testing is an integral part of the risk appetite process. To support the risk appetite process properly, it is essential to carry out stress tests that can provide further clarity in the Enterprise Value at Risk (EVAR). Reverse stress testing should be used to help define the risk capacity. To clarify the relationship between risk appetite and risk capacity, we use the following figure: Risk capacity The maximum level of risk an organisation can accept given its capital and liquidity position and any restrictions ensuing from financing and/or requirements set by regulatory bodies. Buffer Risk capacity Risk appetite Risk appetite The extent to which an organisation is prepared to accept risks in pursuing its goals within the boundaries of its risk capacity. Buffer The difference between risk capacity and risk appetite In determining the buffer, extreme circumstances and modelling errors should be taken into account. EVAR The enterprise level of loss. Enterprise Wide Stress Testing is used in two ways: 1. Design phase: in this phase stress testing is used to support the design of the risk appetite, enabling the firm to consider the risk capacity. This comprises: design of various stress tests and scenario s including reverse stress testing to identify the underlying fault lines and points of weakness at aggregated level and on portfolio level; validation of scenario s to ensure they reflect the macroeconomic environment; training at senior management and board level. 2. Embedding phase: in this phase stress testing is used to support the firm to remain within the risk appetite. This comprises: integrated stresstesting on a regular basis to test the potential performance of businessplans against risk appetite under certain scenario s; regular review of validity of scenario s. It is important that the scenario s are sufficiently severe but plausible and refreshed as required to remain reflective of the macroeconomic environment. The board and senior management should see the results of the stress tests on a regular basis. 4

6 4. Embedding & Culture, conduct and core values To properly embed the risk appetite process, internal control 4. Embedding & Culture, conduct and core values environment quality is vital. This comprises a number of elements, e.g.: To properly embed the risk appetite process, internal control the quality of the infrastructure for measuring risks; this is environment quality is vital. This comprises a number of important because it creates a proper understanding of the elements, e.g.: actual risk; the quality of the infrastructure for measuring risks; this is the design of management information, including important because it creates a proper understanding of the the extent to which the factual risk profile can be actual risk; unambiguously derived from it and the way in which an the design of management information, including understanding is gained of how such factual risk profile the extent to which the factual risk profile can be relates to the risk appetite formulated; unambiguously derived from it and the way in which an the quality of monitoring to the extent to which the actual understanding is gained of how such factual risk profile risk is related to the defined risk appetite. This includes relates to the risk appetite formulated; the way in which defects are treated and the actual the quality of monitoring to the extent to which the actual consequences people attaches to it; risk is related to the defined risk appetite. This includes internal control framework quality; This concerns the whole the way in which defects are treated and the actual of management measures taken to manage identified consequences people attaches to it; risks and how these measures are actually implemented internal control framework quality; This concerns the whole (effectiveness); of management measures taken to manage identified risks and how these measures are actually implemented (effectiveness); budget and planning cycle quality; ideally, the risk appetite will affect the budget and planning process. Divisions or departments often make their own annual plan and / or budget and planning cycle quality; ideally, the risk appetite budget as part of the planning and budget cycle in which will affect the budget and planning process. Divisions or the objectives for the coming year are included. This needs departments often make their own annual plan and / or to be done within the framework of the risk appetite; and budget as part of the planning and budget cycle in which IT infrastructure and data quality. This concerns the the objectives for the coming year are included. This needs overall support of the risk management process, including to be done within the framework of the risk appetite; and monitoring of risk appetite. IT infrastructure and data quality. This concerns the overall support of the risk management process, including Finally, the soft factors in terms of culture, conduct and core monitoring of risk appetite. values are vital. The quality of those factors and the tone at the top will be decisive in whether the risk appetite framework Finally, the soft factors in terms of culture, conduct and core will actually be complied with and impact day-to-day decisionmaking, in other words, really become a dynamic management values are vital. The quality of those factors and the tone at the top will be decisive in whether the risk appetite framework tool. Therefore, this aspect will require the necessary will actually be complied with and impact day-to-day decisionmaking, in other words, really become a dynamic management attention. tool. Therefore, this aspect will require the necessary attention. 5

7 Regulatory and corporate governance developments in the Netherlands relating Regulatory and corporate governance developments in the Netherlands relating to risk appetite to risk appetite The key trends in the areas of regulations and corporate The key trends in the areas of regulations and corporate governance relating the financial to risk appetite services industry het financial the governance relating the financial to risk appetite services industry het financial the Netherlands services industry are as in follows: the Netherlands are as follows: Netherlands services industry are as in follows: the Netherlands are as follows: Banks Banks The Banking Code specifically lays down the duties and The Banking Code specifically lays down the duties and responsibilities of the Board of Managing Directors and the responsibilities of the Board of Managing Directors and the Supervisory Directors in terms of risk appetite. In addition, the Supervisory Directors in terms of risk appetite. In addition, the Basel II provisions on ICAAP provide that capital calculations Basel II provisions on ICAAP provide that capital calculations must explicitly be consistent with the enterprise s risk profile, must explicitly be consistent with the enterprise s risk profile, based on an analysis of all material risks and the organisation s based on an analysis of all material risks and the organisation s related risk appetite. related risk appetite. Insurers Insurers Further to the Banking Code, the Insurers Code specifically Further to the Banking Code, the Insurers Code specifically - and virtually similarly - lays down the duties and and virtually similarly lays down the duties and responsibilities of the Board of Managing Directors and the responsibilities of the Board of Managing Directors and the Supervisory Directors in terms of risk appetite. In addition, Supervisory Directors in terms of risk appetite. In addition, the Solvency II provisions on the ORSA provide that capital the Solvency II provisions on the ORSA provide that capital calculations must be consistent with the organisation s risk calculations must be consistent with the organisation s risk profile. profile. Asset managers Asset managers Several publications contain recommendations as to how a Several publications contain recommendations as to how robust risk management system should be structured that robust risk management system should be structured that adequately manages all material risks and focuses on the adequately manages all material risks and focuses on the relationship between risks and performance/return. relationship between risks and performance/return. For the Netherlands, these are, among other publications, For the Netherlands, these are, among other publications, the risk management guidance for investment institutions the risk management guidance for investment institutions and investment enterprises published by DUFAS in 2011 (and and investment enterprises published by DUFAS in 2011 (and endorsed by the AFM) and the report published in 2011 by endorsed by the AFM) and the report published in 2011 by IVBN on risk management in the institutional property sector. IVBN on risk management in the institutional property sector. From a more international perspective, the AIFM Directive is From more international perspective, the AIFM Directive is relevant, on which explicitly is being monitored on risk profiles relevant, on which explicitly is being monitored on risk profiles of investment funds. The ICAAP obligations also play a role for of investment funds. The ICAAP obligations also play role for asset managers. asset managers. Pension funds Pension funds The recommendations made in early 2010 by the Investment The recommendations made in early 2010 by the Investment Policy and Risk Management Committee ( Frijns Committee ) Policy and Risk Management Committee ( Frijns Committee ) provide that the Board of Managing Directors should provide that the Board of Managing Directors should formulate the pension fund s risk appetite. The Investment formulate the pension fund s risk appetite. The Investment Policy Recommendations made in 2010 by the three pension Policy Recommendations made in 2010 by the three pension umbrella organisations endorse this. umbrella organisations endorse this. Overall Overall The financial services industry itself has developed activities in The financial services industry itself has developed activities in order to improve market practices to come. order to improve market practices to come. A recent contribution contains the report of the Institute of recent contribution contains the report of the Institute of International Finance (IIF) in June The report provides a International Finance (IIF) in June The report provides comprehensive analysis for robust risk appetite framework that comprehensive analysis for robust risk appetite framework that contributes to the strengthening of financial firms. Although this contributes to the strengthening of financial firms. Although this report mainly has been established from banking institutions, it report mainly has been established from banking institutions, it is expressly intended for the entire financial services sector. is expressly intended for the entire financial services sector. EY expertise EY expertise EY Financial Services Risk brings together specialist EY Financial Services Risk brings together specialist knowledge in an integrated team working in a broad, knowledge in an integrated team working in broad, international field of financial enterprises. We have experience international field of financial enterprises. We have experience supporting and assisting with the design and embedding supporting and assisting with the design and embedding of risk appetite frameworks in organisations. Grasping the of risk appetite frameworks in organisations. Grasping the full picture relatively fast is all in a day s work for us, as is full picture relatively fast is all in day s work for us, as is quickly establishing a link with parallel, relevant aspects in quickly establishing link with parallel, relevant aspects in organisations, such as capital calculations and stress testing. organisations, such as capital calculations and stress testing. Working with us gives you access to: Working with us gives you access to: specialist knowledge linked to an international network; specialist knowledge linked to an international network; a quick and proper insight into market practice trends; and quick and proper insight into market practice trends; and in-depth knowledge of risk management, risk governance, in-depth knowledge of risk management, risk governance, stress testing and economic capital calculations, and how it stress testing and economic capital calculations, and how it all comes together to embed risk appetite. all comes together to embed risk appetite. If you wish to receive more information about how we can If you wish to receive more information about how we can assist you, please contact our specialists: assist you, please contact our specialists: Nico Warmer Partner Nico Warmer Partner Tel.: +31 (0) Tel.: +31 (0) Mobile: +31 (0) Mobile: +31 (0) Fax: +31 (0) Fax: +31 (0) nico.warmer@nl.ey.com nico.warmer@nl.ey.com Lizette Bruidegom Senior Manager Lizette Bruidegom Senior Manager Tel.: +31 (0) Tel.: +31 (0) Mobile: +31 (0) Mobile: +31 (0) Fax: +31 (0) Fax: +31 (0) lizette.bruidegom@nl.ey.com lizette.bruidegom@nl.ey.com Don t let the speed of change leave you behind Don t let the speed of change leave you behind Alle rechten voorbehouden EY

8 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate Legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com Ernst & Young Accountants LLP All Rights Reserved. ED none This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global EY organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor. ey.com/nl