It is my pleasure to make the opening comments at this event bringing together directors, senior executives and risk management professionals from both financial services and non-financial services organisations. The purpose of our forum is to facilitate discussion on the important topic of risk appetite and its role in commercial organisations, including of course financial firms.
One of the key reasons behind the financial crisis was the weakness of risk culture and the failure of effective risk management in many financial firms. While a good deal of progress has been made across the financial services industry in addressing such issues, both risk culture and risk appetite remain areas where there remains much to be learned and done. With this in mind, the Central Bank of Ireland and the Institute of Directors in Ireland are hosting this joint event to facilitate a broad discussion and sharing of ideas from theoretical, practical and regulatory perspectives. We look forward to hearing your opinions and experiences and we hope it will be an informative and thought-provoking forum.
What is Risk Appetite?
The Financial Stability Board’s (FSB) defines risk appetite as:
“The aggregate level and types of risk an organisation is willing to assume within its risk capacity to achieve its strategic objectives and business plan”.
In other words, the Risk Appetite Statement is the formal articulation of an entity’s willingness to take on and effectively manage certain risks and avoid, or minimise, other risks in the pursuit of its strategic objectives.
Why Establish Risk Appetite?
Exposure to risk is an inevitable part of doing business. Successful businesses take on and manage calculated risks in order to achieve their goals. The challenge is to identify the risks which the firm is able to take on, that is to say the risks which the executive team has the appropriate skills, knowledge and experience to manage, up to a degree which the firm has the wherewithal to withstand. A clearly defined risk appetite provides the directors, management and staff with a framework which facilitates the identification and management of risks. Strategic objectives should underpin the risk appetite statement. An effective risk appetite statement enables the assumption of risk in line with the strategic objectives of the organisation while giving the board and management confidence to avoid risks that are not in keeping with them.
Given the links between the strategy and risk appetite, the risk appetite statement should be viewed as a positive and dynamic document which will allow an organisation to demonstrate that deliberate choices are made within a consistent risk framework.
In the most effective risk cultures, risk management informs the decisions made throughout the organisation. Well defined roles and responsibilities of staff, for risk taking and incident reporting, together with appropriate training, will embed risk culture within the organisation. Decision makers must be accountable for their actions, and firms managed accordingly.
International Focus on Risk Appetite
Since the global financial crisis, there has been increased focus on risk management standards and, more specifically, on risk appetite as evidenced by work undertaken by the Financial Stability Board (FSB).
Following a peer review on risk governance, in November 2013 the FSB published “Principles for an Effective Risk Appetite Framework” which sets out key elements for an effective risk appetite framework, an effective risk appetite statement, risk limits, and defining the roles and responsibilities of the board of directors and senior management. The FSB Principles are broad enough to allow financial institutions to develop a framework that is tailored to their institution, that reflects their business model and structure, and that can be adapted to changes in the economic and regulatory environment. On the industry side, in 2009 the IIF published “Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions”, which noted that risk appetite frameworks are an essential tool of risk management and highlighted the need for extensive judgment and challenge on the part of Boards and management in this respect. It is the role of board of directors to which I now turn
The role of directors
The Financial Stability Board lists in its 2013 principles 12 tasks and responsibilities for the board of directors of financial firms with respect to the risk appetite framework. It starts with the approval of the framework, and ensuring its consistency with business and capital plans, continues with holding management accountable for the identification of risk exposures and for the escalation of breaches in risk limits, and ends with the establishment of internal and external safeguards and assessment of the risk framework.
In September 2014 the Financial Reporting Council in the UK published a revised Corporate Governance Code (“the Code”) along with two associated guidance documents. In respect of risk management the Code has been amended to require directors to “confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity”. It also requires directors to describe those risks and explain how they are being managed or mitigated. In addition, it assigns responsibility to the board for monitoring the company’s risk management and internal control systems.
Good corporate governance, including proper risk appetite framework, is needed in any venture. But it is even more critical in firms that have a fiduciary duty. Financial firms are regulated for a reason: they hold liabilities towards their clients in the form of client assets, funds, or sums necessary to pay claims. This means that directors are required to extend their responsibilities beyond shareholders and take full account of the interests of depositors, policyholders, victims of accidents, and savers This is in keeping with the Basel Corporate Governance Principles for Banks which provide that a bank’s board and senior management should “protect the interests of depositors, meet shareholder obligations, and take into account the interests of other recognised stakeholders”. Having a risk appetite cognizant of these wider responsibilities is a key part of meeting them.
Central Bank of Ireland Initiatives
From a Central Bank perspective, the Corporate Governance Code for Credit Institutions and Insurance Undertakings includes a requirement that the Board of Directors understands the risks to which an institution is exposed and documents the institution’s risk appetite. The Code requires that risk appetite be expressed in both qualitative and quantitative terms to facilitate tracking of performance and compliance with agreed strategy. Risk appetite is also subject to annual review by the board.
The Central Bank’s experience, based on thematic work and reviews, is that such documentation is of variable quality and that the risk appetite may not always be embedded throughout the organisation. Further, we have noted varying degrees of skills, experience and knowledge with respect to risk and its management.
In order to address these concerns the Central Bank has launched a series of initiatives aiming to advance understanding as to what an effective risk appetite encompasses and to establish what constitutes good practice in relation to setting risk appetite.
In mid-2014, we published a Discussion Paper to generate debate with stakeholders on risk appetite, its link with strategy and its importance for financial institutions. The Discussion Paper considered the main concepts and theories relating to risk appetite and its place within a risk appetite framework. It also provided suggestions as to what a risk appetite statement should contain. Responses to the Discussion Paper provided a useful insight into the current practices employed in the Irish financial services industry and the Central Bank would again like to acknowledge respondents’ contributions.
The Benefits of a Risk Appetite Framework
All respondents agreed that organisations benefit from a risk appetite framework and concurred that it is necessary to align risk appetite with the goals and strategies of the business. However, the majority of respondents stated that the development of a formal risk appetite within their organisation was driven by regulatory and legislative obligations. While it is, of course, necessary to fulfil the regulatory requirements in this regard, it is disappointing that the benefits arising from the successful implementation of risk appetite framework are not more widely appreciated. Indeed, it is these benefits that drive so many non-financial services organisations which are not bound by such requirements to invest considerable time and effort in implementing an effective risk appetite framework.
The Central Bank also recognises that there is no ‘one-size-fits-all’ approach to the implementation of risk appetite within an organisation. It is widely acknowledged that risk appetite is organisation-specific and should reflect the nature, scale and complexity of the entity.
It is this very diversity that prompted the Central Bank and the Institute of Directors in Ireland to invite you here today to open discussions regarding the role and benefits, as well as the challenges, of risk appetite and to share practical experiences and lessons.
The support for this Forum and the large number of attendees present this morning reflects the positive attitude of directors, senior executives and risk management professionals towards advancing the understanding of risk appetite.
Thank you for your attendance this morning and I hope that this morning’s discussions lead to a clearer vision as to both the role and the benefits of a clearly articulated and embedded risk appetite framework.
I would also like to thank Maura Quinn and her team at the Institute of Directors in Ireland for agreeing to co-host today’s Forum with the Central Bank and for their invaluable support and assistance arranging today’s event.