Risk Governance: Appetite, Culture and the Limits of Limits
November 14, 2012
Posted November 16, 2012
Michael Alix, Senior Vice President
Remarks at the Risk USA 2012 Conference, New York City

Thanks very much for that kind introduction and thanks to the conference organizers for the invitation to speak to this important group today.  I’d like to begin by stressing that the comments I make today reflect my own personal views, and not necessarily those of the Federal Reserve Bank of New York or the Board of Governors of the Federal Reserve System.

I plan on spending the next 20 or so minutes providing some observations on the continuing evolution in risk governance, and the importance of strong risk appetite statements supported by strong risk cultures.  I’ll also offer some caution on the use of risk limits, then at the conclusion of my talk I’ll be happy to take your questions.

Weaknesses in risk governance at financial institutions have been widely blamed for exacerbating the financial crisis.  Four years on from the depth of the financial crisis, risk governance remains a work in progress.  In my remarks today, I intend to expand on the following key points:

  • Since the crisis, larger firms have focused on improving risk governance but continuing revelations of control breakdowns, misconduct and other risk surprises suggest much more remains to be done.
  • The expression of risk appetite and its relationship with business strategy should be the responsibility of the board of directors, working with the chief executive officer (CEO) and others in the C-suite, and not solely delegated to the chief risk officer (CRO) and the risk management organization.
  • The firm’s risk appetite statement should be clear and simple, so that it can be described in the proverbial elevator ride, and should refer to desirable and undesirable risk types, not just the abstract quantification of risks.
  • Directors and management need to focus on strengthening risk culture, so that, put simply, there is clear and consistent understanding by management AND employees of what constitutes “good” and “bad” risk behavior.
  • Risk culture should be supported by appropriate incentives and penalties.
  • Risk limits, which are needed to support an effective risk appetite framework, are an important but limited tool, and so not a panacea.  In some cases, risk limits can become a crutch.
  • Supervisors will continue to engage with directors, business managers, risk managers and risk takers, and will look across the landscape of the financial industry, to assess the effectiveness of each firm’s risk appetite statement and risk culture.

Before I return to my more detailed comments on risk governance and risk appetite, I’d like to put the subject in the proper context.  Supervisors and risk managers alike learned—or more accurately, relearned—abundant lessons from the experience of the latest financial crisis, and many of those lessons informed changes in regulation, supervision and risk management practices both in the United States and throughout the developed world.  As is apparent from the program for this conference, as these new rules are designed and implemented, leaders of financial institutions are being forced to adapt business models and risk practices.

Supervision is adapting, too.  The Federal Reserve has intensified its scrutiny of the largest, most systemically important bank holding companies under its jurisdiction, and focused its resources on three key interrelated objectives: enhancing resilience; reducing complexity; and improving governance—in effect, raising the bar for directors and management.

In promoting resilience, supervisors are assessing capital plans at large firms, seeking to understand how firm managements are considering all of the vulnerabilities their firms face in targeting capital levels and setting distributions.  As an important part of the exercise, supervisors gather data from firms to conduct consistent and independent stress tests to determine whether institutions have the capacity to withstand a large, adverse economic scenario—and for some, a severe market shock—and continue to provide needed credit to support economic activity.  This exercise is known formally as Comprehensive Capital Analysis and Review, but is more familiar to many of you by its acronym, CCAR.  As we continue to evolve the program, we will be looking more carefully at how firms design and implement scenarios that are tailored to the specific threats to their own business models.  

Federal Reserve supervisors are employing similar techniques in reviewing systemically important firms’ funding plans and assessing their ability to operate in the face of liquidity stresses.

With respect to complexity, the crisis highlighted the challenges of both managing and resolving institutions whose corporate structures span geographies and organizational types and whose interconnections make managing and, in extremis, resolving the institutions difficult, if not impossible.  Through ongoing review of recovery and resolution plans, supervisors will be engaging with boards and management to promote simpler, easier to manage and resolve institutions.  Firms, and, for that matter, the products they design and offer, should be no more complex than they need to be.

These objectives of building resilience in capital and liquidity, and reducing complexity, are joined by a continuing push for progress in risk governance.  Supervisors are stepping up their engagement with both C-suite managers and boards of directors, looking for more robust and more consistent discussions of the links among business strategy, competitive choices, and the vulnerabilities that result.  While it is also critical to continue to improve the stature and influence of the risk management organization, led by the chief risk officer, responsibility for enhancements to risk governance should not be fully delegated to the CRO.  The board must articulate both the business strategy and the risk appetite that comes from it, and senior management—including the CRO—must implement processes and systems that ensure that the board’s wishes are followed in every aspect of business activity.

In my discussion of risk appetite, it may be useful to define a few terms.

Risk appetite is the level and type of risk a firm is able and willing to assume in its exposures and business activities, given its business objectives and obligations to stakeholders.  This term is often used interchangeably with “risk tolerance,” though I prefer “risk appetite,” which suggests an active decision to take on risk, over tolerance, which may imply risk avoidance with its more negative, limiting and constraining feel.  The risk appetite statement is the expression of risk appetite, in both qualitative and quantitative terms; the risk appetite framework implements the statement through the policies, procedures and systems of a firm.

Risk capacity is the full level and type of risk at which the firm can operate and remain within capital and funding constraints. 

Risk profile is the actual point-in-time aggregate risks.  Some of the risks will be well-measured, others less so.

In practice, firms should ensure that risk appetite does not exceed risk capacity, and that risk profile remains within risk appetite.

The case for well-formulated and broadly communicated risk appetite statements and for robust, supporting frameworks is strong, yet firms have an at best uneven experience in this area.  This may be surprising, given the emphasis on risk appetite both from the industry as well as from supervisors.  One of the earliest formal references to risk appetite came in the third report of the private sector Counterparty Risk Management Policy Group (CRMPG), published as the crisis was unfolding in mid-2008.  The CRMPG introduced the topic as follows: “Estimating risk appetite and finding an adequate risk-reward balance must be a dynamic process that is built on a blend of qualitative and quantitative factors.”  The group emphasized that stress testing is an important but limited tool for estimating risk in a risk appetite framework.

The Senior Supervisors Group—lead supervisors for global systemically important banks—followed with its own call for improvements in risk governance and a review, in 2010, of the emerging practices at select firms.  That review revealed a diversity of practices and a still large gap in the capacity of firms to articulate risk appetite and to aggregate exposures to determine whether their actual risk profiles were consistent with stated risk appetite. 

More recently, earlier this year, a large consulting firm published results from a survey of global banks that revealed that less than 40 percent of respondents felt they had largely incorporated risk appetite considerations into day-to-day business management decision making.  In the same survey, less than half believed they were close to achieving a strong risk culture.  These results are consistent with the observations of supervisors.

So what might a reasonably good risk appetite statement contain?  As I’ve noted, various experts have stressed that risk appetite statements should address both the type and level of desirable risk, and I would argue that firms may find it useful to specifically call out undesirable risks.  Critically, these statements should consider the ability of senior management and the board to fully understand the nature and dynamics of the risks, and of the firms’ IT infrastructure to provide timely and accurate information about those risks.  The risk appetite statement can be quite positive, highlighting the types of risks firms will actively manage to fulfill their strategic objectives.

In describing “types” of risks, directors should be careful to describe acceptable risk types at a level of granularity sufficient to communicate the board’s wishes.  If, for instance, directors are willing to take one type of credit risk but wish to avoid another, they should say so.  If there is a risk that is an inevitable by-product of an important business activity, but which the board believes is undesirable, the expectation of mitigating that risk should be apparent.  In short, the statement should explicitly link to the firm’s strategy, describing the types of risks the board wants to take, contrasted with the types of risks it wants to avoid.  Properly crafted, this part of the statement will inform decisionmaking throughout the organization, helping to determine whether it makes sense for the organization to pursue new opportunities ranging from an individual transaction to a potential acquisition.

Once the board, working with management, has articulated the type of risks that the organization may take, it must attempt to describe the appropriate level of such risks.  In general, boards will need to weigh the returns expected from an activity against the potential downside, typically measured as the loss under stress, driven by the risk factors associated with that activity.  But they should also consider that there is an upper capacity for risks associated with even the most attractive business.  In describing the level of risk that they will tolerate, boards should be mindful of the challenges in measurement.  As seasoned risk managers know all too well, quantifying the interaction of risks in a stress scenario combines art and science, and boards should be careful to articulate their key assumptions in describing the level of acceptable risk.

If risk appetite statements are to resonate with individuals throughout an organization, they must contain both qualitative and quantitative features, and promote holistic rather than siloed evaluation of risks.  A risk appetite statement that features a clear and positive statement about acceptable risks can guide actions throughout an organization.  It should be sufficiently well understood from top to bottom of an organization, so that directors, C-suite management, risk managers and line risk takers are “on the same page.”  A clear and compelling risk appetite statement can be described in an elevator ride.

The best risk appetite frameworks will be ineffective if not supported by the right risk culture.  By culture, I mean the shared attitudes and behaviors of risk takers and risk managers (and for that matter, really all employees) responsible for the analysis, decision-making, and reporting necessary to effectively adhere to risk appetite and support the organization’s strategic mission. 

Staff in a good culture will smoothly and effectively fill in the inevitable gaps in risk policies and procedures, promoting actions that are fully consistent with the spirit, and not just the letter, of the risk appetite statement.  Those in a weak culture may seek to exploit opportunities to take risks that are not expressly prohibited, or to work around the constraints that are designed to reinforce risk appetite.  Staff in a good culture will identify new and unexpected risks and will escalate problems quickly and clearly.  Those in a weak culture will stifle bearers of bad news.  I suspect that the risk managers among you will know, without a lot of new research, where on this continuum your risk culture falls.

To improve risk cultures – that is, to better align the actions of individuals with the wishes of the board – boards and managements must take stock of the incentives and penalties in place.  Does the performance management and compensation system reward good risk behavior, and punish bad or unethical risk behavior?  Are whistleblowers encouraged and protected?   How are disputes escalated internally?  How are audit or supervisory concerns handled?   Are new products or businesses openly vetted, directly considering risk appetite, and considering the views of all internal parties?  How are customer suitability issues handled? 

A weak risk culture may allow the risk appetite process to devolve into a “check-the-box” compliance exercise, where lower level control personnel test whether the policy is being followed.  A strong risk culture will judge the wisdom of opportunities by looking well beyond the nominal profits those opportunities may bring.  Firms should decide what is right or wrong without deferring to lawyers or regulators.

Clearly, a strong and supportive risk culture is critical for effective implementation of a risk appetite framework.  But strength of culture is difficult, perhaps impossible, to measure directly, ex ante.

Over at least the last 30 years, limits have been used as the primary means of control for risk taking at larger financial firms, whether for credit or trading or other risks.  So it is not surprising that in building out the comparatively new concept of risk appetite frameworks, firms have focused on incorporating within the frameworks ever more elaborate limit structures. 

Typically, the limit system is designed and implemented by the CRO’s organization, and reflects interpretation by the risk professionals of the risk appetite statement.  In theory, the combination of limits will, if respected, ensure that risk-taking, in the aggregate, will not exceed risk appetite.  In practice firms run the risk that measures and limits may proliferate to the point that directors and senior managers may find it very difficult to relate the specific limits, and that activity measured against those limits, to the desired risk management outcome.   Moreover, some risk types aren’t particularly well measured and therefore aren’t easily limited, quantitatively. 

As I noted earlier, effective risk appetite statements must address the appropriate level of risks, and limits on the right risk measures will serve to help implement the statements.  But limits are not a panacea and may become a crutch, creating the illusion but not the reality of a robust and effective risk appetite framework.

Practically, risk limits can’t possibly be fully comprehensive—there are risks that are difficult to measure, that are not easy to describe crisply in a limits framework, but which are nonetheless important.   One obvious example is reputational risk.  How do you set a limit on reputational risk?  While boards and managers are quick to say that damage to franchise from reputational risk is unacceptable—many risk appetite statements set a zero tolerance for reputational damage—it is impossible to operate without absorbing some reputational risk.  So firms should find other ways of describing and communicating limits on reputational risk, and here a supportive risk culture is critical.

One final concern about limits.  Limits mean different things at different organizations.  They may be expressed at the firm level, at the business unit level, and at the risk factor level.  They may be set at the higher absolute risk tolerance level, where they pose few practical constraints, or at a low level, well below actual risk tolerance and calibrated to expected activity.  They may be a speed bump—a breach prompts a discussion, and perhaps a change in the limit—or a stop sign, which cannot be run.  Whether and how limits can be tied to risk appetite depends importantly on how risk limits are used and viewed within the organization.

Given the diversity of risks faced by complex institutions, and the difficulty in measuring some important risk factors, a proliferation of limits raises the prospect that risk appetite frameworks will be overly focused on some types of readily measurable risks at the expense of others.  Conversations between risk managers and risk-takers can focus so much on the micro limits that the macro risks are missed.

Ideally, the risk appetite framework will be sufficiently well understood that risk takers and managers will understand whether a particular risk is acceptable, even where no explicit limit applies.

So I’ve described an important challenge for directors and managers of large financial firms.  Articulate, clearly and simply, the risk appetite that will guide the organization in effective implementation of its strategy.  Accept only those risks that you know well and can effectively measure and manage.  Assess and improve the risk culture to align behavior with objectives; provide consistent leadership with the right tone at the top.  And be wary of proliferation of measures and limits in the execution of the framework.  As risk managers, you can provide help and support to the board and other leaders.

Thank you for your attention.  Now, I think we have a few minutes so I’d be happy to take questions.
