Risk Appetite Framework and Decision Making

This graph from Christopher Harris shows the possible shapes of the utility function, depending on the attitude towards risk of an individual:

Transposition of risk preferences from persons to institutions is conceptually simple. It must be a conscious process for corporates, widely expressed and communicated to ensure alignment throughout the organisation. Risk preference of an organisation will depend on its deciding level (Board of Directors, along with C-level executives) and will range from risk adverse to risk seeking. 

Because a rational business decision must be taken with risk preferences in mind, the organisation has to ensure that the overall strategy and risk preferences are aligned in their risk and reward perspectives.

There is a link between risk preference and preferred risk response. The more risk adverse the Board of an institution is, the higher the chances the organisation will resort to risk avoidance, risk mitigation or risk transfer. 

Risk avoidance is the most straightforward concept: “should we accept this risk?” is answered with “Yes” or “No”.
This decision does not have to be quantitatively justified. Indeed, as expressed by FSB, this part of the Risk Appetite Statement involves “(…) qualitative statements that articulate clearly the motivations for taking on or avoiding certain types of risk”. This makes it an obvious candidate for easy definition and clear communication within the company.

However, avoiding risk is not neutral from a business perspective; in fact, systematic risk avoidance will ultimately lead to a form of loss (e.g. market share, profitability or reputation). Avoidance of risks, despite apparent simplicity, should be the last resort option, when all mitigation options are ruled out. Cases where the decision would have an immediate negative impact on the company’s image (e.g. politically exposed individuals, recourse to short sales or investment in embargoed products or markets) are exceptions.
 
The more risk-adverse company can opt for risk mitigation or risk transfer. 
Either as a requirement for the institution to accept additional risky exposure, or a consequence of sudden changes in the macroeconomic environment or the portfolio / business risk profile. 
In a Risk Appetite Framework perspective, this becomes a balancing act: in search for additional revenues (or any other reward for the risk taken), the institution aware of its risk profile can estimate its risk capacity and tolerance, with all exposures outside of the tolerance range having to be neutralised, through risk mitigation or transfer. 

Application of risk mitigation measures usually requires an existing organised market and open interests. Mitigation (bringing the risk down to a residual level that is within tolerance) through e.g. guarantees or swaps, or transfer (passing ownership and reward of the risk on to another player) through e.g. securitisation or (re)insurance requires access to an active market. Additionally, regulatory bodies scrutinise quite intensely risk mitigation procedures, no matter what form they take. Therefore, defining the mitigation measures prior to building up the risky exposure is a best practice. 

Preparing the mitigation strategies also ensures that costs for mitigation - or the decrease in expected return in the case of a risk transfer, are lower than the gains from accepting the risk at origination. Otherwise, the unsuspecting institution could end up subsidising other market players to the detriment of its own survivability.

Conversely, risk-seeking institutions will accept that certain risks will be quantified, maintained at low materiality, but not actively managed (acceptance / contingency). 

Risk acceptance and contingency require extensive analysis of the risks at hand; risk acceptance needs backing by measurements and monitoring to ensure the risk-reward relationship of a new risk is sufficient, while risk capacity and tolerance allow the additional risk to be taken on a standalone basis. Contingency ensures that, for risks deemed non-material, potential costs of the realisation of the risk are properly estimated and provisioned.

Eventually, risk taking decision and its operational requirements remain driven by the strategy, perceived net gain, risk tolerance, profile, capacity and limits. An organization must consider its risk appetite at all time, as it decides which goals or tactics it pursues. 
 
This is where a risk appetite that is developed and formalised, communicated and monitored closely comes into play.
 

As an example of the complexities of establishing formal, unified views on risk appetite, the interested reader should turn to the Willis Towers Watson article “The surprising inconsistency of risk appetite and risk tolerance statements”  based on Willis Re’s research from 2016. 
Therein, the 10 main concepts expressed in risk appetite and risk tolerance statements of 48 US based insurance companies are provided. Not only are common concepts not so frequent, with the notion of “Surplus – Risk Limit”, the most widespread of the 10 representative concepts, reaching only 57% representation, but firms using similar concepts are sometimes implementing or defining these very differently.

In a public address in 2018, Danièle Nouy  made it quite clear that European banks still had room for improvement on their Risk Appetite Frameworks on four main topics:

• Although more risks were covered by the RAF, there was a general gap in dealing with non-financial risks (Compliance & Reputation, IT, …), be it using quantitative or qualitative indicators
• Generic governance: Board has to play a larger role on the definition and review of risk appetite
• Risk appetite limits down to the business line, entity and country levels with consistent levels when granularity changes are more the exception than the rule. Applications of limits and the reaction to limit breach still needs improvement.
• Risk Appetite Framework has to be embedded in the Risk Culture of the firm, part of the decision making and not just another tool

The parting words were quite clear:

“Risk is at the heart of banking. Banks need to find ways to deal with it. It seems however that, prior to the crisis, some banks were too busy taking on risks to be able to properly manage them. As a consequence, they took on more risks than they could cope with.
Risk appetite frameworks play a key role here; we take them seriously and so should the banks. After all, the frameworks help banks to define the level of risk they are willing to take on. This in turn helps them to keep their risks under control and manage them properly. My impression is that many banks have made good progress. However, there is still room for improvement. It’s in the banks’ own interest.”

Let us consider a bank looking to tap into a niche market or enter a given lending space to gain new revenues. 
We assume the decision is driven by a bottom-up feedback from business and operations that there is an opportunity to be seized, which is in line with the risk preferences of the firm and with its current strategy.

One way to reach the goal is to take an aggressive stance and relax its lending criteria relative to its peers’, thus on-boarding riskier prospects. Alternatively, charging lower interest rates than the competition on a comparable risk level, slashing its margin in the process, could be successful. 
We regard the choice as mutually exclusive, due to the high-risk level of pursuing both approaches concurrently.

The first approach will affect the cost of risk - and further down the road the regulatory capital requirements, when the second will be impacting the bank’s overall profitability. 

Risk tolerance and risk limits are set up, respectively in terms of new score limit for automatic acceptance of a file or minimal commercial rate to apply. In very limited cases, for specific customer profiles, exceptions can be allowed under strict conditions and monitoring.

A limit is set on the maximum envelope available for the campaign, with plan to securitise all standard loans if the portfolio goes above a certain threshold or if interest rates indices remain low or keep on decreasing; due to their nature, “exceptions” mentioned above will be kept on the bank’s balance sheet and not be securitised.

Note that the same business case could be drafted for an insurance company actively looking at gaining market shares or cash in on premiums from an untapped market space in non-life products. To ensure mitigation of the risk, the company could opt for re-insurance or syndication of the risk across players. By adding life / non-life product mix considerations, risks to manage would differ further - liquidity risk for non-life activities and interest rates for life insurance, therefore adding complexity.

The following graph, adapted from a Society of Actuaries research document, will help visualise the puzzle under another format, by showing the range of strategic plans (emerald green background) constrained by the limits (red lines) defining the risk tolerance surface (blue background), depending on the current risk profile (white oval) of a fictional insurance company: