For risk appetite, it pays to think more strategically
This is the fifth blog in a series of seven about the ways in which frequently used shortcuts can deliver poor outcomes for operational risk management teams within financial services firms.
It is surprising how many firms short-change themselves by taking a minimalist approach to risk appetite. The process of developing a risk appetite and then aligning the firm’s culture, processes and controls around it is one of the best ways of managing operational risk. This is because it welds together the strategic and the tactical, and it also enables information about risk and controls to flow through the business, ideally with risk management software. Shortcuts that can cause risk appetite programmes to deliver less value than they should include:
Disconnecting RCSAs from risk appetite – Sometimes organizations just have a single risk appetite to cover the entire organization. It becomes difficult to align this one overarching risk appetite with risk and control self-assessments (RCSAs) that are conducted at the individual business line, team, or department level. It is also then tricky to map RCSA outcomes back to the overarching risk appetite. For example, it could be challenging for senior management or the board to understand just why a particular risk appetite item turns up red, if all the RCSAs are somehow combined to match up to one overarching risk appetite statement. This lack of transparency can be frustrating and lead to a perception that the information being presented is not useful. Instead, organizations should have a firm-wide risk appetite, and then individual risk appetites for these subsidiary areas, against which RCSAs are conducted.
Failing to engage in dialogue about KRIs – It’s important for risk management to always challenge the target levels that businesses set for the key risk indicators (KRIs), and not just accept them at face value. Along the same lines, risk management should not set KRIs just based on historical data, without talking to the business. Too often senior management, the board, or the risk teams try to set these in isolation. It’s important to speak with the business when setting the KRIs as well as the risk appetite for that business – these two things should be closely aligned, and then aligned with the business. For example, the risk team and the business should have a good conversation about all KRI thresholds, and how they relate to their risk appetite. The appetite, and KRIs, need to be set at the level that is right for the business and monitored with risk management software.
Ignoring a red KRI – Another shortcut is to just ignore a red KRI, by saying that “it’s been like that for nine months.” If that is the case – if a KRI has been showing red for a long period with no discernible impact on the business – then the KRI and the risk appetite are set at the wrong levels and need to be recalibrated.
Taking a firehose approach to KRI and KCI data – A third KRI shortcut is not taking the time to properly think through what the key risks and controls are for a particular risk appetite item. Instead, it can be tempting to take a firehose approach, tracking a wide range of indicators and other metrics, and then dumping all that data into a report for senior management or the board. Not aligning a risk appetite item with specific KRIs and key control indicators (KCIs) results in any real signal being lost within a blizzard of often irrelevant information. This kind of approach can also obscure the value that good risk management can bring – senior management will be overwhelmed with data, and unable to see the forest for the trees.
Setting one loss appetite level for everyone – It’s important to have thorough conversations about the appetite the organization has for loss, both overall and within specific business lines. It can be tempting to set loss limits at a common metric, such as one month of gross revenues. However, for a relatively conservative business line, this could be far too high, while for a rapidly growing business line, this could be too restrictive. Culture is also an important element to consider when setting the loss appetite – for example, how strong is operational resilience within a business line?
Not setting a rolling loss appetite – It’s essential to set a rolling 12-month loss appetite. Often, loss appetites are thought of as just applying to a one-off event. However, a series of smaller losses can accumulate and eventually reach the size of a large, single loss. So, organizations should also set an appetite for their rolling 12-month losses and track these losses. This information should also be reported to key stakeholders on a regular basis.
Not setting an extreme event loss appetite – It can be difficult to talk about really big losses – no one wants to consider that something truly awful could happen to a firm. As a result, organizations often fail to consider putting in place a risk appetite for extreme events, which they model during scenario analysis and stress testing. Exceptional events will lead to exceptional losses, and so firms need to ask themselves, how big is too big? Beyond what loss threshold is the firm no longer capable of being resilient or surviving? This can be quite a challenging question for senior management to grapple with, but it’s important to have this conversation too.
Disregarding modelling – Today many firms are ignoring modelling of their operational risks completely, since regulatory focus has shifted away from this practice in many jurisdictions. This is a mistake – modelling can give organizations a much better idea of what their loss profile would look like under different circumstances, and over different time periods. It can show which risks may accumulate over time, or else take the firm by surprise. This can help senior management and the board – as well as the business – to understand how risk appetites and loss appetites should be set.
In summary, getting risk appetite – as well as loss appetite – right will help firms manage their risks better, and potentially give them more operational resilience too. Taking shortcuts can seriously undermine the entire operational risk programme. So, it pays to think more strategically about appetite, and the value that this concept can enable the op risk team to deliver to the organization overall.