Much is written regarding risk appetite yet the subject does not appear to be well understood.  In this INSIGHT we do not focus on the existing rules or regulations which are generally inconsistent and lack clarity, rather we propose the method of calculating risk appetite that is most suitable.  This article is extracted from Risk Management in a Nutshell (Business Press, UK).

A suitable definition of risk appetite is “the level of divergence form goals and missions which is unacceptable to the governing grouping”.  This general definition clearly shows that risk appetite is both negative and positive and that it is a top down concept.     It enables the governing grouping to develop controls and reporting to enable them to have confidence that the business will achieve its goals and objectives with reasonable certainty. 

The purpose of risk appetite modelling is to provide that management grouping with the assurance that they require.   It is the currency that creates a consistency of risk management across the entire business covering those risks which are relatively easy to measure and those where this is difficult to achieve.

How to calculate risk appetite

Given that we are defining risk appetite as a centrally designed concept it needs to be calculated by using metrics which resonate with the governing committee.  These metrics will provide them with guidance as to the level of divergence (risk tolerance) which they may need to accept with reluctance.  In these terms impact upon liquidity, profitability, Economic value, growth prospects or brand need to be identified which work for the specific firm.

It is clear that no single model could work for all firms.  Risk appetite is central to the way that the firm is operating and the metrics need to be designed to meet those expectations.  Of course the risk appetite value so calculated will be a single value.  In reaching this we tend to identify a series of values which fit each of the proposed metrics and identify the areas where they overlap.  This area we refer to as the zone of tolerance within which the risk appetite value will sit.  However as mentioned it is an all risk value and consequently a lot more modelling needs to be conducted to make it work for a firm.

Modelling Risk Appetite

For risk appetite modelling to make any sense it needs to be aligned to the risks that the business runs.  In these terms it makes no difference which industry the fiurm is involved with since the principles are likely to be the same.  Since risk appetite is essentially an all risk figure the first stage in the work is to deal with the risk correlations which surely exist between the key risk types within the business.   If a typical risk analysis at the highest level is as follows:

• Strategic risk
• Reputational risk
• Credit risk
• Market risk
• Liquidity risk
• Operational risk

Then the risk appetite value needs to be applied to each of these areas.  Clearly the full risk appetite value could not be applied to any risk alone since were that risk to materialise then were any of the other risks to also occur the level of loss would exceed the group risk appetite which is clearly unacceptable.

Consequently the value of the  risk appetites at the primary level for the risks above is likely to add up to perhaps 180% of the risk appetite  value.  The level is found through analysing what actually occurs and the extent to which multiple risks do tend to occur in reality.

Of course the risk analysis which the firm employs will not need to follow that suggested above.  However after the correlation work has been conducted, the next stage will be to cascade the risk appetite down to the level at which risk is actually managed.  Too often it is the failure to properly embed risk management within the business that leads to the failure of the concept to make any real difference.  So long as you remember that the goal of risk appetite is to ensure that risk is managed consistently throughout the business in accordance with the expectations of the governing committee then you will not go far wrong.

Of course at each stage of the cascade process correlation within the specific risk type will still need to be considered or you do run the risk of over controlling your business.  I am not suggesting that any of this is easy and again back testing using actual data held within the firm for things that have gone wrong needs to be applied,

Reporting Risk Appetite

It would not make sense for all limits and controls to be designed and set at the level of the cascaded risk appetite normally referred to as the unitary risk appetite.  This is the risk appetite which applies in a single business unit and is managed within the business.  Instead the business tends to apply a tactical risk limit which is a subset of the actual risk appetite.  Consequently when the tactical risk limit is exceeded it will not automatically result in a breach of the risk appetite requiring a higher level of reporting and action.

The result of this is that much of the risk appetite reporting is directional in nature showing trends leading to action being taken to prevent unacceptable levels of loss.

The Mistakes Often Made

As to why risk appetite gets such a bad press and is so poorly understood and managed, this is actually down to a lack of clarity in the definitions provided by various bodies.  They are inconsistent and often fail with the use test.  They cannot be used in practice.  A simple value based approach can be easily implemented within the business.  They will be given values which they must ensure they do not lose.  They will also be concerned if they make unexpected profits since these may not repeat resulting negatively in the growth pattern of the firm.

Too many firms are confusing elements of risk and control self assessment with risk appetite modelling.  Risk and control self-assessment by its nature is bottom upon.  It seeks to ensure that management really understand the nature oof their control environment and encourages them to seek its improvement.  The loss value resulting from the risk and control self assessment clearly cannot exceed the risk appetite but that is the only element of connectivity.  They are different concepts with different goals.  Accordingly a model developed for a single risk to consider the risk appetite of say operational risk is fundamentally flawed.

When risk appetite was first introduced by the Bank for International Settlements in their draft operational risk sound practices paper they did so without any form of explanation.  Approaches were designed by different firms some of which were at best confused and have resulted in some of the confusion which we still see today.  As we have mentioned we see risk appetite as a value which can be understood by the firm and all of its employees.  They all design their systems such that the level of additional loss or profit would not exceed this value and this provides the governing grouping with the level of assurance that they require.  

While the concept is easy its implementation is always fraught.  However the gain is worth it in terms of consistent risk management throughout the entire business.  It leads to discussions as to the level of staff required to apply controls in an area or the error rates which are acceptable.  Moving away from the zero errors culture which appears to apply to some risks  (perhaps operational risk) as compared to other risks where significant losses appear to be acceptable (for example credit risk)  is part of the goal here.  Consistency will reduce controls in some areas and increase them in others adding value to the business and improving its efficiency.  

Dennis Cox
DWC@riskrewardlimited.com