Risk appetite frameworks: good progress but still room for improvement


Speech by Danièle Nouy, Chair of the Supervisory Board of the ECB, at a conference on banks' risk appetite frameworks, Ljubljana, 10 April 2018

Children sometimes eat too much. Their eyes can be bigger than their stomachs. The result can be quite unpleasant. For banks, it's much the same. They sometimes take on more risk than they can stomach. The results, however, can be worse than just a bellyache. Banks that take on too much risk can get into financial trouble and fail, and, in some cases, they might even damage other banks and the economy.

So banks must know how much risk they can stomach and set their appetite for risk accordingly. Naturally, this takes more than guesswork: it requires comprehensive and well-developed risk appetite frameworks. These frameworks are a core element of risk culture and risk management. Banks must take them seriously and build them with great care. Today I would like to share with you our expectations, discuss some best practices and highlight some areas for improvement.

How to make it work?

Let's start with two questions. First: what is a risk appetite framework? Well, the term captures the overall approach banks take when establishing their risk appetite. This includes policies, processes, limits, controls and systems put in place by banks to define, communicate and monitor how much risk they are willing to take on.

The second question is: how to judge the quality of risk appetite frameworks? As supervisors, we have four things in mind when doing so: they should be comprehensive, effectively governed, consistently used, and fully integrated into strategic decision-making.

To be comprehensive, a risk appetite framework must include all relevant risks for the bank, both financial and non-financial. I know that it's not easy to identify and quantify risks, particularly non-financial risks. But it's a challenge that banks must tackle if they want to monitor and mitigate the risks they take.

A good starting point is a regular risk identification exercise. But not all such exercises are equally helpful. Banks are often tempted to look mainly at the outside world, asking themselves how the outside world can affect them. This is an important question and the answer is an important piece of the puzzle. But it is only half the picture. After all, risks aren't only external; they can be internal too. Banks need to identify what specific risks are associated with their business models and their strategies. What are the vulnerabilities of their business strategies? What are the concrete risks associated with them? Banks need to carefully examine all their risks and translate them into metrics, which they can then feed into their risk appetite frameworks.

But there is more. The idea of a risk appetite framework is to help the bank define its appetite for risk. And this needs to be articulated and put down in writing. In their risk appetite statements, banks should spell out how much risk, and of what kind, they are willing to take on. These statements are crucial to ensure consistent risk management throughout the bank. They also allow the board to have a holistic view of the risks that need to be managed.

Of course, banks must adapt their risk appetite statements to their business models. With regard to Slovenia, we expect banks to focus on at least four things. First, they should concentrate on credit underwriting criteria. Second, banks should work on how they identify potential deterioration of credit risks; they must carefully monitor weak credits so they can take steps to keep the loans performing. Third, banks should ensure the proper management of collateral. Fourth, they should pinpoint concentration risks in their risk appetite statements.

It is vital to have a comprehensive risk appetite framework. But defining one's risk appetite is just the first step. The next step is to act accordingly. This is where our second criterion for judging risk appetite frameworks comes into play: governance. According to the international standards transposed into the Capital Requirements Regulation and Directive and operationalised by the revised Guidelines published by the European Banking Authority, this is the board's responsibility.

But before we continue, I would just like to clarify that I will use the generic term "board" in order to acknowledge the different governance structures in the euro area and will denote as "senior management" the people that carry out and manage the bank's activities, in a manner consistent with the business strategy, risk appetite and other policies approved by the boards.

Regarding the risk appetite framework, the board should be involved from the start. It plays a key role in setting and approving the risk appetite framework. But the board members should also oversee its regular review, and crucially, its proper implementation. We thus expect the board to significantly influence the way in which the framework is set up and challenge whether it is being implemented in line with the bank's strategy.

But of course the board cannot work in isolation. Banks' risk management and internal control functions can and should help to develop and monitor the risk appetite framework. The experts working in these areas can ensure that all the risk measures are accurate. They can check whether the risk limits imposed on specific business activities or on specific risks are appropriate. They can answer questions like "How can risks be reported?", "What actions should be taken if limits are close to being breached or have been breached?" It's important for banks to have clear answers to these questions right from the start. Internal audit also needs to regularly review how effective the risk appetite framework is.

So far, I have given you an idea of what we supervisors expect from banks with regard to the development and governance of risk appetite frameworks. But we do not stop here. It is also our job to ensure that banks put their risk appetite frameworks to good use.

So how do banks deploy their framework? To begin with, banks certainly need to know how much risk they can stomach; they need to define their risk capacity. Using that as a basis, they can then develop an aggregate definition of risk appetite, applied at group level. And here the key point is consistency. It is our third criterion for judging risk appetite frameworks; namely, this aggregate definition must be applied at all levels of the organisation. Risk limits in particular should be applied, in a consistent manner, at group level and at subsidiary or branch level.

So far, I have laid out how we expect banks to develop, govern and use risk appetite frameworks. But I am not quite done yet. Risk appetite frameworks do not function on a standalone basis. So, our fourth criterion for judging them is whether they are a part of strategic decision-making. And this requires a long-term perspective. The framework must be stable over time while still being flexible enough to allow banks to respond to changes in the external environment.

However, not every change should lead the bank to completely overhaul its long-term strategy. Because of the low interest rates, some banks might be tempted to embark on a search for yield, a move which risks being an opportunistic drift rather than a considered decision to amend the strategy. They may drift away from the course they have set for themselves in their risk appetite framework. They might forget the mistakes of the past and the dangers of excessive risk-taking.

To avoid such mistakes, banks need a sound risk culture. And risk appetite frameworks alone will not do the trick here. If they are to be meaningfully deployed, they must not be abstract processes for the banks' employees. We would thus like to see banks finding ways to explain to each and every staff member how he or she affects the risk profile of the bank and how this needs to be reflected in the risk appetite framework.

This is also achieved by aligning risk appetite frameworks with remuneration schemes. So, if the actions of an employee lead to a breach of risk limits, for instance, this might also impact his or her remuneration. This would give employees a greater incentive to take risk management seriously. When risk culture is sound, employees are accustomed to reflecting on how their actions affect the overall risk-taking and risk management of the bank.

Where do we stand?

So we now know what we expect banks to do. But what in fact do we actually see? Well, we see that risk appetite frameworks are, on the whole, something new for banks. In 2015, around 30% of banks' risk appetite frameworks were less than two years old. Another 12% were still being developed. All in all, risk appetite frameworks differ widely across banks.

At the same time, banks have made progress. Their risk appetite frameworks are now better structured and subject to clearer governance. For instance, most banks have clarified the role of the relevant stakeholders involved in the risk appetite framework. On top of that, in many banks, internal auditors have reviewed the effectiveness of risk appetite frameworks.

Another thing to mention is that many of these frameworks cover a broader set of risks than before. And this leads to a fundamental question: how to measure risk in the first place? But don't worry; I am not going to explore the ins and outs of risk theory. Let me just say this: most banks now use a broader set of metrics to measure risks. Most banks go beyond the regulatory minimum to define metrics which are more suited to their business models.

Now, once a bank has defined its risk appetite, it must align its risk profile. To facilitate this task, most banks now use what we call risk appetite dashboards. These dashboards compare actual risk exposures and risk limits to the risk appetite. This is helpful for discussions among senior management and within the board.

Despite this progress, banks need to improve in some respects. If they don't, their risk appetite frameworks will not be as effective as they could be. So let me highlight four things that banks need to work on.

First, risk appetite frameworks do indeed cover more risks than before, but still not enough. Non-financial risks are often insufficiently covered or even completely left out, for instance. And this leads to a long list topped by risks such as compliance and reputational risks, IT risks, legal risks and conduct risks. If the bank cannot put concrete numbers to these risks, it should at least use qualitative statements. In this context, we appreciate the fact that some banks are working on relevant quantitative and objective indicators.

Second, the governance of risk appetite frameworks must be further improved. Boards need to play a bigger role in the definition and review of risk appetite frameworks. The same is true for banks' risk function. Many banks must enhance the role this function plays, in particular when it comes to defining and approving limits.

And this brings me to the third item on my list: risk appetite limits. These limits need to be set and used in a comprehensive manner. Banks need to break these limits down to business lines and some banks don't do that. Banks also need to break the limits down to entities and countries. And where this is done, the local limits are sometimes not consistent with the limits at consolidated level. This is something banks need to work on.

They also need to work on how they calculate and actually apply limits. This is an issue for Slovenian banks, but also for banks in many other European countries. What we often see is that risk limits are in place but they do not sufficiently constrain risk-taking. The reason is that the limits are often set so high that there's virtually no possibility of breaching them. This calls into question the entire risk appetite framework.

And even if limits are breached, this all too often triggers a report but no meaningful action. For example, the bank simply increases or reallocates limits, thereby undermining the very idea of a risk appetite framework. It is the responsibility of the risk functions I mentioned before to ensure that breaches of limits are handled properly.

We expect banks to use risk appetite limits as a tool to monitor their risk profiles, keep risks in check and set the right incentives for the whole of the organisation. If the limits are set too high, they cannot achieve these objectives. In this context, some banks have defined early warning signals, enabling them to detect deteriorations in the bank's risk profile even before risk limits are actually breached. This is certainly good practice in my view.

Now, the fourth thing banks need to work on is how they embed risk appetite frameworks in their strategic processes. Over the past three years, we have closely studied these issues. And we have realised in particular that the effectiveness of risk appetite frameworks does not depend on a bank's business model, its size or the country it operates in. What it depends on is how determined a bank is to make it work, to use it and to make it a core element of its risk culture and its decision-making.

What does that mean? Well, it means that banks need to take a holistic approach to risk culture and risk management, including risk appetite. These things need to be perfectly attuned. And they need to be in harmony with the rest of the organisation, with the business model and with remuneration schemes, among other things. Does it help, for instance, to define a certain risk appetite when, at the same time, the remuneration scheme sets incentives which target a different level of risk? Risk modifiers and key performance indicators play an essential role here; we thus expect the banks to align them with their risk appetite frameworks.

Too many banks still wrongly see their risk appetite framework as a separate tool, unrelated to decision-making. This framework needs to be an integral part of the decision-making process. Also, most banks do not use risk appetite limits and statements as tools to facilitate discussion at various levels of the organisation. They need to change this approach. And more generally, they need to create better incentives for complying with risk appetite frameworks.

Here, the tone from the top plays a crucial role. It is those at the top who have to promote a sound risk culture by putting it into practice, by acting as role models.

The board and the senior management must define values and set expectations for the risk culture. The board in particular must challenge the senior management and so ensure that each and every strategic decision is based on a sound risk analysis. Moreover, having a sound infrastructure for risk data would make this easier to achieve.

Conclusion

Ladies and gentlemen,

Risk is at the heart of banking. Banks need to find ways to deal with it. It seems however that, prior to the crisis, some banks were too busy taking on risks to be able to properly manage them. As a consequence, they took on more risks than they could cope with.

Risk appetite frameworks play a key role here; we take them seriously and so should the banks. After all, the frameworks help banks to define the level of risk they are willing to take on. This in turn helps them to keep their risks under control and manage them properly.

My impression is that many banks have made good progress. However, there is still room for improvement. It's in the banks' own interest.

Thank you for your attention.