If you have some experience with enterprise risk management (ERM) implementation and evaluation projects for community financial institutions, two things quickly become apparent: No two ERM processes are exactly the same, and very few institutions like to put their risk appetite down on paper. The common reason for the latter seems to be the fear of being restricted by formal documentation. Institutions seem to be fine with the idea that their risk appetite is inherent in the decisions they make, so why spend time on something that doesn’t really move the organization forward?
But we’ve all seen, too recently and too frequently, what the failure to properly manage risks can do to a financial institution. That’s why defining your risk appetite is the starting point for communicating risk management: it gives you a common baseline for communicating across the organization and sets the tone for risk management throughout the bank. Without it, you’re just assuming everyone is on the same page when it comes to risk management. Can you afford to take this chance?
As with many things that present a challenge, it often comes down to where to start. Consider starting with a risk continuum, with “Accepting of Risk” on the left and “Not Accepting of Risk” on the right. Take the various risk events you’re reporting to the board (ideally somewhere between five and 15 events), and plot them on the continuum by asking yourself, “How willing am I to accept the risk related to each event?” Are you more or less accepting of the risk of losing customers for not having the technological capabilities of larger institutions? Are you more or less accepting of concentrations in construction loans of a certain type in a certain area? New products? Loss of executive management? Regulatory violations? An untested disaster recovery plan?
As you plot all these critical risks, the ones furthest to the right on the continuum (the Not Accepting of Risk side) are essentially what defines your organization. If you take those risks and incorporate them into a general statement such as the following, you’ve essentially defined your risk appetite:
“The bank operates within a low overall risk range. Its lowest risk appetites relate to credit risk and concentrations in construction loans. The bank has a marginally higher risk appetite toward its strategic goals, including developing new products and implementing new customer-facing technologies. This means reducing to reasonably practical levels the risks originating from construction lending will take priority over our other strategic goals.”
That’s all you need to do to get a risk appetite started. Your risk appetite really should be general in nature to start and should be thought of as the overarching guidance for the whole organization. As you continue to reevaluate and redefine your appetite, you can become more precise if needed. From this risk appetite, you can develop more defined and specific risk appetites as you move down the organization—perhaps even better, you can develop risk tolerances.
There’s often confusion between the terms risk appetite and risk tolerance. Keep it very simple and think of risk tolerances as the metrics that often coincide with the strategic metrics, such as establishing a level of nonperforming loans to total loans that shouldn’t be exceeded. The appetite guides the tolerances, and the tolerances are consistent with the goals of the bank. The tolerances can then be used to establish triggers as you approach them, so that corrective actions can be taken proactively.
Don’t commingle risk tolerances with your risk appetite. Remember to keep your risk appetite overarching and allow the risk tolerances to be specific to the various established risk areas (for example, strategic, credit, interest rate, liquidity, reputation, operational, compliance and legal risks).
Also, don’t overcomplicate the process of defining your risk appetite. Leverage the ERM work you’ve already completed and keep the statement general in nature. By doing this, you’ll find that your risk appetite statement can provide the overarching guidance needed without being restrictive to your institution.