Community Banks: The importance of defining risk appetite and having an effective enterprise risk management program

Robert S. Finch, SVP - Director of Sales and Marketing, CB Resource, Inc.

How do we define a bank's risk appetite? Simply put, it is the level of risk that a bank is willing to accept to achieve its financial and strategic goals and objectives. Risk appetite sets a clear strategic direction and sets tolerances in pursuit of earnings, adequate capital, and shareholder value.

It is a critical first step when beginning the journey to developing an enterprise risk management program. It is also something that can change and needs to be re-validated annually. A properly defined risk appetite, with a heat map, risk appetite statements, and mapped key risk indicator tolerances, calibrates the ERM process and provides a foundation for your strategic priorities.

Each key risk category in your framework should be addressed. For example: credit, liquidity, interest rate, reputation, operational, strategic, and cyber. Considerations that should drive the acceptable level of risk in each category are growth, delivery channels, complexity, concentrations, asset quality, among others. But again, even if you are a proven leader in your banking specialty, it doesn't mean that you aren't taking on greater risk.

With the potential adverse impact of the pandemic and heightened regulator concerns, we feel now more than ever that defining, articulating, and documenting your bank’s risk appetite is a non-negotiable exercise for banks. CB Resource's Enterprise Risk Appetite module is part of our CB ERM solution. However, it can also be offered as a standalone service. It is completed in two parts: an online assessment taken by management (and the board if desired) and a virtual meeting that takes the results of the assessment, compiles and validates the findings, builds the heat map, writes the statements, and defines the key risk indicator tolerances. The result is a report that can be used by the board, management, and regulators.

Again, risk appetite is not only a stepping-off point for an effective risk management program, but it is also key to evaluating existing and potential lines of business within the strategic plan. Knowing and understanding the level of risk your bank is willing to take to create value is key to making quality risk-based decisions. For banks needing to implement a full enterprise risk management program, our CB ERM™ solution follows our own guidance that we call “The Five Non-Negotiables of an Effective ERM Program.” The first non-negotiable has already been covered: Risk Appetite.

The second is Risk Assessment. Any ERM system will have a library of assessments to cover the necessary categories laid out by the framework established in the Risk Appetite. We feel that an effective assessment system will leverage technology and will integrate qualitative and quantitative data. It will then aggregate this data at the key risk levels. Key considerations for the assessment are inherent risks, the adequacy of risk management and controls, the composite or residual risk, and lastly the direction of risk. We also feel that the assessment should integrate forward-looking data to adequately assess emerging risks.

The third is Top Risk Mitigation. We feel that an effective ERM system should identify the top critical risks to earnings and value. These top risks are then further studied to determine likelihood, potential severity, and the status of current controls. If residual risk exceeds an acceptable level, mitigating solutions are nominated. These mitigating solutions will then migrate to a risk mitigation action plan that is broken down into measurable milestones and subject to ongoing review by the risk management committee.

The fourth non-negotiable is Tracking & Reporting. This is a routine tracking and reporting system that provides useful trend analysis, forward-looking considerations, and a management- and board-friendly interface. The dashboards and board and management reports should have easy-to-digest but actionable intelligence for all stakeholders.

The last non-negotiable is Manageability. An effective ERM program should simply be a manageable system for which the effort required doesn’t outweigh the results achieved. Regardless of the size and sophistication of the risk management department, we warn against becoming a servant to the platform. We believe it should leverage automation and technology, but also subject matter expertise.

For us at CB Resource, we see that ERM and Risk Appetite go beyond regulatory compliance. While regulation is a driving factor for adopting an ERM program, we feel it should also synchronize risk management and performance priorities. The forward-looking intelligence not only provides early warning insights but also illuminates opportunities. As COSO states in its definition of ERM, “Enterprise Risk Management includes the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”

For a consultation and closer look at our process, feel free to contact us by visiting .