Risk appetite frameworks: good progress but still room for improvement

Speech by Danièle Nouy, Chair of the Supervisory Board of the ECB, International Conference on Banks’ Risk Appetite Frameworks, Ljubljana, 10 April 2018

Children sometimes eat too much. Their eyes can be bigger than their stomachs. The result can be quite unpleasant. For banks, it’s much the same. They sometimes take on more risk than they can stomach. The results, however, can be worse than just a bellyache. Banks that take on too much risk can get into financial trouble and fail, and, in some cases, they might even damage other banks and the economy.

So banks must know how much risk they can stomach and set their appetite for risk accordingly. Naturally, this takes more than guesswork: it requires comprehensive and well-developed risk appetite frameworks. These frameworks are a core element of risk culture and risk management. Banks must take them seriously and build them with great care. Today I would like to share with you our expectations, discuss some best practices and highlight some areas for improvement.

How to make it work?

Let’s start with two questions. First: what is a risk appetite framework? Well, the term captures the overall approach banks take when establishing their risk appetite. This includes policies, processes, limits, controls and systems put in place by banks to define, communicate and monitor how much risk they are willing to take on.

The second question is: how to judge the quality of risk appetite frameworks? As supervisors, we have four things in mind when doing so: they should be comprehensive, effectively governed, consistently used, and fully integrated into strategic decision-making.

To be comprehensive, a risk appetite framework must include all relevant risks for the bank – both financial and non-financial. I know that it’s not easy to identify and quantify risks, particularly non-financial risks. But it’s a challenge that banks must tackle if they want to monitor and mitigate the risks they take. A good starting point is a regular risk identification exercise. But not all such exercises are equally helpful. Banks are often tempted to look mainly at the outside world, asking themselves how the outside world can affect them. This is an important question and the answer is an important piece of the puzzle. But it is only half the picture. After all, risks aren’t only external; they can be internal too. Banks need to identify what specific risks are associated with their business models and their strategies. What are the vulnerabilities of their business strategies? What are the concrete risks associated with them? Banks need to carefully examine all their risks and translate them into metrics, which they can then feed into their risk appetite frameworks.

But there is more. The idea of a risk appetite framework is to help the bank define its appetite for risk. And this needs to be articulated and put down in writing. In their risk appetite statements, banks should spell out how much risk, and of what kind, they are willing to take on. These statements are crucial to ensure consistent risk management throughout the bank. They also allow the board to have a holistic view of the risks that need to be managed.

Of course, banks must adapt their risk appetite statements to their business models. With regard to Slovenia, we expect banks to focus on at least four things. First, they should concentrate on credit underwriting criteria. Second, banks should work on how they identify potential deterioration of credit risks; they must carefully monitor weak credits so they can take steps to keep the loans performing. Third, banks should ensure the proper management of collateral. Fourth, they should pinpoint concentration risks in their risk appetite statements.

It is vital to have a comprehensive risk appetite framework. But defining one’s risk appetite is just the first step. The next step is to act accordingly.

This is where our second criterion for judging risk appetite frameworks comes into play: governance. According to the international standards transposed into the Capital Requirements Regulation and Directive and operationalised by the revised Guidelines published by the European Banking Authority, this is the board’s responsibility.

But before we continue, I would just like to clarify that I will use the generic term “board” in order to acknowledge the different governance structures in the euro area and will denote as “senior management” the people that carry out and manage the bank’s activities, in a manner consistent with the business strategy, risk appetite and other policies approved by the boards.

Regarding the risk appetite framework, the board should be involved from the start. It plays a key role in setting and approving the risk appetite framework. But the board members should also oversee its regular review, and crucially, its proper implementation. We thus expect the board to significantly influence the way in which the framework is set up and challenge whether it is being implemented in line with the bank’s strategy.

But of course the board cannot work in isolation. Banks’ risk management and internal control functions can and should help to develop and monitor the risk appetite framework. The experts working in these areas can ensure that all the risk measures are accurate. They can check whether the risk limits imposed on specific business activities or on specific risks are appropriate. They can answer questions like “How can risks be reported?”, “What actions should be taken if limits are close to being breached or have been breached?” It’s important for banks to have clear answers to these questions right from the start. Internal audit also needs to regularly review how effective the risk appetite framework is.

So far, I have given you an idea of what we supervisors expect from banks with regard to the development and governance of risk appetite frameworks. But we do not stop here. It is also our job to ensure that banks put their risk appetite frameworks to good use.

So how do banks deploy their framework? To begin with, banks certainly need to know how much risk they can stomach; they need to define their risk capacity. Using that as a basis, they can then develop an aggregate definition of risk appetite, applied at group level. And here the key point is consistency. It is our third criterion for judging risk appetite frameworks; namely, this aggregate definition must be applied at all levels of the organisation. Risk limits in particular should be applied, in a consistent manner, at group level and at subsidiary or branch level.

So far, I have laid out how we expect banks to develop, govern and use risk appetite frameworks. But I am not quite done yet. Risk appetite frameworks do not function on a standalone basis. So, our fourth criterion for judging them is whether they are a part of strategic decision-making.

And this requires a long-term perspective. The framework must be stable over time while still being flexible enough to allow banks to respond to changes in the external environment. However, not every change should lead the bank to completely overhaul its long-term strategy. Because of the low interest rates, some banks might be tempted to embark on a search for yield, a move which risks being an opportunistic drift rather than a considered decision to amend the strategy. They may drift away from the course they have set for themselves in their risk appetite framework. They might forget the mistakes of the past and the dangers of excessive risk-taking.

To avoid such mistakes, banks need a sound risk culture. And risk appetite frameworks alone will not do the trick here. If they are to be meaningfully deployed, they must not be abstract processes for the banks’ employees. We would thus like to see banks finding ways to explain to each and every staff member how he or she affects the risk profile of the bank and how this needs to be reflected in the risk appetite framework.

This is also achieved by aligning risk appetite frameworks with remuneration schemes. So, if the actions of an employee lead to a breach of risk limits, for instance, this might also impact his or her remuneration. This would give employees a greater incentive to take risk management seriously. When risk culture is sound, employees are accustomed to reflecting on how their actions affect the overall risk-taking and risk management of the bank.

Where do we stand?

So we now know what we expect banks to do. But what in fact do we actually see? Well, we see that risk appetite frameworks are, on the whole, something new for banks. In 2015, around 30% of banks’ risk appetite frameworks were less than two years old. Another 12% were still being developed. All in all, risk appetite frameworks differ widely across banks.

At the same time, banks have made progress. Their risk appetite frameworks are now better structured and subject to clearer governance. For instance, most banks have clarified the role of the relevant stakeholders involved in the risk appetite framework. On top of that, in many banks, internal auditors have reviewed the effectiveness of risk appetite frameworks.

Another thing to mention is that many of these frameworks cover a broader set of risks than before. And this leads to a fundamental question: how to measure risk in the first place? But don’t worry; I am not going to explore the ins and outs of risk theory. Let me just say this: most banks now use a broader set of metrics to measure risks. Most banks go beyond the regulatory minimum to define metrics which are more suited to their business models.

Now, once a bank has defined its risk appetite, it must align its risk profile. To facilitate this task, most banks now use what we call risk appetite dashboards. These dashboards compare actual risk exposures and risk limits to the risk appetite. This is helpful for discussions among senior management and within the board.

Despite this progress, banks need to improve in some respects. If they don’t, their risk appetite frameworks will not be as effective as they could be. So let me highlight four things that banks need to work on.

First, risk appetite frameworks do indeed cover more risks than before but still not enough. Non-financial risks are often insufficiently covered or even completely left out, for instance. And this leads to a long list topped by risks such as compliance and reputational risks, IT risks, legal risks and conduct risks. If the bank cannot put concrete numbers to these risks, it should at least use qualitative statements. In this context, we appreciate the fact that some banks are working on relevant quantitative and objective indicators.

Second, the governance of risk appetite frameworks must be further improved. Boards need to play a bigger role in the definition and review of risk appetite frameworks. The same is true for banks’ risk function. Many banks must enhance the role this function plays, in particular when it comes to defining and approving limits. And this brings me to the third item on my list: risk appetite limits.

These limits need to be set and used in a comprehensive manner. Banks need to break these limits down to business lines – and some banks don’t do that. Banks also need to break the limits down to entities and countries. And where this is done, the local limits are sometimes not consistent with the limits at consolidated level. This is something banks need to work on.

They also need to work on how they calculate and actually apply limits. This is an issue for Slovenian banks, but also for banks in many other European countries. What we often see is that risk limits are in place but they do not sufficiently constrain risk-taking. The reason is that the limits are often set so high that there’s virtually no possibility of breaching them. This calls into question the entire risk appetite framework.

And even if limits are breached, this all too often triggers a report but no meaningful action. For example, the bank simply increases or reallocates limits, thereby undermining the very idea of a risk appetite framework. It is the responsibility of the risk functions I mentioned before to ensure that breaches of limits are handled properly.

We expect banks to use risk appetite limits as a tool to monitor their risk profiles, keep risks in check and set the right incentives for the whole of the organisation. If the limits are set too high, they cannot achieve these objectives. In this context, some banks have defined early warning signals, enabling them to detect deteriorations in the bank’s risk profile even before risk limits are actually breached. This is certainly good practice in my view.

Now, the fourth thing banks need to work on is how they embed risk appetite frameworks in their strategic processes. Over the past three years, we have closely studied these issues. And we have realised in particular that the effectiveness of risk appetite frameworks does not depend on a bank’s business model, its size or the country it operates in. What it depends on is how determined a bank is to make it work, to use it and to make it a core element of its risk culture and its decision-making.

What does that mean? Well, it means that banks need to take a holistic approach to risk culture and risk management, including risk appetite. These things need to be perfectly attuned. And they need to be in harmony with the rest of the organisation – with the business model and with remuneration schemes, among other things. Does it help, for instance, to define a certain risk appetite when, at the same time, the remuneration scheme sets incentives which target a different level of risk? Risk modifiers and key performance indicators play an essential role here; we thus expect the banks to align them with their risk appetite frameworks.

Too many banks still wrongly see their risk appetite framework as a separate tool, unrelated to decision-making. This framework needs to be an integral part of the decision-making process. Also, most banks do not use risk appetite limits and statements as tools to facilitate discussion at various levels of the organisation. They need to change this approach. And more generally, they need to create better incentives for complying with risk appetite frameworks.

Here, the tone from the top plays a crucial role. It is those at the top who have to promote a sound risk culture – by putting it into practice, by acting as role models. The board and the senior management must define values and set expectations for the risk culture. The board in particular must challenge the senior management and so ensure that each and every strategic decision is based on a sound risk analysis. Moreover, having a sound infrastructure for risk data would make this easier to achieve.


Ladies and gentlemen,

Risk is at the heart of banking. Banks need to find ways to deal with it. It seems however that, prior to the crisis, some banks were too busy taking on risks to be able to properly manage them. As a consequence, they took on more risks than they could cope with.

Risk appetite frameworks play a key role here; we take them seriously and so should the banks. After all, the frameworks help banks to define the level of risk they are willing to take on. This in turn helps them to keep their risks under control and manage them properly. My impression is that many banks have made good progress. However, there is still room for improvement. It’s in the banks’ own interest.

Thank you for your attention.

Media contacts