The Risk Appetite topic is a recent issue: indeed the necessity of implementing a full framework with specific procedures and measures of risks in the financial industry, especially in the banking sector, turns out in response to the financial crisis that began in 2007. There are two reports made by the Senior Supervisor Group (SSG) [SSG09] and the Financial Stability Board (FSB) [FSB10], respectively in 2009 and 2010, that strongly suggest financial institutions, especially the Systemically Important Financial Institutions (SIFIs), to implement a proper Risk Appetite Framework (RAF).
The regulators/supervisors provided just the main concepts, allowing a lot of freedom on the practical choices of the financial institutions. In fact, they only provide high level tips to develop an effective RAF that is specific to the firm and that reflects its business model and organisation, as well as to enable the firm to adapt to the regulatory environment in order to manage new types of risk.
Among the most common features that a proper RAF measure should have, we highlight the following ones (taken, among the others, mostly from [SSG10], [BankIt13] and [FSB13]):
- It should refer to each specific type of risk.
- Following the logic of the capital requirements, it should be a quantitative measure in the case of the main specific risks (as Credit, Market, Operational and Liquidity). In the case of other harder to quantify risks, a qualitative measure could be adopted.
- If it is quantitative, it may relate measures of risk (such as Value at Risk, Expected Shortfall or liquidity measures) to general business measures, such as earnings, capital, liquidity, growth or volatility.
- It should reflect the current situation of the firm, and also has to establish an explicit forward-looking firm’s desired risk profile considering a variety of scenarios and the strategic choices already taken by the Board/CEO.
- It should allow to identify (implicitly or explicitly) the emerging risks and any risk-taking activities that could affect the institution’s risk appetite.
- It should give different values in terms of Appetite (target result), Tolerance (extreme value that the firm may accept in order to achieve its results), Capacity (extreme value that the firm could sustain) and Profile (current value). The Profile needs to be monitored regularly (at least quarterly).
- The RAF measure should be provided at Group level, and shuld be characterized by different granularities, depending on the firm and on the type of risk. Granularity refers to legal entities, business lines, geographical areas and, if it is possible, product level.
- The RAF measure should be coherent with the results of other processes (strategic plan, budgets and capital adequacy results).
The regulators/supervisors provide only high level insights allowing ﬁnancial institutions to develop an eﬀective RAF that is speciﬁc to the ﬁrm reflecting its business model and its organisation. The RAF should adapt to the changing economic environment in order to manage new types of risk. The regulators do not give any further directives on how to develop this framework, especially in relation with the specific risks, but, according to our opinion, further considerations on proper RAF measures are requested, at least regarding the perimeter of the Operational Risk (OpRisk) because of its peculiarities, as we will show in the next paragraphs.
In the following we will highlight the main points that emerge from our analysis regarding the RAF for OpRisk Management.
1 OpRisk measures should consider not only the losses, but also the related revenues
The measure should consider not only the losses, but also the related revenues. Rather than a pure risk measure, it is reasonable to use a performance one that evaluates also the business effects (earnings from the risks). We believe the losses (or the revenues) as a standalone measure are less important than how the management is able to maintain their ratio at acceptable levels. Moreover in the OpRisk (at least the one we will consider for RAF purposes) there is a stricter relation between the losses and the revenues (or more in general the volume of the business) than in other cases.
2 At least two different RAF OpRisk measures should be developed
One measure should cover the Compliance and Organizational Risks (we consider them when they intersect the perimeter of the OpRisk, that is in the majority of their cases) and in general the Legal Risk. The second one should cover the Information and Communication Technology Risk (ICTRisk).
The OpRisk losses come from a wide range of risks, so they are grouped in different Event Types (ETs), not all reflecting risks under the total control of the management.
The models for Capital Adequacy purposes use all the ETs of OpRisk. On the other hand, as said before, we think RAF measures need to be provided analytically on the main business areas separately, so that every top manager should respond of their own performance. In order to evaluate the management action we need to choose risks that are under the control of the management. For these reasons we suggest to use only the categories ET4, ET6 and ET7 (“clients, products & business practices”, “business disruption and system failures” and “execution, delivery & process management” using the definitions given by Basel II [BCBS04]). We recommend to exclude the ET3 and the ET5 (“employment practices and workplace safety” and “damage to physical assets”), because they are due to behaviour and actions outside the responsibilities of the managers. Also the ET1 and ET2 (“internal fraud” and “external fraud”) could be excluded because what the management could do about them is limited.
Anyway, we highlight that the ETs we suggest to consider are the most important ones, not only for their impacts, but also in the practitioners’ forecasts on the emerging risks in the OpRisk.
ET4 and ET7 losses are usually the heaviest in the OpRisk datasets. Recent events (e.g. the Libor and Forex fines in 2014 and 2015) and studies (for example a report of Credit Suisse in 2014 on the global Legal Risk [CS14]) suggest that their role will increase in the next few years, considering that they are related to the Compliance and Organizational Risks, respectively, themes that are particularly debated nowadays.
ET6, linked to the thematic of the ICTRisk, is also an important theme in today’s Risk Management best practice. We suggest to separate its measure from that of ET4 and ET7 because its nature could be quite different from the other losses as it is difficult to quantify them exactly. As a matter of fact, its main effects (the indirect ones, as, for example, missed earnings due for example to a failure of a system) may be not (or only partially) registered in the dataset, so these events could appear as providing extremely low impacts, even if it is not true.
As a consequence, we suggest that two different models (and so measures) should be elaborated: the first one should be related to ET4 and ET7 and should be based on the historical impacts in the OpRisk dataset, the second one should be related to ICTRisk, and should not only based on the losses in these datasets.
RAF OpRisk measures should model and forecast the expected losses, not the unexpected ones.
For Capital Adequacy purposes the interest is in the unexpected loss, the right tail of loss distribution (extremely rare events). On the other hand for RAF purposes it is needed to forecast expected losses (central quantiles of the loss distribution). Being interested in the evaluation of what reasonably will happen, the framework of extreme value theory, which is developed within the most of the advanced Capital Adequacy models, is not useful.
As the interest is in the current and future view (and risks) of the financial institution, the focus of RAF OpRisk measures is on the most recent information. As a consequence, we suggest using shorter datasets than the ones used in the Capital Adequacy models, that need longer datasets because of their focus on unexpected losses.
3 RAF OpRisk measures need to consider the distinction between financial and economic impact of losses, focusing on the former.
The data collected in the OpRisk dataset are usually all the manifestations booked in the balance sheet of the financial institution. Every single manifestation is called an Economic Manifestation (EcMan) and it has a specific booking date corresponding to the day on which it was signed on the balance sheet. Furthermore, EcMans are grouped into Events, that collect together the EcMans that were caused by the same problem and the Event’s booking date is that of the first EcMan.
Contrary to the Capital Adequacy models, that usually consider the Events, focusing on the cause-effect relation, we suggest using EcMans because they highlight both the OpLosses’ effect and their timing (the latter not present in the Events because of their unique booking date). Note that the gap between the origin (or first loss) of the Events and their heaviest manifestations may be of several years. So, if the Events are considered, this could distort the comparison between the forecasted results and the ones reported by the financial institutions, that refer to all the financial cash flows. The problem can be more relevant in the RAF than in the Capital Adequacy context because, as explained in the previous point, in the RAF we should use shorter datasets, that are more affected by time discrepancies.
4 RAF OpRisk measures should consider the periodicity of OpRisk losses.
OpRisk losses are characterized by relevant periodicities (generally annual, biannual and quarterly ones), as a matter of fact there are clusters of losses at the end of the accounting periods (more or less relevant in frequency and size depending on the specific trimester). The seasonality is not usually considered by Capital Adequacy models because, considering a 1 year horizon, there is not an interest in the seasonality of OpRisk losses because they are submultiple of the forecast horizon. On the other hand for quarterly results, as in the RAF for the Profile, we suggest considering the phenomena in the modelization.
For these reasons, according to our opinion, a straightforward extension of the Capital Adequacy models, even if the most advanced ones in the OpRisk, i.e. the Advanced Measurement Approach (AMA) ones, should not be used. It would be better to develop specific measures (obviously, where it is possible, homogeneous with the Capital Adequacy ones) focusing on the specific RAF purposes. This will be the topic covered in the next article.
[BankIt13] Banca d’Italia, “Nuove disposizioni di vigilanza prudenziale per le banche”, Circolare n. 263, December 2006. 15th Review, July 2013, partial version.
[BCBS04] Basel Committee on Banking Supervision, “International convergence of capital measurement and capital standards” (Basel II), Bank of International Settlements, June 2004. A revised framework comprehensive version, June 2006.
[CS14] Credit Suisse AG, “Litigation – more risk, less return”, Ideas engine series – Equity research Europe multinational banks, June 2014.
[FSB10] Financial Stability Board, “Intensity and effectiveness of SIFI supervision”, November 2010.
[FSB13] Financial Stability Board, “Principles for an effective risk appetite framework”, November 2013.
[SSG09] Senior Supervisors Group, “Risk management lessons from the global banking crisis of 2008”, October 2009.
[SSG10] Senior Supervisors Group, “Observations on developments in risk appetite frameworks and it infrastructure”, December 2010.