Non-financial Risk Management in the Financial Industry


Managing environment, social and governance (ESG) risk, compliance risk and non-financial risk (NFR) has become increasingly critical for businesses in the financial services industry. Furthermore, expectations by regulators are ever more demanding, while monetary sanctions are being scaled up. Accordingly, ESG, Compliance and NFR risk management requires sophistication in various aspects of a risk management system.
This handbook analyses a major success factor necessary for meeting the requirements of modern risk management: an institution-specific target operating model (TOM) – integrating strategy, governance & organisation, risk management, data architecture and cultural elements to ensure maximum effectiveness. Also, institutions need to master the digital transformation for their business model to be sufficiently sustainable for the years to come. This book will offer ways on how to achieve just that.
The book has been written by senior ESG, Compliance and NFR experts from key markets in Europe, the U.S. and Asia. It gives practitioners the necessary guidance to master the challenges in today's global risk environment. Each chapter covers key regulatory requirements, major implementation challenges as well as both practical solutions and examples.


To enable support for business decisions, a firm’s RAF should be underpinned by a strong governance framework, with clear roles for all stakeholders involved at every level of the institution (board, senior management, business lines, risk and control functions, legal entities etc.). [12] As was also highlighted by the Single Supervisory Mechanism, the responsibilities of all stakeholders should be clearly stated and described in the RAF documentation. [13]

As part of the overall corporate governance framework, risk appetite statements are expected to be used to promote robust discussions on risk and strategic issues not only on the board but also together with risk management and compliance functions.

The RAF should also be cascaded within the institution. This means that risk appetite statements should be established for business lines and entities in order to ensure that their strategy and risk limits, as relevant, align with the institution-wide risk appetite statement. The EBA has made clear that internal policies and the risk culture should convey the straightforward message that the management board expects activities not to go beyond the defined risk appetite thresholds. [14] The RAF is a group-driven exercise, usually performed annually.

Figure 9: Annual RAF cycle


3.5.1 RAF design and update

A RAF’s components must be periodically reviewed to guarantee that they are meaningful, thorough and up-to-date; the periodicity of review, however, varies depending on the framework’s level. In addition, the regulator also mandates periodic independent reviews of the RAF by the internal audit function. [15]

Level 1: The overall Risk Appetite Statements (RAS) are reviewed ad hoc in case of senior management input or fundamental changes in business risk appetite or in the risk management framework. In general, variations at RAS level are less frequent than the tuning of other metrics because financial institutions should ensure stability and consistency to avoid strategic drift.

Level 2: Risk appetite metrics and corresponding thresholds are subject to periodic reviews – in general, annually – to account for major deviations in risk assessment results, new emerging risks or new business activities.

Level 3: KRIs and corresponding thresholds are reviewed more frequently – typically, on an annual basis – to ensure that changes in the risk categories are monitored, the regulatory framework and/or monitoring capabilities are embedded in a timely manner. For Level 3 indicators, any time new risk assessment results are published, it is verified whether there are changes in the residual risk level of the categories being monitored that require adjustments in the KRIs (e.g. new risk category with significant residual risk, requiring the identification of new operational indicators). Based on this preliminary assessment, control functions are expected to review the selection of indicators, based on predefined criteria (e.g. expert judgment):

For confirmed risk categories, indicators and related thresholds are updated, revised or changed based on new priorities, capabilities or control processes.

For ‘new’ risk categories, ad hoc indicators are selected, and related thresholds are preliminarily defined, based on relevant regulation, organisational ambition and available information.

For risk categories moving to ‘non-monitored’ levels, corresponding indicators are removed from the RAF.

A risk committee with a representative from the board should usually approve any change to the RAF.

3.5.2 RAF monitoring and reporting

RAF indicators are continuously monitored. However, the periodicity with which underlying data are provided can vary. While for some indicators the underlying data allow for continuous monitoring (e.g. rejected payments), in other cases calculations are periodic (e.g. quarterly, annually), based on the availability of the updated data.

Communications can be issued to inform key stakeholders and risk owners of the RAF indicators outcome, especially in cases in which values are deviating from expected trends and/or are approaching caution or limit thresholds. If thresholds are exceeded, however, specific escalation paths are provided.

Table 7: Example of RAF monitoring and reporting

1 – Large European Bank

The compliance unit of a large European bank collects data related to CIB business. Information is provided:

annually, for related KRIs that are calculated only for the risk assessment;

quarterly, for related KRIs that are used and calculated on a continuous basis.

Data is provided by the CIB business units, which also perform quality checks to ensure appropriate data quality. The compliance unit then shares the results with the key stakeholders and, if needed, triggers the escalation process.

Figure 10: RAF monitoring and reporting process

3.5.3 RAF threshold breaches and escalation

In case a metric or an indicator breaches caution or limit thresholds, escalation processes are activated in order to manage related risks, and communications are sent to inform the impacted structures/divisions/entities, to notify them about the violation and to investigate its causes.

Different escalation processes are designed in order to reflect the specific urgency, timeliness and severity of the breach, thus differentiating between those activated by the breach of the caution threshold (usually involving risk committees) and those activated by the breach of the limit threshold (typically involving the management board or supervisory board, depending on the legal entity).

Escalation processes should be designed considering:

principles and criteria for escalation (e.g. confirmed materiality of risk, consistency with other alerts);

scope of escalation (e.g. at local, regional and group level);

involvement of appropriate risk type owners;

identification of potential risk strategies to adopt (e.g. no action/mitigation/avoidance/transfer).

Table 8: Example of RAF monitoring & reporting

1 – Large European Commercial Bank

A large commercial bank working across the EU has set up the Level 3 metrics tolerance thresholds, and the related escalation paths, as follows:

The breach of the target level activates an early warning signal, entailing:

notification and request for a deep dive to investigate the reasons for the threshold breach;

close monitoring of the indicator;

evaluation of potential mitigating actions, involving the business functions in case of need.

The breach of the caution level requires:

notification and request for a deep dive to investigate the reasons underlying the threshold breach;

increment of the monitoring frequency from the business-as-usual context, on at least quarterly basis;

definition of potential mitigating actions (review of existing or new ones), with involvement of central compliance along with all the relevant stakeholders;

reporting of the trigger breach to the local top management.

A limit level breach requires:

notification and request for a deep dive to investigate the reasons underlying the threshold breach;

monthly monitoring frequency, increased vs. the base case and in case of trigger breach;

mandatory definition of immediate mitigating actions to bring the specific indicator below the limit threshold, jointly defined by the compliance function, involving all key stakeholders;

reporting of the limit breach to the local top management.

When a specific indicator breaches the limit threshold:
