@ the IERP® Global Conference, August 2024
The views and opinions expressed in this article are solely those of the featured speakers and do not necessarily reflect the official view or stance of the IERP®. The content is provided for informational purposes only.
In his three decades in the banking industry, presenter Jacob Abraham, now Group CRO of Alliance Bank Malaysia Berhad, said that he has seen risk appetite overused and misunderstood as if it is a be-all, end-all statement or magic wand that will somehow give clarity, and enable organisations to function better. “But this is not the case,” Abraham emphasised. “It is complex. It needs time to bring all the pieces together and make it tick. It is not one risk appetite statement that solves a problem; it is one risk appetite statement that encompasses many different things.”
Pointing out that the nature of banking, and its core business, was to take risks, he said that institutions nevertheless differed in how they took risks. “The nature of your gain is different; so the peculiarities of your business will have to be taken into account when you draw up your risk appetite,” he said. “There is no one-size-fits-all solution for risk appetites.” An organisation’s risk appetite is actually the connector between its strategic objectives and targets; it establishes the threshold in terms of what risks the organisation is willing to take, to achieve those goals.
He explained that all this is underpinned by a risk culture that permeates the organisation and sets values and behavioural expectations which will ultimately lead to accountability and performance management, with rewards as an incentive, or disincentives for the wrong behaviour. It is crucial for organisations to put all this together, consider their capacity, and then make the necessary tweaks. “Risk profile is looking at your inherent and residual risk, the profile of the risk you are willing to take,” he said. “Risk appetite is what you are willing to take, in addition.”
Abraham provided an engaging analogy to describe risk appetite, risk tolerance and risk capacity. “I am sitting at a bar, and I tell myself that the maximum number of drinks I can have is two. That is my risk appetite, that is what I am willing to take. When I finish my second drink, an old friend walks in and asks me to join him in another drink. I join him; that is my risk tolerance – the third drink. I did not intend to take the third drink; I was happy with two but I can still…deal with it. But three becomes four, and I am now at risk capacity. Risk capacity is that maximum threshold of pain.”
In the banking sector, breaching risk capacity means reaching the point of non-viability, where banks start to fail. “When banks fail, a lot of people suffer losses – depositors, taxpayers, stakeholders,” he said. “All of them will lose a tremendous amount…it is a heavy burden that these individuals have to carry.” While risk capacity is the maximum beyond which one cannot go, buffers or contingency plans can be put in place to take corrective action, in the event this capacity is breached. But speed needs to be considered as sometimes things happen too fast, and it may be too late to do anything.
Expanding on the evolution of risk appetite development, Abraham said that the first generation was primarily a check-box exercise. “The board would ask if you had a risk appetite,” he said, but would not ask questions about how effective it was, or whether it was fully connected. But by the second generation, a combination of qualitative and quantitative measures became evident, and risk appetite increasingly became the driver of risk culture. People started talking and thinking from a risk appetite perspective, and product design started taking into consideration elements of risk appetite.
“By the time you got to the third generation, people were considering forward-looking matrices, not just looking at the past but starting to take the future into account,” he said. Risk appetite statements even began to cover specific items, he said, and were no longer limited to ‘motherhood’ statements. What was significant was the communication and transparency with which the risk appetite was shared across the organisation. “With transparency and consistency, you will find that people start to trust the process,” he said. “The journey starts to get a lot easier.”
This is important because it is really about the interconnectivity that is taking place. Boards, regulators and rating agencies are all asking questions about your risk appetite; not just whether you have it, but how you use it. Transitions are happening, and one of the big issues is trying to find where the starting point is. “Risk appetite is only when you start to connect all the dots,” he said. “If you are unable to integrate your setting processes with existing processes like your material risk assessment, then the connectivity is lost. But the more you connect, the more complicated it gets.”
Incorporating all the various types of risk complicates things and makes it more difficult to start quantifying, but there is no such thing as one-size-fits-all, Abraham said. For him, it starts with the material risk assessment, supplemented with stress testing. “Stress testing has to be the cornerstone of how to start your risk appetite setting because it will tell you your risk capacity,” he said. He also introduced risk posturing, i.e., the risk-reward paradigm pursued by the organisation, and stressed the importance of reputational risk, particularly from technology and social media.
He suggested rethinking the risk appetite statement to ensure conclusiveness, appropriate checks and balances, and proper governance. “Do not forget that risk management can be offensive,” he said. “It’s not always about being defensive. Risk management can actually challenge the business as to where they should grow…If you want to set risk appetite…you should start with risk capacity.” He advised organisations to benchmark themselves against industry standards, as they do not operate in isolation.
Organisations should take input from all levels. “You cannot have (only) the board telling everyone else what is to be done,” he said. “The input from the bottom counts. It will always be a mixture of the two.” Discussing material risk, he said those on an organisation’s list should be relevant and significant, and be cascaded down to the lines of business. He used his own experience at Alliance Bank to illustrate how the various components came together, and how the various concepts were applied. “We didn’t get it right the first time,” he admitted.
Ultimately, however, they developed calibrated, customised risk appetite statements that could be applied throughout the group, with emphasis on risk indicators and risk limits. “Remember that limits are important,” he said. “Get your limits and thresholds set properly.” Key enablers are clear governance and accountability, he stressed. “Ensure everyone’s role is clear,” he said. “Segregation of duties is important, or you will have…different people talking at the same time. Risk culture, values, behavioural expectations – all need alignment with the right message from the top.”
If the board and senior management team are not aligned on this, neither will the people on the ground be. With common alignment, the standards of accountability will be consistent; behaviour can be incentivised or disincentivised. People also need to be convinced to align. “If you get your risk appetite right, if…it is inclusive and covers all the key aspects of the business, you will have an effective tool that connects what the board wants, and (what) your capacities are,” he said. “You will be able to move forward as an organisation on a collective basis, as opposed to a fractured organisation.”