Learnings From Risk Appetite’s Evolution and Ideas for the Path Forward

This article is part of a larger effort to advance the approach to risk appetite in the financial services industry. Working with RMA’s Enterprise Risk Management Council, several practitioners from RMA member banks have also developed a risk appetite workbook that informed this piece, and which will be available in June. RMA would like to acknowledge the contributions of that group to both projects.

Articulating risk appetite may be the most important activity for any financial institution to get right. Clearly defining the nature and level of risk it is able and willing to accept in pursuit of its strategy and business objectives is particularly critical for a bank, which is ultimately in the business of risk transformation. A bank’s risk appetite statement is a guide and boundary to risk-taking behavior and plays a crucial role in informing the bank’s broader approach to risk management. In many ways, it is a covenant between the board and management, a guide for employees, and the central point of connectivity for key firmwide processes.

The Risk Management Association, in partnership with Oliver Wyman, recently organized a working group to understand the banking sector’s recent evolution and future ambitions regarding risk appetite. This group included six of the eight U.S. G-SIBs and nearly all U.S. banks with assets above $250 billion as of 2023. This article summarizes learnings from the working group, including the results of an informal survey of the group that provided an up-to-date view on the evolution of risk appetite practices and actions banks can consider to advance their risk appetite framework going forward.

Introduction

Over the past decade, most banks have worked to articulate their risk appetite and to establish necessary monitoring through risk metrics, reporting, and associated processes. Now, as customers, the industry, and the economy continue to evolve, banks are transforming their risk appetite perspectives and practices. They increasingly view risk appetite less as a static risk management statement and more as a “living and breathing” risk management tool that adapts to a bank’s circumstances and is the connective tissue within the broader risk management apparatus. When it comes to risk appetite, institutions have realized the importance of not only what they write down but also how it is used to make important business decisions.

Recent events have brought this realization into sharp relief. In spring 2023, as noted by regulators in post-mortem analyses, imprudent and weak risk appetite practices contributed to a series of bank failures. They included unreported or unaddressed risk appetite breaches and risk appetite statements that were inadequately comprehensive. The banking industry took notice—not just of the failures, but of the complexity and interconnectedness of the risks that led to them, including interest rate risk, deposit concentrations and correlations, and social media’s impact. Even before the turmoil, other shocks to the system such as COVID-19, geopolitical conflicts, and extreme climate events highlighted the importance of an appropriately articulated, dynamic, and well-governed risk appetite.

With that in mind, boards, management teams, investors, and clients are asking tough questions and inspiring a revisit of risk appetite. Meanwhile, the heightened supervisory focus on risk management frameworks has included risk appetite frameworks. And proposed regulations—notably related to capital adequacy—are further prompting banks to rethink business mix, risk measurement, and limit frameworks, particularly at the large regional banks that face the biggest regulatory changes.

All in, this presents a daunting backdrop against which risk appetite frameworks are reassessed and enhanced across the industry—and a call for action.

How Risk Appetite Has Evolved

As risk appetite frameworks evolved over the past decade, there has been a relatively high degree of convergence across banks in terms of core structure and governance aligning with regulatory guidance.

For most banks, this core structure includes a risk appetite statement, which consists of quantitative measures that can be translated into risk appetite metrics with hard boundaries such as limits and qualitative statements that articulate motivations for taking on or avoiding certain risks.

At many banks, risk appetite governance establishes clear roles and responsibilities across the three lines of defense for monitoring and reporting, escalating and remediating breaches, and cascading board-level risk appetite to business lines, often through limits.

The risk appetite framework is typically supported by key enablers—for example, data, technology, and culture—within a broader risk management framework. While precise implementation details may vary based on a firm’s organizational nuances, these core structures, governance, and enablers are generally consistent across large banks.

Risk Appetite Metrics

At the core of a risk appetite statement are quantitative metrics that define boundaries for measurable risk-taking. As risk management practices have evolved, the average number of metrics has risen. Most banks surveyed maintain roughly 50 to 100 board-level metrics. While each bank takes a distinct approach to determining an appropriate suite of metrics, the survey results suggest that the typical numerical range of metrics does not correlate with bank size.

For many banks, it has been challenging to strike the right balance between the comprehensiveness and volume of metrics. Multiple survey respondents want to decrease or consolidate the number of metrics. They say it will allow for more efficient and digestible board and management reporting that promotes rich discussion. The surveyed banks generally agree that for a risk appetite statement to be an effective risk management tool, metrics need to be thoughtfully selected, with high information value and supported by strong rationale.

Another challenge is the fact that the management of financial and non-financial risks are in different stages of maturity across the industry. Most of the early work on risk appetite metrics focused on the more visible and directly measurable financial risk metrics (credit, liquidity, and market risks), which are generally managed by mature risk appetite practices across most banks. Much of the recent evolution in financial risk metrics has included adopting more forward-looking considerations (scenario-driven stress loss measures as opposed to historical loss measures), including metrics related to earnings risk.

In comparison, non-financial risks—such as operational, reputational, compliance, and strategic risks—started to get more attention in the last decade. Non-financial risk metrics are naturally harder to define than financial ones given their more idiosyncratic nature, and focus on less directly observable drivers. Ever-accelerating shifts in technology such as AI and cloud computing add complexity. So does the fact that certain emerging non-financial risks do not fit neatly into existing risk taxonomies.

These trends have prompted banks to focus on non-financial risk metric choices, both in terms of volume and appropriateness. Across all 19 banks surveyed, operational risk metrics (including technology, cyber, data, fraud, and third-party risks) are now the largest component of risk appetite statement metrics (see Figure 1). About 70% of banks said they had recently enhanced non-financial risk metrics and capabilities. Another 10% plan to enhance non-financial risk metrics going forward, suggesting that the search for high-information-value metrics that offer objective, repeatable ways to assess the risk profile is far from over.

Recently, interactions across risk types in the risk taxonomy have become more prominent, particularly relating to concentration risk. The banking turmoil in 2023 highlighted the importance of metrics that address this concept, given the intertwining of liquidity risk, interest rate risk, capital, and the concentration risk posed by deposit customers. Earlier, the pandemic demonstrated that material concentration risk can occur in non-financial risk contexts, notably related to third-party operational dependencies including payment and cloud services. About 60% of survey respondents have a framework for considering concentration risk metrics in their risk appetite statement, a figure that is likely to grow.

Risk Appetite Governance and Connectivity

As noted, banks have generally converged on consistent approaches to govern risk appetite. Most banks surveyed seek board and/or board risk committee approval of their enterprise-level risk appetite statement annually. They complement this formal cadence with quarterly risk appetite reviews and monitoring. In light of the dynamic risk landscape, some banks have considered even more frequent revisions to their risk appetite statement, whether that means replacing risk appetite metrics or adjusting risk appetite levels.

In a push to further embed risk appetite in business decisions throughout the year, some institutions are applying techniques to thoughtfully engage with management- and board-level committees beyond static quarterly reporting. For example, some banks contextualize risk appetite within a broader discussion of their top and emerging risks, concentrations, and management actions on various portfolios (for example, stress testing and limit changes) to actively connect risk appetite to other key risk processes.

The cadences of these discussions are often aligned with strategic planning exercises. This ensures that emerging risks and limit breaches are exposed to the appropriate audiences and have an opportunity to shape and inform strategy. Notably, boards have become increasingly engaged during the review and approval of the risk appetite statement, especially where banks have strengthened the linkage between strategy and risk appetite.

To support effective management against metrics across risk types and business areas, the majority of institutions cascade board-level risk appetite metrics from the top down through a combination of direct (explicit allocation of limits/thresholds) and more indirect (less formulaic) approaches. As this occurs within a bank, discussion and engagement between the first and second line is critical, as first line businesses are responsible for executing the strategy within the approved appetite on a day-to-day basis.

Most banks strive to make their risk appetite more dynamic and aligned to other priorities. Over 60% of survey respondents said they had enhanced their risk appetite structure and policy over the past three years. Another 15% have plans to make further enhancements. Work on risk appetite governance and structure has included defining formal materiality thresholds for which metrics should be included at the board level, as well as increased linkages to other key business processes, which are discussed in greater detail below.

What’s Ahead in Risk Appetite?

Since the 2023 banking turmoil put risk appetite programs back near the top of board and management agendas, key focus areas have included financial risk limit frameworks (particularly for interest-rate risk and liquidity risk), risk appetite and limit escalation processes, and cross-risk interactions and concentrations. Beyond these more reactive themes in light of the specific events, banks are continuing to evolve their risk appetite practices in three key ways: 

1. Refining how risk appetite is structured to reflect the rapid emergence of complex risks that do not fit neatly into traditional risk taxonomies.
2. Advancing the approaches for non-financial risk appetite given new sources of risk, such as the increasing use of complex technology in operations and the rapid growth of AI and digital assets.
3. Strengthening the connectivity of risk appetite to related firmwide business processes so it more directly informs business strategy, execution, and culture.

Risk Appetite Structure and Complex Risks

Banks are rethinking their risk appetite and risk management practices to cover a more complex array of risks. As mentioned, certain emerging risks may not fit neatly into existing risk taxonomies due to the web of causes and effects. For example, climate risk can manifest in many ways, including credit losses on lending exposures, operational disruptions due to natural disasters, or reputational risk related to company policies and actions. Similarly, geopolitical risks, as exemplified by recent events in Ukraine and the Middle East, can manifest as credit risk through existing loans to affected parties, heightened risk of cyberattacks, or reputational risk based on the degree and nature of institutions’ involvement in the region.

Evolving risk appetite practices and limit-setting across risk types is advised. To do so, banks may need to consider new structures for their risk appetite statements and new methodologies for calibrating risk appetite that consider the increasing interconnectedness and velocity of emerging risks. Some banks are shifting their risk taxonomies and associated processes to orient less around risk types and more around discrete risk drivers and impacts. Finally, banks will need to carefully consider the organizational implications of changing existing risk management practices, including the alignment and specialization of their first- and second-line risk professionals, for effective risk management execution.

Approaches for Non-Financial Risk Appetite

Banks anticipate continued technological advancement and automation, as well as an increased reliance on such technologies. They also anticipate increased supervisory scrutiny of non-financial risk and operational resilience, with third-party risk, cyber risk, and data risk high on their near-term agendas.

Looking ahead, emerging and growing non-financial risks, such as the adoption of AI across business operations and the concentration of critical third-party providers, as well as use of digital assets, may create vulnerabilities for the industry. Meanwhile, cyberattacks are becoming increasingly salient. Methods to capture the risk of these considerations will require more expansive thinking than has traditionally been applied, particularly with respect to risk appetite metrics. These risks will also be difficult for institutions to systematize and manage, and firms may need to consider updates to related risk management practices, including risk identification and assessment, to effectively evaluate new risks against established risk appetite and drive appropriate board engagement and oversight.

Connectivity to Firmwide Business Processes

While many banks have increased the connectivity among their firmwide processes in recent years, there is still an opportunity for enhancement and maturity. Survey respondents indicate growing linkages between board-level risk appetite and key “business as usual” processes, including periodic forecasting, compensation, risk culture, training, and new activity governance (see Figure 3). For example, an effective risk culture should include a well-communicated and transparent risk appetite that provides for accountability and clear articulation of how employees are expected to manage risks. This can directly relate to performance management and compensation decisions, which act as accountability tools to incentivize employees to operate in a prudent manner within the bounds of established risk appetite.

While creating effective linkages across business processes does inherently entail a level of subjectivity, there has been a push to formalize these linkages—including through policy and governance—for repeatable execution that promotes more aligned outcomes, supporting the bank’s overall risk objectives and culture.

These advancements reflect the increasing trend by banks to shift their risk appetite frameworks and mindset from static approval and reporting processes to operating as “living and breathing” components of a dynamic business, impacting all levels of the bank’s operation.

The Next Steps on the Path Forward

Risk appetite work is never “done.” It requires continuous focus as individual banks, the industry as a whole, and the broader economy evolve. Given increasingly complex risks, heightened supervisory attention, and intensified industry competition, the static risk appetite practices of the past cannot adequately position banks for the future. Insights from industry collaborations, such as the RMA working group and survey, offer one way for banks to challenge current thinking and shape future approaches.

As institutions continue to enhance their risk appetite practices in line with the approaches outlined in this article, they should not only think of risk appetite as a risk management best practice, but also as a guiding principle for how they run their business. Risk appetite should play a greater role in shaping decision-making at all levels of the organization, from driving enterprise strategy, to choosing which clients to take on, to determining how the organization will incentivize and reward its people.

By further refining risk appetite frameworks, enhancing practices to better prepare for a complex and interconnected set of emerging risks, and strengthening and propagating linkages between risk appetite and business processes, institutions will be better positioned to manage the intersection between risk and business operations—and to succeed amid future uncertainty.

Disclaimer: The views expressed by the authors of this article may not necessarily reflect the views of their respective employers.

Tim Xu is a Partner in Banking and Financial Services at Oliver Wyman. Tim can be reached at tim.xu@oliverwyman.com.

Avani Parekh is SVP, Risk Executive Advisor, at TD. Avani can be reached at Avani.Parekh@td.com.

Deepak Kollali is a Partner and Co-Head of Finance & Risk at Oliver Wyman. Deepak can be reached at deepak.kollali@oliverwyman.com.

Kim Persaud is a Managing Director in Enterprise Risk Management at Citi. Kim can be reached at Kim.Persaud@citi.com.