ESTABLISHING RISK BOUNDARIES
Michel Rochette, MBA, FSA
Caribbean Actuarial Association Annual Meeting
Trinidad & Tobago
December 4th 2008
Context from 2006 to 2008
Risk appetite and ERM
Definition and its evolution
Value of articulating risk appetite
Stakeholders’ influence on risk appetite statement
Components of risk appetite and responsibilities
Ex. of a risk appetite statement: ING
Summary of methods to determine risk appetite
Risk Appetite: 2006 UK FSA
Most firms have documented their approach for risk
management through risk policies/procedures/risk
However, « risk appetite » is not well understood
throughout many firms to a level of clarity that
provides a reference point for all material decision
A big step exists between defining and applying risk
UK FSA Insurance Sector Briefing, Risk Management
in Insurance, 2006
Risk Appetite: 2008 UK FSA
For insurers demonstrating a strong integration of risk
and capital management:
Clearly articulated and quantified risk appetite,
tolerances, and trigger points for each risk.
Processes are set to assess on a continuous basis the level
of risk appetite.
Coherent and well articulated processes to actively
manage risk exposures that exceed risk appetite: risk
UK FSA Insurance Sector Briefing, 2008
Risk Appetite and ERM
Objectives: markets, products and services,
distribution channels, stakeholders
Capital goals in relation to solvency issues.
ROA and ROE without considering risk taking.
RAROC if integrating risk taking into the strategic
Value creation goals if objective is to maximize
shareholder’s: Embedded Value.
Non Financial goals: customer satisfication, corporate
social responsibility objectives.
Enterprise risk Policy:
All existing key risks: financial/operational/business/strategic
Emerging risks: « known and unknown risks »
Champion of Risk: CRO who can initiate a discussion of
risk appetite at the Board/top management level,
supported by a centralized risk unit.
Risk technology: control of risk taking through risk limits,
risk reporting through a dashboard.
Businesses: risk management at the unit level.
Audit/Compliance: independent oversight of the risk
Risk Appetite: Evolution
Turnbull Report: Risk appetite reflected indirectly by
« those risks which are acceptable » UK 1999.
COSO I: Focused on internal controls only. 1992
COSO II ERM: Give management reasonable assurance
that strategic objectives will be met within risk appetite.
CAS ERM Definition: Process to manage risks to create
value. Risk appetite not explicit but indirect.
Solvency II: Risk tolerance limits and business strategy
must be defined.
UK FSA Prudential Regulations: Risk appetite defined.
ISO 31000: Risk appetite is defined indirectly in relation to
value creation and risk acceptability.
Risk Appetite: Definitions
COSO II ERM: Amount of risk that an entity is willing
to accept in pursuit of value.
Would add: « in line with the firm’s strategic objectives
taking into the capability of its ERM framework.
Similar to a mission statement but focused on risk:
Impact that risk can have on the capacity of the firm to
attain its strategic objectives.
Defines boundaries of what is « too much » or « too
little » and what is « acceptable » or « non accpetable »
in relation to the firm’s strategic objectives.
Value of Articulating Risk Appetite
Allow a FI to:
Clarify desired risks: retained and non retained .
Set the tone from the Top. Preferable to a bottom-up
approach which tends to overemphasize exisiting risks.
Estimate/Assess their impact, both financial and non
financial – ex. social responsibility –
Evaluation of risks, not a valuation of risks!
Establish clearly the risk preferences of the company:
Are we risk averse, risk takers in light of potential
Value of Articulating Risk Appetite
Set a consistent communication - transparency - from
management to :
Business units/product lines
Shareholders: can diversify away if they don’t like it!
Regulators: Part of Pillar II and III of SolvencyII/Basel II.
Other stakeholders: Employees may not want to be part of
your organization. Ex. Army! Customers as well.
Recent example: AIG only mentions the word risk
appetite without ever elaborating about it in their
official published documents.
Value of Articulating Risk Appetite
Top –down approch is preferable because:
Stakeholders’ requirements are discussed explicitely among board
Allows a more balanced view of risks instead of just focusing on one
group: credit agencies, financial analysts, employees, shareholders,
regulators, customers, society at large!
More forward looking:
Introduces forward thinking in terms of desired risk profile, not just
existing risk profile!
Can link risk appetite with strategic goals and required capital to
support growth and risks.
Board members/management are on the same page on risk
Management can then react/take action if the risk profile exceeds/is
below its desired/target risk appetite.
Stakeholders’ Influence: Board
Risk preferences of individual board members/management:
Risk averse vs risk takers.
Risk Averse Type Board:
Focuses on « value preservation ».
Reduces earnings volatility.
Low impact of extreme events!
« Keep us out of trouble » We don’t want surprises!
Concerns about legal fines, external scrutinity if they take too much
Wants to keep their desired ratings.
Usually found in mutuals.
Wants to preserve capital. Less concerned about capital efficiency.
Incurring losses is perceived to be negative. Don’t consider the gains
realized before losses occured.
Stakeholders’ Influence: Board
Risk Taker Type Board:
Focused on « Value Enhancement ».
Considers risk vs opportunity relationship.
Focuses on higher returns and risks.
Anticipates « newer » risks, capitalizes on them, optimizes
the risk/return relationship. Concept of efficient frontier!
Optimizes use of capital. Capital management and risk
management are done proactively.
Usually found in public companies.
When risks materialize, board shouldn’t panic if within target
risk appetite! Risk and losses are not viewed as negative!
Stakeholders’ Influence: Regulators
Risk preferences of the local/global regulators:
Asian: stricter, more rules based.
European: more principle based.
US: more rules based…Stricter on Admitted assets, …
Single regulator - OSFI/UK FSA – vs a diversified group
of regulators – US SEC, NAIC, OCC, OTS, FED, FDIC –
My prediction: US will tend towards a « single
regulator model » common view, not one organization!
Internationally: Moving towards « college »
Stakeholders’ Influence: Rating Ag.
Risk preferences of rating agencies:
Impact on agencies’ rating:
Financial Strength or Claims Paying ability.
If risk appetite is expressed solely as « desired AA rating »,
constraints immediately risk appetite to a certain overal
probability of default/ruin.
SP’s ERM evaluation method:
Risk Appetite is part of their Governance evaluation:
« Clearly articulated risk tolerance is a key factor. »
Stakeholders’ Influence: Others
Risk preferences of :
Risk of loosing key employees if taking too much risk!
Will customers buy our products if the firm may not longer be
there to service them in the future? Ex. GM/Ford…
In a pension plan, ratio of projected active/retired employees
would certainly affect your desired risk appetite.
If long-term/passive investors, may be willing to tolerate more
Political groups/media/advocacy groups.
« Risk Appetite »: Components
Maximum amount of risk that an enterprise is able to accept
in line with its mission/values/strategic goals.
Risk appetite per se:
Overall statement about the amount and type of risk that an
enterprise is willing to accept in line with its strategic goals.
Risk Target: Optimal level of risk desired.
Risk Tolerance: Max/Min amount of risk for each
class/subclass of risk.
Risk Limits/Budgets: Thresholds not to exceed/min to
Not all firms have all these components!
Components: Risk Capacity
Influenced by the quality of its risk management framework and processes:
Overall ERM effectiveness: Sources could be an external view as assessed by a rating
agency, external governance score.
Management of past losses, especially unexpected and risk transfer options.
Influenced by the amount and quality of its capital structure or Value of the business:
Amount: measured by RBC, rating agencies’ required capital, economic view.
Quality: Tier 1 versus Tiers 2 & 3 capital.
Liquidity of capital: sources and availability particularly in times of stress.
Access to central banks’ liquidity facilities: US recent history with AIG for ex.
Systemic view by governments/markets:
Too big too fail! Too big to rescue!
Think of how Iceland was affected by the combined effect of risk appetite of its
banks on the country itself.
Value: Value of the business model to generate economic value.
Components: Risk Appetite
Lower than Risk Capacity and if focused on downside risk:
Defined as acceptable/non acceptable volatility of capital -
quantitative component/metric – over a certain horizon for certain
risks deemed to be acceptable/non acceptable. – qualitative component
Quatitative metric: prob of ruin/ certain target rating/ minimum
regulatory capital ratio
Golden rule on acceptable/non acceptable risks:
Would our stakeholders be surprised if we annonced losses due to this
risk? Think of AIG with credit derivatives!
Focused on existing balance sheet risks/preservation of capital.
Capital centric statement.
Ex. « Level of risk that results in no more than a 0,1% chance of failure
over a one-year horizon, where failure is defined as loosing 100% of
capital, measure by US GAAP. »
Components: Risk Appetite
If focused on downside/upside risk:
Defined as an acceptable/non acceptable volatility of
value - quantitative component/metric – over a certain
horizon for certain risks deemed to be acceptable/non
acceptable. – qualitative component –
Value metric: could be economic value/embedded value
based on discounted earnings/cash flows at WACC.
Focused not only on existing balance sheet risks but also
takes into account emerging risks in line with strategy.
Value centric statement, but not necessarily optimizing
risk/return relationship as it expresses risk preferences.
Tends towards a portfolio view of risks.
Components: Risk Target
Specifies the optimal level of risk that an organization
desires taking into account its risk capacity, risk appetite
and desired returns.
Efficient frontier concept: for a given level of capital –
capital centric approach – or returns – value centric
approach - where do I want to be in terms of risk given my
strategic goals? Target risk profile vs actual risk profile?
Set risk objectives so that if risk is outside target –
monitoring of risk profile – then actions are taken to
reduce/enhance/increase risk taking.
Could be done overall and by type of major risk class.
Not all firms have risk targets.
Components: Risk Tolerance
Sinceestimating risk capacity/appetite/target is not a perfect
exercise, tolerance sets bands around which company is
tolerating fluctuations of its risk appetite/target.
Similar to the statistical concept of estimating a mean from a
sample: Real mean = sample mean +/- Variability/Noize
Set so that the aggregation of total risk is within the overall
organization’s risk appetite/target.
Certain risks like SOX/Fraud/Legal Compliance: Zero Tolerance
Financial risks: Tolerance expressed as a +/- yearly IRR duration
mismatch, % of ALM, Greeks, GAP, Unexpected losses, yearly
expected losses above a certain threshold, % economic capital
depleted, volatility of embedded value
Non financial risks: min customer satisfaction rates, employee
retention rates, % of clients’ funds retained …
Components: Risk Limits/Budgets
Max not to exceed/min to accept.
Practical/day-to-day constraints on business activities with some risk
Limits/risk budgets can be set up for:
Business units, product lines, country, types of risks, concentration, market
limit of securities held, existing, future – derivatives -.
Ex. ABCP recent problems in Canada. CDP Capital held 1/3 of market…too
much..didn’t have a market limit…
Devising an overall limit system should be done so that it akes into account all
acceptable/non acceptable risks, correlation, aggregation of risks, & risk
tolerances in order to tend towards the firm’s desired risk target/risk appetite.
Risk limits should also be explained/negotitated with business units and
embedded into compensation schemes.
Limits should be established in the same units: Capital/Value
As much an art as science here!
Risk Appetite: Responsibilities
Approves, discusses & challenges the Risk Appetite Statement.
Reviews it annually & authorizes exception.
Communicates it to stakeholders.
Reviews/discusses the risk capacity exercise.
Proposes the risk appetite to the Board along with its components:
Negotiates/explains the limits with the business units.
Reports risk appetite to the Board. Frequency: quaterly.
Performs the risk capacity/appetite/target/tolerance/limits exercise.
Monitors the overall risk appetite/limit system.
Updates analysis with changes in external environment, strategy…
Examples of Risk Appetite: ING
Risk appetite measured along 3 dimensions:
Earnings at Risk, Capital At Risk, Economic Capital
Earnings at Risk (EaR) is a measure of the potential reduction in IFRS earnings
from expectations, assuming no mitigating management actions, during a
moderate (i.e. ‘1 in 10’) stressscenario.
Capital at Risk (CaR) is the potential reduction of the current net asset value
(based on fair values) of the balance sheet over the next year relative to the
expected value during a moderate (i.e. ‘1 in 10’) stress scenario, and assuming
no mitigating management action.
Economic Capital (EC) is the amount of capital required to absorb unexpected
losses in times of severe stress given ING’s AA target rating, 99,95%, (i.e. ‘1 in
Integrates shareholder’s point of view: EaR & CaR
Integrates rating agencies/debtholders point of view: EC
Integrates their banking and insurance operations/all risks
Risk appetite appears 34 times in their 2007 Financial Statements compared to
1 time in AIG’s 2007 Statements!
Risk Appetite: Methods
Simple like KPI/KRIs combined in a scorecard indicator.
Easy to set up and monitor.
Concept of the Green/Amber/Red zones.
Heat Map Approach: Evaluate Likelihood and Impact. Risk
Appetite is the boundary line.
Efficient frontier Approach: Investment Perspective.
« Sophisticated Approach » : EC/Enterprise/Embedded
Recommend: Combination of methods if sophisticated
Risk Appetite: Success Factors
Integrate both internal and external stakeholders’ different risk
tolerances into the process from value protection to value
Integrate process within the overall strategy, culture and risk
Consider past historical decision making, reactions to events to
assess risk appetite/tolerance. If CRO is fired all the time, maybe
risk appetite is lower than said! ING CRO is leaving?
Integrate non financial and financial risks: portfolio view of
Create a few measures that are practical and that represent the
most critical aspects of the business.
Communicate it through the firm! From top-down to bottom-up