2011 ssg risk_report


Published in: Business, Economy & Finance

  1. 1. Senior Supervisors Group: Observations on Developments in Risk Appetite Frameworks and IT Infrastructure, December 23, 2010
  2. 2. Transmittal letter

     SENIOR SUPERVISORS GROUP

     CANADA: Office of the Superintendent of Financial Institutions
     FRANCE: Prudential Control Authority
     GERMANY: Federal Financial Supervisory Authority
     ITALY: Bank of Italy
     JAPAN: Financial Services Agency
     THE NETHERLANDS: The Netherlands Bank
     SPAIN: Bank of Spain
     SWITZERLAND: Financial Market Supervisory Authority
     UNITED KINGDOM: Financial Services Authority
     UNITED STATES: Board of Governors of the Federal Reserve System; Federal Reserve Bank of New York; Office of the Comptroller of the Currency; Securities and Exchange Commission

     December 23, 2010

     Mr. Mario Draghi, Chairman
     Financial Stability Board
     Bank for International Settlements
     Centralbahnplatz 2
     CH-4002 Basel
     Switzerland

     Dear Mr. Draghi:

     I am pleased to send you this report of the Senior Supervisors Group (SSG), Observations on Developments in Risk Appetite Frameworks and IT Infrastructure.

     The report summarizes the efforts of two SSG working groups to assess the progress that financial institutions have made in developing risk appetite frameworks and building robust information technology infrastructures. These assessments follow up on two of the key weaknesses in risk management practice identified in our last report, Risk Management Lessons from the Global Banking Crisis of 2008.

     Our observations in this report indicate that while most firms have made progress in developing risk appetite frameworks and begun multiyear projects to improve IT infrastructure, financial institutions have considerably more work to do in order to strengthen these practices. In particular, we have observed that aggregation of risk data remains a challenge for institutions, despite its criticality to strategic planning, decision making, and risk management.

     The effectiveness of risk management practices will be tested as financial institutions adjust their business strategies to meet the continued challenges in the market and the evolving regulatory environment. As firms seek a forward-looking balance between risk and reward, we believe that vigorous leadership and a commitment to strengthening management’s ability to make judgments about risk will prove essential in the uncertain times ahead.

     Supervisors will continue to monitor and review these practices periodically to ensure their effectiveness going forward.

     Sincerely,
     William L. Rutledge
     Chairman
  3. 3. TABLE OF CONTENTS

     I. INTRODUCTION
     II. SUMMARY OF KEY OBSERVATIONS AND CONCLUSIONS
     III. IMPLEMENTING A RISK APPETITE FRAMEWORK
        A. Background and Approach
        B. The Risk Appetite Framework as a Strategic Decision-Making Tool
        C. Risk Appetite Governance: The Board, “C-Suite,” and Business Lines
        D. Promoting a Firmwide Risk Appetite Framework
        E. Monitoring the Firm’s Risk Profile within the Risk Appetite Framework
     IV. IMPLEMENTING A COMPREHENSIVE RISK DATA INFRASTRUCTURE
        A. Background and Approach
        B. The Importance of IT Governance in Strategic Planning and Decision Making
        C. Automating Risk Data Aggregation Capabilities
        D. Prioritizing the Integration of IT Systems and Platforms
        E. Maintaining Appropriate Systems Capacity
     V. CONCLUDING COMMENTS
     APPENDIX A: MEMBERS OF THE SENIOR SUPERVISORS GROUP
     APPENDIX B: MEMBERS OF THE RISK APPETITE WORKING GROUP
     APPENDIX C: MEMBERS OF THE IT INFRASTRUCTURE WORKING GROUP
  4. 4. I. INTRODUCTION

     On March 6, 2008, the Senior Supervisors Group¹ (SSG) released its first report, Observations on Risk Management Practices during the Recent Market Turbulence. The report assessed the risk management practices that helped make some firms better able than others to withstand market stresses in the autumn of 2007. On October 21, 2009, the SSG released a follow-up report, Risk Management Lessons from the Global Banking Crisis of 2008 (the “2009 SSG report”), which reviewed in depth the funding and liquidity issues central to the crisis and explored critical risk management practices warranting improvement across the financial services industry. In addition to pinpointing various risk management areas in need of strengthening, the 2009 SSG report raised the concern that recent changes to firms’ risk management practices might not be sustained as memories of the crisis faded and pressures to pursue revenue opportunities increased.

     A number of environmental factors have changed since the release of the 2009 report, including considerable progress toward raising global regulatory standards for capital adequacy and liquidity as well as a substantial easing of pressures in broad financial markets since the height of the crisis. Concurrently, however, market uncertainty has grown regarding the strength of sovereign finances and the resiliency of the banking sectors in some countries. These changes to the financial and regulatory environment underscore the importance of remediating the risk management weaknesses identified in the 2009 SSG report. In particular, firms must be able to make forward-looking and well-informed strategic decisions that can shape their ability to remain profitable while also managing risk prudently in the face of material economic, market, and regulatory events.

     For help in guiding those strategic decisions, financial institutions will need to make demonstrable improvements in two key areas identified in the 2009 SSG report: 1) articulating a clearly defined risk appetite for the firm, and 2) monitoring risk effectively through reliable access to accurate, comprehensive, and timely quantitative information. The Financial Stability Board echoed this sentiment in a November 2010 report, Intensity and Effectiveness of SIFI Supervision (the “SIE report”), which urged supervisors to ensure that systemically important financial institutions (SIFIs) develop and maintain state-of-the-art risk appetite and data aggregation capabilities. Specifically, the SIE report emphasized that more stringent criteria be applied to these areas, given the complex and broad array of financial services offered by SIFIs. In any case, all financial institutions will need to devote board and senior management attention, as well as significant financial and human resources, to developing these tools for use in adapting strategies to a changing business landscape.

     Since the issuance of its 2009 report, the SSG has continued to meet regularly to discuss emerging supervisory and risk issues and to work collectively on selected risk management weaknesses exposed during the crisis. This report delivers observations about the interdependence between formal risk appetite frameworks and highly developed information technology (IT) infrastructures and considers how elements of those frameworks and infrastructures can be implemented effectively. We view these practices as crucial in providing the risk information that boards of directors and senior management need to make well-informed judgments—not only about risk management but also about their firms’ forward-looking business strategies.

     ¹ The Senior Supervisors Group currently includes senior supervisory authorities of major financial services firms from Canada, France, Germany, Italy, Japan, the Netherlands, Spain, Switzerland, the United Kingdom, and the United States.
  5. 5. II. SUMMARY OF KEY OBSERVATIONS AND CONCLUSIONS

     Most firms have made progress in developing risk appetite frameworks and have begun multiyear projects to improve IT infrastructure. These steps are clearly in the right direction, but considerably more work is needed to remediate risk management practices that were revealed as particularly weak during the height of the crisis.

     In particular, many firms have made progress in conceptualizing, articulating, and implementing a risk appetite framework (RAF) and have undertaken significant IT projects to aggregate risk data more accurately, comprehensively, and quickly. The extent of needed improvements varies across firms, even in instances where firms have committed considerable financial and human resources to both efforts. While planned improvements are in progress, it is unclear whether firms will have advanced these practices sufficiently to be resilient in an increasingly competitive and changing regulatory environment. Consequently, developments in RAF and IT infrastructure will require continued review by firms and supervisors alike.

     An effective RAF and a robust risk data infrastructure greatly improve a firm’s strategic planning and tactical decision making. Firms that have taken their RAF and technology projects the most seriously acknowledge that these practices have improved their understanding of firmwide risk profiles and enhanced their decision-making capabilities, allowing them to be more forward-looking, flexible, and proactive. In addition, more nimble organizations establish in advance their risk appetite parameters and take steps to ensure that necessary quantitative risk information will be accurate and timely, improving the firm’s ability to adjust positions quickly during a market event and thus reducing the potential for financial loss. Nevertheless, many firms concede that their risk data infrastructure requires considerably more work to be as flexible as that of their more advanced competitors.

     Strong and active engagement by a firm’s board of directors and senior management plays a central role in ensuring that RAF and risk data aggregation projects have a meaningful impact on the organization. RAFs were found to be more effective when generated by highly engaged boards of directors working closely with the chief executive officer (CEO), the chief financial officer (CFO), and the chief risk officer (CRO), because these individuals have the strongest ability to influence business strategy and risk management decisions. Furthermore, the CEO’s commitment to an RAF was observed to be instrumental, as was the strength of the CRO’s relationship with the board of directors in explaining critical risk issues. Active engagement by directors and senior management was observed to be critical in securing the financial and human capital necessary to implement IT infrastructure projects. In particular, this level of management support was seen as critical for IT projects aiming to improve the aggregation of risk data.

     Supervisors also observed several additional elements of RAFs and comprehensive infrastructures for risk data that make their implementation more effective.

     Implementing a Risk Appetite Framework

     1. The implementation of an RAF necessitates strong internal relationships at the firm. Risk appetite frameworks are reinforced most effectively at firms where close cooperation exists between the board of directors and the senior management team, between the senior management team and business line leaders, and between the CRO and the board of directors, other senior managers, and business line leaders. The role of the CRO and its relationships with others is particularly notable, because the CRO leads risk discussions among the board, the senior management team, and the business line leaders. Strong communication among these individuals allows the management team to effectively translate the board’s expectations of risk appetite into the firm’s day-to-day operations.

     2. The board of directors should ensure that senior management establishes strong accountability structures to translate the RAF into clear incentives and constraints for business lines. While risk limits set boundaries, they do not by themselves offer enough accountability for operating within the RAF. The provision of positive incentives, such as career advancement and compensation, for individuals demonstrating strong risk management abilities helps promote a risk culture consistent with the RAF.
  6. 6. 3. A common risk appetite language across the firm, expressed through qualitative statements and appropriately selected risk metrics, facilitates the acceptance and effective monitoring of the RAF. A consistent approach provides management with a clear road map for execution and improves internal transparency. While firms with a common language can be more effective when discussing the RAF, dialogues at the board level, the CEO, CFO, and CRO level, and the business line level do differ. Accordingly, the metrics presented should be tailored to reflect these differences, in order to maximize the effectiveness of the discussion and the analysis of the firm’s risk appetite and risk profile.

     Implementing a Comprehensive Risk Data Infrastructure

     1. Firms with highly developed IT infrastructures exhibit strong governance processes, including strategic planning that thoroughly incorporates IT infrastructure issues, a commitment of appropriate resources, established and accountable project management offices, the appointment of data administrators, and clear data owners. The partnership between business lines and IT management is critical to initiating a project; IT project implementation often falls short when the governance process is not clearly defined.

     2. The implementation of highly developed risk data infrastructures requires more automation and fewer manual workarounds—two important conditions that can improve the accuracy and timeliness of risk data aggregation. While some manual interventions might be necessary, a move toward more automation and fewer manual processes increases senior decision makers’ ability to rely on risk information.

     3. As soon as is practically possible, disparate IT systems identified from a new business or through mergers and acquisitions activity should be integrated with firmwide systems and infrastructure. Business line leaders and senior IT managers should make it a priority to develop an integration plan consistent with the goal of providing accurate and comprehensive risk reporting to senior decision makers. If integration is not seen as a priority, critical risk data may sit in legacy systems and be treated separately from, and inconsistently with, the existing firmwide risk metrics reviewed by the senior leadership team.

     The following sections emphasize our observations that well-developed risk appetite frameworks and risk data infrastructures are key factors to ensuring effective strategic decision making. Furthermore, strong governance practices that tie long-term business and risk management priorities to RAFs and IT infrastructure projects are critical for their implementation. Each section outlines additional elements of implementation that we identified as important for firms to incorporate in their RAF and risk data aggregation efforts.

     III. IMPLEMENTING A RISK APPETITE FRAMEWORK

     A. Background and Approach

     Although institutions participating in the 2009 SSG report had assessed their risk appetite practices as being fully or partially aligned with industry and supervisory recommendations, supervisors remained concerned that firms did not provide evidence of the full scope and depth of improvements needed for an effective RAF.

     • Most boards of directors and senior management representatives did not actively articulate, measure, and adhere to a level of risk acceptable to the firm. Overall, the 2009 SSG report found little evidence that boards received definitive information on their firms’ actual risk positions relative to their risk appetites.

     • At the time, most firms acknowledged some need for improvement in their procedures for setting and monitoring risk appetite, and many acknowledged the need to revamp the way in which their boards were receiving financial and risk information.

     Subsequently, the Basel Committee on Banking Supervision, in its report Principles for Enhancing Corporate Governance, outlined expectations that it is the board’s responsibility to
  7. 7. “approve and oversee the implementation of the bank’s overall risk strategy, including its risk tolerance/appetite.”

     To better understand the progress firms have made in improving their risk appetite frameworks, the SSG formed a working group that met with board members, CEOs, CROs, CFOs, and business heads at fourteen global financial institutions to gain insight into how firms are defining, communicating, and monitoring risk appetite and how they are meeting the challenges involved in implementing an RAF. The participating firms represent a broad cross-section of the industry in terms of geographic reach, business focus, and experience with risk appetite.

     Participating firms have taken a wide variety of approaches in adopting RAFs, which range from the high-level, brief, and qualitative to the complex, lengthy, and quantitative. This variety reflects different views as to what an RAF should look like, as well as the different development stages of the frameworks across firms. While some RAFs are more advanced than others, no single firm was observed to have developed a fully comprehensive framework containing all the better-practice elements described in this report. Furthermore, most RAFs are not particularly mature in their development. While the majority of participating firms do have a risk appetite statement, more than half reported that the statement has been in effect for a year or less.

     B. The Risk Appetite Framework as a Strategic Decision-Making Tool

     While most firms are still establishing a formal RAF, those with a more developed RAF can typically point to examples where the framework has helped drive strategic decisions and right-size the risk profiles. The majority of firms interviewed indicated that their RAF is clearly linked to their strategic planning and budgetary process. Using the RAF to frame decisions, firms have established a common language for assessing the risk, budgetary, and strategic implications of a business opportunity or external event affecting the firm’s risk profile. A number of managers have taken concrete actions based on the comparison of their risk profiles with their risk appetites, such as rescaling the size of a certain business or adjusting compensation to reflect risk embedded in a particular business line. In some cases, a more developed and formal RAF has helped influence the exit from a business that was not well aligned with the firm’s desired risk profile. While this decision is more difficult to reach when a business is profitable, the RAF can guide key decision makers seeking to trade short-term revenue or profits for reduced potential for future risk. Conversely, an RAF can lead to a decision to expand a business when it fits within the risk-taking activities outlined in the framework. Some observations from interviews that are worth noting include the following:

     • One firm incorporated into its risk appetite statement the principle that the board and senior management must understand and be able to manage all risks. As a result, the firm decided to exit a specific business whose risk was not well understood, even though the business was profitable at the time. That particular line of business would eventually generate significant losses for other firms during the financial crisis.

     • Another firm reduced its warehousing of subprime assets by half, following its RAF principles to scale down noncore businesses. When the crisis hit, not only had the firm scaled back its subprime warehousing, but it was also more aware of the exposures that remained, the risks they posed, and the best methods of addressing those risks.

     • In another revealing comment, a firm reported that its RAF helped identify gaps in IT and human resources. After having formalized its RAF, this firm hired significantly more risk personnel and built out its data infrastructure.

     • A number of firms interviewed noted that the process of articulating risk appetite focused discussion on the firm’s key strengths and competitive advantages, better positioned their boards to challenge business proposals outside of the firm’s core competencies, and served as a better yardstick for discussing risk on a forward basis, rather than simply comparing the results of risk models and limits.

     • While many firms lauded the importance of an RAF in aiding decisions about acquisitions and divestitures, some firms—usually those with less developed frameworks—were unable to provide concrete examples of how the RAF influenced specific decisions.

     An RAF establishes an explicit, forward-looking view of a firm’s desired risk profile in a variety of scenarios and sets out a process for achieving that risk profile. An RAF establishes practices that link the expressed desires of directors and senior management to the actions of individuals throughout the organization, ensuring that the firm’s actual
  8. 8. risk profile stays within the parameters set within the framework. It codifies which types of risk the firm is willing to bear and under what conditions, as well as which risks the firm is unwilling to assume, and it translates these expectations into supporting processes and actions.² The RAF helps in measuring risk, monitoring the risk profile, transmitting risk appetite to internal and external stakeholders, and reassessing periodically the risk appetite level of the firm.

     The RAF typically begins with a risk appetite statement that establishes boundaries for the desired business focus and articulates the board’s desired approach to a variety of businesses, risk areas, and, in some cases, product types. Driven by the board of directors and supported and implemented by senior management, the risk appetite statement is essentially a risk philosophy—or, as one firm put it, a “mission statement for risk.” When issued by the board of directors, a risk appetite statement provides senior managers with both guidance and constraints as they pursue the firm’s strategy. Across firms, risk appetite statements speak to some of the following elements: desired business mix and composition of the balance sheet, risk preferences (for example, “we focus on retail credit risk, tolerate some wholesale credit risk, and hedge market risk”), the acceptable trade-off between risk and reward, tolerances for volatility, capital thresholds (including regulatory capital, economic capital, and leverage ratios), tolerances for post-stress loss, target credit ratings, and optimum liquidity ratios, among others. A useful risk appetite statement is relatively simple, easily communicated, and resonates with multiple stakeholders. Furthermore, and very importantly, it is referenced frequently.

     Since it is difficult to forecast with any certainty market conditions over time, the more developed RAFs are flexible and responsive to environmental changes; however, risk appetite must also be definitive and consistent enough to contain strategic drift. To ensure that any adjustments are tracked and understood, more advanced RAFs incorporate a process whereby management documents decisions made on the basis of the RAF as well as changes made to the framework. A firm’s RAF is useful at many levels of the organization in framing discussions and decisions about strategic direction, including deliberations concerning possible acquisitions, new business lines, or new products. Often, these strategic opportunities cannot be anticipated, and the decision to take them on may require adjustments to risk appetite or to the RAF. For this reason, it is important that the RAF be flexible and that the articulation of risk appetite be iterative, allowing a firm to respond to changing or unanticipated circumstances. However, the RAF clearly loses utility if its goals are constantly adapted to justify every emerging opportunity. Indeed, the framework should serve as a reminder to management, as well as to the board, of the original core risk strategy. This means that any movement away from that core strategy will be recognized as a deliberate decision to move outside of or to alter the firm’s risk appetite, which should limit any gradual unconscious drift. It is a challenge for firms to strike an appropriate balance: RAFs are meant to establish boundaries without becoming too rigid. The formalization and documentation of any changes will help ensure that this process is a conscious one.

     RAFs help firms prepare for the unexpected. Firms with a more developed RAF set an expectation for business line strategy reviews and conduct regular discussions about how to manage unexpected economic or market events in particular geographies or products. Those discussions consider how business strategies may affect the consolidated entity. Firms with more seasoned RAFs have also created a forward-looking process that establishes expectations about the firm’s consolidated risk profile in a variety of circumstances based on stress tests and scenario analyses. The use of stress tests and scenario analyses on a consolidated basis can test the RAF as well as help firms identify where their risk profiles are most vulnerable. In response, an RAF can help establish a road map for risk taking, loss mitigation, and the employment of contingency measures.

     Despite a consensus among firms on the usefulness of stress testing and scenario analyses in helping to measure risk level and prospective risk appetite, firms still face significant

     ² To establish common expectations in its discussions with management, the SSG working group provided participating firms with the following industry definitions of risk appetite, risk capacity, and risk profile:

     • Risk appetite is the level and type of risk a firm is able and willing to assume in its exposures and business activities, given its business objectives and obligations to stakeholders. Risk appetite is generally expressed through both quantitative and qualitative means and should consider extreme conditions, events, and outcomes. In addition, risk appetite should reflect potential impact on earnings, capital, and funding/liquidity.

     • Risk capacity is the full level and type of risk at which a firm can operate and remain within constraints implied by capital and funding needs, as well as other obligations to external stakeholders. Risk capacity is a maximum measure and is not necessarily intended to be reached, meaning that a firm might set a buffer between risk capacity and risk appetite and manage that on an ongoing basis.

     • Risk profile is a point-in-time assessment of actual aggregate risks associated with a firm’s exposures and business activities, through the use of several tools and measures. Generally, a firm should aim to have its risk profile remain within its stated risk appetite and should ensure that its risk profile does not exceed its risk capacity.
  9. 9. challenges in relying on a comprehensive risk data infrastructure to produce accurate results. A number of firms, however, are investing substantially in consolidated stress-testing capabilities. A few have already established enterprise-wide stress-testing functions, which can produce internal stress-testing metrics and reporting using a variety of macroeconomic indicators and market variables across differing levels of severity (for example, base, moderate, and severe). A flexible system can conduct these stress tests on an ad hoc basis, even during periods of financial stress.

     The following observations from interviews are noteworthy:

     • The use of stress-testing results in setting limits was not a common practice among many of the interviewed firms, although most acknowledged that integrating the two was a worthwhile goal.

     • At those firms where stress tests did influence the RAF and limit setting, senior managers emphasized that no single stress test would capture all elements of a firm’s risk profile. More developed RAFs included a periodic review of whether the risk elements used in stress scenarios continued to be relevant.

     • Further complicating matters were the significant challenges in aggregating data comprehensively to ensure that the risk metrics reported captured as many important risks as possible.

     C. Risk Appetite Governance: The Board, “C-Suite,” and Business Lines

     An RAF is an explicit effort to describe the boundaries within which management is expected to operate when pursuing the firm’s strategy. Firms that implement an RAF most effectively are those that communicate and champion the framework throughout the organization, starting from the top. Significantly, the strength of the relationships among the directors, the CEO, the CFO, and the CRO will play an instrumental role in the RAF’s effectiveness. Firms with more effective frameworks have increasingly focused on the distinctive mandates and responsibilities of each of these levels of governance. Specifically, firms with more developed RAFs assign roles in this basic but fundamentally important way:

     • The board of directors, with input from senior management, sets overarching expectations for the risk profile.

     • The CEO, CRO, and CFO translate those expectations into incentives and constraints for business lines, and the board holds the businesses accountable for performance related to the expectations.

     • Business lines, in turn, manage within the boundaries of these incentives and constraints, and their performance depends in part on the RAF’s performance.

     Board of Directors³

     At leading firms, engaged boards with solid expertise support the formulation, assessment, and monitoring of the firm’s RAF. An engaged board is accountable for the RAF and uses it to frame strategic decisions. While the board or its risk committee cannot be expected to monitor every facet of a firm’s risk profile, boards that invest a significant amount of time and effort in articulating a firm’s risk appetite statement will have a greater stake in ensuring that the process for adhering to that statement is properly implemented and guides decision making throughout the firm. Many directors describe their role as one of challenging management until they are comfortable that management both understands the risk profile and is running the business in a manner consistent with the RAF. In practice, the board’s critical review of management can be overly backward looking—that is, focused on past actions rather than strategic, forward-looking issues. Effective board members need to “get ahead of the issue” by articulating their expectations in advance so that management can establish strategic plans accordingly. This practice is not as widespread as it could be.

     To drive an effective RAF, stronger boards employ an active, iterative process of review. They shape the firm’s risk appetite statement and work regularly with management to align the framework with that statement. Better practice indicates that when a board or its risk committee challenges management and insists on a thorough vetting of the RAF, the institution ultimately develops a more complete,

     ³ While this report refers to a governance structure consisting of a board of directors and senior management, the SSG acknowledges that different jurisdictions—even among SSG member countries—apply different governance structures as a result of divergent legislative and regulatory frameworks. In some SSG countries, a two-tier governance structure is in place, in which a supervisory board has a supervisory but not an executive function while a management board carries out the executive function. Other SSG countries use a one-tier structure that combines the two functions. For purposes of this report, “board of directors” refers to the role of a board that provides a broad oversight function. Readers should interpret these observations consistently with the applicable law in each jurisdiction.
  10. 10. well-considered product. While nearly all boards report spending more time on risk issues than they did before the financial crisis, many do not actively participate in the articulation of their firm’s risk appetite statement and fewer still take part in defining the RAF. At those firms where the board is more engaged, once management has built or adapted the RAF according to the board’s established risk appetite, the board’s risk committee enters into an iterative process with senior management through which multiple versions of the RAF are presented until all are satisfied with the approach. Once the RAF is decided upon, there is ongoing challenge and discussion to ensure that the risk appetite continues to be relevant and reflects the thinking of the board. Having a clear process for discussing and determining when the RAF should be adapted to changed circumstances, as described above, is a leading practice we have observed. This regular communication helps management ensure that board members—and, critically, the chair of the risk committee—are fully conversant with the firm’s risk profile.

Engaged board members have a sophisticated understanding of financial and risk concepts. In the interviews, one explanation provided for some board members’ weaker involvement in setting the risk appetite and RAF of a firm is their lack of risk management expertise. Appropriate board composition is critical to effective performance of duties, and some firms have adjusted board composition since the crisis to ensure that members have a suitable level of expertise to set expectations and monitor risks. However, even though some firms see a role for board members who are not financial experts, reasoning that these members are sometimes the ones who “ask the obvious but important questions that the experts overlook,” firms continue to struggle with finding the right knowledge base. It is typical for a firm to rely on a handful of board committee members who understand the firm’s risk exposures, while the remaining members lack the background to fully engage in the discussion and inquiry. One board member voiced frustration at the fact that he still could not depend on many of his board colleagues to think through particularly difficult risk issues with him. Board composition must be balanced to ensure a broad and common understanding of the firm’s risks and to avoid “two-speed boards.”

To address shortcomings in board expertise, many firms provide extensive training to board members on subjects ranging from derivatives to processes for assessing internal capital adequacy. Some firms have also introduced requirements for cross-membership among risk, audit, and compensation committees to ensure that key functions are supported by a sophisticated knowledge base. However, not all firms have introduced formalized training programs, and while both training and cross-membership are certainly positive practices, they should complement existing expertise. One CEO, whose firm requires all board members to serve on the risk committee, made the point succinctly: “If someone is going to serve on the board, that person needs to understand the business of the bank, which is taking risk.”

Engaged boards indicate a need to receive the right level and type of information in order to set and monitor adherence to risk appetite. To achieve this objective, boards need to be clear about what kind of information they require and how frequently they need it. Many firms also faced challenges during the crisis because information was not fully consolidated, and therefore boards were not in a position to discuss the firm’s aggregate risk profile. This shortcoming can be attributed in many cases to poor reporting systems, a topic considered later in this report. Regardless of systems capabilities, it can be a challenge for both management and board members to determine what subjects should be discussed at the board level and at what level of detail. The more engaged board members generally agree that reporting should be comprehensive and complete, and not be oversimplified for the board. At the same time, some board members insist that management communicate with them in business terms and not just in technical terms, a practice that has proved useful at these firms. Only a few boards, however, have shown that they are trying to actively reshape the intelligence they get from management. Most continue to be too passive in accepting the types of information chosen by management.

Finally, the crisis has reemphasized the importance of reputation risk as a key focus at the board level. Virtually all firms attempt to incorporate assessments of reputation risk in their RAFs to protect their brand, but they often find it difficult to quantify this risk. Efforts to measure reputation risk qualitatively have proven useful, such as monitoring industry headlines and reporting trends to the board, engaging third parties to conduct surveys, and creating reputation risk committees to assess environmental changes and approve particular transactions based on geography or product line. Indeed, roughly one-third of the firms interviewed indicated that they now have a reputation risk committee, while many others reported that this type of risk is discussed as part of some form of new-product review committee. Several participating firms have explicitly identified businesses or geographies that they will avoid because of potential implications for reputation risk.
  11. 11. The “C-Suite”

Not surprisingly, the review team observed that strong support at the CEO level is crucial for the RAF’s successful implementation throughout the firm. This view includes empowering the right people—notably, the CRO—and ensuring that the board has access to these individuals. While it is accepted that the CRO and the risk management function will usually be responsible for developing the risk appetite framework, the process does not appear to be as effective in cases where the CEO does not strongly support the RAF. CEOs who refer to and use the RAF in support of difficult risk and strategic decisions send a strong message about the importance of the framework. The CRO’s stature and decision-making power were found in prior SSG work to be areas for improvement within the industry. The CRO has also proved important to achieving the firm’s risk appetite goals, as he or she usually manages the RAF’s implementation. At some interviewed firms, the CEO’s willingness to give the CRO the final word on many risk decisions has strengthened the stature of the risk management function.

The relationship between the board or board risk committee and the CRO is also very important. The CEOs at some of the firms with more developed RAFs encourage board members to contact the CRO directly. In some cases, this relationship is even formalized, and the board’s risk committee plays a direct role in the CRO’s review and compensation. At one firm with extensive board engagement in risk issues, the value-at-risk (VaR) limit was breached at the height of the financial crisis. When the business requested that the board increase the limit, the risk committee refused; instead, the committee chair began to engage in weekly conversations with the CRO to discuss the progress of measures for pushing VaR exposures back to within the limit. These discussions took place until the excess exposure had been managed down. Another firm even reconvened the board risk committee to discuss a key decision because the CRO was not able to attend the initial meeting at which the issue had surfaced.

A strong alliance between the CRO and CFO helps increase the framework’s transparency and dissemination. The alliance between these functions reflects the interplay and critical linkage between risk strategy and budgetary considerations, as well as the common approach the RAF engenders from multiple perspectives within the firm. A better practice that we observed was that of the CRO and CFO reporting to the board or board risk committee at every meeting on the firm’s risk profile relative to the risk appetite statement. The CRO’s discussion can be very strategic and broad-gauged, whereas the CFO’s perspective is more likely to provide specific insight into the framework’s impact on budgeting, liquidity, and funding. In cases where the firm does not comply with the framework, the CRO or CEO outlines to the board the corrective action that management is undertaking to address the deficiencies.

Business Lines

A critical element in the process of building an RAF is the link with the business strategy and budgeting process. In this regard, the RAF is a useful tool to ensure that each business line’s strategies align with the firm’s desired risk profile. In many cases, business lines propose a medium-term business plan that is assessed by senior management (and sometimes the board’s risk committee) to determine whether it fits with the firm’s RAF. Stress testing and scenario analyses serve as useful tools to assist in this determination. The RAF then dictates the cascading of limits to the business lines, depending on the desired risk profile for each business.

The RAF helps the board and senior management understand how much one business line’s medium-term business plan needs to adapt in order to allow another business line’s proposal to go forward. To the extent that a particular business line’s plan proposes opportunities that would require loosening the RAF constraints for that particular business, senior management and the board’s risk committee may decide to “borrow” from the risk appetite allotment of another business line to make room for the given opportunity or, alternatively, to build up the firm’s risk capacity (for example, through an increase in capital). In many cases, firms have noted that the existence of a clear RAF that is well communicated to the business lines sharply reduces the occurrence of proposals that are well outside those parameters. This may also prevent a firm from drifting unknowingly from its initial risk appetite as market conditions change. When a firm has a formalized risk appetite, revisions are well documented and they can be more easily monitored by all stakeholders.

Discussions of new business initiatives are seen as an opportunity to “say who we are and how we operate,” according to one participant, while another saw them as a way to embed the framework within the firm. The majority of firms indicated that their RAF is (or is being) integrated with their process for new product initiatives.
  12. 12. D. Promoting a Firmwide Risk Appetite Framework

By establishing a set of incentives and consequences, firms with more developed RAFs ensure that the entire firm is committed to a successful framework. In particular, directors and senior managers at these firms consider carefully how to incentivize adherence to the RAF and how to communicate the consequences of ignoring it. Some approaches included promotions based on adherence to the RAF, career advancement through postings to higher level control functions, compensation explicitly linked to the RAF (on the upside and the downside), and even dismissals for those who disregard the framework. At one firm, the CRO regularly reported to the board’s compensation committee on business line performance measured against the RAF. Nonetheless, the emphasis on promoting the RAF through incentives and consequences remains limited at most firms.

Among the senior leaders interviewed, there was no clear agreement about the scope and reach that the RAF should have within the organization. One firm indicated that more than 200 town hall meetings had been held with staff over the course of the year to help socialize the RAF. Other practices included involving new staff in risk and capital committee meetings to ensure a strong understanding of the risk culture and decision-making process. Many firms, however, communicated the RAF on a “need-to-know basis,” based on the belief that the RAF would be meaningless to employees at lower levels of the firm and that they would focus too much on limits and constraints.

E. Monitoring the Firm’s Risk Profile within the Risk Appetite Framework

The assessment of a firm’s consolidated risk profile against risk appetite should be ongoing and iterative. Some firms conduct quarterly reviews of the RAF and monitor the link between the firmwide risk profile and risk appetite. These firms test whether the consolidated risk profile continues to align with the business practices, limits, and stress performance expectations that constitute their RAFs. As a result, the firms are able to determine early and often whether their risk profile is straying from the desired path and can make informed decisions about whether the RAF is functioning as intended. Two observations from our interviews are particularly noteworthy:

• Firms with more developed RAFs have a clear, documented, and regular process for reviewing their risk profile against their risk appetite.

• One firm used the discipline of assessing the fair value of all its risk exposures as a way to compare risk profile with risk appetite, as the mark-to-market changes to profit-and-loss (P&L) statements provide a real-time window into the evolution of risk.

RAFs should not simply be a set of loss tolerances or limits; they should include a wide array of measures to monitor the firm’s risk profile. A common shortcoming shared by firms in the beginning stages of creating an RAF is to review only the high-level risk limits measured against point-in-time regulatory capital levels or simple liquidity buffers.

Firms with more developed RAFs combine multiple risk metrics that help in managing or mitigating downside risk in a thoughtful, deliberate way. The metrics used should range from the dynamic and forward looking to the static and point-in-time; they could include (but not be limited to):

• capital targets beyond solely regulatory measures (economic capital, tangible common equity, and total leverage) or capital-at-risk amounts;
• a variety of liquidity ratios, terms, and survival horizons;
• net interest income volatility or earnings-at-risk calculations;
• VaR limits;
• risk sensitivity limits;
• risk concentrations by internal and/or external credit ratings;
• expected loss ratios;
• the firm’s own credit spreads;
• asset growth ceilings by business line or exposure type;
• performance of internal audit ratings;
• economic value added; and
• post-stress-test targets for capital, liquidity, and earnings.
  13. 13. Firms agreed that the risk metrics to be monitored must directly meet the needs of the audience, be it the directors, the “C-suite,” or business line leaders. The metrics used to measure firmwide aggregate risk at the board level will, of necessity, be significantly different from those used to measure and limit risk at the business level. For example, we have observed that the risk metrics that matter most for directors were typically high-level metrics that reflect the firm’s key vulnerabilities. When directors received reports that contained too many detailed risk metrics, the ensuing discussion distracted the directors from their principal concerns. One director pointedly told us that it is critical for management to speak with the directors in language they can understand, and that risk management jargon can impede a more intuitive understanding of the firm’s risk profile. While risk metrics used at different levels of the organization should relate to one another, it is reasonable to keep them “high level” for directors, increasingly “more detailed” for the “C-suite,” and “appropriately pointed” for business line leaders. Firms that parsed out metrics in this way found their internal dialogues about risk appetite and actual risk profiles to be more robust and meaningful.

As highlighted above, the interdependence between an effective RAF and a robust IT infrastructure is critical to strategic decision making. Section IV outlines observations on current efforts to improve IT infrastructure—in particular, the aggregation of risk data—that are key to helping boards and senior management assess whether their actual risk profiles are in line with the stated risk appetite.

IV. IMPLEMENTING A COMPREHENSIVE RISK DATA INFRASTRUCTURE

A. Background and Approach

The 2009 report underscored the importance of the IT infrastructure in effective risk management. Inadequate IT systems hindered the ability of many firms to manage broad financial risks as market events unfolded rapidly and intensely. The report endorsed the need for firms to build “more robust infrastructure systems [that may] require a significant commitment of financial and human resources on the part of firms” because supervisors view these efforts as “critical to the long-term sustainability of improvements in risk management.” Since publication of the 2009 report, many firms have begun substantial projects to improve IT infrastructure—in particular, projects to address the aggregation of risk data.

A number of factors have led to the fragmented IT infrastructure that is currently slowing risk management remediation projects at firms:

• A lack of agreement between business lines and IT management on a long-term strategy, often driven by competition within the firm for financial resources, makes it difficult to implement key IT infrastructure projects.

• Decisions that favor short-term financial considerations have often led to budget reductions for IT infrastructure projects. In addition, turnover in key IT management areas has exacerbated delays in project execution.

• Weak data governance processes can contribute to inconsistent approaches to the upgrading of systems. Similarly, the lack of a firmwide framework for data management can lead to inconsistencies across business units and/or regions.

• Mergers and acquisitions have increased the number of legacy systems in place at newly consolidated organizations. Multiple system platforms often contain their own unique data taxonomies, making aggregation across products and business lines difficult.

The system fragmentation that can result from such environments often requires a significant number of manual processes to aggregate data firmwide. Some firms still require days or weeks to accurately and completely aggregate risk exposures; few firms can aggregate data within a single business day.

Observations in this report are drawn from the SSG’s collective supervisory work undertaken in 2010, which included formal examinations conducted by individual supervisory agencies, meetings with firms’ management, and detailed reviews of firms’ remediation plans. While we did not formally survey firms on their progress, a number of SSG members have been conducting supervisory work to benchmark firms’ progress in remediating the risk management gaps identified in the self-assessments described in the 2009 SSG report. The SSG members’ observations reveal that most firms still need to achieve significant progress on their existing multiyear technology projects before they can implement a comprehensive risk data infrastructure.
  14. 14. B. The Importance of IT Governance in Strategic Planning and Decision Making

For firms to make effective business and risk management decisions, it is critical that they be able to aggregate timely and accurate data for reporting on credit, market, liquidity, and operational risks. As the financial and regulatory environment becomes increasingly complex, this capability within the firm is of paramount importance to senior decision makers. They need the proper information to make judgments about the strategic direction of their firms, to help set risk appetite, and to manage risk according to rapidly changing economic or market circumstances.

Strategic planning processes should include an assessment of risk data requirements and system gaps. Firms with highly developed IT infrastructures are able to clearly articulate, document, and communicate internal risk reporting requirements, including specific metrics, data-accuracy expectations, element definitions, and timeframes. These requirements also incorporate supervisory expectations and regulatory reporting requirements, such as segmenting financial and risk data on a legal-entity basis. The technology planning process has to align both business and IT strategies to ensure that a productive partnership exists and that it values the investments made in financial and human resources to complete the project. We have observed that strategic business expansion at most firms occurs before they have fully incorporated IT requirements, often putting IT implementation plans far behind the business plans and creating volume and data capacity issues when the business or product grows.

Firms with leading, highly developed IT infrastructures bring together senior IT governance functions, business line units, and IT personnel to formulate strategy. These firms have defined standards and internal risk reporting requirements to ensure that business lines and IT units operate within an enterprise-approved framework. The requirements establish the basis for effective IT infrastructure and internal reporting. Firms operating in a less coordinated and more fragmented way do not have technological systems and platforms that meet their strategic needs. Several key elements underpin an effective IT partnership at a firm:

• Firms with leading IT infrastructures commit budgetary resources to developing IT infrastructures for internal risk reporting with the same level of priority that they give to the funding of projects that emphasize front-end revenue generation and speed to market.

• Revenue-generating infrastructures for new businesses and products often outstrip associated risk infrastructures that are critical to manage these operations. The lag between the development of front-office and risk infrastructures can stretch from a few months to a few years.

• Most notably for new products, technology infrastructure and capacity assessments are critical to the strategic planning process. While it is good practice for firms to require assessments of IT infrastructure and capacity prior to approving new products, it is also a leading practice for firms to conduct reviews six to eighteen months after implementation to ensure that the technology projects have met the needs of the risk professionals.

• Firms that rely on outsourced IT activities that affect infrastructure, data aggregation, and internal risk reporting should apply the same level of governance to these activities as if they were performed in-house. Furthermore, outsourced activities should not limit the effectiveness of implementation or access to data.

Firms successful in aligning IT strategies with the needs of business line managers and risk management functions have strong project management offices (PMOs) to ensure that timelines and deliverables are met. Many firms have numerous projects in progress to remediate gaps in IT infrastructure that can span multiple functions, business lines, and legal entities. Firms that have achieved more successful project implementation have established high-level PMOs for firmwide projects, such as post-merger IT integration, and concentrate on specific project management functions for key business line or product efforts.

One firm appointed a dedicated individual from the risk management function to oversee the PMO and monitor issues and corrective actions through to completion. This firm has shown that having a single person as the focal point for program oversight results in better coordination and communication among project staff and, by extension, better project implementation and execution. In contrast, some firms have chosen a committee-based approach to project management. We have found that this approach lacks the high levels of accountability and focus required for effective execution, leading to a fractured and slow—and therefore often more costly—implementation effort.
  15. 15. Firms with effective IT project implementation appoint a data administrator and a data owner with responsibility and accountability for data accuracy, integrity, and availability. The data administrator oversees all aspects of business databases, including initial design of the database architecture, project implementation, backup, and support. A centralized data administration function has proved particularly useful for firms. A data owner is an individual or group of individuals, usually within a business line, responsible for developing and implementing the data governance framework and internal risk reporting. The role of a data owner aligns the interests of the business—accurate and timely information—with the need for accountability in execution, resulting in the owner taking an active role in ensuring that projects meet the goals of end-users.

Firms with high-performing IT infrastructures ensure that the board committees institute internal audit programs, as appropriate, to provide for periodic reviews of data maintenance processes and functions. Leading firms’ internal audit departments assess the adequacy of risk management information systems (MIS). Their activities include planning and consideration of risk MIS requirements and assessments of risk MIS in terms of timeliness, accuracy, consistency, and completeness. Leading internal audit departments review specific efforts and projects to remediate infrastructure gaps noted from assessments that are compared against recommendations made in SSG and other supervisory communications. Some internal audit departments employ continuous monitoring in this area while others conduct specific examinations, often at the product or business line level. Prompt remediation of internal audit findings in this area helps reinforce the governance objective of a consistent, enterprise-wide approach to data governance.

C. Automating Risk Data Aggregation Capabilities

Supervisors observe that while many firms have devoted significant resources to infrastructure, very few can quickly aggregate risk data without a substantial amount of manual intervention. In particular, firms’ multiple infrastructure platforms have made it difficult to comprehensively aggregate critical risk data and effectively monitor and report on exposures in a timely way. One key attribute that allows risk data to be aggregated quickly is the ability to automate data flows and reduce the amount of manual intervention necessary to compile this critical information.

Firms with leading practices have very limited reliance on manual intervention and manual data manipulation. These firms have largely automated their risk data aggregation, which increases the timeliness of internal risk reporting and minimizes operational risks linked to human error. Many firms, however, still rely heavily on spreadsheet environments, which significantly delay report processing while raising concerns about accuracy.

Supervisors have observed that an inability to aggregate risk data in an accurate, timely, or comprehensive manner can undermine the overall value of internal risk reporting. For example, whereas most firms focus on establishing a management information reporting framework to meet operational requirements, internal risk reporting standards do not articulate the type of critical reporting that would be required in a crisis or the speed at which these reports would have to be produced. We believe that in order to meet the needs of the business line and risk management staffs, firms should establish standards, cutoff times, and schedules for internal risk reports.

Consolidated platforms and data warehouses that employ common taxonomies permit rapid and relatively seamless data transfer, greatly facilitating a firmwide view of risk. Centralized static databases with single identifiers and/or unified naming conventions for legal entities, counterparties, customers, and accounts enable a consistent approach to pulling multiple records of risk data across the firm in a timely manner. Consistent identifiers and naming conventions also permit segmentation in cases where it may be necessary to identify risk concentrations or to meet a supervisory or legal requirement. We have observed that most firms have not yet adopted these common conventions, but rather are addressing them in the context of larger IT infrastructure projects, whose implementation is planned over the next one to three years on average. Specifically, we have observed the following:

• A number of firms have implemented or have projects under way to build comprehensive data platforms with unified customer and asset data that can quickly aggregate and report information. We have observed that the more robust designs are single-platform ones that can include trading, pricing, the general ledger, and risk management reporting.

• One firm has built a system that can aggregate all necessary data within a few hours.

• Another firm has constructed a system that acts as a gateway to credit risk and market risk applications,
  16. 16. using web-based tools, reports, and data. Reporting covers all issuer and counterparty exposures, including derivative and loan-equivalent risk, as well as exposure by asset class for ongoing monitoring and reporting of risk.

• One firm is creating a global liquidity platform to aggregate the firm’s liquidity profile worldwide. Other firms are creating global general ledgers to consolidate their balance sheets and income statements.

• Several firms have or are constructing data warehouses to produce MIS or regulatory reports. A data warehouse will take feeds from different subsystems, including a general ledger, and store all the information in the “warehouse.” Data in a warehouse are typically cleaned and catalogued under common taxonomies before being made available to users. Custom reports are then developed that can pull specific information from the warehouse. Some firms have employed centralized teams in charge of controlling data collected in the warehouse. This control supplements controls at the local business level and includes a review for missing data and analysis of significant variances. Other firms conduct self-assessments to certify information in the warehouse.

Leading firms implement data aggregation processes covering all relevant transactional and accounting systems and data repositories to maintain comprehensive coverage of MIS reporting. Leading practice in this area includes automated reconciliation wherever possible to reduce the risk of manual error or truncation of information reported. It is also critically important to include all off-balance-sheet information in the reconciliation of financial statement data to risk MIS. Trailing firms do not effectively reconcile off-balance-sheet data to risk MIS.

Leading firms’ MIS practices also include periodic reconciliation between risk and financial data. The nature, scope, and frequency of such reconciliation practices are commensurate with the firm’s business and risk environment, but some reconciliation is essential with a view to ensuring accuracy and periodic validation of the firm’s MIS. For example:

• Well-developed systems for capital market activities include strong daily profit-and-loss attribution and reconciliation processes, wherein firms use sensitivity measures such as delta, vega, and gamma to compare risk management data such as VaR calculations with P&L data reported by the back office on a daily basis.

While we believe strongly that aggregation of risk data must occur on a firmwide basis, increasingly there is a need for firms to be able to compile internal risk data on a legal-entity basis, as systems have been largely designed along business lines. While risk data aggregation efforts should support the goal of providing firmwide data to senior decision makers, the financial crisis clearly demonstrated that firms must also manage the geographic and legal risks associated with a global, cross-border financial marketplace. The ability to segment risk data by legal entity can become important when a global counterparty defaults, as Lehman Brothers did in 2008. The few firms that can currently parse data by legal entity tend to have inherently simpler legal vehicle structures or have not undergone numerous mergers or acquisitions; such firms often have the ability to produce reports on an ad hoc basis as well as in a standardized way.

D. Prioritizing the Integration of IT Systems and Platforms

The lack of integrated systems and platforms is a key challenge to ensuring that firmwide aggregation of risk data is accurate and comprehensive. Specifically, we have observed the following practices at firms having a highly developed IT infrastructure that can aggregate risk data effectively:

• business practices that prioritize the integration of legacy systems from mergers or acquisitions as soon as is reasonably possible after the transaction is completed; and

• new product approval procedures that include technology operations personnel to ensure that systems can process and aggregate data from new products or initiatives.

Significantly, firms with a single firmwide data taxonomy, as described above, can facilitate the integration of disparate systems and platforms with the firm’s existing architecture. Thus, development of this taxonomy will directly improve firms’ ability to address the otherwise difficult task of integrating legacy systems.
E. Maintaining Appropriate Systems Capacity

Strong MIS is essential for effective business and risk management in steady-state environments and in periods of economic volatility or stress. Capacity constraints, particularly during periods of economic volatility or stress, significantly undermine the ability of management to produce and use MIS. For example, during the financial crisis, the capacity constraints of risk systems inhibited VaR calculation at certain firms; in some cases, firms found errors in VaR reporting for previous end-of-day risk reports. Leading firms are able to process VaR calculations within hours.

Most firms are currently able to establish appropriate planning, policies, and testing to handle volumes for both steady-state and stressed-volume scenarios. These firms opt to include the business lines, risk management, and IT staff in the tasks of capacity assessment, planning, and testing. Most firms employ forward-looking volume assessments, define capacity-related failure, and conduct stress tests to that level. However, in their capacity planning and testing, most firms still have to include scenarios involving sharp fluctuations in volume. They also have to plan for and test the ability to meet processing windows under stress scenarios, including the ability to make risk MIS available on short notice (such as during crisis situations) and at any given time. For most firms, additional work is required to understand the true impact that outages of critical systems will have on other key systems.

V. CONCLUDING COMMENTS

The observations in this report indicate that most firms have made progress in developing risk appetite frameworks and have begun multiyear projects to improve IT infrastructure. These steps are clearly in the right direction, but considerably more work is needed to strengthen those practices that were revealed to be especially weak at the height of the crisis. In particular, we have observed that aggregation of risk data remains a challenge for institutions, despite its criticality to strategic planning and decision making.

The effectiveness of risk management practices will be tested as financial institutions adjust their business strategies to meet the continued challenges in the financial marketplace and the evolving regulatory environment. As firms evaluate this forward-looking balance between risk and reward, vigorous leadership and a commitment to strengthening management’s ability to make judgments about risk will likely prove essential in the uncertain times ahead.

Along those lines, it is important to note that even the leading or more effective practices identified in this report could still benefit from further enhancement. Supervisors will continue to review these practices periodically to ensure effectiveness going forward.

We welcome further engagement with industry representatives and other public authorities on our observations.
Appendix A
Members of the Senior Supervisors Group

CANADA
Office of the Superintendent of Financial Institutions: Karen Badgerow, Ted Price

FRANCE
Prudential Control Authority: François-Louis Michaud, Patrick Montagner

GERMANY
Federal Financial Supervisory Authority: Claudia Grund, Ludger Hanenberg, Frauke Menke

ITALY
Bank of Italy: Stefano DePolis, Andrea Enria

JAPAN
Financial Services Agency: Hideo Hashimoto, Ryozo Himino, Mamoru Yanase

THE NETHERLANDS
The Netherlands Bank: Petri Hofste, Armand Schouten

SPAIN
Bank of Spain: Manuel Caro, Alberto Alonso de Linaje

SWITZERLAND
Financial Market Supervisory Authority: Urs Bischof, Tim Frech, Roland Goetschmann

UNITED KINGDOM
Financial Services Authority: Alastair Hughes, Arran Salmon

UNITED STATES
Board of Governors of the Federal Reserve System: Timothy Clark, Patrick Parkinson
Federal Reserve Bank of New York: Michael Alix, Arthur Angulo, Brian Peters, William Rutledge (Chair)
Office of the Comptroller of the Currency: Kenneth Peyer, Kurt Wilhelm
Securities and Exchange Commission: Denise Landers, Michael Macchiaroli

Secretariat
Toni Dechario, Kyle Grieser, and Bronwen Macro, Federal Reserve Bank of New York
Appendix B
Members of the Risk Appetite Working Group

CANADA
Office of the Superintendent of Financial Institutions: Karen Badgerow (Co-Chair), Jacqui Campbell

FRANCE
Prudential Control Authority: François-Louis Michaud (Co-Chair)

GERMANY
Federal Financial Supervisory Authority: Maik Esser

ITALY
Bank of Italy: Giampiero Longo

UNITED STATES
Board of Governors of the Federal Reserve System: David Palmer
Office of the Comptroller of the Currency: Kenneth Peyer, Molly Scherf
Securities and Exchange Commission: Denise Landers

Secretariat
Toni Dechario, Federal Reserve Bank of New York
Appendix C
Members of the IT Infrastructure Working Group

CANADA
Office of the Superintendent of Financial Institutions: Abhilash Bhachech (Co-Chair)

FRANCE
Prudential Control Authority: Christian Masson

GERMANY
Federal Financial Supervisory Authority: Simone Bock, Joerg Vahlenkamp

ITALY
Bank of Italy: Vincenzo Re

JAPAN
Financial Services Agency: Hideo Hashimoto, Nobuyasu Sugimoto

THE NETHERLANDS
The Netherlands Bank: Evert Koning

SWITZERLAND
Financial Market Supervisory Authority: Tim Frech

UNITED KINGDOM
Financial Services Authority: Jill Savager

UNITED STATES
Board of Governors of the Federal Reserve System: Adrienne Haden
Federal Reserve Bank of New York: Ronald Stroz (Co-Chair)
Office of the Comptroller of the Currency: Joel Anderson