The Knowledge Exchange / Risk Management / CRO: Your risk appetite challenge

CRO: Your risk appetite challenge

Defining the roles and rules

risk appetiteAt first glance, “risk” always seems like a bad thing that enterprises want to reduce or eliminate at every opportunity. After all, doesn’t risk mean an imminent possibility or danger of failure or loss? But in financial services – as in life, generally – few rewards are attained without willingly incurring some level of risk. In fact, every business in every industry manages a wide range of risks in pursuit of its business goals.

Problems arise only when the delicate balance between risk and reward is skewed or falls out of alignment. That’s why it’s essential for each company to define its risk appetite – the amount of risk embedded in the strategic plan. In other words, what losses are you willing to absorb as a consequence of your pursuit of those goals?

I believe it falls to the Chief Risk Officer (CRO) to lead the enterprise in this crucial process. It’s not the goal or responsibility of other senior managers to define the risk profile of the organization. The CRO has the cross-business perspective regarding liquidity ratios, risk-return curves, capital constraints, portfolio concentration, and other factors. To succeed, the CRO will certainly need the full cooperation and support of the executive management team

Translating high-level definition of risk appetite

One of the key challenges for any CRO is translating the high-level, board-level declarations about risk tolerance into lower-level actionable plans, decisions and actions. In my opinion, every employee of a financial services institution is a risk manager, and there should be no tolerance for deviation from procedures that control or manage risk. Creating this culture can be among the most challenging tasks for the CRO.

For example, a conservative bank might have a low tolerance for losses and a part of its definition of risk appetite might be that any strategic plan must not involve a loss greater than the average annual profit for the past 10 years. How can we cascade that down into the business units? It becomes a question of risk culture and measuring behavior. The CRO then works with the business units to assess credit risk, portfolio concentration, and the other key metrics to figure out how much risk (in loss terms) is embedded in the annual board plan if everything is executed. Then it’s feasible to compare that number to the goal set forth by senior management and we can see what the bottom-up aggregated risk is compared to the top-down goals. This will lead the bank to either reduce its risk – or potentially even increase it (to the risk appetite level at most). After setting the game field borders, we can analyze if the return compensates for the risks taken and how can we optimize performance by changing the capital allocations to the business units.

Monitoring risk-adjusted return on capital (RAROC)

The goal of the CRO is to optimize the performance of the firm’s capital assets by managing risks – which can fluctuate. That means continuously monitoring asset performance and allocating assets (capital) to those areas of the business that are delivering a higher risk-adjusted return on capital (RAROC). In simplest terms, the CRO should be advocating to place capital into business areas that have the highest RAROC – and those areas shift dynamically.

Of course, quantifying and monitoring the firm’s risk appetite is a significant data analytics challenge. Our firm uses an analytics dashboard that presents different measurements and indexes. But the challenge here is not about aggregating the information – the data is there. It’s about defining the conditions in the business that merit intervention. That means setting thresholds and limits with the ability to drill down into greater detail to diagnose or troubleshoot any incipient problem that may be emerging – long before it develops into a critical threat. If we can measure risk, we are in a dramatically stronger position to manage it.


Download this IDC Financial Insights Report to learn how you can “institutionalize improvements in risk management, reduce the focus on ‘event management’ in preference to working toward a more proactive outlook and begin to deliver an ‘on-demand’ risk management enterprise.”


  • Facebook
  • Twitter
  • Digg
  • LinkedIn
  • email