You can’t be a quality banker unless you have your head straight about risk. For that matter, if you don’t have a clear view and clean language about risk, you really can’t manage risk accurately. Solid risk management starts with having a common and accurate language about risk and the risk you are willing to take. For example, “risk tolerance,” “risk appetite,” “risk target,” “risk capacity” and “risk limit” are often used interchangeably, but they mean different things. In this article, we promote our framework that we learned from talking to not only hundreds of banks but many Fortune 500 risk managers as well.
Defining The Nature of Risk
First and foremost, banks need to be crystal clear on what “risk” is. Risk means different things to different banks, so it is important that everyone is on the same page. Are you just concerned with capital loss? Earnings volatility? Failure to execute on your strategic plan? Does your bank take return into account when talking about risk? More importantly, does your organization talk just about residual risk (as in after mitigation such as reserves) or does it talk about total risk? Can risk ever be an unexpected event that impacts your bank in a positive fashion (hint: some of the most advanced risk organizations do)? Having a clear foundation about the word “risk” itself is step one.
Defining The Level of Risk
The other aspect is how your bank talks about the level of risk. CECL has given us a step in the right direction, but even that framework has some major flaws: it is almost impossible to compare banks, or even to compare your own bank over a time series, since assumptions, data models and methodologies can change. When your board says they are happy with the current level of risk, how do they know what that level of risk is? Is that the right level of risk? How does your bank measure risk on a consolidated and aggregate scale?
There are many ways to talk about aggregate risk but unfortunately, few banks take the time to develop a methodology to be able to discuss the combination of credit, interest rate, operating and other types of risk on a bank-wide basis.
Using Risk Definitions
Next, banks should consider a framework for risk definitions. Here are some common definitions used by some of the best risk managers in banking:
Risk Appetite: This is the type and amount of risk that the bank would like to take in order to produce a target return. Note that this is a range that starts with a risk measure greater than zero in recognition that not taking enough risk is the same as taking too much risk.
Risk Target: This is a bank’s optimal positioning within the risk appetite. Every strategic and tactical objective has a certain return and a certain level of risk. The target is where the bank is aiming for both. The Risk Target is also a threshold: once it is reached, the bank starts to take steps to bring risk back within the Risk Appetite. This could mean selling off risk, insuring, increasing monitoring, changing pricing, adding capital, increasing reserves or instituting some other mechanism for bringing risk in line.
Risk Tolerance: This is a bank’s maximum risk that the board and management are willing to take. Where exceeding your risk target means management has to take steps to reduce risk, your Risk Tolerance is your hard, do-not-exceed stop.
Risk Capacity: This is the total amount of risk a bank can take. This may be the level of risk dictated by capital, by regulatory edict or by operational constraints. It answers the question not of what cumulative risk the bank should take, but of what cumulative risk the bank is able to take. When understanding risk limits and tolerances, it is important to know when the bank could be in terminal peril.
As you advance in your risk management thinking, your language should expand as well since the language you choose shapes how you think. Send this around to your board and management and have a discussion about your risk terms at your next meeting. Reach an agreement on what each term means and you will find that not only will you have a more intelligent risk framework, but communication will improve as well.
Submitted by Chris Nichols on July 23, 2019