Risk Appetite Guidance
Practitioners’ View
December 2013
Full Members: Aegon, Allianz, Aviva, AXA, Achmea, Ageas, Generali, Groupama, Hannover Re, ING, Munich Re, Prudential, Swiss Re, Zurich Financial Services
Associate Members: Lloyds Banking Group, Manulife Financial, Old Mutual, RSA, Unipol, ACE, Legal and General, Chartis
Table of contents
Section 2: Introduction
Section 6: Conclusions
Section 7: Appendices
Section 1: Executive Summary
Search for “risk appetite” on any popular Internet search engine and you will receive well over one
million results. The topic has exploded in recent years, especially since the global financial crisis. One
can easily find numerous materials on risk appetite statements, definitions, metrics, and even
examples of statements. The Financial Stability Board has stepped into the act with their recent
releases, Thematic Review on Risk Governance, and Principles for an Effective Risk Appetite
Framework, both of which are very good pieces that provide information for insurance supervisors
when reviewing risk management practices.
Given the myriad of resources available, what contribution could the CRO Council and CRO Forum
possibly add to the discussion? While it’s true much has been published on risk appetite
fundamentals, the much harder task of operationalizing and embedding risk appetite throughout an
organization has not received much attention. Developing a risk appetite statement is only the first
step. Effectively embedding a common risk language throughout the organization is truly more
challenging. At times, changing the corporate culture is required and this can take years.
Starting with the premise that an effective risk appetite statement exists, this paper presents a variety
of sound practices that can enable an organization to create an effective risk appetite framework. In
addition, a healthy discussion surrounding sound practices on embedding risk appetite into the
organization is presented. Insights from a CRO Council/CRO Forum member survey [1] are added to
give tangible perspective to actual practices. Different approaches to operationalize and embed a risk
appetite framework are discussed, as there is no one “best” answer, but rather several options from
which to examine and determine what would be best for your organization. The size, complexity, and
nature of business operations will also weigh in determining what is “best” for any individual company.
This paper gives you food for thought on making your risk appetite statement an integral part of your
organization.
Before you begin reading the paper, it may be helpful to provide some background about the CRO
Council and CRO Forum. The CRO Council is a professional association of Chief Risk Officers of
leading insurers based in the United States, Bermuda, and Canada. Member CROs represent 30 of
the largest Life and Property and Casualty insurers in North America. The Council seeks to develop
and promote leading practices in risk management throughout the insurance industry and provide
thought leadership and direction on the advancement of risk-based solvency and liquidity
assessments. The CRO Council shares its views through publications and papers that can be found
on the Council’s website (http://www.crocouncil.org). The CRO Forum is an association that was
formed in 2004 to provide insights on emerging and long-term risks, to advance risk management
practices in the insurance industry and to seek alignment of regulatory requirements with best practice
in risk management. The CRO Forum member companies are large multi-national insurance
companies headquartered across the world with a concentration in Europe. The CRO Forum shares
its views through publications and papers that can be found on the Forum’s website
(http://www.thecroforum.org/).
This paper is the first jointly authored by the CRO Council and CRO Forum.
[1] The survey was conducted during a Joint Industry Meeting of the CRO Council and CRO Forum in London, 21st March 2013.
Appropriately establishing and embedding a risk appetite framework (RAF) for an insurance company
is one of the most difficult tasks to do because it means implementing an infrastructure that will oblige
a company to control itself. Companies often develop control frameworks that allow them to monitor
their activities, personnel, and performance; however, it comes far less naturally to a company to build
a framework that places limits (or preferences) around its own decisions. Largely because the global
financial crisis has placed risk appetite and risk management in the spotlight as a developing concept,
RAFs have become key to linking a company’s [2] strategy with its management of risk.
Building a RAF that creates value is not only conceptually but also technically difficult due to the
difficulty in aligning quantitative metrics and qualitative statements between strategy and risk, and
cascading these down to more granular levels that can be monitored and managed in a practical way.
Much has been written about the components of a RAF and goals that should be pursued, whether
under the form of regulatory sound principles for risk management, or under the form of research on
economic capital or performance measurement. Less discussed is the more operational aspect of
implementing and embedding a RAF.
Questions as to whether RAFs should set limits or provide incentives, how granular should risk
appetite be, and how to allocate risk appetite are all being currently debated. We believe that these
concepts are foundational in nature to building an effective RAF within a company. Conscious that
there is no one-size-fits-all, this paper has been conceived to provide different views that, as
practitioners, we have experienced in the set up of RAFs, and explore the possible options that are
currently in practice in our own companies to operationalize an effective RAF. It does not have the
ambition of providing a recipe, but will hopefully pinpoint the areas where companies need to take
decisions about the way of operationalizing that best fits their nature, size, and ambitions.
In this paper, we first set the scene by introducing the Core Principles that drive the design and
implementation of a RAF. We describe the components of a RAF, suggesting standard definitions for
each component with the goal of avoiding ambiguity in the terms used (rather than setting industry
standards). We also explore different views of organizing, governing, and communicating on the RAF
to stakeholders.
The second section of the paper concentrates on how to embed risk appetite in decision making
processes. We discuss how risk appetite can be an integral part of strategic decisions, and the
different approaches to enforcing adherence to the limits that are set. Finally, we discuss best
practices in terms of reporting on risk appetite.
[2] Throughout this paper we refer to ‘company’ as a generic term for the scope of the risk appetite framework. It can be a legal
entity, a business unit, or the entire enterprise. A distinction of the different levels will be made when their interplay is relevant
for discussion.
A company’s RAF serves as a tool for the Board and senior management to establish boundaries
around risk taking to achieve company objectives. As a key element of the wider system of
governance, a RAF has both strategic and tactical dimensions. Before discussing methods for
establishing and embedding an effective RAF within a company, we provide the following basic
principles.
In establishing a risk appetite framework, companies should consider the following core
principles.
• Establishing a comprehensive risk appetite framework is a complex endeavor, and should be
crafted via an iterative process, which requires diligence, patience, collaboration, and flexibility;
• The diverse interests of parties relevant in achieving company objectives should be considered;
• The risk appetite framework should identify and quantify risk preferences for material risks;
• Risk appetites should be reassessed after significant events and reviewed by the Board at least
annually.
When embedding risk appetite, companies should consider the following core principles.
• The risk appetite framework should be cascaded to business segments to ensure decisions are
consistent with enterprise objectives, tolerances and limits;
• Measurements should be used to provide evidence of risk appetite and strategy alignment at the
enterprise and business segment levels;
• For risks that are inappropriate to quantify, qualitative boundaries should be developed and
assessed.
As the basis for a sound RAF, the principles also underlie the content of this paper. They are addressed
and expanded upon in the following sections either explicitly or implicitly.
A company’s RAF is the framework of policies and processes that establish and monitor adherence to
the company’s risk appetite. A company’s RAF serves as a tool for the Board and senior management
to establish boundaries around risk taking to achieve company objectives. As a key element of a
company’s wider system of governance, RAFs have both strategic and operational dimensions.
Guided by its mission, vision and values, a company’s Board and senior management develop a
business strategy and plan to deliver on business objectives. Generally speaking, the objectives of
business and risk management are as follows:
• Preservation of capital;
• Maintenance of liquidity;
Each of the strategic objectives contains elements of risk that need to be managed by solving a
delicate balancing act: on one hand, management of the risk elements should support the business
goals to help create value, and on the other, it should play a warning role by sounding alarms to help
avoid big surprises. As a tool for the Board and senior management, the RAF helps establish
boundaries around these risk elements, thereby turning the balancing act into something far more
concrete.
A company’s risk appetite establishes boundaries for the aggregate level or types of risk a company is
willing to assume in order to achieve its business objectives. Risk appetite may have multiple
qualitative and quantitative dimensions, resulting in multiple ways of expressing risk appetite. Risk
appetite statements reflect the combination of risk acknowledgment, including preferences to and
unacceptability of specific risks, and company-wide tolerances for those risks. In its most general
form, a risk appetite would describe the pertinent risks to which the company is exposed and the
amount of exposure it is willing to assume from those sources of risk. An example of a risk appetite
statement is included in the appendix.
Risk Appetite
• Acknowledges sources of risk
• Expresses unacceptable risks
• Expresses preferred risks
• Sets risk tolerances
• Is formalised in a statement
Risk Tolerances
• Should be measurable
• Should be actively monitored
• Typically are set at enterprise level
Underlying a company’s risk appetite are its risk tolerances. Risk tolerances are the quantitative
measures and qualitative assertions for the maximum risk allowed by the appetite. Risk tolerances
should be measurable and are typically limited to a few key metrics. They should be actively reported
and monitored by the Board and senior management. Risk tolerances are typically set at the
For the sake of simplicity, the paper has generally assumed risk tolerances to be established at the
enterprise/group level. It intentionally does not discuss the ability for companies to set risk appetite
tolerances and draft risk appetite statements at the level of business units or legal entities and the
issues this may raise, especially when considering special purpose business units or legal entities.
Not to be confused with risk tolerances, risk capacity is the maximum level of risk a company can
assume before it breaches regulatory constraints (e.g. breach of solvency or liquidity ratios) or other
stakeholders’ constraints (e.g. inability to fulfil pension scheme obligations). For some companies, risk
capacity is closely aligned with their risk appetite. For other companies, the risk capacity is viewed as
a starting point for setting risk appetite: the latter is likely more stringent than the absolute risk
capacity. For example, a company may not have the appetite for its solvency ratio to fall below a level
well above the level that would breach regulatory constraints.
Risk limits are measurements based on forward-looking assumptions that cascade the company’s
aggregate risk tolerances to lower levels of granularity. For many companies, risk limits provide
operational controls at the level of the organization that manages the risk on a day-to-day basis. They
are expressed in metrics that are locally relevant and convenient to monitor and are often thought to
“act as a brake against excessive risk-taking”. [3]
A company’s risk profile is a point-in-time assessment of risk exposures, expressed in relation to risk
limits, risk tolerances, and risk capacity. If a company is operating within its risk limits at a more
granular level, the company is then presumably operating within its risk tolerances and maintaining a
risk profile that is within its risk appetite.
Ultimately, a company’s risk appetite framework should be established with consideration for practical
use and application.
The graph below serves as a reference to the different components of the risk appetite framework
expressed above.
[3] “Principles for an Effective Risk Appetite Framework”, Financial Stability Board, 18 November 2013; Section 1.1.d
http://www.financialstabilityboard.org/publications/r_131118.pdf
For example, shareholders will naturally be concerned with long term earnings growth and efficient
deployment of capital, while policyholders and debtholders will naturally be concerned with the
company’s ability to satisfy obligations as due, seeking a high level of solvency. Risk appetite can
then be linked to the needs of the stakeholders by using risk tolerances consistent with how the
company prioritizes the expectations and needs of its stakeholders. Table 1 summarizes metrics of
particular importance to various stakeholder groups, as well as related valuation frameworks.
Reconciling different stakeholder priorities in terms of risk is therefore the first difficulty companies are
confronted with when building their RAF. Trying to address the multiple constraints and priorities of
stakeholders is an important input to choosing which risks to focus on in a company’s risk
appetite statement.
To add to the complexity, the way stakeholders perceive the company’s value can be through the
prism of different valuation frameworks. It is not the view of this paper that these need to be, or even
can be, reconciled. Companies acknowledge that they are faced with increasingly numerous and
complex valuation frameworks, leading to difficulties in establishing consistent RAFs. This is later
developed in section 5.3.
As part of the risk appetite statement, risk tolerances play a prominent role in expressing precisely
what level of risks the company is willing to assume. Establishing risk tolerances involves specifying
the scope of the risk appetite statement, the choice of the metrics, and the appropriate boundaries for
these metrics.
• Comprehensive: it should have the appropriate breadth, reflecting coverage of risk landscape,
and depth, meaning granularity within company structure;
• Concrete and Practical: all material risks should be identified and quantified via risk tolerances.
For risks inappropriate to quantify, qualitative boundaries should be established;
• Consistent and Coherent: tolerances throughout the company need to form a balanced system
of relevant boundaries, avoiding excessive allowance in some areas and excessive restrictions
in others, and should align with the business model of the company.
Comprehensiveness
• Does the appetite sufficiently address the key risks that would inhibit company objectives?
• How do we know a risk is material if it can’t be measured?
• To what extent should the scope include ancillary or non-material activities?
Concreteness and Practicality
• How quickly should it be possible to report on results? Does this influence our choice of metrics?
• Should speed be prioritized at the expense of accuracy?
• Should qualitative statements have some measure of risk?
Consistency and Coherence
• What metrics reflect similar measures of risk across different types of activities?
• How can I link these measures to the business model?
It is useful to distinguish quantifiable risks from less quantifiable risks. The highest level of quantifiable
risk consideration can start with a company’s financial statements. The table below lists examples of
metrics for quantifiable risks. Among the three financial statements, the balance sheet draws the
highest attention as it represents a view on the shareholder capital available to absorb downside
shocks. Thus, it forms the basis of regulatory solvency requirements and agency assessment of credit
worthiness. When considering the balance sheet, attention should also be drawn to the off-balance
sheet items, which may bear considerable risks. Note also that off-balance sheet items may serve as
important sources of capital, providing a buffer against risks.
Balance Sheet: Capitalization level depending on target solvency ratio and/or target rating
Two common types of risk metrics are value-at-risk (VaR) and Expected Shortfall (ES). Both metrics
measure the risk associated with a time horizon for the loss distribution and a confidence level (or
probability). VaR is a common risk measure often already calculated for the total capital requirement
[Chart legend: 1. Earnings volatility targets; 2. Formal risk limits; 3. Strategic Risk Appetite Statements (“we will not take exposure in…”); 4. Statements on exposure to reputational risk; 5. Liquidity Targets; 6. Others]
While well-established risk metrics exist for quantifiable risks, the less quantifiable risks (or qualitative
risks) are mostly out of the reach of mathematical modelling. These pertain, in particular, to the
qualitative aspects of a company. Examples of these risks include reputational risk and confidence of
the stakeholders in the company. Another example of qualitative risk is strategic risk (i.e. unexpected
losses due to improper strategy or its implementation). In this case, more qualitative risk measures,
such as specific indicators (e.g. number of customer complaints) or key findings of risk assessments
(e.g. how well processes and accountabilities are defined throughout the organization) can be used
as the basis for risk assessment. If these risks are included in a risk appetite, they should be
measured and monitored against the most appropriate indicator available.
Strategic risk: Exposures, earnings volatility, company share price volatility, key
findings of opportunity and process optimization assessment, etc.
Emerging risks: Expert assessments of identified risk's impact, velocity, and probability.
Market risk: Funded yield vs. portfolio/plan yield, pricing interest margin, current
and projected reserve margin, duration mismatch, sensitivity of MV
surplus, and accounting to risk factors such as interest rates, FX,
equity, commodity indices, VaR
Companies should organize roles and responsibilities related to establishing and embedding the risk
appetite framework in a manner that is most relevant to their specific structure; as such, we do not
prescribe specific segregation of duties or attribute specific roles to designated corporate figures. The
Board should be actively engaged in assessing the effectiveness of the risk appetite framework, with
discussion of more material changes to the framework and current risk appetite levels possibly
delegated to an executive or Board sub-committee. The Board and/or Board sub-committee would
A company’s CEO, CRO and CFO share responsibility for establishing and embedding risk appetite
and should work jointly on the risk appetite framework, but specific allocation of responsibilities would
be left to the company’s discretion. In a mature and effective framework, the CRO and the CFO would
work together in ensuring that the risk appetite of the firm is consistent with its strategy, business and
capital plans, risk capacity and compensation program and would be equally responsible for aligning
risk appetite to supervisory expectations. Appropriate checks and balances should be utilized to
optimize development, use and ongoing maintenance of a company’s risk appetite framework.
To embed the risk appetite into the organization, senior management should facilitate cascading; use
and adherence would be encouraged through performance expectations for employees at all levels.
The RAF, including the roles and responsibilities of all levels of management, should ultimately be
developed in consideration of a company’s nature, scale and complexity. For example, the framework
may be adapted to suit the organizational structure of a company divided into business units. A
pragmatic approach may be to embed risk appetite over the span of several years rather than trying
to implement a comprehensive framework at once. Regardless, the key aspects for a successful RAF
are ownership and support of risk appetite at senior levels, clarity of governance and roles and
responsibilities, and the fundamental goal of developing a risk culture that supports the strategic
direction of the company.
basis so that localized decision making is in line with the company’s appetite.
Risk appetites should be submitted to the Board annually, or after significant events causing the
company to reconsider its risk appetite. While many companies do not communicate the specifics of risk
1. One format Risk Appetite Statement at company level, supported by a simple set of metrics,
communicated to all stakeholders in the same format.
2. One single set of metrics on Risk Appetite, but communicated differently to different stakeholders
3. Different sets of Risk Appetite metrics, depending on stakeholder group. Targets set on different
metrics must be coherent.
4. Different sets of risk appetite metrics, depending on stakeholder group. Targets set on the different
metrics must not necessarily be coherent
With respect to public disclosures, many companies disclose their limit setting philosophy together
with the tolerances associated with their most material risks (e.g., CAT limits), and disclose peak risk
exposures related to certain key risks at different levels of confidence. Many companies disclose the
existence of a RAF in their public filings, and provide insight on the elements of the RAF without
necessarily giving details on the quantitative features of the RAF itself.
Of course this last statement does not necessarily hold true for every company and for each type of
risk appetite statement. For example, it is natural for rating agencies to understand the company’s risk
appetite statements and framework and related governance processes in greater detail. Further, as
part of an earnings call, or as part of its financial disclosures, some companies disclose long term
ROE expectations, hurdle rates or capital buffers (versus either a regulatory or a rating agency
standard). While discussions about RAF are occurring more frequently in financial disclosures, there
remains a fair amount of variability across companies as to the level of detail provided.
In this section, we take a more practical approach to risk appetite and provide more detail on how a
RAF would work operationally. Embedding risk appetite in the culture of the business is not a simple
compliance exercise, but rather part of a company-wide effort to change the way the businesses
perceive risk by considering it as an integral part of their decision making processes, whether at
strategic levels or more operational (i.e. day-to-day) levels, according to the company’s approach to
managing risk.
The Board and senior management likely take a strategic perspective with a view of what risk appetite
means to them over an extended timeframe, and how it relates to performance. Management should
strive to fully embrace the RAF and use risk appetite explicitly in their thinking and in decision-making
processes. A company with a strong risk culture has a Board thinking in terms of risk appetite, and
everyone else in terms of what drives the company’s risk profile versus its risk appetite and how
decisions impact the profile.
[Figure: Possible Strategies to get from A to B]
Early stages of embedding a RAF are likely led by units in charge of strategic and business planning
in collaboration with the company’s ERM function. Risk appetite might be seen as a constraint (often
established with the goal of compliance with regulatory requirements). Focus may be on controlling
whether the plan is compliant with risk appetite, measured by expectations regarding how risk factors
might evolve. Stress testing would be utilized to set the expectations and monitor against them. For
example, stress testing might be used to highlight risk exposures allowing management to determine
its appetite for each. Then once risk appetite is set, stress testing would be used to monitor
adherence. If a company seeks to maintain net assets equivalent to 120-130% of its economic capital
requirement, stress testing (or reverse stress testing) could be utilized to understand what might draw
net assets down below 120%. Alternatively, sensitivity tests calibrated to a tail event (considered to be
unusual yet plausible, e.g. a 1-in-20 to 1-in-200 year event) could be applied to determine if they
would bring the level of net assets out of compliance with risk appetite. In this case, non-compliance
might lead to an iterative process resulting in revisions to the business plan.
• Limits business risk taking to within the overall Group risk appetite
• Allows EU regulated entities / group to help demonstrate S2 compliance and can move to support
the “use test” by incorporating economic capital metrics into business decision making
• […] opportunities to improve capital efficiency
• Likely to drive pursuit of unachievable or expensive rewards
As the business model matures, the RAF becomes more embedded in the company. Risk appetite will
increasingly become an important input to the strategy informing management of decisions that best
optimize the likelihood of delivering on business objectives. For example, a company’s risk tolerances
which set the amount of longevity risk desired would set bounds to the amount of annuity business
that can be written; in turn, the risk appetite might encourage the company to focus on writing life
insurance business within its given risk limits that maximizes its return. The net result might be a mix
of annuity and life insurance business with offsetting risks, and optimized value requiring fewer
resources (in this case capital).
Putting it into practice…
When asked how risk appetite and strategy were integrated in their companies, CROs indicated by a
large majority that there existed a timely feed-back loop between both.
Scenarios of material shifts in market conditions: As
If tolerances are breached, risk appetite could be reviewed temporarily or permanently in accordance
with ultimate risk capacity. As discussed in section 4.1, risk capacity and risk appetite may be closely
aligned for some companies while for other companies, risk appetite is more stringent than the
absolute risk capacity. In any case, the ability for a company to stretch beyond its risk appetite
As a tool for the Board and senior management to establish boundaries around risk taking to achieve
company objectives, the RAF should be subject to change and evolution as conditions and
opportunities require so long as a robust governance and escalation process exists, including
articulating the following:
• What has changed between the time when the RAF was last approved and the new opportunity
or threat that presents itself;
• The commercial profit opportunity in terms of the expected risk/return tradeoffs or the impact on
profit of the threat that has changed the expected risk / return tradeoff;
• Why the potential losses associated with the additional risk taking are acceptable or not;
We believe that as a matter of sound governance, Boards should review and/or approve the request
for expanded risk tolerances and the associated change in risk appetite.
Approaches to developing risk limits vary, due to different bases for the measurement of risk
exposures driven potentially by different regulatory regimes and different methodologies and
infrastructures employed, as well as different data availability. Although the primary purpose of a limit
system is to support meeting the risk tolerances by braking excessive risk taking, some companies
also employ limits in support of risk-based return optimization as well (e.g. tighter limits where risk-
return is low).
Companies with the ability to measure risk exposures based on risk-sensitive indicators (e.g. internal
model approaches for economic capital) may define risk limits on, for example, the amount of
economic capital allocated to business units and/or risk exposures. Other risk exposures may be
measured on an indirect basis, utilizing premiums, reserves or sums assured, for instance. In such
cases, the RAF would be embedded on the basis of limits in regard to indirect indicators. In fact, the
RAF should be broad enough to allow for the cascading of economic measures of risk as well as
other measures of risk derived using other approaches.
[Figure: process of setting strategy, risk appetite, targets and risk limits across the Board, Executive Management, the Group and business units (BU 1, BU 2, BU 3), with discussion and approval steps; each business unit is shown with its available resources and its desired and final profiles. Phase 1: planning process. Phase 2: set final targets and risk limits. Phase 3: resource allocation, where applicable*. Legend: excess resources; resources necessary to meet targets and limits.]
*Risk appetite metrics leading to resource allocation typically are capital related but could also be applicable to any type of metric that would allow transfer of risks from one business unit to another.
In this process of cascading and setting risk limits at increasing levels of granularity within the
company structure, and depending on how complex a company is (e.g. multiple geographic zones,
importance of non-insurance activities, variety of product mix, etc.), it is faced with equally increasing
difficulty in keeping the overall risk limit framework consistent. Suppose a company has managed to
strike an appropriate balance among the risk tolerances it fixes according to stakeholder priorities. If
on one hand the company wishes to maintain a direct link between higher and lower level limits it will
gradually lose the ability to maintain consistency with the limit and control infrastructure that may
already exist at the business unit levels. If on the other hand it chooses to maintain a consistent
approach at granular levels, it will be faced with the challenge of maintaining the link to the strategic
goals. Contributing to this complexity are the multiple valuation frameworks (Local GAAP, IFRS,
market consistent, etc.) and the non-harmonized regulatory regimes (Solvency II, ComFrame, NAIC,
etc.).
Given the above, we would argue that, although it is a goal to strive for, limit frameworks will not
necessarily be consistent across all metrics used. Top down consistency for each individual metric
should be sought down to the level of granularity commensurate with the level at which decisions are
being made (see section 5.4). Where the links at the lowest levels are indirect, it is important that
harmony exists between these levels and the overarching risk tolerances; a bottom up reconciliation
process can be used to ensure this. In addition, where consistency across metrics is not fully
established, it should at least be possible to assess the impact that the variation of one metric will
potentially have on the others. However, companies should acknowledge that there might be areas
where they choose not to optimize risk because of the cost and complexity of maintaining a link
between aggregate and granular limits.
In addition, determining the dynamic nature and granularity of risk limits should also be based on the
materiality of the risk to the company and the volatility of the risk and/or the basis of the limit.
Setting and managing dynamic limits is dependent upon robust risk management technology.
Underlying data must be developed, complete, and validated. To this end, having adequate model
validation is critical to the process to assure that systems, vendors, and technology are adequate for
the level of monitoring the company requires.
Many companies also employ a framework of “soft limits”. Distinguishing between hard and soft limits
is useful in determining when discussions around revising risk limits are warranted. In contrast to hard
limits, soft limits relate to an exposure level that should trigger discussions, but for which remedial
action is not yet necessary unless otherwise decided upon. The conditions that existed when the risk
appetite was established can change, and good governance leads the company to understand the
• Increased risk monitoring (e.g. increase in reporting frequency) and de-risking (e.g. trigger of
  approved reinsurance or hedging programs) are actions typically available to decision makers
  at operational levels, whereas
• Resource reallocation (e.g. capital transfer), or revised risk appetite (e.g. increase in tolerance
  on earnings volatility) should only be available to senior management and to the Board.
Limit breaches are anticipated rather than reported on once they are breached. This is often
achieved by reporting on the projected risk profile as well as the profile at the report date (e.g.
End of year projection of economic capital consumption as of Q2). Other techniques include
analyzing adverse trends or identifying and explaining emerging risks, particularly in a constantly
changing environment.
Education should be provided regarding how to interpret and use data included in quantitative risk
reporting; many different types of risk exposures and metrics can be confusing to individuals outside
of the risk management function. To be effective, risk reports should include the following:
• Definitions of material risks, and clearly identified confidence levels, accounting methods, time
  horizons, and other factors impacting results;
• Executive summaries giving highlights of main conclusions, with drill down in more detailed parts
  of the report;
• Calibration of the level of detail of the report on the amount of “new” information available (i.e.
  first quarter reports may not need to be as detailed as half year reports).
Because the frequency and timing of risk reporting plays a key role in the interpretation of a
company’s exposure to risk, the following factors should be considered:
• Type of risk: The appropriateness of the report frequency will depend on the type of risk. For
  example, market data can change significantly from day-to-day; therefore, exposures may need
  to be monitored and reported daily.
• Risk mitigation technique: Another factor is matching the frequency of reporting to the risk
  mitigation techniques. For example, hedging will require more frequent monitoring and reporting
  than mitigating with reinsurance.
• Volatility of environment: The more volatile the environment, the more frequent and potentially
  ad hoc the reporting could be required (e.g. severe catastrophe event, market volatility). In
  normal operating environments, it may be appropriate to provide monthly reporting to senior
  management, and perhaps less frequent to the Board; however, it is the quality and timeliness of
  the data that will determine its usefulness. Given constantly changing environments, presenting
  stale information may lead to poorly informed decisions.
In short, a company should determine which risk factors, metrics and/or characteristics are most
pertinent to their particular risk profile and position, at a level granular enough to detect trending, and
on which to perform appropriate analyses. After determining the monitoring level and frequency, a
reporting framework should be used to draw together the data across all risk areas, and present a
clear and comprehensive picture for senior management and the Board.
Developing a risk appetite statement is an endeavor in and of itself. Coalescing the board's and senior
management's thoughts around appropriate types and amounts of risk to take is no easy task.
Following the simple principles stated at the beginning of this paper helps in that process. But once
the statement is completed, you cannot stop there. Operationalizing and embedding an entire risk
appetite framework throughout the company is required to have any success in managing toward your
established risk appetite statement.
This paper has shown the need to develop a risk appetite statement that includes metrics and
provided several examples. In addition, the importance of quantifying and measuring the established
risk metrics to enable you to address the myriad of stakeholders’ interests has been identified as a
requirement of any risk appetite framework. Cascading risk tolerances throughout the organization is
important to successfully embedding a risk appetite mindset throughout the company. If these steps
are successful, the integration of risk management and business strategy will become apparent.
Business strategy development and business decisions will be seen through the lens of the
established risk appetite and risk management will become embedded in business strategy. This will
benefit the long term viability of the company and enhance value.
Think about your company’s risk management strategy and risk appetite statement. Do you have
established risk limits that are monitored through well-defined metrics? Is your risk appetite framework
embedded within business strategy development and day-to-day business decisions? The process to
accomplish this goal is challenging given the varied interests within any company, but the end result
will provide a comprehensive and cohesive framework to make strategic and tactical decisions.
The company takes and manages risks to achieve our objectives, and the following risk appetite
statement broadly describes the types and amounts of risk the company is willing to take in pursuit of
these objectives.
With regard to the types of risk we take in order to seek return, XYZ Company accepts and manages
strategic, credit, and insurance risks in accordance with our corporate strategy, investment policy, and
annual business plans. The company seeks to minimize potential exposure to market, capital &
liquidity, and operational risks.
Underlying the company’s risk appetite are risk tolerances, high level quantitative measures and
qualitative assertions for the maximum risk allowed, set at the enterprise level and in line with the
needs of our stakeholders. At the highest level, they are intended to assure we maximize the
likelihood of delivering on our mission, strategy and objectives.
1. Earnings: Our business should be monitored and managed so that we have 95% confidence that
earnings will be no more than 5% lower than expected and 99% confidence that earnings will be
no more than 10% lower than expected.
2. Capital
a. Regulatory: We seek to maintain a level of capital that is 375-400% NAIC RBC, but have a
long term target to operate at 350% RBC. An early warning threshold of 300% RBC is
established to initiate heightened monitoring and review. If the level falls below the early
warning threshold, then causes and potential contingency plans will be reviewed at the next
quarterly executive risk management committee meeting. Our desired absolute minimum
level of capital is 250% RBC, which represents a 50% point margin over the regulatory
intervention level of 200%. If the consolidated actual capital level falls below the minimum
level, then immediate remedial action plans will be implemented.
b. Economic: We seek to maintain assets in excess of 130% of economic capital. The early
warning threshold is 120%, and the minimum level of capital is 100%.
c. We manage risk exposures so that each single risk has a maximum loss exposure of less
than $500m of statutory capital at a 95% confidence level.
4. Franchise value: Operational risks that could lead to material reputational, legal, or regulatory
problems should be minimized. We seek to maintain appropriate compliance with all applicable
laws, have no tolerance for criminal or fraudulent activities, and maintain strict data security and
privacy controls to protect customer information.
Under a group view, individual risk exposures can be aggregated into a group measure of required
capital, accounting for the benefit of full diversification of all exposures in the company. Implied in this
view is that the aggregate value of the company is fully accessible to cover all risks; that is, capital is
fully fungible (not to be confused with fully liquid). Capital can be accessed sufficiently quickly to cover
unexpected losses in all parts of the company. The group view is consistent with the perspective of
'one company / one capital base' and, on a purely economic basis, reflects the most efficient provision
of risk pooling.
The following two strategic goals promote fully allocating diversification benefits to all levels of the
organization:
Capital and liquidity allocation should be driven by global impacts of the business / product on
the group-wide consolidated capital requirements. Shareholder value is reflected in the total
market value of the company and is represented by shares in the top holding company.
Therefore, the impact of a risk exposure on the amount of capital the entire company needs to
hold is the most precise driver of value creation.
In general, management should be incentivized to maximize shareholder value. Where a ‘group’ view
on risk appetite is employed, it follows that there is a group view on the cost of capital and, therefore,
it is natural to measure management performance against the diversified capital base. By applying a
fully diversified capital charge, local management is incentivized on their "contribution to the company
value".
For many companies, a fully fungible capital base is not a reality due to local regulatory or managerial
constraints. Under a more local view on risk appetite, full group diversification benefits may not be
allocated.
One reason why a company may not allocate the full company’s diversification benefit is because the
business faces local constraints that are binding and so lacks the fungibility of capital implied by 'one
company / one capital base'. The constraints may reflect regulatory realities over certain time
horizons; the regulator might require a clear risk appetite definition for both legal entity and group.
Local regulators might have a special interest in the local exposures (i.e. to ensure that the domiciled
legal entities can meet their local risk capital requirements); therefore some resources might be bound
locally (e.g. ring fenced funds to cover certain liabilities), which will not be fungible, inhibiting the
'realization' of full diversification inherent in the consolidated risk appetite. Properly managing local
constraints may require locally focused risk appetite constraints and local management should
manage value to optimize against the diversification present in the risks that aggregate to the local
constraint.
A final consideration for allocating the diversification benefit generated by risk pooling is the element
of time. A company’s risk profile changes over time and its risk appetite should be forward looking.
Planning for expected changes to the portfolio and the resultant impact on diversification benefits is
important. For example, a business that is under run-off might provide increasingly less diversification
benefits. Because projecting future diversification benefit is technically difficult and subject to ever
greater uncertainty, companies often ignore the effect and assume 'constant' diversification benefits in
the future. Although understandable, this assumption could lead to an unreasonable estimate of risk
for long-tailed lines (e.g. casualty and life) that are experiencing strong growth. Where business plans
show large changes to future business mix, the allocation of diversification benefit should account for
these.
In practice, companies are often faced with both local and group constraints. The allocation of
diversification benefits may need to differ depending on the application or decision. Alternate
approaches can be applied such as:
• Fully allocating diversification benefits at the start of a planning cycle and then "freezing" these
  benefits over the course of the cycle. This practice minimizes concerns of diversification benefit
  'surprises' due to decisions made by other areas of the company in between planning cycles.
• Adding additional local charges to entities where the fungibility of capital is considered to be
  exceptionally low.
Managing multiple capital constraints and different levels of diversification benefits is a challenge to a
successful operationalization of a RAF.
This publication was written by members of the CRO Council and CRO Forum. The content of this article
reflects the view of the majority of the Council and Forum members and not necessarily the opinion of every
member company.
The CRO Forum is supported by a Secretariat that is run by KPMG Advisory N.V.
Laan van Langerhuize 1, 1186 DS Amstelveen, or
PO Box 74500, 1070 DB Amsterdam
The Netherlands
www.croforum.org
The CRO Council is supported by a Secretariat that is run by Towers Watson.
For more information, please contact [email protected]
www.crocouncil.org
CRO Council and CRO Forum – Risk Appetite - December 2013