The first is a set of Principles for an effective risk appetite framework (click here to access), following the recommendations in the FSB’s peer review on risk governance published in February 2013. The second is a consultative document on Guidance to supervisors on assessing the risk culture of financial institutions (click here to access).
These papers are directed primarily at the supervisors for systemically important financial institutions (SIFIs), not just banks. They are therefore relevant, to some extent, to all regulated financial institutions. However, in our view, senior management should start to benchmark themselves soon, as it seems likely that the messages for supervisors will be read across more generally.
The risk appetite Principles can be used with immediate effect by supervisors as a basis for assessing firms’ risk appetite frameworks.
Comments on the consultative document on assessing risk culture are due by 31 January 2014.
This is important for financial institutions because:
These two papers represent a further ratcheting up of supervisory expectations in the area of risk and governance, following the FSB’s series of papers (from November 2010 to November 2012) on the intensity and effectiveness of SIFI supervision; the FSB’s statement of sound practices in risk governance (February 2013); and the Basel Committee’s Principles for Effective Risk Data Aggregation and Reporting (March 2013).
Moreover, the FSB has made it clear that SIFIs should be at the “leading practice” end of the spectrum in these areas, not just minimally compliant with the Principles and sound practices.
Many financial institutions will struggle to meet the Principles for an effective risk appetite framework, in particular with respect to:
- Defining a risk appetite for non-financial risks;
- Setting risk limits across business units and entities; and
- Embedding risk appetite within a wider risk culture.
Meanwhile, the increased supervisory interest in risk culture may expose fault lines in the extent to which financial institutions can demonstrate that they have:
- embedded a clear set of values and culture at all levels of the organisation;
- learnt from risk culture failings;
- clearly allocated risk ownership;
- encouraged internal challenge to perceived poor behaviours; and
- implemented a remuneration framework that genuinely reflects performance against compliance and risk management.
To discuss the implications further please contact Giles Williams or Clive Briault.