How A Well Defined Risk Helps Improve Business Performance
October 2023
In 2022, losses, fines, and legal expenses for nonfinancial risks cost the banking industry $19 billion, bringing the total price tag for nonfinancial risks to more than $460 billion since 2010.

Nonfinancial risks—those that emerge from people, processes, systems, and external events—are challenging to manage for all institutions, and executives are faced with a constantly changing landscape of risk events and disruptions. Despite the inherent challenges, it is important to clearly define an appetite for these risks to limit the risk taking in areas that go beyond a company’s risk capacity and threaten its business objectives. This appetite needs to be balanced against return optimization by investing in activities that offer the highest yield.

For financial institutions, risk appetite is a particularly important component of an end-to-end risk management framework. It needs to be supported by other risk management components, such as a comprehensive risk taxonomy, robust risk identification and assessment processes, data and analytics capabilities, and a risk aggregation and prioritization logic based on risk materiality. Risk appetite needs to be integrated into risk governance and oversight, reporting, and risk decision making and mitigation actions (Exhibit 1).

At financial institutions, setting risk appetite for financial risks is an extensive, regulatory-driven practice to manage risks to the balance sheet, profit-and-loss statement, and cash flows. The objective is to limit the credit, market, and liquidity risk capacity of financial assets and liabilities in relation to capital and funding. At the same time, executives need to trade off allocation of scarce capital and funding with risks to optimize returns, which are measured by the return on equity and risk-adjusted capital.

For nonfinancial risks, setting risk appetite is a much more elusive and theoretical concept than for financial risks.
Exhibit 1 of 3: Risk appetite as part of an end-to-end risk management framework. Elements shown in the exhibit: risk taxonomy; data-driven analytics; monitoring; key performance indicators and key risk indicators; findings, issues, and events; other risks with an appropriate level of monitoring, data, and remediation as needed; and the area where board involvement is required.
Shifting focus from management of financial to nonfinancial risks
The focus of the financial industry has, in recent years, shifted from management of financial risks to nonfinancial ones, such as operational risk, regulatory compliance, and the compliance and conduct necessary to prevent financial crimes.

The shift has been driven by major industry trends such as the mis-selling of products, facilitation of tax evasion, breakdown of controls to protect institutions against money laundering,

In many ways, the impact of nonfinancial risks on financial institutions is more threatening than that of financial risks: these risks cannot be passed on to customers, have more extensive reputational effects, and often require more complex remediation efforts at higher costs than financial risks. In some years, the nonfinancial-risk losses have equaled or exceeded the cumulated credit risk provisions or impairments at banks. As mentioned, losses, fines, and litigation expenses have cost the biggest European and US banks more than $460 billion since 2010 (Exhibit 2).
Exhibit 2 of 3: Operational losses, fines, and litigation costs for nonfinancial risks have cumulated to approximately $460 billion over the past 14 years.
[Chart: operational losses, fines, and litigation costs 2010–23,¹ $ billion, shown annually (left panel, scale 0 to 80) and cumulatively (right panel, scale 0 to 500), for the years 2010 to 2023²]
¹ Includes operational risk losses (eg, unauthorized trading), fines, settlements, and expenses for provision buildup (eg, provisions for compensating customers). Based on incidents settled/expensed and gathered through news and press search. Sample of European and US banks totals 304, comprising 830 event/fine/cost entries.
² Year-to-date Jan–Aug 2023.
A global bank implemented a business-driven risk appetite framework with a specific risk appetite for top nonfinancial risks.

The bank redesigned its nonfinancial-risk-appetite framework to strengthen its effectiveness by defining the risk appetite from a business perspective, rather than from a control function perspective. The risk appetite definition was proposed to the board at the outset by the risk and compliance functions, but the business did not find this risk appetite actionable to guide decision making in the day-to-day business operations.

The bank based its framework on a set of five core principles:

— Not all risks are of equal importance. Risk appetite should focus on top risks that matter the most for each business unit and these risks’ specific drivers to maximize the effectiveness and usefulness of the risk appetite for the business.

— Qualitative statements, metrics, and limits or thresholds should be linked to the true drivers of each business unit’s top risks to make the risk appetite operational.

— Risk appetite should be embedded in the business and its strategic decisions by putting the business in the lead for proposing risk appetite to avoid making it an exercise run by the control function.

— Thresholds and tolerance levels should be complemented with control-based key performance and inherent risk indicators to unlock business management relevance.

— Governance process for risk appetite breaches should be formalized by predefined actions and timelines for getting back within the threshold and to trigger real consequences for the business.

The risk appetite was defined on a business unit level. Each unit described its business model and strategy and how its client segments, distribution channels, products and services, infrastructure, and external factors—such as market conditions and regulation—create inherent risk.

Each business unit set an overarching, general risk appetite applicable for all its nonfinancial risks (including risks for which management had been delegated to a support function, such as cybersecurity). For these risks, each unit formulated overarching qualitative statements on accepted and rejected risks, and expectations on the control environment. Specific non-risk-type metrics were defined as applicable for all risk types in the risk taxonomy, such as material issues identified by regulators or an internal audit and operational losses.

The business units defined the seven to ten top risks driving most of their risk profiles. For these risks, a risk-type-specific appetite was formulated, and the underlying risk drivers were identified to track and understand the exposure to the top risks. Specific risk-type statements were articulated on which risks to take and not to take and the expectations on risk-specific control frameworks and processes. Risk-specific metrics to monitor top risks were based on their identified drivers. Thresholds for the metrics were based on historical data, benchmarks, and discussions between the business and the control functions. Ultimately, the thresholds were cascaded to the region or desk level where appropriate (exhibit).

A business unit dashboard was built to track the development of the risk profile of the unit, covering both generic risk metrics and specific risk-type metrics for top risks. A breach review process with “hard triggers” for residual risk metrics indicates a potential risk appetite breach. Exceeding a hard trigger initiates a formalized review to determine whether the risk appetite has been breached and, if so, to decide on the appropriate remediation measures. “Soft triggers” are set for metrics monitoring effectiveness of controls and development of inherent risks that may warrant further preventative or preemptive actions but do not trigger a risk appetite breach.

If a risk appetite breach is confirmed, the business unit can develop a remediation plan that is reviewed, challenged, and agreed to by the relevant control function or functions. The remediation plan is based
Exhibit 3 of 3: For top risks, risk drivers are defined, specific qualitative statements are developed, and metrics and thresholds are selected.
Illustrative example (top risks listed: AML/KYC,¹ suitability, product risks), shown for AML/KYC:
Risk drivers: number of PEPs;² proportion of high-risk customers; number of clients domiciled in high-risk countries.
Qualitative statement: “We conduct business with PEPs, which present heightened money-laundering risk, but place these clients under stricter monitoring and controls.”
Metric: change in the number of new PEPs onboarded (inherent risk) during the last period.
Threshold: >+–% change in new number of PEPs onboarded; cascaded as a % change in new PEPs of X% in Region 1 and Y% in Region 2.
A leading international insurance company sought to uplift the quality of its nonfinancial-risk management in response to recent litigation cases and regulatory inquiries. On first reading, this looked puzzling, as the management of risk was the very nature of the insurance business. But quantifying vast amounts of dispersed qualitative information is different from evaluating actuarial data and requires a clearly steered transformative effort.

The institution opted for a top-down risk assessment starting from an existing taxonomy of nonfinancial risks. To allow for greater manageability, these were split into a dozen risk domains composed of approximately three times as many risk vectors. For each risk, the institution calculated in a recurring cycle, first, the inherent risk exposure; second, the adequacy of the internal controls system; and, third—after data quality adjustments and weighing of factors—the residual risk.

Intuitively, inherent risk exposure is a function of the severity and the likelihood of risk events. Severity is best observed in the potential economic and reputational impact seen in the frequency of external or internal breaches. The key to using such a system, then, was twofold. First, the insurer needed to identify metrics for suitable quantitative and qualitative data (for example, the sum of internal operational losses per annum such as fines) and apply industry-wide adjustments (for example, from the operational risk loss database ORX). Second, the identification and application needed to be harmonized into one single scoring logic and weighed according to their relevance.

To form an opinion of the adequacy of the internal-controls system, the company turned to a set of proactive (for example, audits, regulatory inspections, internal regulations, training) and reactive (for example, customer complaints, whistleblowing allegations, litigations) risk management metrics. Using existing data to the maximum extent was paramount to increase acceptance across the organization. Again, the outcomes were translated into a single quantitative scoring logic.

The combination of the risk exposure and the controls metrics yields a residual risk matrix. However, the insurer desired to report the current nonfinancial-risk exposure in a single metric, which was achieved by taking the average of the sum of squared residual risk scores.

The effects of introducing such a system were multiple. By adopting an annual or quarterly standard process, analysis efforts dropped drastically. The increased quantification led to greater comparability across business units and periods and, eventually, better prioritized investment decisions. Lastly, by involving top management—by means of an interactive reporting dashboard allowing for slicing and dicing—far higher levels of ownership and integration into strategic decision making were achieved.
technology make up most of the material risks around which risk appetite is formulated.

Principle 4: Develop a monitoring dashboard based on a single source of truth across the first and second lines
Dashboards are important for monitoring compliance with the risk appetite set and can be defined at group and divisional levels front to back or by risk type.

At leading institutions, the risk function most often monitors and reports on risk appetite dashboard metrics and compliance with appetite set. Reporting on risk appetite is often done on a monthly or quarterly basis.

Information needs to be timely. Monitoring information should be provided on at least a monthly basis. Both drawn from a single source of truth, information and data can be in different cuts, such as by division responsible for the overall risk profile of the business, by shared or corporate unit owning the process, or by risk type to create an aggregated view. The latter is particularly important from a group perspective for sensitive risk areas such as cybersecurity, regulatory compliance, and transformational risks.

Principle 5: Establish a flexible governance that continually reviews processes and realigns metrics
Governance on risk appetite for nonfinancial risk is critical. Risks emerge, evolve, and are managed on a different timescale against an operating model, sourcing model, and technological and regulatory requirements that are constantly changing.

A centralized risk committee, particularly if also tasked with financial risks, can become too crowded, blindsided by second-line dominance and formalities. Such a committee is unable to constantly balance risk appetite against the status of the organization and the maturity of its operating model.

By contrast, an effective approach to risk appetite and nonfinancial risks incorporates discussions of each business unit’s risk profile, the risk profile of shared services, and specific risk categories with a clear perspective on the need to intervene and to adjust risk appetite or acceptances.

A carefully crafted nonfinancial risk governance embeds these questions into the financial institution’s overarching governance; the divisional

In addition to flexibility, a mandate is equally important. Leading institutions give control functions the mandate to review, challenge, and approve the risk appetite proposed by the business or first line. That authority helps prevent risk appetite from becoming a compliance or risk exercise led by the control function. At the same time, the above-described approach ensures business ownership by using business knowledge and insights to derive top risks and risk appetite and clear accountability.

Similarly, the chief risk officer or risk committee typically makes the ultimate decision on the proposed risk appetite before it is approved by the executive board and board of directors.

Leading institutions also formalize governance on risk appetite breaches through a predefined set of actions and timelines for getting back within the threshold to trigger real consequences. These can include stopping new business, allocating more capital, strengthening temporary controls, accelerating control remediation, or accepting temporary risk.

Responding fast is critical. Institutions typically require a remediation plan to be in place within three months in case of risk appetite breaches, but the time frame also often depends on the scale or complexity of the remediation required.
Björn Nilsson is a partner in McKinsey’s Stockholm office, Thomas Poppensieker and Sebastian Schneider are senior
partners in the Munich office, and Jan Peter Schmütsch is an associate partner in the Hamburg office.