What is Your Institution’s Risk Appetite? How to Identify and Measure Risk

written by Blair GrovesSeven years past the beginning of the largest financial crisis in the United States since the great depression, the fallout of community banks continues. Regulatory scrutiny continues to heighten, requiring the board and bank management to take additional steps to meet these increased expectations.According to the Comptroller’s Handbook on Large Bank Supervision, generally, a risk is deemed effectively managed when it is identified, understood, measured, monitored and controlled as part of a deliberate risk/reward strategy, known as risk appetite. Having a clear risk appetite strategy to guide bank management is a critical component to prepare for the increased scrutiny. This article will focus on the steps of identifying and measuring risk, and the importance of a risk appetite statement in the process of doing so.Where to start? A good place to start is by developing a risk appetite statement. A risk appetite statement is a narrative that describes the bank’s level of risk tolerance. Or in other words, how much risk are the Board and management willing to put on the balance sheet? The risk appetite should directly correlate with the capital position of the institution. It is simple, the larger your capital cushion, the more risk you can take on, if you so choose to do so.A compass in the world of risk identification If the institution does not have a risk appetite statement developed, it has nothing to compare, or align, its risk profile with. This is key in the first step of identifying your risk. Your institutions risk appetite works as a compass to gauge where you are on the map of risk. Are you within your appetite? Are you outside of your appetite? If so, what do you do to reign it back to an acceptable level?Regulators and external stakeholders are now expecting institutions to have formal risk appetite statements in place. While these statements are setting out acceptable risk for the bank as a whole, each department or division should have their own risk profile that should align with the overall risk appetite of the institution.There are 8 primary categories of risk that are inherent in bank activities:

• Strategic Risk
• Reputation Risk
• Credit Risk
• Interest Rate Risk
• Liquidity Risk
• Price Risk
• Operational Risk
• Compliance Risk

All divisions in an institution can touch these 8 risk types; though some may have more of an impact than others. Because of that, overall risk management should extend enterprise-wide, across the entire organization, in order to develop a “big picture” risk analysis. Seeing the “big picture” is key. For instance, is mortgage risk exacerbated by a high concentration of mortgage loans in consumer lending and a high concentration of mortgage-backed securities in the investment portfolio? Are extended durations in the investment portfolio to maximize yield increasing enterprise risk when combined with high concentration of long-term fixed-rate mortgages?Granularity in risk measurement Once you have your risks identified, it is time to measure them. A good way of measuring risk is to apply risk ratings to ensure management is aware, and able to quantify, risk exposure at both a department and product level. Most likely, your institution already does this, but to what granularity?Take, for example, your asset quality ratings. All banks have the standard ratings of pass, special mention, substandard, doubtful and loss. The best way to add granularity to this rating system is to break the “pass” category into sub-categories that further define each loan’s risk level. For example, the risk of a fully CD secured loan is less than that of a real estate secured loan with a loan to value of 75% and a borrower that has a good ability to service the debt. While both may be a “pass” loan, one is substantially less risky than the other. This should be designated within the asset quality ratings. This idea of granularity can be applied to measuring risk throughout the institution for different products and practices. It will aid in the demonstration of how risks are changing over time. In other words, is your portfolio becoming more or less risky over time?Communication is key Clearly communicating your bank’s risk appetite to your staff is just as important as drafting a risk appetite statement. Without guidance and reinforcement of your institution’s risk tolerance level, staff, such as lenders, tend to default to the behavior that is most incentivized for them – which may or may not correspond with the institution’s stated risk appetite.Contact our office at 417-881-0145 for more information regarding risk appetite statements.