Managing risk appetite and tolerance in a dynamic banking environment

Today’s banking environment presents unprecedented challenges to successfully managing risk and establishing a platform for achieving predictable and sustainable earnings. With the exception of the recent banking crisis, even during stressed economies, bankers had been able to effectively sense and respond to the risks inherent in their business. Certainly, there have been notable instances in which banking organizations did not sufficiently identify or effectively respond to the risks at hand. The results were unfavorable for those institutions and, as we have recently experienced, for the industry as a whole. Even the most sophisticated of organizations found themselves searching for answers in response to increasing risks and limited effectiveness in managing those risks. Given the current state of the banking industry and the emergence of a "new economy," one in which traditional risk-reward relationships will become irrelevant, managing risk is not likely to become any less challenging in the foreseeable future.

As bankers look to reinforce their risk management capabilities, many are reassessing two of the fundamental components of an effective risk management platform – risk appetite and risk tolerance.

  • Risk appetite represents the list of identifiable risks an organization is prepared to take. For banks, by necessity, most of these are pre-defined – credit, interest rate, liquidity, operational, compliance, strategic, and reputational. It is through the effective management of these risks that banks generate sufficient interest margins, collect fee income, and maintain non-interest costs at an acceptable level.
  • Risk tolerance represents the amount of each of these risks an organization is willing to accept, as well as the aggregate effect of these risks upon some critical measurement of success, such as earnings, capital, or shareholder value.

The complex nature of banking causes the effective determination of risk appetite and risk tolerance to be difficult. Faced with economic and regulatory environments that are both unpredictable and unrelenting, bankers are presented with the challenge of identifying risks and establishing manageable tolerance levels.

Risk in the new economy

The new economy has moved bankers to challenge the components of their risk appetite and the historical measurements of risk tolerance. Most notably, in addition to a heightened focus on the traditional bank risk categories, bankers are elevating the importance of systemic risks arising from counterparty exposures and from existing within an industry that has proven to be critically dependent upon its aggregate health and financial performance. The assessment of risk associated with key counterparties, such as correspondent banks, and critical service providers, such as information technology companies, requires substantially more attention than it has in previous years. Banks must be able to fully define the risk they are accepting through these relationships and be prepared to manage these risks within a much more dynamic environment. The new economy also has elevated the importance of a comprehensive understanding of risk relationships affecting all aspects of a bank. As part of defining risk appetite, bankers must be cognizant of key risk relationships such as those that exist between credit and liquidity, operations and strategy, and, possibly most importantly in the new banking environment, the relationship of compliance to all areas of a bank.

The new economy also presents some significant challenges to establishing measurable risk tolerance levels. Industry risk metrics may no longer be measurable against traditional benchmark levels. Included among the most significant of these risk metrics are interest rate margins, the adequacy of the allowance for loan losses, operating efficiency, and capital levels. The most sophisticated bank risk managers have historically measured targeted and enterprise risk tolerance levels in relation to reliable industry standards. Traditional banks generally could measure their exposure against a 3% net interest margin, an allowance for loan losses that represented 2% of the loan portfolio balance outstanding, a 60% efficiency ratio, and a 6% Tier 1 Capital ratio.

Measurable departures from these benchmarks, during normal economic circumstances, would generally be an indicator that the bank was accepting a greater level of risk than may be warranted or intended. Today, these same benchmarks may not apply, and the ability to measure risk against them is certainly much less dependable. Because of the sustained high level of volatility in the banking market, new benchmarks have not yet been identified and may not be for quite some time. That does not lessen the banker’s responsibility to sense and understand when individual or aggregate risks are inconsistent with the organization’s stated risk tolerances. These revised enterprise risk management processes must be pervasive and frequently updated to provide both comprehensive and current risk monitoring and risk response capabilities.

Compliance risk takes a leading role

Compliance risk has emerged from the recent banking crisis as a leading area of critical exposure. Although banks have maintained responsive and comprehensive compliance functions for some time, due to the proliferation of new and updated regulations, as mandated by Dodd-Frank, and the elevation of the enforcement of compliance rules and regulations by the Consumer Finance Protection Bureau (CFPB), compliance risk tolerance levels need to be reduced to at or near zero. Further, the consequences of compliance violations have been dramatically increased, thereby significantly increasing the level of human and operational effort necessary to maintain risk at an acceptable level.

The risk of compliance violations is not limited to prospective banking activities. As seen in recent settlements in the mortgage industry, bankers are being asked to absorb a significant portion of the cost related to the high level of mortgage defaults and foreclosures on the basis that they may have violated rules or regulations, intentionally or unintentionally, over an extended period of time prior to and during the recent recession. Right or wrong, the risks associated with not being in compliance, past, present, and future, cannot be overstated. Bankers must incorporate this all-encompassing risk management strategy into every aspect of their business and elevate its consideration to the highest level.

Risk appetite gains attention

There are a number of resources available today on enterprise risk topics, including a whitepaper titled Enterprise Risk Management – Understanding and Communicating Risk Appetite by COSO, the Committee of Sponsoring Organizations of the Treadway Commission. COSO is a joint initiative of AICPA, IIA, IMA, FEI, and American Accounting Association. The Committee provides thought leadership on enterprise risk management, internal control, and fraud deterrence. The risk appetite whitepaper is available at

Baker Tilly enterprise risk management insights

As a key component of their risk management activities, bankers must give timely and comprehensive attention to their risk appetite and risk tolerance. In doing so, we believe senior management and boards of directors should:

  • Specifically identify the risks they are willing, or required, to accept in their business
  • Incorporate key risk relationships into the determination of risk appetite
  • Re-evaluate the benchmarks by which risk tolerance levels are measured
  • Develop a reliable measurement methodology to understand when tolerance levels are approached or exceeded
  • Identify all compliance applications within the bank and understand the risks associated with noncompliance – past, present, and future

The best enterprise risk management platforms incorporate frequent iterative processes to continually reassess the items noted above. These processes must include all relevant business unit leaders and result in timely communication and escalation to senior management and the board of directors. Responsive actions must be promptly identified and executed to be effective.