Love RAFs? CRO Forum's Risk Appetite survey

The CRO Forum have recently published the results of their 2014 survey on Risk Appetite development in insurance entities. It is perhaps the oldest drum in Risk Management Town, but one we are always happy to hear the beat of, and while we shouldn't expect a forum with such luminary members to deliver any shocking results, a careful sift through the carcass is always a smart idea.

The Cure - to tolerance breaches?

The final presenter at the PRA's recent NED briefing noted that Risk Appetite is "no longer an aspiration", a comment I felt was further behind the times than Nana wearing Juicy Couture. That said, on page 8 it suggests that less than a quarter of firms are "very satisfied" with their RAF maturity, and over a third feel they have "a lot of work to do", so perhaps he hit the nail half on the head...

This document should clarify whether that caution is justified, and with 48 responses from the top table, it should be a reliable benchmarking tool. Despite starting like a GCSE essay ("the topic of Risk Appetite has exploded"?), it contains some useful, if a little dry, benchmarks, such as;

• Principles for a RAF (p3-4) - hard to argue with
• Main goals - dominated by preserving capital, while only a third are looking to "improve shareholder value" or "optimise capital"
• Main stakeholder list (p5) seems good in breadth and priority
• Almost everyone is using regulatory capital in some way as a Risk Tolerance measure (p9)
• Stress and Scenario testing is being used by 80% to set Risk Tolerance levels, which feels at the right end of expectations
• 60% report quarterly, with most others slightly more or less frequent

It takes a few odd turns, in particular;

• One of the main objectives cited (p4) seem to be centre around boiling down things into a single document. I appreciate that pressure, but surely we feel that a RAF has a more substantial objective that document consolidation?
• "Development of a Risk Appetite Statement is an evolution" (p6) - don't agree at all, it is a task, otherwise it would never get done.
• Coverage of Risk Appetite Statements as "regulatory requirements", in particular under Solvency II. Just because the industry is choosing to discharge its obligations in EIOPA's Guidelines (SoG 15 & 16) by producing a single statement document, it doesn't make a Risk Appetite Statement a requirement.
• Less than half are using a "1-in-x" loss that would breach regulatory capital in their Risk Tolerances - just feels like a very obvious one to use, so suprised by that number

Some of the more practical issues faced by firms are well covered, for example;

• Difficulties for Groups when setting risk appetite. Does the parent/head-office set overall appetite, and the children sub-divide it by business unit/risk category/Both? Do the children set their own appetites and feed them up for aggregation?
• Listing Risk Concentration targets looks awkward across the board (p5). While firms seem to be able to quantify Liquidity and Capital targets in their Risk Appetite Statements, other categories are much less consistently quantified. Market, Credit and Insurance Risk appear to be quantified by less than a third of respondents, preferring to address these in separate policies/guidelines (a Solvency II by-product perhaps?).
• Setting Risk Tolerance levels is highlighted as a "minor" improvement required by over 60% of respondents.
• There is a veritable bombsite of Earnings at Risk metrics in use, which is healthy for the industry I guess (p10).
• What does one do when Risk Tolerance level is breached? Around a third are not OK with limit breaches and demand immediate rectification, while two thirds allow for a "Cure Period" to return the Risk Profile to its required form. A "Cure Period" seems the fairest breach rectification approach to me - after all, I don't care if Monday's blue...

A worthy benchmarking document, so fill those boots.