Daniel Nouys interesting speech on risk appetite frameworks contributes to an important but largely implicit debate about risk management in financial services. Its implicit nature is due, I think, to an instinctive reticence in airing too openly a subject that potentially reveals considerable differences of approach. An honest discussion about the "buyer beware" doctrine would probably fall into the same category.
Regulators tend to see risk differently from the firms they regulate. This stems from them having different objectives, and from the reality that, because they get most involved after an event has happened, regulators tend to have a more backward looking perspective.
In many ways these different perspectives are just facts of life, simply part of the deal. The real problem is that much of this reality gets lost in translation and so the extent of the difference is under-appreciated or, at worst, entirely forgotten.
Here are three of the key areas of difference where firms could take some steps to help bridge the divide:
1. Understand how "regulatory" risk fits with other business risks: Too often, both firms and (increasingly) regulators treat regulatory risk distinctly from other categories of risk. This may make sense on a practical level but only if the dependencies on the underlying business risks are properly recognised. To take a simple example, SM&CR might easily be viewed solely as a set of implementation risks but should also (as a minimum) be connected to risks around culture, accountability, governance and crisis management.
2. Define impact more broadly: There are many advantages to approaching risk appetite predominantly through the potential for financial loss. However, it also has some downsides, one of which is that it undervalues many of the risks the regulator will be most concerned about. Typically these will focus more on the customer impact and on potential harm to the market rather than the firm's bottom line.
3. Think outside the silo: Most organisations approach risk predominately through their own structure, and aggregation only really takes place at ExCo level. Partly as a result, there is usually little attention paid, either to risks that in combination aggravate each other’s probability, or to those risks that may be relatively small at local level but whose aggregate impact can be very significant when viewed cross-firm. These sorts of risks, which often include culture issues, have a much higher priority with the regulator.
For their part, regulators often don't appreciate how complex and fraught risk management is on the ground, and how difficult it is to get into a position to challenge when key decisions are made. Similarly, the level of technical knowledge required to properly understand a firm's risk profile continues to climb.
Against this background, Daniel Nouys' speech is helpful but is really only a potential starting point for stripping away the misunderstandings that still exist on both sides.
So banks must know how much risk they can stomach and set their appetite for risk accordingly. Naturally, this takes more than guesswork: it requires comprehensive and well-developed risk appetite frameworks.