Skip to main content

Risk Appetite Framework for Emerging Risks

In light of the ECB's priorities for 2023-2025, we outline a framework to comply with the ECB guidance

The ECB recently published its supervisory priorities for 2023-2025. Priorities are identified based on an assessment of the risk and vulnerabilities faced by supervised banks.

  • Priority 1: Strengthen the resilience of banks against immediate macroeconomic and geopolitical shocks (including filling gaps in credit risk management, specifically, leveraged transactions)​.
  • Priority 2: Meet the challenges of digitalization and deal with cyber threats​.
  • Priority 3: Intensify efforts in the fight against climate change, by elevating practices relating to climate and environmental risks.

Banks are expected to renew efforts to strengthen their risk appetite framework (“RAF”) within their organizations: They can leverage several initiatives to drive their risk management capabilities forward.

Banks should adhere to supervisory expectations to comply with the ECB guidance by: ​

  • Establishing a robust RAF and clarifying the risks that banks wish to assume within their risk capacity to achieve their strategic objectives and business plan.​
  • Effectively implementing and integrating the RAF with relevant business processes.​
  • Incorporating RAF into banks’ risk management capabilities for decision-making, strategy execution, and business planning.​
  • Articulating risk appetite through metrics and limits.​

Sia Partners has developed several capabilities and expertise to assist you in your transformation.

Key levers to succeed in your RAF transformation

You should leverage the following initiatives to drive your risk management capabilities forward: 

Establish a robust Risk appetite Framework

  • Determine your risk profile in ESG and cybersecurity, and leverage transactions.
  • Strengthen your risk awareness.
  • Align with your strategic goals and long-term business planning.

Effectively implement and integrate the RAF with relevant business processes

  • Cover a large spectrum of risk-related activities, operations and systems.
  • Develop resilience capabilities to achieve robust business continuity and efficient crisis response plans (e.g after cyber-attacks).
  • Appropriate risk mitigation strategies and an effective evaluation of risk management plans.

Incorporate RAF into decision-making, strategy execution and business planning

  • Embed RAF into strategy definition and day-to-day business decision-making.
  • Build an agile and resilient RAF and take advantage of it to manage disruptions, support business strategy and transformation initiatives to make confident decisions in the race of advantage.

Articulate risk appetite through metrics and limits

  • Establish robust risk monitoring capabilities and escalation procedures to guarantee an efficient crisis response plan.
  • Upgrade your IT systems and invest in new technology to enable the quick availability of real-time risk-related data insights.

Key success factors

1. Structuration and Decomposition of Risks

  • The identification of risks components should be aligned with regulatory definitions (or guidelines), and/or with the Group’s standards and policies.

2. Risk Appetite Metrics

  • The risk appetite metrics (or indicators) must be relevant and should measure the risk level.
  • The choice and calculating modalities of the indicators should be documented and shared with all group entities / business lines.

3. Calibration of Limits and Thresholds

  • Calibration must be appropriate and relevant within the Group.
  • The limits accepted at Group level should be documented and then applied by entities or businesses.
  • The risk limits for specific entities or business lines cannot be wider than those defined at Group level.

4. Process of Review & Reporting for Risk Governance

  • The risk appetite framework must be reviewed at least once a year.
  • It must integrate the operational teams and/or business experts to update the limit levels or set up new indicators.
  • The validation of the review is under the responsibility of the Risk Committee.
Our generic approach - Project Planning

Contact us to learn more

Sia Partners integrates this data in its client database to send you marketing communications (invitations to events, newsletters and new commercial offers).
This data will be kept for 3 years before being deleted and you can withdraw your consent to the processing of your data at any time.
To learn more about the management of your personal data and to exercise your rights, please consult our Data Protection Policy.

CAPTCHA

Your data are used by Sia Partners to process your contact request. Please note that you have rights regarding your personal data. For more information, we invite you to read our data protection policy