Determining and monitoring risk appetite. Methods and procedures for assessing the risk appetite of a credit institution. Link between national culture and risk taking

A key component of any company's risk management philosophy is determining its risk appetite. Risk appetite reflects the amount of risk that a company can take depending on its financial and operational capabilities, growth rate and expectations in terms of profitability from stakeholders (i.e. shareholders, sellers, creditors, etc.)

If you turn to the Google search engine for a definition of the term "risk appetite", you can find a number of definitions of this concept.

Deciding how much risk a company is willing or unwilling to take is a corporate-level decision. The following pages will be devoted to how companies are able to decide how much risk to take and what kind of risk companies are willing to take. For example, many companies own the confidential information of their customers (for example, credit card number, customer addresses, etc.), and the greater the cost and risk of losing this confidential information, the more carefully control over the IT service must be for fear of damaging business in the event that such a situation arises.

Finding a balance between risk appetite and control is not an easy task, but every company should strive for it and constantly work to find this balance. For example, if your company is a financial institution and is active in financial instruments (for example, forwards, futures, options, swaps, and other types of derivatives), you should be aware that senior management (the Board of Directors and CEOs) is aware of the function of these instruments and why the company uses them. Maybe the purpose of the derivative is to hedge against changes in interest rates or changes in the foreign exchange rate, or perhaps, as in the case of AIG, use this as a means to increase profits (for example, MBS, CDO, CDS, etc. .d.). If you know your company's risk appetite, then you have a basis from which you can determine whether there is alignment of purpose between the Board's desires and management's actions. The following is an example (case study) of what happens in the absence of a congruence goal.

Bankruptcy Case Study in Orange County

Congruence exists when everyone in the company is on what is called the “same page”, moving in the same direction towards the same goal. This gives confidence that the activities of each department, unit and all employees will contribute to the implementation of the main goals of the organization on the way to their implementation. However, target congruence can become problematic if a company deals with complex financial products. Some financial instruments can be so complex and difficult to understand that only a few people in the company really understand what the essence of the instrument is, let alone how to capture it. If people don't understand what a specific tool is, it's very difficult to get the tool to match the company's goals. This situation is confirmed in the case of the bankruptcy of Robert Citron, which occurred in Orange County in 1994.

Robert Citron was the "star" of the Orange County Treasury, which was (and still is) one of California's most prosperous counties. Citron was considered a treasury genius, overseeing a $7.5 billion investment pool of district schools, cities, neighborhoods, and Orange County itself. The function of the county treasury is "to act as a bank for the county, school districts, fire departments, water utilities, and other local government departments. The Treasurer's office receives, distributes, invests and reports on the use of funds from each government enterprise (investors)." Various government departments contribute funds from tax revenues and other sources to the pool, hoping to multiply their funds by that time when they have to spend it on vital public needs.These investment pools are supposed to represent a conservative, but profitable, way of managing the cash flow of the county and other government agencies.However, in reality, this turned out to be not at all what was happening in Orange County.

Citron had a reputation as an investor who earned higher returns than his peers. Its return was at least 2 percent higher than the state funds. Be that as it may, Citron received more profit, since he took more risks. Citron often borrowed short-term and invested long-term, and since such a strategy offers higher returns, it also means greater liquidity risk. His strategy was based on short-term interest rates, which were lower than those on long-term investments. Thus, at the moment when interest rates went up in February 1994, the value of the investment pool went down. This decline was exacerbated by Citron's use of various financial levers to increase its investment pool to a value of $20 billion. This financial adjustment increased its positive returns, but it also increased its risk. And by the end of 1994, Citron's actions led to a liquidity trap that resulted in a $1.6 billion loss.

At the time, the bankruptcy of Orange County was the largest local government financial crisis in US history. Citron's investment practice should have been subject to strict independent oversight, but due to the fact that Citron had a good track record and his supervisors were not sophisticated financial experts, allowed him to invest without control and oversight. This lack of control was a major factor in the loss of $1.6 billion in public funds.

There are at least two lessons to be learned from the Orange County bankruptcy.

1) One should be vigilant when dealing with a "star", even if such a star is Robert Citron himself. Sometimes the real reason for higher returns can be overlooked: the use of financial leverage. Adequate control and oversight should be established.

2) Risk reporting should be complete and easily understood by independent professionals. Investment or financial strategies that cannot be explained to third parties should be avoided. Again, adequate control and oversight should identify situations where something more complex (risky) happens than what the organization is willing to accept.

Just because Citron could produce amazing results, the district leaders, instead of providing adequate oversight of his activities, wanted to see what they wanted to see. If the county had strict oversight and control, bankruptcy in Orange County might not have happened. In order to ensure a well-functioning internal control system, the first step was to ascertain the Board's and senior management's attitudes towards risk appetite and risk acceptance. Based on this, appropriate controls could be formulated and implemented to ensure that the behavior and activities of the company are consistent with its goals and objectives.

It is often said that risk appetite is a measure of how a company conducts its business. However, the amount of risk that a company (or department or unit) is willing or unwilling to take is in the eyes of the owner. For example, because of the fact that equity investors are interested in a return on their investment, they would be willing to take on more risk than, say, a pension fund that invests pension funds that may be needed in the near future. Therefore, the decision on the amount of risk a company is willing and able to accept or tolerate must be made at the corporate level, following a top-down approach.

Risk appetite, risk tolerance, risk tolerance

In order to better understand a company's appetite for risk, two more additional terms should be introduced: risk capacity and risk tolerance. Diagram 1 shows and defines the interconnectedness of the terms.

Scheme 1. Risk capacity, Risk appetite, Risk tolerance

As the diagram above shows, in order for a company to determine its risk appetite, it must first determine its risk tolerance. Simply put, it is an absolute limit, the limit that a company is willing to lose without "wrapping" itself. Based on this, the company is able to determine how much it is willing and able to lose. This is a very important concept, as the diagram shows that the risk appetite must be set within its risk capacity.

Once a company has decided on its risk tolerance and its risk appetite, it can then decide what its risk tolerance, i.e. the actual level of risk the company is able to take, given a specific risk factor (see Risk Categories). Based on this, it can be expected that the amount of risk within the category should not exceed the overall risk appetite of the company. For example, if a company makes loans to its customers, then the company exposes itself to credit risk, which is the risk that the customer may not repay the loan. Given this risk, company management must understand how much bad debt the organization can and is willing to tolerate. The level of risk tolerated has an impact on the financial statements, as the company must calculate how much bad debt it is going to have.

Different Approaches to Risk

Business is inherently risky, which means that organizations must take on some risk in one way or another if only to survive. The amount of risk a business takes will depend on whether the organization is risk seeker or risk averse. Being risk averse does not mean that the business is trying to avoid risk altogether, instead, it means that the business is focused on earning sufficient recovery from the risks it takes. On the other hand, risk seekers in business are those who are more focused on maximizing profits, and thus less concerned about the level of risk they are willing to take in order to maximize profits.

The range of business attitudes towards risk taking can be seen in the Risk Continuum (Figure 2) below. Two ends are two extremes, while organizations that are closer to the real life situation will be somewhere in the middle. On the left side, the extreme point shows businesses that are afraid to take risks and whose strategies are chosen in such a way as to avoid risk. On the right side are businesses that are actively seeking and boldly taking risks.

Scheme 2. Endless Risk (Risk Continuum)

Wherever a business is located along this line, it should in any case try to reduce risk, but not try to eliminate it completely. The function of risk appetite, in this regard, is to show the business where it is on this line, whether on the right or on the left.

The following is the story of an entrepreneur who is a big risk taker.

A contractor working in the defense business involved in software protection decided that the risk of falling behind in software technology was so great that it literally put the company's existence at stake, so the company must develop new software that could protect sensitive information in the field. defense industry from external viruses and penetration (hackers). In case of non-receipt of a contract for the protection program, the company may become bankrupt. The risk that the company took (risk appetite) was very high, but everyone involved in the process understood this, including the Board of Directors. The risk they were taking was widely discussed at the Board, and was agreed with the decision of the management. This decision demonstrates the company's high risk appetite. Investors also realized the riskiness of this venture when they lowered the value of the company's shares. The main point here is that business strategy and risk appetite are under intervention so both must be taken into account. In particular, this is important when assessing risk appetite during strategy development and formulation.

What influences a company's risk appetite

As already noted, the company's strategy must take into account risks. When accounting for risk and risk appetite, there are many factors that can affect a company's risk appetite, such as:

At what stage in the development of its life cycle is the company. Where a company is in its life cycle can, and very often does, affect a company's risk appetite. For example, companies that are at the start-up stage are inevitably exposed to greater risk by the mere fact of starting a business. These companies are just trying to survive. Their main task is to effectively manage cash flows. Statistics show that 50% of companies in the US do not survive the first 5 years of their existence. Startups are associated with entrepreneurs, who in turn are associated with risk taking.
If a company is able to get out of the start-up phase and move into the growth phase, the company needs to strengthen the control system to manage risks. Companies at this stage may establish internal controls as a function to oversee control processes and assess risks. Once a company has entered the maturity phase, sales tend to level off, forcing the company's management to focus on cost control. This can be done through productivity gains. Companies at this stage may also focus on entering foreign markets or developing other types of product. This means that these companies must have tight control over the entire business process.
Opinions of key stakeholders, including major shareholders, bondholders, borrowers, analysts and many other shareholders. Each shareholder may have a different opinion on how much risk a company should be willing to take. For example, stockholders who expect higher returns are likely to put pressure on the company to take more risks. Whereas a bank that has lent money to a company is likely to prefer that the organization limit its risks.
Whether the point of view of an individual shareholder is taken into account will depend on how much influence that person has within the company and the decision-making structure. For example, if a bank lent a company a large amount, then the bank will be very interested in the company continuing its existence. If the bank feels that the company is taking unjustified risks, then it can voice its concerns and doubts to management and the Board. How powerfully the bank will voice its concerns will directly depend on how much the bank can suffer in the event of a company default. However, just because a bank is voicing these concerns does not always mean that the board will listen or care about the bank's concerns.

The following is an example of how one person's personal attitude to risk can be reflected in the strategy of the organization that that person manages. The example given here is about Richard Branson, Chairman of the Virgin Group.

Richard Branson is the founder and Chairman of the Virgin Group Ltd. The group includes about 400 companies of various profiles scattered around the world. All travel-related operations are carried out by Virgin Atlantic Airways, 51% owned by the Group. This company operates in 30 directions around the world and is the largest money generator. It would take a long time to list all his business ventures and projects, both successful and unsuccessful. But Branson was never afraid of failure. He owns the statement: “The meaning of the word “entrepreneurship” can be reduced to another word, “game”.

To build a company like Virgin, Richard Branson obviously had to take a lot of risks. In fact, Richard is known for his risk taking, and has the nickname "adrenaline junkie". In support of this nickname, he takes on the most daring and risky projects, one of which is the creation of a branch with the loud name of Virgin Galactic, whose plans include offering space flights (space tourism) to anyone willing to pay; $200,000 per flight. You can imagine the risk this venture takes. The project will require huge investments and there is definitely no guarantee that the project will be successful. The risk of a catastrophic outcome is quite likely.

There is no doubt that the risk appetite of this company comes directly from its Chairman, who, by the way, owns most of the company. As a result, Richard Branson is not under particularly strong pressure from shareholders.

Accounting factors such as volume of transactions, complexity of the accounting system, changing rules and regulations, etc.
The likelihood of fraud. This includes issues relating to the nature of the business, the control of the business, and the ethical aspects of the business environment within the company.
External factors such as changing economic conditions, changes in industry, changes in technology, etc. For example, if a country is going through a recession, a company may decide that it would be more appropriate to set aside a larger allowance for bad debts, given that there will be more consumers of bad debts. Or, if the industry is under scrutiny due to environmental concerns, the company must decide whether to lay a provision for anti-pollution stocks. Also, a company may decide that it must enter a large risk zone in order to maintain profitability levels in a declining economy.
government restrictions. Depending on the industry, the state can play a role in how much risk a company can take. Some industries, such as insurance and banking, are usually subject to more restrictions and restrictions than organizations in other industries because they use public money. The current crisis has increased the need for government regulation, especially in banking.
Factors that depend on the level of the enterprise, such as the number and quality of hired personnel, the quantity and quality of training, gaps in the system of processing and processing information, changes in the organizational structure, changes in key positions, etc.

Finally, cultural factors often play a role in determining a company's appetite for risk.

Link between national culture and risk taking

Researchers have always believed that there is a relationship between the cultural characteristics of the country and the behavior of the company in developing a risk strategy. When thinking about risky people, the thought immediately comes to mind about entrepreneurs, people who want to take on projects that require a lot of risk. Entrepreneurs are by nature individualists and innovators. If we rely on this provision, then it is quite reasonable to assume that countries with individualistic traits, more pronounced in the character of this or that people, will be more entrepreneurial. Based on the results of his research in the field of the relationship between national traits and the "entrepreneurial vein" of individual peoples, the Dutch scientist Geert Hofstad came to the conclusion that the United States of America ranks first in the ranking of the most individualistic cultures, while the countries of Latin America considered the most collectivist. This concept is important for taking into account national behavioral cultures when considering options for expanding a company's activities outside its own country when making decisions and developing behavioral policy.

For example, managers in "individualist" countries tend to be more autonomous and independent than managers in "collectivist" countries. However, if your business belongs to a more collective type of activity, then a collective decision is more acceptable within the organization. If, on the other hand, your business culture is one in which individualism is welcomed and promoted, then management can make riskier decisions based on experience and better judgment. For organizations, this can mean a higher level of risk in the hope of getting more returns.

As can be seen from this: one should strive for a balance between the cultural environment of the company and the national culture of the country in which the business is conducted. It is not hard to imagine that this is not an easy task when doing business in an environment with two distinct cultural differences. In such cases, for a better understanding of the culture of the country in which the organization operates, it would be useful to conduct trainings and seminars on intercultural communication (cross-cultural). Such activities are designed to understand the influence of different cultures on each other and to overcome difficulties.

Formulating Risk Appetite

If an organization (whether large or small) has not made a formal statement about its risk appetite, then it is likely to run into control problems in the future. Without such a statement, managers cannot effectively manage the company at a level of risk that they can take or are allowed to take and not miss important opportunities where needed, believing that taking additional risk is frowned upon when this is exactly what is needed. .

Formalization of risk appetite means putting it on paper. This is done with the intent that there is less misunderstanding about what the Board and senior management think about risk. It is generally understood that the larger and more complex an organization is, the more specific its policies and procedures (also risk appetite). Formalization of the risk appetite facilitates communication with everyone to whom the information is directed.

For example, large financial services companies such as Citibank, Bank of America, BNP Paribas, ING, HSBC, and others are expected to have more sophisticated formal risk appetite statements than SMEs. This all happens, probably, due to the restrictions and pressure of the provisions of the Basel III document, or some other regulation. In small and medium-sized businesses, a company's risk appetite statement can be expressed in one or two sentences, for example: project investments should not exceed 20% of the book value or IFRS revenue should not be adversely affected by more than 50% of estimated income.

Risk appetite can be expressed either numerically (in dollar terms) or qualitatively (by description). Below are a few examples of risk appetite quantification.

Solvency - The company does not want to lose more than a certain amount of money from its capital, so that it is not in constant anxiety that in the event of force majeure events or combinations of extreme situations, it will suffer huge losses.
Capital Coverage - Requires a company to have enough capital to cover a specified level of damage repeatedly, such as 1 in 100 per year.
Earnings - The company does not want to lose more than a certain percentage or amounts of income in accordance with GAAP standards, for example, (US GAAP or IRFS)
Company value - The company wishes to calculate the amount and types of risk that will maximize the value of the company (risk adjusted represents the value of future cash flows)

Below is a table that illustrates the quantitative measurement of risk appetite at ING:

On the other hand, there may be such assets at risk that cannot be quantified, but the risks still need to be voiced. In this case, the term “risk preferences” is used to express risk appetite. Risk preferences define risks that your company is unwilling to take, such as not investing in subprime mortgages or not accepting variable annuity loans.

Risk Appetite Assessment Process

After briefly describing the conceptual foundations of risk appetite, I would like to proceed to the next stage. Once the concept of risk appetite is understood, the next step should be to assess whether the risk is right for your company and whether decision makers understand the amount of risk they can take to achieve goals and company tasks.

This evaluation process should include the following factors:

Has the company documented its risk appetite. You want to know whether a formalized risk appetite is justified for the activities in which the company is involved.
Management (with the approval of the Board) communicated information about risk appetite and risk tolerance to all divisions of the company (in departments, divisions, branches, etc.).
Risk appetite and risk tolerance are reviewed on a regular basis and updated based on changes in the business environment. Risk appetite cannot be set once and for all and remain unchanged.

Figure 3 shows the process for conducting a risk appetite assessment. Each feature is discussed in detail on the next page.

Scheme 3. The process of conducting a risk appetite assessment

1) Checking documentation for risk appetite

You begin the process of conducting a risk appetite assessment by reviewing all documentation held by the company for risk appetite. As noted above, a company that does not document its risk appetite may face control problems in the future. However, a simple formalization of risk appetite is only the first step. It often happens that the risk appetite is not understood enough to provide the basis and foundation for making the right decisions.

It often happens that companies mistakenly define their risk appetites. Here is an example of such a case: the risk is documented in such a way that “the company came to the conclusion that it was risk hungry in IT technology, which led to the relaxation of some of its normal development system control processes. As a result, the company failed, at least , in two cases of systems implementation, because elementary and simple control procedures were not followed. These failures of the system were so catastrophic that most of the Council were either forced to resign or were fired. Based on this, the lesson that has been taught is that risk appetite has two components, risk and control, and taking into account only one component without considering the other will invariably lead to suboptimal decisions.

The assessment process consists primarily of making sure that the board/management has determined and documented its risk appetite, and then making sure that this information has been communicated to all levels of the organization. For example, if management has set a specific monetary limit on capital acquisitions, then the appraisal process will be to ensure that the limit has not been exceeded.

Organizations typically document their risk appetite in a formalized statement, the "risk appetite statement". The function of the statement is to ensure that risk behavior within the organization reflects the interests of the company's shareholders, the Board and management. The statement can be used to ensure that the company has chosen the right tone for itself. When reviewing an entity's risk appetite statement, it should be kept in mind that the entity must decide for itself what that risk appetite should be.

The list below is a useful exercise in evaluating a company's claim of risk appetite. It allows you to understand whether the Board and management of the company are “on the same line” in their tasks when taking into account risk appetite.

Has the company identified its shareholders and is aware of their expectations
Has the company (company-wide) established a broad risk appetite.
Has the company defined its tolerance for specific types of risk?
Whether the company has reconciled its risk appetite with its current risk profile.

Illustrative Risk Appetite Statement: SCOR Se

Our proven ability to absorb shocks, along with SCOR's current competitive position, allows us to moderately increase our risk appetite for 2010-2013 and see future improvement in both profitability and solvency. The following three main objectives follow from this.

Risk profile optimization.
"AA" level of financial security provided by our clients,
ROI that is 1,000 points above the risk-free base point for the entire cycle.

As an organization matures, the likelihood of new risks increases. How much risk is acceptable for the company in this case? The answer to this question lies in the concept of "risk appetite".

risk appetite determines the level of risk an entity can accept to retain in order to achieve its operational and financial objectives. Risk appetite depends on external and internal factors. To external factors include market conditions, the macroeconomic state of the economy, government regulation requirements, ongoing changes in the industry. Internal factors are the financial capabilities of the organization, the current stage of its life cycle, the opinions of the main stakeholders (shareholders, bondholders, analysts). Also, an important factor is the expectation regarding the development of the company in the medium term: the forecast of profit, revenue, market share, etc.

Risk capacity defines the maximum risk limit an organization can accept. In other words, this indicator corresponds to the maximum level of losses at which the organization will not be declared insolvent (bankrupt).

It is obvious that the risk appetite should not go beyond the limits of the risk capacity, therefore, first, as a rule, the risk capacity is determined, and then the level of risk appetite.

The value of the risk appetite is set by the company's management with the obligatory justification of the compliance of the risk appetite level with the strategic objectives of the organization. When formalizing the risk appetite, its value is fixed in the internal documents of the organization, which determine the internal risk management policy. For example, the risk appetite can be established in the Regulations on risk management of the organization, which also sets out the goals, principles and approaches in the field of risk management. The organization should clearly define who is responsible for monitoring and adhering to the risk appetite.

Having a set value for risk appetite simplifies the organization's risk management process. In this case, it comes down to controlling that the current risk value does not exceed the entered risk-annetite level. If the current risk value exceeds the risk appetite, the organization takes measures to manage the risk in order to reduce it to the risk appetite level. If such an excess occurs, the organization takes the necessary measures to reduce the risk to the level of risk appetite.

When deciding on the management of a specific risk, the ratio between the cost of risk management measures and the risk assessment is taken into account. In exceptional cases, the organization's current risk level may exceed the risk appetite value if the cost of risk reduction measures exceeds the risk value.

Thus, the risk appetite allows: 1) to determine what risks the organization can accept; 2) formulate a clear management position regarding risks; 3) simplify the risk management process; 4) to avoid cases when the amount of loss from the occurrence of risk can lead the organization to bankruptcy.

The scheme of using the concept of risk appetite is shown in fig. 2.10.

Rice. 2.10.

The function of the risk appetite in risk management becomes easier to understand if we consider an axis where two opposite ends characterize the two extremes in risk taking (Figure 2.11). On the left side, the extreme point shows a conservative strategy, when the organization is completely risk averse. The right side of the axis, on the contrary, corresponds to the maximum risk strategy. The role of risk appetite is to determine which point on this axis corresponds to the organization's strategy.

On fig. 2.12 shows a risk map. On one axis, the probability of the occurrence of risk is plotted, on the other, the size of the loss from the occurrence of the risk. The straight line, corresponding to the risk appetite, divides the matrix area into two parts: all projects (tasks) of the organization that lie below the direct risk appetite are acceptable, and vice versa, all projects above the risk appetite straight line have an unacceptable level of risk. This figure shows low-risk and high-risk organizations. For each company, the project marked with a dot in the figure 1, is valid, and the project 3 both organizations must reject due to an unacceptable level of risk. However, the project 2 for an organization with a low level of risk is unacceptable, while for another organization it is acceptable.

Rice. 2.11.

Rice. 2.12.

Risk appetite can be defined in quantitative and qualitative terms. In the first case, the absolute value of the possible risk or its relative value (for example, the permissible deviation of the indicator from the planned one) is set. At the same time, the risk appetite is determined depending on the goals of the organization. These goals may be to achieve financial targets, meet financial regulations and other performance indicators of the company. They may consist in compliance with financial standards, in achieving the established financial and other performance indicators of the company. A qualitative expression of risk appetite is used when risk cannot be quantified. In this case, the risk appetite is established in a descriptive way.

Examples of quantitative risk appetite.

1. The organization must not lose more than 10% of annual income. If the potential losses exceed this value, it is necessary to refuse to accept the risk.
2. The size of the organization's capital must be sufficient to cover five losses of a certain level in a specified period of time. If there is not enough capital, the risk cannot be accepted.
3. The ratio of the financial debt of the organization to the value EBITDA at the 3:2 level.

Examples of qualitative risk appetite.

1. The organization should not operate in countries with increased currency risks.
2. The organization should not work with partners whose financial strength rating is below a certain level.

Each organization has its own way of defining risk appetite. Only the overall level of risk appetite can be set. In this case, the value of the current risk of the organization (taking into account the acceptance of new risks) is compared with the value of the overall risk appetite. With another approach, in addition to the general risk appetite, the maximum value of losses for each type of risk is set. In this case, along with the control of the overall risk of the organization, control is also carried out for each type of risk.

There are different methods in determining risk appetite. Let's consider some of them.

Method, based on the cost of risk management activities. In this method, the only criterion for assessing risk appetite is the ratio between the cost of risk management measures and the amount of risk in a certain period of time. The risk is accepted by the organization in any case, if the potential losses from the occurrence of the risk do not exceed the cost of risk management measures. The level of risk appetite in this case corresponds to the cost of risk management measures.

Method, using the organization's current level of risk. With this method, the overall risk appetite of the company is summarized from the individual components. For this, indicators are calculated, with the help of which the maximum allowable losses of the organization for each type of risk are determined. Such indicators may include the company's total debt portfolio, the company's market value, the company's equity, the amount of liabilities in foreign currencies, counterparty credit ratings for existing financial transactions, and other risk indicators.

The overall risk appetite of an organization in a certain period of time is calculated as the sum of possible losses for each type of risk:

where lj- assessment of losses associated with the onset of risk (1 - credit risk, 2 - liquidity risk, 3 - currency risk, 4 - interest rate risk, 5 - stock risk), taking into account the probability of risk occurrence.

The overall level of risk appetite can be expressed both in absolute terms and in relative terms. For example, risk appetite is set as a certain percentage of an organization's equity capital or its market value. Further redistribution of risk appetite for each risk is carried out taking into account the weight of each risk calculated by the formula

where lj- assessment of losses associated with the occurrence of the i-th risk in a certain period of time, taking into account the probability of the occurrence of the risk; R- the overall risk appetite of the organization in a certain period of time.

A method that uses the organization's historical level of risk. In this method, as in the previous one, the risk appetite is calculated as the sum of possible losses for each type of risk. The difference is that in this case, the historical dynamics of the risk indicators of the organization is considered.

For each type of risk, a period is selected in which the organization assumed an increased risk. This may be, for example, a crisis year with unfavorable market conditions or any other period at the discretion of the company's management. Periods should not be considered when the onset of risk led to serious consequences for the organization, requiring a radical revision of the chosen development strategy.

The absolute value of risk appetite is calculated as the sum of possible losses for each type of risk in different periods of time:

where Lj(tj)- assessment of losses associated with the occurrence of the i-th risk at time f, taking into account the probability of the occurrence of the risk, i- 1, 2..., 5.

Method based on data from similar organizations. With this approach to determining risk appetite, statistics are used for similar organizations. The criteria by which comparable organizations are selected are established by methodological documents and may include such indicators as the territory of the company, its market value, the amount of revenue, the ratio of own and borrowed funds, etc.

In this case, risk appetite is defined as the overall risk level of an organization that does not lead to a deterioration in the organization's performance, but compared with the average of peers.

Method, based on stress testing. To use this method, the factors that have a significant impact on the organization's activities are first selected. Both internal indicators of the organization and external ones are considered as factors. External factors may include interest rates, macroeconomic indicators, commodity prices, government regulation requirements, etc.

Then a model of the organization's behavior is built depending on different scenarios of the dynamics of the selected factors. After that, a combination of factors leading to the worst acceptable state of the organization is established. Based on these factor values, the level of risk appetite is determined.

Method of expert opinion of specialists. In this case, the risk appetite is established based on the opinions of the owners of the organization, its management and other experts.

Combined method. This approach combines various methods for determining risk appetite. For example, an organization's overall level of risk appetite is calculated using a peer-to-peer method, and the allocation to each risk is made using weights calculated based on the organization's historical level of risk.

In many companies, risk appetite is the starting point for developing a strategy for its development and capital planning. When determining the risk appetite, management proceeds from the objectives of the organization. For example, a bank aims to achieve a high rating with a low risk appetite or to achieve a high level of income, implying a high level of risk appetite. The entity should consider how the identified risk annetite is acceptable in the current period and how it will be acceptable in the future.

Risk appetite affects the corporate culture and style of the organization. Its use helps to choose the directions for the development of the organization that correspond to the established level of risk appetite.

Many government regulators recommend using the concept of risk appetite in the activities of organizations. In particular, in the banking sector, the Basel Committee on Banking Supervision and Regulation (Basel II) considers the use of risk appetite as one of the main principles of bank risk management.

The disadvantage of using risk appetite in managing a company's financial risks is the presence of subjective assessments in its determination. The absence of the necessary financial components for calculating the risk appetite makes it necessary to rely only on expert opinion.

In addition, there are no precise statistical models for quantitative risk assessment to calculate the current risk level. Therefore, an organization can only establish a risk appetite for certain types of risk, where its value can be calculated with a fairly high degree of accuracy. In addition, using the concept of risk appetite requires that the internal business processes of the organization are built in an appropriate way, ensuring that it is easy to calculate the current level of risks of the company at any given time. The management of the company should have timely and sufficient information about the nature and level of risks taken.

Basel II: International Convergence of Capital Measurement and Capital Standards: ARevised Framework - Comprehensive Version, BCBS, Jun 2006.

A key component of any company's risk management philosophy is determining its risk appetite. Risk appetite reflects the amount of risk that a company can incur depending on its financial and operational capabilities, etc.

If you turn to the Google search engine for a definition of the term "risk appetite", you can find a number of definitions of this concept. Here is one of them “The level of risk that the company's management considers acceptable in the process of achieving overall financial and solvent goals” (Society of Actuaries ERM Symposium, from April 2010).

Deciding how much risk a company is willing or unwilling to take is a corporate-level decision. How are companies able to decide on the amount of risk they take, and what risks are companies willing to take? For example, many companies own the confidential information of their customers (for example, credit card number, customer addresses, etc.), and the greater the cost and risk of losing this confidential information, the more carefully control over the IT service must be for fear of damaging business in the event that such a situation arises.

Every manager, every director, every company has a risk appetite, whether it has been clearly stated or not. Risk appetite is expressed in the actions or inactions of management and directors that are taken or not taken in order to achieve the goals and objectives of the company.

Risk is a necessary consequence of running any business, however, those companies that think through and formalize their risk appetites have a chance to be more successful in the long run. The purpose of this paper was to encourage thought on how to formalize your risk appetite in such a way that the company has a better chance of surviving in the future.

There are many valuable tools and techniques that can help mitigate risk and manage earnings volatility.

It is useful to divide the cost of risk into two categories – retained risks and transferred risks. The category into which a given risk falls depends on the organization's appetite for risk. The term “risk appetite” also has several meanings, but according to the most common, risk appetite covers more than the concept of insured risks, and is a method that helps determine the possible profit or loss that a company is willing to incur. Risk appetite can be measured in a variety of ways, from enterprise performance analysis to executives and boards of directors' intuitive sense of the right direction.

What is important about the concept of risk appetite is that it clearly indicates the risks that the company can bear and the risks that it should transfer. When risk appetite is aligned with all stakeholders, both inside and outside the organization, it can provide:

1) better strategic decision making (due to more efficient allocation of financial and human capital);

2) introducing a culture of risk management with a tradition of transparency and more effective corporate governance practices;

Retained risks can also be divided into two categories:

Business, project and investment risks – this category considers risk as an uncertainty relative to expectations and thus captures a company's ability to make a profit or incur a loss. To succeed, organizations need to take risks. However, this approach implies that the risks taken are measured and carefully studied in order to make the best strategic decisions. Useful techniques in dealing with such risks are the study of uncertainty over time, discounted cash flow analysis, decision tree analysis, and many other special techniques.

Loss prevention and risk mitigation – this category is used for loss risk management. The techniques used in this case include quality control, safety oversight, loss control, traditional risk management, and asset protection. Among other things, these measures include risk prevention, their reduction, and financial risk management techniques for the effective management of funds allocated to cover the remaining losses after the implementation of all measures.

The cost of transferred risks can be managed in whole or in part through methods such as entering into a contract with the necessary conditions or entering into a strategic alliance. The cost of risk can also be managed through financial risk transfer techniques such as insurance, hedging and derivatives. This aspect of risk management is traditionally strong in insurance companies, brokers and banks.

18. Risks in the formation of a portfolio of securities .

Let us now consider the role of risk in the formation of a portfolio of securities. The risk associated with the acquisition of certain types of securities is due to the fact that the expected income from them is a random value; it can take on various numerical values with certain probabilities.

Probability characterizes the degree of certainty of the occurrence of some event. The probability of a guaranteed event is taken as one, and an impossible one is taken as zero. The probability of a random variable is greater than zero, but less than one, and the sum of the probabilities of all its possible values is equal to one.

There are two main ways to determine the probability of a random event: objective (historical) and subjective (predictive). An objective estimate of the probability is derived from the data of statistical processing of the results of observations of repetitive processes that generate random events. Thus, it is possible to determine the probability that in April of the current year in Moscow the average monthly temperature will be above zero or that on December 31 there will be no traffic accidents in the city. Sometimes an objective estimate of the probability of a certain random event can be given a priori: for example, the probability of getting the number 3, like any other from 1 to 6, when throwing a six-sided die is 1/6. A subjective estimate of probability is reduced to a more or less justified forecast of the frequency of occurrence of possible values of a random variable. In investment calculations, one usually has to deal with new technologies, and therefore with subjective estimates of probability.

Based on the given probabilities of random variables, various algorithms for determining their average expected values are built. Most often, the expected value is calculated as a probability-weighted average value. So, if in the next year the profit of the company with a probability of 0.1 can be equal to both 15 and 30 den. units, with a probability of 0.2 - and 18, and 24 den. units and with a probability of 0.4 - 20 den. units, then the expected value will be
0.1(15 + 30) + 0.2(18 + 24) + 0.4 20 = 20.9 den. units

Since quantitative estimates of probability are not always reliable, the actual value of the predicted value may not coincide with the expected one. This is where the concept of risk comes in: there is a risk that the actual value will not match the expected value. The probability of deviation of the actual value from the expected one is the greater, the wider the spread of values of the random variable. Therefore, as a measure of the risk inherent in a decision with a probabilistic outcome, the so-called standard deviation () is used - the root-mean-square absolute deviation of the possible values of a random variable from the expected one. In the example above, the risk of not making a profit of $20.9 next year. units will be

= [(20,9 - 15) 2 + (20,9 - 18) 2 + (20,9 - 20) 2 + (20,9 - 24) 2 + (20,9 - 30) 2 ] 0,5 = 11,7.

The value 2 is called dispersion or variation.

19. Games with nature.

In some tasks leading to gaming, there is uncertainty caused by the lack of information about the conditions in which the action is carried out (weather, consumer demand, etc.). These conditions do not depend on the conscious actions of another player, but on objective reality. Such games are called games with nature. A person in games with nature tries to act prudently, the second player (nature, consumer demand) acts randomly.

The game conditions are given by the matrix .

Let the player have a strategy BUT 1 ,BUT 2 , …, A m, and nature - states AT 1 , AT 2 , …, In n. The simplest situation is when the probability is known pj every state of nature In j . In this case, if all possible states are taken into account, p 1 + p 2 + … + pj+ … +p n = 1.

If player A chooses a pure strategy And i , then the mathematical expectation of the payoff will be p 1 a i 1 + p 2 a i 2 + … + p n a in. The most profitable strategy is the one that achieves

(p 1 a i 1 + p 2 a i 2 + … + p n a in).

20. Matrix game analysis example .

Matrix games, concept of game theory. M. i. - games in which two players (I and II) with opposite interests participate, and each player has a finite number of pure strategies. If player I has m strategies, and player II - n strategies, then the game can be given ( m ´ n)-matrix BUT = ||a ij ||, where a ij is the payoff of player I if he chooses the strategy i (i = -1, ..., m), and player II - the strategy j (j = 1, ..., n). Following the general principles of behavior in antagonistic games (of which M. and. are a special case), player I seeks to choose such a strategy i 0, on which

;

player II seeks to choose a strategy j o, on which

;

If a v1 = v2, then pair( i 0 , j 0) constitutes the saddle point of the game, that is, the double inequality

; i = 1, ?, m; j = 1, ?, n.

The number is called the value of the game; strategies i 0, j0 are called the optimal and pure strategies of players I and II, respectively. If a v1 ≠ v2, then always v1 < v2; in this case, there is no saddle point in the game, and the optimal strategies of the players should be sought among their mixed strategies (that is, the probability distributions on the set of pure strategies). In this case, the players already operate with the mathematical expectations of the payoffs.

The main theorem of the theory of M. and. (Neumann's minimax theorem) asserts that in any M. and. there are optimal mixed strategies X*, y*, on which the achieved "minimaxes" are equal (their total value is the value of the game). For example, the matrix game has a saddle point at i 0 = 2, j0= 1, and the value of the game is 2; the matrix game has no saddle point. For her, optimal mixed strategies are X* = (3 / 4 , 1 / 4), y*= (1 / 2 , 1 / 2); the value of the game is 1 / 2 .

For the actual finding of optimal mixed strategies, the possibility of reducing M. and. to problems of linear programming. It is possible to use the so-called Brown-Robinson iterative method, which consists in sequential fictitious "playing" of a given game with the players in each given game choosing their pure strategies, the best against the opponent's strategies accumulated up to that moment. Games in which one of the players has only two strategies are easy to solve graphically.

M. i. can serve as mathematical models for many of the simplest conflict situations in the field of economics, mathematical statistics, military affairs, and biology. Often, one of the players is considered "nature", which is understood as the whole set of external circumstances unknown to the decision maker (another player).

21. Difficulties in testing complex analytical hypotheses.

Retail lending: portfolio management technology. Retail Lending: How to Manage Portfolios

Risk manager: in dreams of management

Sometimes it seems that risk management has reached a dead end. Risk managers “measure, record the presence or document risks, assuring everyone around them that risks and their reduction are the main goal of managing an organization”, as Aleksey Sidorenko wrote in his series of articles. The last point, convincing everyone around that risk reduction is the main goal of business management, is very useful from the point of view of self-positioning and self-promotion of risk managers. Global initiatives like Basel I-II-III-etc are the cash cows of consultants (we really love them!).

But risk managers are often just annoying to business leaders. Therefore, business unit leaders often try to ignore risk managers, and sometimes they are simply fooled. At best, they view risk management as an inevitable cost of being in business, and require risk managers simply not to have problems with regulators.

Isolation from the real world where profits are made makes the day-to-day work of risk management dull, pointless, and merciless to the people who do it. And these people are qualified: they are good at building mathematical models, predicting, and identifying patterns. Ignoring this experience, wasting working time by these people is an unaffordable luxury in the era of declining margins, fintech and the growth of objectively existing risks.

So, how do you make risk management business-oriented, but still remain risk management? What are the real problems (beyond regulatory compliance) that business risk management can address? How can risk managers help improve business performance? How to make sure that business units and risk management work in one team? What managerial decisions need to be made to achieve these goals?

One of the answers to all these questions is the Declaration of Appetite for Risk.

Risk appetite declaration: what is it?

The risk appetite declaration is a formal document that lists risks, risk factors, their target values, threshold values, upon reaching which certain decisions are required. This document also formally establishes the target level of economic capital adequacy covering risks, the volume of the required liquidity buffer, as well as the target return on capital.

This definition is a tribute to dead letters and is capable of destroying any sound idea in the bud. It makes no sense in terms of real business development needs. Everything that is mentioned in this definition is either invented or imagined by risk managers. In order for a risk appetite declaration to be worth more than the paper it is printed on, it needs to be specified.

A list of specific managerial decisions and actions can breathe the breath of life into this document. The main source of management actions is business goals. The risk also does not exist in itself, but represents the failure to achieve these goals. Therefore, the Declaration of Appetite for Risk should contain a list of objectives. The management actions listed in the Declaration are tied to goals, but have different conditions for their application. They also depend on our attitude towards risks.

Attitude to risks is a key moment in building a risk management focused on managerial actions. It is not possible to manage all risks. You don't need to manage all the risks. If we minimized all risks, there would be no sources of profit left. Therefore, you need to decide from the very beginning:

What risks do we accept (and transfer to our shareholders, leaving them to manage these risks);

What risks do we manage, that is, what risks are in the area of our business and our competence;

What risks do we and our shareholders prefer to avoid that our shareholders are not prepared to take under any (reasonable) circumstances.

By classifying risks in this way, we can focus on those that we manage and (to a lesser extent) those that we accept. The cause of any risk is a change in risk factors. Risk factors may have different qualitative characteristics and quantitative measures. Some of these characteristics and measures are tied to probability, some to the impact that the realization of the risk has on the organization. Some risk measures are expressed in units of the financial result (the amount of profit or loss), some are risk-oriented in a narrower sense of the word.

Management actions and decisions depend on the situation. Some of them are simply planned in advance depending on the stage of the portfolio or transaction life cycle. Some should be taken in response to an external event. Actions can be natural in the normal course of business, or they can be extreme anti-crisis. An example of the latter type of action is stop loss selling.

Procedures for regularly monitoring a transaction or portfolio we manage should also be described in the Risk Appetite Statement.

Thus, the Declaration of Appetite for Risk is not only and not so much about risks. It's about business in general. A valid Risk Appetite Declaration is more of an investment declaration created to address all internal management challenges.

Declaration of appetite for risk in bank management

A valid Risk Appetite Declaration permeates the bank management process. It sets the starting point for planning, since it defines the target characteristics of the portfolio that the bank forms.

It also regulates the lending process. The image of the target borrower, lending and risk acceptance rules are an integral part of the Declaration.

It defines the rules and methods of portfolio management. Managing an established portfolio of retail loans is a complex task. This is much more difficult than managing portfolios of securities. Loan conditions are fixed and cannot be changed unilaterally. The secondary market for loans is not liquid. Their sale requires long and scrupulous preparation. Therefore, selling as a portfolio management tool in a crisis situation is practically an inaccessible tool. But sometimes the Declaration of risk appetite in terms of prepayment risk may dictate the need for unilateral easing of credit conditions and set the rules for such easing.

Because the Risk Appetite Statement sets out the objectives of a retail loan portfolio, it can be used to evaluate the performance of that portfolio. Profits and losses of business units, risk-adjusted financial result are calculated based on the assumptions specified in the Declaration. Moreover, if some risks materialize, onlyThe risk appetite declaration distinguishes between bad luck and risk management failure.

Key risk indicators for retail lending

Widely used indicators of the risk of a retail loan portfolio include the average rate of provisions for possible losses in the portfolio, the share of overdue loans, 0 + 3mob (the share of loans falling into arrears during the first three months after issuance), 30 + 6mob (the share of loans whose maturity overdue exceeds 30 days overdue in the first six months after issuance), the volume of loans written off in the portfolio. All these indicators are relatively easy to calculate. However, they all have one drawback: they are not leading, and therefore their use in portfolio management is difficult.

Instead, we recommend using more complex indicators, such as LTS, specific LTS, forecasts of reserves for possible losses, forecasts of delinquency volumes and delinquency frequencies. The computational complexity of these indicators is easily offset by specialized information systems such as . However, in return, the risk manager gets the ability to manage.

For example, as a portfolio matures, the amount of reserves for possible losses increases, and therefore the economic capital available to the bank to cover the risks it takes decreases. At the same time, the generation of young loans brings good returns, which initially cover the costs associated with reserves and capital. The optimal choice of the timing of the sale of loans (securitization) allows you to double the profitability of the bank's capital.

The most important characteristic of a loan portfolio is LTS (loss-to-sale). This value represents the accumulated losses over the generation of loans. LTS grows, maturing throughout the lifetime of a generation and depends on the initial contractual term of loans and the credit quality of borrowers. Specific LTS is a derivative characteristic of the credit quality of borrowers (the influence of the initial contract term of loans has been removed). The concept of specific LTS was originally developed by Vladimir Babikov. In essence, the formation of rules for issuing loans is a procedure for linking the specific LTS to the characteristics of customers (debt-to-income ratio, borrower's region, level of education, industry affiliation, etc.). Therefore, when formulating the Declaration of Appetite for Risk, the risk manager must determine the target level of specific LTS.

Analytical procedures (for example, those implemented in the Roll Rate Analytic System®) allow you to model the impact of GDP growth, unemployment and other macroeconomic factors on the level of delinquency, LTS and specific LTS. According to the requirements of the Basel Committee, credit ratings must be assigned to borrowers taking into account possible deterioration in economic conditions or unexpected events (see §§414-416 in International Convergence of Capital Measurement and Capital Standards, paragraph 12.13 of Regulation 483-P of the Bank of Russia). Objective analysis of LTS is a practically efficient way to ensure that this requirement is met.

Issuance of loans

Lending procedures should be based on the Declaration of Appetite for Risk and ensure that the resulting portfolio is consistent with its objectives. The cornerstone of these procedures are scorecards. With their help, the diversity of characteristics of borrowers is converted into an aggregate score. This allows you to form an unambiguous decision whether to issue a loan to this client or not. However, the decision rule should take into account not only the current characteristics of borrowers, but also their possible evolution over time. This is not only a requirement of common sense, but also of regulatory standards. Therefore, the scoring system must link the characteristics of borrowers to the specific LTS of the portfolio that the bank wishes to build.

Moreover, scorecards need to cover more than just credit risk in terms of unit LTS. They must also take into account the behavior of customers, in particular, their early repayment of loans. Why is it very important? If the value added of the loan portfolio is initially 10% of the loan amount, early repayment of 30% of the portfolio per year reduces the value added to negative -40% of the loan amount. In other words, a borrower who repays loans ahead of schedule brings losses to the bank. The experience of our clients shows that taking into account the behavior of clients when building scorecards (together with taking into account their credit quality, of course) allows you to increase profits by five times while reducing the volume of new loans by half (which reduces the bank's costs when attracting resources).

Risk Appetite Declaration: A Working Example

As mentioned above, the Risk Appetite Declaration governs all aspects of banking portfolio management, namely:

Target return on capital and other key portfolio performance indicators;

Risk targets;

Portfolio size and other characteristics;

Indicators that should be constantly monitored, as well as their threshold values, the violation of which entails the adoption of managerial decisions.

These principles are illustrated in the figure.

Forming a Declaration of Appetite for Risk is a difficult task. But it is worth solving. The result of using hidden reserves, which will be released as a result of the correct organization of the business process, justifies all costs. The combination of portfolio objectives and management procedures facilitates the management of the bank. As a result, returns on capital are rising even in an era of increased competition, economic crises, tighter regulations and a resurgence of barriers to entry. High-quality risk management guarantees business owners good nights. True, some amateurs call it luck for some reason.

He who has ears, let him hear! Those who have risk management, let them profit!