What is a ‘Risk Appetite Statement’ and why do I need one?
20 November 2019
‘Financial crime is illegal and I have zero appetite and/or zero tolerance for it’. Over the years I have heard this or similar statements from many clients of various seniority within financial services organisations – it is a fair and understandable statement. However, as set out in my first blog of this series, it is not one that is implementable in any organisation. By being in business you are, of necessity, exposed to financial crime risk – perpetrated by your clients but facilitated (unknowingly) by you or through the activities of your staff and associates. Therefore, whilst you can have a ‘zero appetite’ for financial crime risk, you must tolerate some risk or you cannot engage in any business activities.
A financial crime Risk Appetite Statement therefore defines the residual risks that an institution is prepared to tolerate.
A financial crime Risk Appetite Statement is arguably the fundamental part of the financial crime risk management framework. It should dictate the types of clients and the business undertaken by the institution as well as the policies, procedures, controls and broader framework used to manage the risk.
The financial crime Risk Appetite Statement must be specific to the institution and should include both quantitative and qualitative measures. It should consider both intolerable and tolerable risks.
Intolerable risks are those risks that you are not willing to tolerate in their entirety, such as dealing with arms dealers, shell banks, clients with bearer shares etc. These intolerable risks should be defined and are a key constituent of a Risk Appetite Statement.
As set out above, by being in business an organisation is exposed to inherent risks. The organisation therefore needs to define the parameters for the inherent risks it is exposed to, and is prepared to tolerate, as a result of its business activities: those parameters will look different for, say, a UK-based building society compared to a global investment bank, whose business activities expose them to very different inherent risks. These are the ‘tolerable risks’ and are defined and set out in the Risk Appetite Statement.
Example parameters that may be used to define ‘tolerable risks’ could include: ‘I am prepared to have a third of my clients as high risk clients’; ‘I am prepared to operate in higher risk jurisdictions’; ‘I am prepared to offer higher risk products’.
Depending on the approach, an institution may choose to be very prescriptive about which products, countries and percentages of clients it is prepared to accept (e.g. ‘I will have no more than 20% of PEPs in my population’) or it may choose instead to have guidelines that it follows (e.g. ‘I will seek to have about 20% of PEPs in my population’): either way the parameters applied to the inherent risks must be defined.
By defining the intolerable risks and the inherent risks that will be tolerated, the institution is able to focus its risk management framework (i.e. risk assessment, policies, procedures, controls, governance structures etc.).
What the measures are, and how the Risk Appetite Statement is defined and operationalised, are critical to enabling the financial crime risks facing an institution to be fully understood and managed.