Banks have a precarious relationship with their key risk indicators (KRIs) at the best of times. Regulators have put pressure on the industry to tighten up the metric since the financial crisis, ensuring they are explicitly linked to underlying risk exposures and are used to alert senior management to changes in risk profile. But many banks have struggled to perfect the process; often collecting thousands of KRIs, but failing to make good use of them in their risk reports.
An unlikely exception is Atlanta’s SunTrust Bank, a consumer and wholesale banking specialist with assets of $205 billion. Over the past two years, SunTrust has developed an enhanced risk appetite and KRI framework that has gained recognition for its equal focus on financial and non-financial risks, enabling more accurate risk reporting to the bank’s top brass.
“The framework gives senior management and the board a unique portfolio view of risk exposure across the company, so they can make informed decisions on where they need to allocate resources to either increase returns or mitigate risk. We monitor risk appetite and risk tolerance side-by-side, so we can determine and implement the appropriate levels of risk,” says Spyro Karetsos, executive vice-president and head of enterprise risk services at SunTrust Bank.
Karetsos joined SunTrust in 2016, having previously been director of enterprise risk management at Vanguard. Before that, he had held senior roles at Goldman Sachs and the Federal Reserve Bank of New York. At SunTrust, he was given a mandate to breathe new life into the risk framework, recognising operational and business practice failures can pose just as much risk to a bank as traditional financial risks.
In fact, in the years since the financial crisis, it has been operational failures that have caused banks the most pain. While regulators cracked down on the management and capitalisation of market, credit and liquidity risk, the most high-profile – and costly – missteps that have laid banks low have come from non-financial risks: market manipulation, fraud and other business practice failures.
The new framework uses quantitative indicators and qualitative expert opinions to ensure our risk appetite is consistently implemented across the businessSpyro Karetsos, SunTrust Bank
SunTrust’s new risk appetite framework addresses this issue by measuring and managing operational, technological and compliance risks on an equal footing with mature financial risks. The framework refines the bank’s risk appetite using both quantitative values and qualitative assessments, comparing actual risk results within the business to the desired risk appetite, so adjustments can be made on the fly to either reduce risk or put more risk on. Risk is managed by setting every individual exposure into the context of overall risk appetite.
“We had historically indicated that we had a moderate risk appetite, but previously, different business leaders might have had their own views and interpretations as to what exactly that meant,” Karetsos says. “The new framework uses quantitative indicators and qualitative expert opinions to ensure our risk appetite is consistently implemented across the business.”
“When we aggregate our analysis of different business units we can determine whether our actual risk exposure matches our risk appetite. If it significantly exceeds or falls short of the moderate risk appetite, we will look to make changes either to the risk appetite or the risk exposure, and can develop risk response plans accordingly,” he says.
Karetsos uses an analogy of managing cars on a multi-lane highway, with each car representing a particular risk within a business unit (a ‘unit of measure’). A moderate risk appetite might be achieved by keeping every single car in the middle lane, but the new framework allows for a more dynamic approach, which takes into account the size and risk of every unit of measure, and keeps all of the cars in an appropriate lane to achieve the prescribed risk appetite at the enterprise level.
Without a clearly articulated risk appetite statement that is endorsed by the board and senior management, this approach would be almost impossible to achieve as there would be no vision for business and risk functions to pursue. Setting a framework for risk appetite, including both financial and non-financial risks, was therefore the most critical part of the process.
“After the financial crisis there was a natural focus on market risk, credit risk and liquidity risk, but our risk appetite framework strategy has allowed us to also sharpen our focus on operational risk and business practices, in addition to financial safety and soundness. It is critical that non-financial risks are now given appropriate weightings in the portfolio of exposures,” says Karetsos.
While the initiative is still bedding down – as implementation only began last year and is still being extended across business lines – the results look strongly encouraging. Risk appetite has already become much more integrated with strategic planning across the bank, according to Karetsos. A large and beguiling set of risk indicators and metrics has also been distilled into a concise set of just over 200 indicators that more accurately portrays the bank’s risk in real time.
“Streamlined reporting of risk indicators and metrics has been another tangible benefit,” he says. “More concise, but more meaningful indicators now tell the complete story of risk in our organisation, and enable us to manage our risk exposure in tandem with our risk appetite much more efficiently and effectively.”