At the front of any information pack that explains what's going on in treasury and risk, you often see a long list of limits. These are frequently accompanied by colour coding: red, amber, and green. The purpose is to translate risk appetite into a measure that you can use to monitor and control the effect an unknown future can have on your business.
Limits are generally seen as helpful, but they have grown in number beyond anything that would have been envisaged only a few years ago. Whether this is beneficial is questionable. Let's look at things in a little more detail.
I'm sure you've encountered hard and soft limits. Hard limits are those we feel compelled to act upon when they are breached, while soft limits provide more in the way of management information. You could argue that all limits are self-imposed by the firm. However, because we operate in a constrained environment, a large proportion of the so-called hard limits are imposed by the regulatory regime. Changing these requires convincing regulators that what you propose is sound, which is not an easy task.
Here, we see a situation where the regulator is imposing its risk appetite on your business, for better or for worse.
Risk appetite is often assumed to be a fixed measure that can be calculated and calibrated precisely. But this is not the case. Many firms use a mixture of quantitative and qualitative measures to arrive at their risk appetite and connect these to the limits in place. This leads to an important question.
When you break a risk limit, is it serious or not? This depends on its importance.
Moreover, risk appetite is indeed variable. When profits rise, risk appetite increases, and when profits fall, the willingness to take risks diminishes (at least that's what I've seen). This behavioural feedback loop, often reinforced by groupthink, creates significant variability, even on a day-to-day basis. If we conclude that risk appetite is variable, it's difficult to assert that the limits themselves are anything but the same.
What about the situation where you never breach a limit? Is that good? Serious questions need to be asked. There is likely a mismatch between the risk appetite that dictates the limit and what is actually going on in the business. This may show a failure at the grassroots level to take on the level of risk agreed upon by the board. Investigating why and how this happens is worthwhile. There's also something else.
When limits are never breached or never even come close to being breached, oversight can become lax. People may pass over what's in front of them because every time they see it's okay. But it's not. It discourages people to dig into the business and understand the principal drivers of what's going on.
At the other end of the spectrum, limits that are continually breached but not addressed create another problem. Each time the breach is presented, it is passed over, leading to a collective view that if we ignore it, it will go away. This is unhelpful. If a limit is continually breached, the exposure needs to be reduced, or the limit increased.
We've also got into a habit that every time a new risk is identified, a limit is needed to capture it. This leads to an excessive number (of limits) that are difficult to remove once in place.
This false sense of security can filter into high-level management reporting, where senior executives receive pages of detailed information that is unhelpful. The governing body should have a few key limits to focus on. Think in terms of credit, liquidity, market, operational risks and also capital and P&L.
Overall, limits can be extremely useful tools in managing risk. However, they are just tools and should not run the business. Thoughtful and intelligent discussions about what you are doing are essential.
Next time you see a long list of limits, ask whether they are truly needed. In a survival-of-the-fittest way, remove those that serve no purpose so that genuinely helpful ones remain.
Comments