IR Global kodulehel avaldati jurist Raiko Pajula artikkel


Main aspects on completing risk appetite framework for financial institutions

Risk appetite framework – RAF

This article is formed in combination with the Estonian Money Laundering and Terrorist Financing Prevention Act and Estonian Financial Supervision Authority (Finantsinspektsioon) guide: “Organisational solutions and preventive measures for credit and financial institutions to take against money laundering and terrorist financing”, which was implemented on the 3rdof January 2019.

This article aims to give financial institutions an overall view on risk appetite and the necessary requirements and aspects that are vital in the risk appetite framework. Although it must be noted, that every risk appetite framework varies between different financial institutions, as every institution has different strategic risks and their business methods are diverse.

Financial institutions have the legal obligation to compile a risk appetite framework. This framework includes risk profile and analysis, that form part of the process of development and implementation of the financial institutions’ strategy of the risks undertaken in relation to the institutions risk capacity. Mainly it determines what are the financial institutions’ risks that they must combat in order to reach their strategic goals.

To have a complete and functioning RAF, it should be aligned with the financial institutions’ business plan, capital planning and compensation mechanisms. An effective RAF should provide a common framework and comparable measures across the financial institution for senior management and the board to communicate, understand, and assess the types and level of risk that they are willing to accept and the risks they want to avoid.

RAF implementation requires an appropriate combination of internal policies, processes, controls and procedures to accomplish a set of objectives, that have been set in their business plan. As such, an effective and efficient RAF should be closely linked to the development of information technology (IT) and management systems in financial institutions.

RAF should be clearly linked to the institutions’ strategy, material risks under both normal and stressed situations and market volatility and set clear boundaries and expectations by establishing quantitative limits and qualitative statements for risk that are difficult to measure.

Quantitative measures should establish the loss or negative outcomes that can be aggregated and disaggregated. These measures may be expressed in terms of earnings, capital, liquidity-at-risk, or other appropriate metrics (e.g. growth, volatility). Qualitative statements should complement quantitative measures, they should set the overall tone for each of the financial institution’s approach to risk taking and articulate clearly the motivations for taking on or avoiding certain types of risks.

There usually are four different risk categories: i. products/services, ii. clients, iii. sales channels and iv. geographical location. These four categories should be analyzed in combination with each other to determine the risk level and set appropriate mitigation measures.

For quantitative and qualitative measures, institutions can use risk matrixes as a way of determining the risk level and the appropriate mitigation measures. Qualitative measures are the overall stated facts, that the financial institution wants to take or avoid. These are statements that need to be analyzed and linked to the quantitative analysis,

Having risk limits through quantitative and qualitative analysis can prevent a financial institution from unknowingly exceeding its risk limits as market conditions change, business plan changes or there are new competitors in the market. Stated and accepted risk limits can be an effective defense against excessive risk-taking. When a financial institution sets its limits, they need to consider the interaction between risks across its business line and the corresponding impact on exposure and outcome. To mitigate this problem, institution-wide stress-testing should occur. The number of chosen limits should balance the trade-off between comprehensiveness, and the monitoring costs and effectiveness.

To establish an effective institution-wide RAF, it is necessary to develop the RAF in collaboration with the chief executive officer (CEO), chief risk officer (CRO) and chief financial officer (CFO). They interpret the direction the institution must take, the risks these directions hold and how to mitigate the risks. For example, the CFO’s input is the recourses the institution can allocate for the risk mitigation measures (ex. IT-development). Co-operation between the executive officer has major effect on the effectiveness of the RAF.


Lawyers Raiko Pajula and Cristen Helendi performed a presentation on the main aspects of risk appetite framework in Finance Estonia seminar on January 24, 2019. Finance Estonia is a financial sector representative organization with the aim to support and enhance financial sector development and innovation in Estonia.

Finance Estonia event can be seen here: