Business strategy and risk culture
It is understandable – but mistaken – to conflate strategy implementation with the achievement of economic targets.
For a bank, financial objectives will normally include growth in income, balances or market share, and this will normally be an outcome of how successfully strategy is executed. But for banks in particular, the achievement (or otherwise) of financial goals can never be divorced from the chosen risk boundary. The systemic importance of banks means that a bank must always maintain sufficient capital, liquidity, control capability and organizational discipline for business continuity.
For these reasons, regulators worldwide treat strategy, risk appetite, governance and culture as parts of a single system. The Basel Committee for Banking Supervision, for instance, defines risk appetite as the aggregate level and types of risk a bank is willing to assume within risk capacity to achieve its strategic objectives. It defines risk culture as the norms, attitudes and behaviors that shape day-to-day risk decisions. Ultimate responsibility for strategy, governance, culture and risk oversight lies with the board.
Table of contents
- Risk capacity as a strategic boundary
- Turning risk appetite into action
- From measurable limits to controlled exceptions
- The framework behind strategy execution
Risk capacity as a strategic boundary
Banking strategy can never be divorced from risk capacity. A strategy that takes on more credit, market, liquidity, operational or conduct risk than the bank can actually absorb is not ambitious; it is reckless. The special position of banks means that a functioning risk framework is mandatory: the Financial Stability Board’s (FSB) risk appetite principles require appetite to be linked to strategy, capital and financial projections, and to be forward-looking under both normal and stressed conditions.
Successful implementation of strategy in the context of risk management is both top-down and bottom-up.
- The board sets the enterprise boundary;
- senior management translates that boundary into business-line, legal-entity and product-level choices;
- and the front line must conduct operations within those choices day-to-day.
These are not vague or aspirational notions. Rather, observance means implementing institution-wide appetite statements, with further, consistent statements or specific limits for business lines and legal entities, and notifying serious breaches to the board and supervisor. Practically, this results in commercial constraints, as targets and their associated risk must be recognizable, measurable and subject to escalation where appropriate inside the bank’s formal risk architecture.
When risk appetite is applied poorly, risk can be perceived as a barrier rather than a decision partner. Read: Why risk teams are still seen as growth blockers.

Risk capacity defines the outer limit of how far a bank’s strategy can safely go.
Turning risk appetite into action
Risk appetite sets the boundary of execution. A good risk appetite framework identifies several things that banks sometimes fail to distinguish: risk capacity, risk appetite, risk tolerance, operational limits and exceptions.
Capacity is the frontier of what the bank can bear in risk terms; appetite is the smaller amount of risk it runs; limits and tolerances translate that choice into operations and day-to-day decision-making.
The FSB says an effective risk appetite statement should incorporate several qualities. It should:
- Be easy to communicate
- Be directly linked to strategy
- Cover material risks in normal and stressed conditions
- Combine quantitative measures with qualitative boundaries.
To explore how risk teams can apply frameworks, judgment and communication more effectively in real situations, read: How to build stronger risk capability in practice.
From measurable limits to controlled exceptions
The statement should be clear and unambiguous. If the statement is vague, staff will fill the gaps themselves: the result is poor decisions and self-serving interpretations.
In practice, risk appetite needs to be broken down into measurable limits that can be aggregated and disaggregated across the bank. Supervisory guidance expects limits to be applied to business lines, legal entities, specific risk categories and concentrations. At the same time, the framework has to be sensitive enough to show when the bank is moving towards the edge of appetite or capacity.
This is what is needed to validate strategy in risk terms. Broad statements about “prudent growth” are hopelessly insufficient. Instead, the language must specify exposure limits, concentration boundaries, loss triggers, escalation thresholds and qualitative off-limits areas that staff can understand and management can monitor.
Yet, there must be space for exceptions. These should be rare, justified and time-bound: once breaches become frequent or routine, the issue is usually no longer defined as a single transaction. Exceptions need to be genuinely exceptional, approved at a higher level, rapidly closed and transparently reported – otherwise they end up becoming a parallel channel where the business quietly rewrites the rules.

A bank’s risk framework is the operating system that keeps strategy, controls and accountability connected.
The framework behind strategy execution
The risk management framework is the operating system through which strategy is executed. The framework is the combined structure of governance, authorities, control functions, processes, committee arrangements, data, systems and people that allows the bank to identify, assess, accept, monitor and, where necessary, exit risk in line with appetite.
There are commonalities in framework design: the business owns day-to-day risk in the first line; independent risk management and compliance provide challenge in the second line; and internal audit provides assurance in the third line. Overall, the framework architecture must be proportionate to the bank’s size, complexity, business model and risk profile.
For more on this, read: What does a future-ready financial risk function look like?
Conclusion
Last, none of the above is possible without an effective risk culture. Again, culture may seem an abstract concept but ultimately it amounts to a series of behaviors in very real situations. In short, it governs how people behave when faced with a risk decision, a warning sign, a limit pressure point, or an uncomfortable fact.
Without a sound risk culture, the ability of a bank to execute an agreed risk strategy within its defined appetite is seriously compromised.
To understand how small gaps in judgment, escalation and application can weaken risk culture over time, read: Fixing capability leakage in risk teams.

Frequently asked questions
What is risk appetite in banking?
Risk appetite is the aggregate level and types of risk a bank is willing to assume within its risk capacity in order to achieve its strategic objectives. It sets the boundary of execution for a bank's strategy and must be directly linked to capital and financial projections. It should be forward-looking under both normal and stressed conditions, as defined by the Financial Stability Board's risk appetite principles.
What is the difference between risk capacity and risk appetite?
Risk capacity is the frontier of what a bank can bear in risk terms, while risk appetite is the smaller amount of risk it actually chooses to run. Limits and tolerances then translate that appetite choice into day-to-day operations and decision-making. A strategy that takes on more risk than the bank can absorb is not ambitious — it is reckless, given the systemic importance of banks to financial stability.
What should an effective risk appetite statement include?
According to the Financial Stability Board, an effective risk appetite statement should be easy to communicate, directly linked to strategy, cover material risks under both normal and stressed conditions, and combine quantitative measures with qualitative boundaries. It must specify exposure limits, concentration boundaries, loss triggers, escalation thresholds, and qualitative off-limits areas that staff can understand and management can monitor — broad statements about "prudent growth" are insufficient.
How is risk appetite translated into operational limits?
Risk appetite must be broken down into measurable limits that can be aggregated and disaggregated across the bank. Supervisory guidance expects these limits to be applied to business lines, legal entities, specific risk categories, and concentrations. The framework must also be sensitive enough to signal when the bank is approaching the edge of its appetite or capacity, enabling timely escalation through the bank's formal risk architecture.
What role does the board play in risk governance?
The board holds ultimate responsibility for strategy, governance, culture, and risk oversight. It sets the enterprise-wide risk boundary, which senior management then translates into business-line, legal-entity, and product-level choices. The front line must conduct day-to-day operations within those choices. Serious breaches of risk appetite are required to be notified to both the board and the supervisor, making board-level accountability a regulatory expectation, not merely good practice.
How does risk culture affect a bank's ability to execute its strategy?
Risk culture governs how people behave when faced with a risk decision, a warning sign, a limit pressure point, or an uncomfortable fact. Without a sound risk culture, a bank's ability to execute an agreed risk strategy within its defined appetite is seriously compromised. Culture translates governance frameworks and appetite statements into real day-to-day behaviors, meaning that even a well-designed framework will fail if the underlying behavioral norms do not support it.