When Risk Appetite Meets Reality: Reporting on Risks Out of Appetite
November 03, 2025
Major failures in the financial services industry don’t typically happen out of the blue. Management may already know problems have been festering, but other priorities overtake meaningful review of key risks. Many banks implement detailed risk appetite frameworks (“RAFs”) that articulate limits for various risk exposures and related operating parameters; however, in practice, some risk exposures remain above stated limits month after month, quarter after quarter.
At global and super-regional banks, risk appetite statements (“RASs”) have evolved over the last 15-20 years, from largely simple, top-of-the-house statements about total appetite for broad risk types to a more fine-tuned articulation of day-to-day tolerances across a wide range of risk types. Historically, chief risk officers (“CROs”) would report to the board on “key exposures,” “special situations,” or policy exceptions. What was often lacking in these reports, however, was a view into specific risk exposures remaining above stated tolerance levels in RASs and trends over time. Thankfully, risks out of appetite (“ROOA”) reporting is a welcome trend that has the potential to significantly address this problem.
Reporting on Risks Out of Appetite
Many regional banks are now following the lead of global banks in adopting and refining ROOA reporting, which is quickly becoming a focal point in quarterly risk reviews – a sharp contrast to the “set-it-and-forget-it” view of RASs in the past.
ROOA reporting remains a nascent topic at many smaller community banks (i.e., under $10 billion in assets) and many credit unions: in the recent FTI Consulting poll of almost 50 entities within that cohort,[1] 70% did not have ROOA reporting in place. Within that same group, only 22% had risk appetite statements scoped at the business-line level, an important enabler for actionable ROOA reporting. These statistics demonstrate that even those organizations that are maturing their approach to RASs have an opportunity to expand their ROOA monitoring and reporting, thereby adding value to their organizations.
Some common limits and parameters included in RASs are itemized in Figure 1 below:
Figure 1 – Common Calibrated Terms Within Risk Appetite Statements (Illustrative)
| Key Limits and Triggers | Parameters |
|---|---|
| Risk Capacity Limits | Operational Parameters |
| Risk Tolerance Limits/Matrices | Financial Parameters |
| | Strategic Parameters |
Typical Business Unit-Level Risk Appetite Statement
ROOA tracking and reporting can and should exist within RASs. By leveraging the fields noted above, and assessing risk level, the risk function can monitor progress and identify emerging ROOAs. Additionally, an aging analysis, a separate table that rank orders risks that have been in ROOA status, is another helpful tool for leadership and the board to make informed decisions. Many ROOA reports include trend reporting that identifies and highlights any risks resulting from appetite over time. Those cases usually belong near the front of the triage queue in remediation efforts.
ROOA reporting can also be created in conjunction with amendments to existing risk appetite settings which formalize a known problematic situation that wasn’t previously reflected in the RAS. ROOA reporting reports on the overage and begins to track it over time. As an example, we have observed cases where certain data and IT operational risks that were significant issues for revenue-generating businesses were better addressed when added to ROOA reporting.
If a RAS states that any factor is near “risk capacity,” meaning the maximum risk the entity can bear while remaining solvent, it should be classified as ROOA and cannot wait for periodic reporting – it requires immediate escalation.
Interpreting and Responding to Reporting
Accurate and timely ROOA reporting can be a highly actionable tool for management to bring impactful change to the business. It can also help coordinate thinking across the enterprise regarding some of the entity’s toughest challenges and focus attention on more detailed operational risk problems that may be less frequently discussed by senior management and the board.
Before evaluating ROOA reporting needs, review language in the risk appetite policy. More specific requirements, procedures and reporting with respect to ROOAs may be needed. When a RAS metric is breached, there should be a specific protocol followed to develop and escalate a resolution plan for approval. ROOA reporting should then cover all such cases – nothing in ROOA reporting should appear unexpectedly to senior management or the board.
Below are some key considerations when implementing ROOA reporting:
- Start with roles and responsibilities within the first line of defense (“1LoD”). Each material residual risk identified in the risk inventory should have at least one “owner” in the first line. Any risk identified as out-of-appetite should require an elevated degree of care in the 1LoD and more frequent interaction with enterprise risk or operational risk central teams in the 2LoD.
 - ROOA concerning operational (or “non-financial”) risk types may dovetail with issue and exception management processes, which have been a development area at many midsized institutions over the past few years. Issue owners vary across different institutions and may include change/transformation teams and enterprise risk personnel. We suggest seeking opportunities to reconcile the current issue and exception management list with identified ROOAs.
 - Monitor any interim (or “contingency”) controls in place as transformation programs are implemented to reduce specific ROOA exposures. Consider whether any interim controls are data-driven and tested, and whether there are any key control indicators (“KCIs”) that could be monitored until the transformation is complete.
 - ROOAs should be reflected in the institution’s capital plan. Some capital should be allocated for the exposure, which may be reduced as the exposure is mitigated over time.
 - Persistent ROOAs may raise candid questions about assumptions in the strategic and financial plans, documents not easily revisited mid-cycle in many entities. The board should encourage staff in control functions to speak up and offer views on changes in the risk profile, even (perhaps especially) if it’s something the revenue-generating leadership doesn’t want to hear.
 
Conclusion
A common feature of many historic banking failures is that senior management and boards passively viewed awareness of a problem as somehow curative in itself. Often, a problem area would be well known for a long period of time before major consequences developed. That was true of both the 2008-09 crisis and the more recent banking failures of 2023. Longitudinal reporting on ROOA, particularly on those aging or trending worse, has the promise to bring greater rigor to re-rationalize exposures as conditions change, and to identify cases where controls may need refinement.
ROOA’s greatest impact can occur when it forces a candid review into whether risk appetite levels are set correctly in the first place. With strategic plans and financial planning and analysis reflecting risk appetite assumptions that might need to change during prolonged stress periods, ROOA can force discussions that may not always have taken place in the past.
Footnote:
1: Financial Managers Society (“FMS”), Up-Level Your Risk Appetite Framework: Bridge the Gap Between Risk Management and Strategy (webinar hosted by Caitlin Holmes and Paul Feldman), July 15, 2025.