Financial firms have made some progress in developing risk appetite frameworks and building their information technology infrastructures in the wake of the global financial crisis, but they have “considerably more” work to do to strengthen these practices, according to a group of global financial regulators.

In particular, the aggregation of risk data remains a challenge for financial institutions, concludes the latest report by a group of 12 senior supervisors from 10 countries. The Senior Supervisors Group includes the U.S. Securities and Exchange Commission, the Board of Governors of the Federal Reserve System, the Federal Reserve Bank of New York, and the Office of the Comptroller of the Currency.

The Dec. 23 report, “Observations on Developments in Risk Appetite Frameworks and IT Infrastructures,” follows up on two weaknesses in risk management practice identified in the SSG's last report, Risk Management Lessons from the Global Banking Crisis of 2008: articulating a clearly defined risk appetite for the firm, and monitoring risk effectively through reliable access to accurate, comprehensive, and timely quantitative information.

The report includes observations about the interdependence between formal risk appetite frameworks (RAFs) and highly developed IT infrastructures and how to implement elements of those frameworks and infrastructures effectively, practices the SSG says are “crucial in providing the risk information that boards of directors and senior management need to make well-informed judgments—not only about risk management but also about their firms' forward-looking business strategies.”

“While some RAFs are more advanced than others, no single firm was observed to have developed a fully comprehensive framework containing all the better practice elements described in this report,” the SSG observed. The report also noted that most RAFs aren't mature. Although the majority of firms assessed have a risk appetite statement, more than half reported that it's been in effect for a year or less.

Among other things, the report observes that “Strong and active engagement by a firm's board of directors and senior management plays a central role in ensuring that RAF and risk data aggregation projects have a meaningful impact on the organization.”