The compliance trap: why most risk appetite frameworks do not work
Ask the board of almost any Swiss private bank whether the institution has a risk appetite framework, and the answer will be yes. Ask them whether that framework actively shapes the decisions made by relationship managers, credit officers and business line heads on a daily basis, and the honest answer is almost always no.
This gap — between having a risk appetite framework and having a risk appetite that functions — is the central challenge of risk appetite management in Swiss private banking. It is not a documentation problem. Most frameworks are technically adequate: they contain a risk appetite statement, a set of risk metrics with thresholds, and a review process. The problem is that they were designed to satisfy FINMA rather than to guide management, and the difference in design intent produces frameworks that are reviewed annually, approved by the board, filed — and then ignored for the remaining eleven months of the year.
A risk appetite framework that is not used is not merely useless. It is actively dangerous. It creates the illusion of risk governance without the substance, gives the board false assurance that risk is being managed within articulated limits, and leaves the institution exposed to exactly the risks the framework was designed to constrain. When those risks materialise — as they periodically do in any bank — the framework's failure becomes a governance failure, and governance failures carry personal accountability consequences for board members.
FINMA Circular 2017/1 (Corporate governance — banks) requires that the board of directors define and regularly review the institution's risk appetite, expressed in quantitative and qualitative terms, covering all material risk categories. The risk appetite must be integrated with the institution's strategic planning, translated into operational risk limits, and monitored against actual risk-taking on an ongoing basis.
The key word is integrated. FINMA does not expect a risk appetite document sitting alongside the strategy — it expects a risk appetite framework that is embedded in how the strategy is executed and how individual business decisions are made. Institutions that cannot demonstrate this integration are not meeting the governance standard, regardless of how comprehensive their written framework is.
Defining risk appetite: precision matters
The term "risk appetite" is used loosely in banking governance, and the imprecision causes genuine practical problems. A board that has not agreed on a clear, shared definition of what risk appetite means — as distinct from risk capacity, risk tolerance and risk profile — cannot make consistent decisions about it. Before designing a framework, the definitional question must be settled.
The relationship between these four concepts is the foundation of an effective framework. Risk capacity is the maximum risk the institution can absorb given its capital and liquidity. Risk appetite is the amount and type of risk the board chooses to take in pursuit of its strategy, and it must be set below risk capacity: the board should never be comfortable operating at the limits of what the institution can absorb. Risk tolerance defines the operational band around the appetite, the deviation that management may run without a board decision. And the risk profile is the risk actually being taken, which management monitors daily and reports to the board periodically, with escalation when it approaches the tolerance boundaries.
In many Swiss private banking frameworks, these four concepts are conflated. Risk appetite is set at risk capacity, making it effectively meaningless as a management constraint. Risk tolerance is not defined, so there is no escalation trigger. And risk profile reporting is produced periodically but never explicitly compared to the appetite — so the board has no systematic way of knowing whether the institution is operating within its stated risk appetite or not.
The growth-regulation tension: what makes private banking different
Risk appetite management in Swiss private banking operates against a structural tension that does not exist in the same form in other banking sectors. Private banking growth — attracting new clients, expanding AUM, increasing fee income — is driven by relationship managers who are commercially incentivised to bring in business. The risks that accompany this business — client suitability, AML exposure, cross-border regulatory risk, reputational risk from client conduct — are managed by compliance and risk functions that are structurally separate from the commercial engine and often under-resourced relative to it.
This tension is not pathological. It is inherent to the private banking model and can be managed effectively. But managing it effectively requires a risk appetite framework that explicitly addresses the commercial-compliance interface — that sets clear limits on the categories of business the institution will and will not pursue, defines the escalation process for borderline cases, and gives relationship managers clear guidance on where the boundaries lie before they bring a client relationship to the credit or compliance committee.
"Risk appetite is not a constraint on growth. It is the definition of the growth the institution wants — and the protection of the franchise that makes that growth sustainable."
The client acceptance dimension
No element of risk appetite is more consequential for Swiss private banks than the parameters around client acceptance. The client risk appetite — which client profiles the institution will and will not serve, which jurisdictions it will and will not accept business from, which source of wealth categories require enhanced due diligence versus which are simply excluded — is the decision that most directly determines the institution's AML exposure, its reputational risk, its FINMA supervisory relationship, and its long-term franchise value.
Yet in many Swiss private banks, the client risk appetite is described in general terms in the risk appetite statement and then operationalised through a compliance policy framework that relationship managers navigate case by case. The gap between the board-level statement and the operational reality is where risk accumulates — in borderline client acceptances that individually look defensible but collectively represent a portfolio of elevated risk that the board has never explicitly approved.
Effective client risk appetite management requires the board to make explicit decisions about client risk categories — not just "we accept PEPs with enhanced due diligence" but "we accept Category A PEPs from jurisdictions X, Y and Z with enhanced due diligence, and we do not accept Category B PEPs regardless of jurisdiction or AUM." The more specific the board's appetite statement, the less room there is for the accumulation of undisclosed risk at the client acceptance level.
The regulatory environment dimension
Swiss private banking operates in one of the world's most demanding regulatory environments — and that environment has shifted materially over the past decade, in ways that have permanent implications for risk appetite calibration. The era of bank secrecy as a client attraction proposition is over. Automatic exchange of information has fundamentally changed the compliance risk profile of cross-border private banking. FINMA's enforcement capacity and willingness have increased substantially. The reputational consequences of AML failures — for the institution and for its senior leadership — are now existential rather than manageable.
These structural changes mean that the risk appetite calibration appropriate for Swiss private banking in 2010 is not the calibration appropriate for 2026. Institutions that have not systematically reviewed their risk appetite in light of this changed environment — particularly their client risk appetite, their cross-border risk appetite, and their AML risk tolerance — are operating with a framework designed for a world that no longer exists.
Designing a risk appetite framework that works: the architecture
An effective risk appetite framework for a Swiss private bank has three levels — board, management and operational — with clear connections between them. The failure of most frameworks lies in the disconnection between these levels: the board approves a high-level statement, management produces operational risk limits, and the two are never explicitly linked. When the risk profile approaches a limit, there is no clear path back to the board's stated appetite, and the governance function of the framework is lost.
The risk appetite spectrum for Swiss private banking
Not all risk categories deserve the same position on the appetite spectrum. A disciplined Swiss private bank should be willing to take measured amounts of some risks (credit risk in Lombard lending, market risk in proprietary positions, liquidity risk within regulatory limits) while having near-zero tolerance for others, such as AML failures and reputationally damaging client conduct. The most consequential calibration decision for Swiss private banks is the explicit acknowledgment that some risks are structurally incompatible with the franchise.
The risk categories that demand explicit board attention
Five risk dimensions in Swiss private banking warrant explicit board-level risk appetite decisions — not delegated management positions, but decisions that the board has genuinely debated and owned.
| Risk dimension | Why it demands board attention | The appetite question the board must answer | The failure mode if it is not answered |
|---|---|---|---|
| Client risk | Determines AML exposure, FINMA relationship and reputational risk profile more than any other decision | Which client categories, jurisdictions and source-of-wealth profiles will and will not be served — with specificity? | Accumulation of elevated-risk client relationships that individually pass compliance review but collectively exceed the board's implicit appetite |
| Concentration risk | Single-name, sector and geographic concentrations can threaten institutional viability in stress scenarios | What are the maximum tolerable concentrations by client, sector, geography and product — and at what point does escalation to the board occur? | Concentrations build gradually below management radar until a stress event reveals their scale — by which point the governance failure is complete |
| Cross-border regulatory risk | Swiss private banks serving clients in multiple jurisdictions carry regulatory risk in each — risk that has grown materially with automatic information exchange and foreign regulator assertiveness | Which jurisdictions will be actively served, which will be accepted on an inbound basis only, and which are excluded entirely? | Relationship managers serve clients from excluded jurisdictions on an informal basis, creating unmanaged and undisclosed regulatory exposure |
| Reputational risk | Franchise value in private banking is built over decades and destroyed in weeks — yet most risk appetite frameworks treat reputational risk as a residual rather than a primary category | What client, counterparty or business conduct would the institution consider reputationally incompatible — and who has authority to make that determination? | Individual decisions that are legally defensible but reputationally damaging are approved because the governance framework has no mechanism to catch them |
| Digital and technology risk | As private banks digitalise, technology risk moves from an operational concern to a strategic one — with implications for client data, operational resilience and competitive positioning | What is the board's appetite for technology investment risk, third-party technology dependency and digital operational disruption? | Technology investment decisions are made on commercial grounds without explicit risk appetite governance — leaving the board accountable for risks it has not approved |
Embedding risk appetite in daily decisions: the missing link
The most common failure in risk appetite frameworks is not in the design — it is in the embedding. A board-approved risk appetite statement that is not translated into the daily decisions of relationship managers, credit officers, product teams and compliance functions is a governance artefact, not a governance tool.
Embedding risk appetite requires four operational mechanisms that most frameworks lack:
- Pre-decision risk appetite checks. Material business decisions — new client acceptances above a risk threshold, new product launches, significant counterparty relationships, geographic expansion — should be assessed against the risk appetite framework before approval, not after. The risk appetite is not a post-hoc constraint; it is a pre-decision filter.
- Risk appetite-linked escalation triggers. When the risk profile in any category approaches the tolerance boundary, there must be a defined, automatic escalation pathway — from first line to second line to risk committee to board. Escalation cannot be at the discretion of management; it must be structural and rules-based.
- Management information aligned to appetite metrics. The board and risk committee MI pack should present the institution's risk profile explicitly against the appetite metrics — showing not just where the institution is, but where it is relative to where the board said it wanted to be. The gap between profile and appetite is the governance information that matters.
- Relationship manager-level guidance derived from the appetite. The client-facing team should have practical, specific guidance derived from the risk appetite — not a reference to a policy document, but operational clarity about what they can and cannot do, and what they need to escalate. This is the translation that turns board governance into business behaviour.
If relationship managers and business line heads in your institution cannot describe, in plain terms, what the board's risk appetite means for their day-to-day decisions — the framework is not embedded. It is documented. The distinction matters enormously when things go wrong, because a regulator investigating a risk management failure will ask exactly this question of the people closest to the business decisions.
The test of a working risk appetite framework is not whether the board can describe it. It is whether the relationship manager can.
Risk appetite in a growth phase: the calibration challenge
Swiss private banking is, in structural terms, a growth industry. The accumulation of wealth among high-net-worth and ultra-high-net-worth individuals globally — and particularly in Asia, the Middle East and Eastern Europe — continues to expand the addressable market for Swiss private banking services. Every Swiss private bank faces the strategic question of how aggressively to pursue this growth and what risks to accept in doing so.
The risk appetite framework is the governance mechanism through which this question is answered. Done well, it allows the board to define the growth it wants — which client categories, which geographies, which products — and to set the risk parameters within which management pursues it. Done poorly, it allows commercial pressure to override risk constraints by stealth, as individual decisions that nominally comply with the framework collectively expand the institution's risk profile beyond what the board intended.
The calibration challenge in a growth phase is to set an appetite that is genuinely ambitious, one that does not constrain commercial activity unnecessarily, while being honest about the risk consequences of that ambition. Boards that set unrealistically conservative risk appetites in response to regulatory pressure, only to watch management quietly manage around them, have created a worse governance outcome than a more realistic appetite would have produced. The appetite needs to reflect the board's genuine intentions, not the posture it wishes to present to the regulator.
The annual review: making it meaningful
FINMA requires annual review of the risk appetite framework. In most institutions this review is a process: the risk function updates the metrics, the risk committee reviews them, the board approves them. The substance of the board's engagement is limited and the output is largely incremental — the same framework with minor parameter adjustments.
A genuinely meaningful annual review starts from a different question: given what we know now about our risk profile, our competitive position, our regulatory environment and our strategic objectives, is this the risk appetite we would design if we were designing it from scratch today? This question produces a materially different board conversation from "do we approve the updated metrics?" It forces the board to engage with the substance of the risk appetite — the strategic choices embedded in it — rather than the process of its approval.
The annual review should be preceded by a management assessment of how the risk appetite has functioned over the preceding year: where the risk profile approached or breached tolerance boundaries, how those situations were managed, whether the escalation triggers worked as designed, and whether the appetite metrics were genuinely predictive of the risk outcomes that materialised. This retrospective assessment — what the framework was supposed to do and what it actually did — is the most valuable input to the annual review, and it is the input most commonly absent from the process.
Risk appetite, ultimately, is the board's answer to the question: what kind of institution are we building, and what are we willing to risk to build it? That question deserves a genuine answer — one that reflects the board's strategic convictions, the institution's genuine risk capacity, and the regulatory environment in which Swiss private banking operates. The framework is the mechanism through which that answer is translated into governance. Its quality determines whether the board's answer actually shapes the institution's behaviour — or merely describes it.