Financial institutions, having to focus on risk regulation, often end up being content with identifying risk and maybe engaging in some mitigation measures after a significant mishap has occurred or when regulatory authorities get nervous. Keeping potential impacts within risk capacity limits becomes the key. However, whilst this keeps everybody in their jobs most of the time, it does not lead to risk optimization.
We detail a framework for handling identified risks, highlighting the measures that are apt to merely satisfy regulators and the measures that fully take into account tail risks as well as routine risks, and the costs and benefits of controls. We also highlight the measures that merely consist of blindly throwing resources at risks. This framework can be applied to market risk and credit risk, where risks and rewards are mostly proportional to the volume of activities, and to operational risks, where the relationships between activities and risks can be less clear.
Using the whole set of risk management tools, financial institutions can aim at a better understanding of potential profits and risks, likelihoods and potential impact, and hence be able to take the right amount of the risks that need to be taken, within their own risk appetite.
Both terms are often used interchangeably. However, there are critical differences, which are all too often neglected.