Developing Your Risk Appetite

William C. Hord
V.P. of Enterprise Risk Management Services
March 26, 2017
Solutions Track 6: 4:00pm – 5:00pm

Enterprise Risk Management; Vendor Management; Business Continuity; IT GRC; Internal Audit; Regulatory Compliance Manager; Complaint Management.

Definition of Enterprise Risk Management (ERM)
The Committee of Sponsoring Organizations of the Treadway Commission (COSO): Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Enterprise Risk Management – Integrated Framework, © 2004 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. http://www.coso.org/ermupdate.html

Definition of Risk Capacity
Risk Capacity working definition: The maximum level of risk at which a company can operate, while remaining within constraints implied by capital and funding needs and its obligations to stakeholders in pursuit of its objectives.

Definition of Risk Profile
Risk Profile working definition: The company's entire risk landscape, reflecting the nature and scale of its risk exposures aggregated within and across each relevant risk category.

Definition of Risk Appetite
Risk Appetite working definition: The risk a company is willing to take in the pursuit of its strategic objectives.

Definition of Risk Tolerance
Risk Tolerance working definition: The level of risk which, if breached by the company's risk profile, would require immediate escalation and corrective action.

Definition of Risk Appetite Trigger
Risk Appetite Trigger working definition: The level at which escalation occurs to a committee or level of authority because the risk profile is sufficiently close to the risk tolerance that corrective action should be considered.
Definition of Risk Appetite Statement
Risk Appetite Statement working definition: A company's risk appetite should be articulated and communicated so that employees understand the need to pursue objectives within acceptable limits.

Risk Appetite Benefits
• Enhanced Reputation;
• Improved Compliance;
• Improved Governance;
• Shareholder Protections;
• Improved Business Performance;
• Promote a Risk Awareness Culture;
• Aligning Risks to Strategic Objectives;
• Enhanced Risk-Based Decision Making;
• Optimized Spending for Increased Value;
• Meet Regulatory and Audit Expectations;
• Determination of How Much Risk to Take;
• Guide and Inform Strategic Planning and Budgeting; and
• Translate Board Strategy into Business Unit Strategy and Objectives.

Risk Appetite Considerations
COSO outlines four considerations that need to be taken into account when determining the risk appetite of the company:
1. Existing Risk Profile: What are the current risks across the company in the various risk categories?
2. Risk Capacity: How much risk is the company able to handle in order to achieve its objectives?
3. Risk Tolerance: What is the acceptable level of deviation the company is willing to accept in achieving its goals?
4. Attitudes Towards Risk: What is the risk culture in the company?
Enterprise Risk Management: Understanding and Communicating Risk Appetite, 2012, © Dr. Larry Rittenberg and Frank Martens, research commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved.

Risk Appetite – Qualitative & Quantitative
A mixture of BOTH:
• Qualitative: Compliance; Reputation; and Strategic.
• Quantitative: Capital; Credit; Interest Rate; and Liquidity.
Risk Acceptance scale, each level expressed as a dollar amount and/or a percentage: Low ($/%), Low-Med ($$/%), Medium ($$$/%), Med-High ($$$$/%), High ($$$$$/%).
Each risk category (Capital, Compliance, Credit, Interest Rate, Liquidity, Reputation, Strategic) is marked with an X at one level on that scale.
Others could include: Concentration – Credit and/or Investments; Price/Market; Operational – General / Technology / Third Party / Information Security, etc.
Risk Appetite Process & Checklist
Define Your Risk Capacity:
What is your overall ability to absorb potential losses?
What are your cash and cash equivalents available to meet liquidity demands, and what capital and reserves are available to cover potential losses?
Determine the maximum capacity limit for use in the risk appetite process.

Risk Appetite Process & Checklist
Define Strategic Objectives:
Sample Strategic Objectives:
1. Earnings Growth;
2. Shareholder Returns;
3. Maintain the Return on Equity;
4. Retain a Skilled and Qualified Workforce; and
5. Capital Adequacy / External Credit Ratings.
Include a business plan outlining how the business intends to meet its objectives and stakeholder expectations.
Include capital management plans outlining capital requirements for achieving strategic objectives.

Risk Appetite Process & Checklist
Define Current and Proposed Risks Within Strategic Objectives, Business and Capital Plans:
Risk Categories:
• Strategic;
• Operational;
• Compliance; and
• Financial/Reporting.
Risks That Are Acceptable;
Risks That Are Unacceptable;
Determine Total Aggregate Risk Profile;
Potential Risks to Achieving Strategic Objectives;
Current Risk Being Taken Related to Risk Capacity.
Determine the total of unexpected losses that the company is willing to accept in the event a risk materializes.
Determine the available capital between the risk capacity and the aggregate risk profile, including provision for unexpected losses.
The risk appetite of the company will determine the size of the capital required. The company has to balance its availability of capital against its cost of capital. The strategic objectives, if clearly articulated, should provide a strong guideline for the level of anticipated risk appetite.

Risk Appetite Process & Checklist
Determine and Create Risk Tolerances:
Having determined the capital available to withstand risks and the current level of risk exposure, the next step is the identification of tolerance ranges for specific risks (to ensure the appetite remains within the bounds of the capital management and/or business plan).
Risk tolerances are the typical measures of risk used to monitor exposure compared with the stated risk appetite. In practice they enable the high-level risk appetite to be broken down and communicated in measures that are actionable at the business unit level.
Developing risk tolerances helps to ensure that appropriate reporting and monitoring processes can be put in place for the effective management of these risks. As such, these thresholds should be clearly articulated and measurable.

Risk Appetite Process & Checklist
Create and Approve Risk Appetite Statement:
Create a formalized Risk Appetite Statement utilizing the information determined from the process;
Provide to the Board for final approval.

Risk Appetite Process & Checklist
Communicate Risk Appetite Statement:
Determine the best way to communicate risk appetite.
Three main approaches for communicating risk appetite:
1. Expressing overall risk appetite using broad statements;
2. Expressing risk appetite for each major class of organizational objectives; and
3. Expressing risk appetite for different categories of risk.
Be specific enough that operational leaders can monitor whether risks are being managed within risk appetite.

Risk Appetite Process & Checklist
Monitoring and Updating Risk Appetite:
Management, with board support, must revisit and reinforce Risk Appetite;
It cannot be set once and then left alone for extended periods;
It must be reviewed and incorporated into decisions about how the company operates (especially important if the company's business model begins to change);
Management should monitor the company's activities for consistency with risk appetite through the specifics identified with risk tolerances;
Use key performance risk metrics to measure performance by integrating risk tolerances into the monitoring process used to evaluate performance; and
Internal auditing can provide independent insight on the effectiveness of monitoring processes.
Risk Appetite Example
[Figure: a scale from Risk Capacity at the low end to Risk Capacity at the high end, marked with Low Tolerance, Low Tolerance Risk Appetite Trigger, Risk Appetite ("Sweet Spot"), High Tolerance Risk Appetite Trigger and High Tolerance. Zones, from low to high:]
• Risk Profile is less than the Low Tolerance limit: Corrective action must be taken immediately. (ACTION)
• Risk Profile is within the Low Tolerance limit: Corrective action discussions required.
• "Sweet Spot": Risk Profile functioning as expected.
• Risk Profile is within the High Tolerance limit: Corrective action discussions required.
• Risk Profile is more than the High Tolerance limit: Corrective action must be taken immediately. (ACTION)

Board and Management Responsibilities
1. Management establishes risk appetite;
2. Board oversees risk appetite;
3. Applies throughout the organization;
4. Aligns with stakeholders and managers;
5. Manages risks and risk appetite over time;
6. Monitors to ensure adherence to risk appetite;
7. Supports culture;
8. Considers resources;
9. Communicates through strategies and objectives; and
10. Clearly communicates how much risk the organization is willing to accept at all levels.