
Risk “appetite” and risk “tolerance” PDF

42 Pages·2011·1.96 MB·English

Preview Risk “appetite” and risk “tolerance”

Risk Appetite & Tolerance Guidance Paper

Foreword

Risk appetite today is a core consideration in any enterprise risk management approach.

As well as meeting the requirements imposed by corporate governance standards, organisations in all sectors are increasingly being asked by key stakeholders, including investors, analysts and the public, to express clearly the extent of their willingness to take risk in order to meet their strategic objectives.

The Institute of Risk Management, now in its 25th year, has a key role to play in establishing sound practices in this area and building consensus in what has, for too long, been a nebulous subject.

By providing practical advice on how to approach the development and implementation of a risk appetite framework we believe we will be helping boards and senior management teams both to manage their organisations better and to discharge their corporate governance responsibilities more effectively.

We are particularly pleased that a large number of professional bodies are supporting this work – risk is everyone’s business and a common understanding and approach helps us work together to address this challenging area.

Alex Hindson, Chairman, The Institute of Risk Management

While the Financial Reporting Council has kick-started the debate on risk appetite and risk tolerance in the UK, it is a debate that resonates around the world. As an integrated global risk consulting business, I can testify to the fact that our clients are debating risk appetite. That is why we are pleased to support the work of the Institute of Risk Management in moving this debate forward. We look forward to actively engaging with IRM and others in promoting this thought-provoking document and turning risk appetite into a day-by-day reality for boards and risk management professionals around the world.

Larry Rieger, CEO, Crowe Horwath Global Risk Consulting

The Chartered Institute of Internal Auditors welcomes this contribution from the Institute of Risk Management to the debate on risk appetite and risk tolerance. In theory, the idea of deciding how much risk of different types the organisation wishes to take and accept sounds easy. In practice, it is difficult and needs ongoing effort both from those responsible for governance in agreeing what is acceptable and from all levels of management in communicating how much risk they wish to take and in monitoring how much they are actually taking. Anything that stimulates debate on the practical challenges of risk management is to be welcomed.

Jackie Cain, Policy Director, Chartered Institute of Internal Auditors

All successful organisations need to be clear about their willingness to accept risk in pursuit of their goals. Armed with this clarity, boards and management can make meaningful decisions about what actions to take at all levels of the organisation and the extent to which they must deal with the associated risks. But defining and implementing risk appetite is work in progress for many. CIMA therefore warmly welcomes this new guidance from the Institute of Risk Management as a sound foundation for developing best practice on this critical topic.

Gillian Lees, Head of Corporate Governance, Chartered Institute of Management Accountants (CIMA)

This document is an important contribution to a key area of board activity and helpfully addresses one of the issues highlighted in the Financial Reporting Council’s Guidance on Board Effectiveness. ICSA is pleased to support the work started here by IRM, and looks forward to a well-informed debate and some useful conclusions.

Seamus Gillen, Director of Policy, Institute of Chartered Secretaries and Administrators (ICSA)

This paper will be helpful to senior managers in public service organisations who are trying to understand risk appetite in the context of their own strategic and operational decision making. In its recently published Core Competencies in Public Service Risk Management, Alarm identified the need to understand the organisation’s risk appetite and risk tolerance, as part of the key function of identifying, analysing, evaluating and responding to risk. The ‘questions for the boardroom’, set out in this paper, could easily be translated into ‘questions for the public organisation’s senior executive committee’ and as such may be of value to many Alarm members and their organisations.

Dr Lynn T Drennan, Chief Executive, Alarm, the public risk management association

CIPFA is pleased to endorse this work by IRM on risk appetite and tolerance which provides welcome leadership on a challenging subject for both the public and private sectors. We look forward to taking the debate further with our membership in pursuit of our commitment to sound financial management and good governance.

Diana Melville, Governance Adviser, Chartered Institute of Public Finance and Accountancy

This paper sends out a clear statement that the principle of risk appetite emanating from the board is the only effective way to initiate an ERM implementation. Charterhouse Risk Management is delighted to be associated with the launch of this paper after contributing to the consultation process. Our own experience with clients confirms that this approach is not only critical, but that the whole process must be undertaken with a practical rather than theoretical vigour. This is an essential ingredient of our delivery capability. References to ‘appetite’ and ‘hunger’ only reinforce the living nature of the required approach.

Neil Mockett, CTO, Charterhouse Risk Management

Introduction

This guidance paper has been prepared under the overall direction of a working group of the Institute of Risk Management. The group has held a series of meetings supplemented by much virtual debate to explore ideas and agree the direction of the paper. We have had healthy discussions, and given the nature of the topic, there have been areas that have proved contentious. We have presented the outline of the thinking in various meetings and we circulated an early draft of this paper to in excess of fifty individuals. We have also exposed it for a much wider consultation from which we received many responses (see list of people and organisations responding in Appendix B).

Members of the Working Group
• Richard Anderson, deputy chairman of IRM and managing director of Crowe Horwath Global Risk Consulting
• Bill Aujla, CRO at Etisalat
• Gemma Clatworthy, senior risk consultant at Nationwide Building Society
• Roger Garrini, audit manager at Selex Galileo
• Paul Hopkin, director of IRM and technical director of AIRMIC
• Steven Shackleford, senior academic in audit and risk management at Birmingham City University
• John Summers, chief advisor – risk at Rio Tinto
• Carolyn Williams, head of thought leadership at IRM

From this development process, we are confident that we are dealing with a topic that is relevant to many people in many organisations of different types in all sectors and that there is sufficient consensus on issues and approaches emerging to be able to publish this guidance. We know that future editions of this guidance may well be subject to major revisions. That will be a sign of good and healthy progress. It is in that context that we present this paper to assist in boards’ deliberations on the subject of risk appetite and tolerance. The paper consists of an executive summary, which is designed to provide an overview on the subject for general use, particularly by board members, and a more detailed document which is primarily designed to assist those whose task it is to advise boards on these matters.

The full version of this document is available for free download from the website of the IRM and from partner organisations. Printed versions of the executive summary are also available.

The original intent of this paper was in the first instance to provide guidance to directors, risk professionals and others tasked with advising boards on compliance with the part of the UK Corporate Governance Code that states that “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives” (Financial Reporting Council, 2010). However, feedback from the consultation process has shown that there is considerable interest in this topic in the public sector as well as the private sector and beyond the UK. While some specifics might differ, the underlying principles hold true for all sectors and all geographical locations.

We have found that the approach contained in here has far reaching resonance with anyone who is interested in the subject of risk appetite and tolerance. This is not a subject with an untarnished history: most UK banks would have been expected to define their risk appetite, but not a single bank would have said that it wished to court (and in some instances succumb to) oblivion in the form of the financial crisis. We are now poised to move beyond that thinking. Whether it is a matter of setting, monitoring or overseeing risk appetite, this is a subject that has proved to be somewhat elusive - it means many different things to many different people.
For example, some see it as a series of limits, some see it as empowerment, some see it as something that has to be expressed in terms of net risk and others gross. For this reason the subject deserves serious attention. One of the purposes of this document is to begin to provide a common vocabulary for people who wish to discuss this subject both within their organisations, and also in comparing organisations.

In writing this paper, we are conscious that we may appear to have come at this originally from a UK, quoted company-centric perspective and that this is counter to IRM’s broad sectoral appeal and international ethos. In fact, while this guidance was originally written with the UK Corporate Governance Code in mind, comments and revisions arising from the consultation process mean that it is applicable to all sectors in all geographies. We continue to welcome feedback from readers in this regard.

Our objective in writing this document has been to give:
1. A theoretical underpinning to the subject of risk appetite; but
2. More importantly, to provide some guidance for those who need to deal with the subject, either for their corporate governance statements, or, alternatively, simply because they think the discussion would inform the way their organisation is run.

This guidance is not definitive: we do not think that we have written the last word on the subject. Thinking on the subject of risk appetite and risk tolerance will continue to develop and, if, as we hope, this booklet is superseded before too many reporting seasons come and go, then we will know that the concept is beginning to take root.

It is our view that risk appetite, correctly defined, approached and implemented should be a fundamental business concept that could make a substantial difference to how businesses and organisations are run. We fully expect that the initial scepticism about risk appetite will be gradually replaced as boards and executive directors gain greater insight into its usefulness. We also anticipate that analysts will soon be asking chief executives, chairmen and finance directors about risk appetite. After all, this subject is at the heart of the organisation: risk-taking, whether private, public or third sector, whether large or small is what managing an organisation is about. The approach of the new UK Corporate Governance Code represents an opportunity to place risk management, and in particular risk appetite, right at the centre of the debate on effective corporate governance and the role of the board in running organisations.

We would like to know whether or not the approach in this paper has been helpful to you as you work through the ramifications of risk appetite and risk tolerance in your own organisation. Please take the time to tell us so that we can both keep abreast of developments and make sure that we are sharing best practice. At IRM we are passionate about leading the profession, and this is one way that we can do so.

At a personal level, I would like to thank the numerous people who have contributed to this paper, ranging from the working group, through various IRM meetings which debated early versions of the thinking to Carolyn Williams, head of thought leadership at IRM, and of course, all of those people, clients, fellow risk professionals, internal auditors, and many, many others, who have discussed this subject with all of the members of the Working Group. I am, of course, particularly pleased that other professional bodies of considerable repute agree sufficiently with our approach to put their names also to this document.

Richard Anderson, Deputy Chairman, The Institute of Risk Management
September 2011

About IRM

The Institute of Risk Management (IRM) is the world’s leading enterprise risk management education Institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals. We provide qualifications, short courses and events at a range of levels from introductory to board level and support risk professionals by providing the skills and tools needed to deal with the demands of a constantly changing, sophisticated and challenging business environment. We operate internationally with members and students in over 90 countries, drawn from a variety of risk-related disciplines and a wide range of industries in the private, third and public sectors.

About the Author

Richard Anderson, the principal author of this booklet, is Deputy Chairman of IRM. Richard is also Managing Director of Crowe Horwath Global Risk Consulting in the UK. A Chartered Accountant, and formerly a partner at a big-4 practice, Richard has also run his own GRC practice for seven of the last ten years. Richard has been professionally involved with risk management since the mid-nineties and has broad industry sector experience. He wrote a report for the OECD on Corporate Risk Management in the banking sector in the UK, the USA and France. He is a regular speaker at conferences and contributes to many journals on risk management and governance issues.
Contents

Introduction
About IRM
About the Author
Executive Summary
  Principles and approach
  Risk appetite and performance
  Putting it into practice
  Five tests for risk appetite frameworks
  Questions for the boardroom
I Background
  The UK Corporate Governance Code
  Risk appetite and risk tolerance
  A word of caution
  Key terms and phrases
  Background - questions for the boardroom
II Designing a risk appetite
  Risk capacity
  Risk management maturity
  Multiple risk appetites
  Risk culture
  Key terms and phrases
  Designing a risk appetite - questions for the boardroom
III Constructing a risk appetite
  Levels of risk appetite
  Strategic
  Risk taxonomies
  Tactical
  Project or operational
  Propensity to take risk
  Propensity to exercise control
  Balanced risk
  Risk management clockspeed
  Control issues
  Measurement
  Strategic
  Tactical and operational
  Data
  Constructing a risk appetite - questions for the boardroom
IV Implementing a risk appetite
  Sketch
  Stakeholder engagement
  Develop
  Approve
  Implement
  Report
  Review
  Implementing a risk appetite - questions for the boardroom
V Governing a risk appetite
  Governing risk appetite - questions for the boardroom
VI The journey is not over
  The journey is not yet over - final questions for the boardroom
Bibliography
Appendix A: Determining the risks the board is willing to take
  Responsibilities for risk taking
  Process for managing risk taking
Appendix B: List of respondents to consultation

Table of Figures

Figure 1 - Performance over time
Figure 2 - Possible outcomes
Figure 3 - Risk Universe
Figure 4 - Risk Tolerance
Figure 5 - Risk Appetite
Figure 6 - Risk Appetite in Context
Figure 7 - Risk Culture Diagnostic
Figure 8 - Risk Appetite - Main Issues
Figure 9 - Shareholder Value Model (1)
Figure 10 - Shareholder Value Model (2)
Figure 11 - Shareholder Value Model (3)
Figure 12 - Stages of Development of Risk Appetite
Figure 13 - Governing a Risk Appetite

Executive Summary

“It is often said that no company can make a profit without taking a risk. The same is true for all organisations: no organisation, whether in the private, public or third sector can achieve its objectives without taking risk. The only question is how much risk do they need to take? And yet taking risks without consciously managing those risks can lead to the downfall of organisations. This is the challenge that has been highlighted by the latest UK Corporate Governance Code issued by the Financial Reporting Council in 2010.”

Principles and approach

The following key principles have underpinned our work on risk appetite:

1. Risk appetite can be complex. Excessive simplicity, while superficially attractive, leads to dangerous waters: far better to acknowledge the complexity and deal with it, rather than ignoring it.

2. Risk appetite needs to be measurable. Otherwise there is a risk that any statements become empty and vacuous. We are not promoting any individual measurement approach but fundamentally it is important that directors should understand how their performance drivers are impacted by risk. Shareholder value may be an appropriate starting point for some private organisations, stakeholder value or ‘Economic Value Added’ may be appropriate for others. We also anticipate more use of key risk indicators and key control indicators which should be readily available inside or from outside the organisation. Relevant and accurate data is vital for this process and we urge directors to ensure that there is the same level of data governance over these indicators as there would be over routine accounting data.

3. Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute to this whole development.

4. Risk appetite should be developed in the context of an organisation’s risk management capability, which is a function of risk capacity and risk management maturity. Risk management remains an emerging discipline and some organisations, irrespective of size or complexity, do it much better than others. This is in part due to their risk management culture (a subset of the overall culture), partly due to their systems and processes, and partly due to the nature of their business. However, until an organisation has a clear view of both its risk capacity and its risk management maturity it cannot be clear as to what approach would work or how it should be implemented.

5. Risk appetite must take into account differing views at a strategic, tactical and operational level. In other words, while the UK Corporate Governance Code envisages a strategic view of risk appetite, in fact risk appetite needs to be addressed throughout the organisation for it to make any practical sense.

6. Risk appetite must be integrated with the control culture of the organisation. Our framework explores this by looking at both the propensity to take risk and the propensity to exercise control. The framework promotes the idea that the strategic level is proportionately more about risk taking than exercising control, while at the operational level the proportions are broadly reversed. Clearly the relative proportions will depend on the organisation itself, the nature of the risks it faces and the regulatory environment within which it operates.

Risk and control

We think that this dual focus on taking risk and exercising control is both innovative and critical to a proper understanding of risk appetite and risk tolerance. The innovation is not in looking at risk and control – all boards do that. The innovation is in looking at the interaction of risk and control as part of determining risk appetite. Proportionately more time is likely to be spent on risk taking at a strategic level than at an operational level, where the focus is more likely to be on the exercise of control. One word of caution though, we are not equating strategy with board level and operations with lower levels of the organisation. A board will properly want to know that its operations are under control as much as it wants to oversee the development and implementation of strategy. In the detailed paper we have included a few suggestions as to how boards might like to consider these dual responsibilities. Above all, we are very much focused on the need to take risk as much as the traditional pre-occupation of many risk management programmes, which is the avoidance of harm.

Risk appetite and performance

Our view is that both risk appetite and risk tolerance are inextricably linked to performance over time. We believe that while risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with.

Organisations have to take some risks and they have to avoid others. The big question that all organisations have to ask themselves is: just what does successful performance look like? This question might be easier to answer for a listed company than for a government department, but can usefully be asked by boards in all sectors.

The illustrations on these pages show the relationship between risk appetite, tolerance and performance. Diagram 1 shows the expected direction of performance over the coming period. Diagram 2 illustrates the range of performance depending on whether risks (or opportunities) materialise. The remaining diagrams demonstrate the difference between:
• all the risks that the organisation might face (the “risk universe” - diagram 3)
• those that, if push comes to shove, they might just be able to put up with (the “risk tolerance” - diagram 4) and
• those risks that they actively wish to engage with (the “risk appetite” - diagram 5).

Risk tolerance can be expressed in terms of absolutes, for example “we will not expose more than x% of our capital to losses in a certain line of business” or “we will not deal with certain types of customer”.

Risk appetite, by contrast is about what the organisation does want to do and how it goes about it. It therefore becomes the board’s responsibility to define this all-important part of the risk management system and to ensure that the exercise of risk management throughout the organisation is consistent with that appetite, which needs to remain within the outer boundaries of the risk tolerance. Different boards, in different circumstances, will take different views on the relative importance of appetite and tolerance. We believe that the appetite will be smaller than the tolerance in the vast majority of cases, and that in turn will be smaller than the risk universe, which in any case will include “unknown unknowns”.
[Diagrams 1 to 5: performance plotted against time, from t0 to t1. Diagram 1: current direction of travel for performance. Diagram 2: where you might get to if some “good” things happen and where you might get to if some “bad” things happen. Diagram 3: risk universe. Diagram 4: risk tolerance. Diagram 5: risk appetite.]

Putting it into practice

We have sought to develop an approach to risk appetite that:
• is theoretically sound (but the theory can quickly disappear into the background)
• is practical and pragmatic: we do not want to create a bureaucracy, rather we are looking to help find solutions that can work for organisations of all shapes and sizes
• will make a difference.

Boardroom debate - we suspect that in the early days particularly, a successful approach to reviewing risk appetite and risk tolerance in the boardroom will necessarily lead to some tensions. In other words we think that it should make a difference to the decisions that are made, otherwise it will diminish into a mere tick-box activity – and nobody needs any more of those in the board room. It is essential that the approach that we are setting out in the detailed guidance can and should be tailored to the needs and maturity of the organisation: it is not a one-size-fits-all approach.

Consultation - in our paper we have set out an illustrative process for the development of an approach to risk appetite. This includes appropriate consultation with those external and internal stakeholders, with whom the board believes it appropriate to consult on this matter. It also includes a review process by the board, or an appropriate committee of the board, and finally it includes a review process at the end of the cycle so that appropriate lessons can be learned.

Risk Committees - in his 2009 Review of Corporate Governance in UK Banks and Other Financial Industry Entities, Sir David Walker recommended that financial services organisations should make use of board risk committees. The Economic Affairs Committee of the House of Lords recently suggested that large organisations in other sectors should also consider creating such committees. We think that the creation and monitoring of approaches to risk appetite and risk tolerance should be high on the agenda of these committees. In the detailed document, we have included a brief section on the role of the board or risk committee: we are suggesting that governance needs to be exercised over the framework at four key points: approval, measurement, monitoring and learning.

Flexibility - all of this needs to be carried out with the basic precept in mind that risk appetite can and will change over time (as, for example, the economy shifts from boom to bust, or as cash reserves fall). In other words, breaches of risk appetite may well reflect a need to reconsider the risk appetite part way through a reporting cycle as well as a more regular review on an annual cycle. Rapid changes in circumstances, for example as were witnessed during the financial crisis in 2008-9, might also indicate a need for an organisation to re-appraise its risk appetite. In a fast changing economic climate, it is especially important for firms to have not only a clearly defined strategy, but also a clearly articulated risk appetite framework so that they are able to react quickly to the challenges and opportunities presented during such times.

Five tests for risk appetite frameworks

In summary, there are five tests that Directors should apply in reviewing their organisation’s risk appetite statement:

1. Do the managers making decisions understand the degree to which they (individually) are permitted to expose the organisation to the consequences of an event or situation? Any risk appetite statement needs to be practical, guiding managers to make risk-intelligent decisions.

2. Do the executives understand their aggregated and interlinked level of risk so they can determine whether it is acceptable or not?

3. Do the board and executive leadership understand the aggregated and interlinked level of risk for the organisation as a whole?

4. Are both managers and executives clear that risk appetite is not constant? It changes as the environment and business conditions change. Anything approved by the board must have some flexibility built in.

5. Are risk decisions made with full consideration of reward? The risk appetite framework needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward.

We believe that by following the guidance set out in detail in our document, directors will be able to be confident that they can pass all of those five tests.

“The risk appetite statement is generally considered the hardest part of any Enterprise Risk Management implementation. However, without clearly defined, measurable tolerances the whole risk cycle and any risk framework is arguably at a halt.”
Jill Douglas, Head of Risk, Charterhouse Risk Management

Questions for the boardroom

Below we set out some questions that we think boards may want to consider, as part of an iterative process over time, as they develop their approaches to risk appetite and which will enable them to remain at the forefront of the discussion.
One clear outcome from our consultation exercise was that, despite the expected variation in views on the technical aspects of risk appetite, there was a common acceptance of these questions as a useful starting point for board discussion.

Background

1. What are the significant risks the board is willing to take? What are the significant risks the board is not willing to take?
2. What are the strategic objectives of the organisation? Are they clear? What is explicit and what is implicit in those objectives?
3. Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
4. Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
5. What steps has the board taken to ensure oversight over the management of the risks?

Designing a risk appetite

6. Has the board and management team reviewed the capabilities of the organisation to manage the risks that it faces?
7. What are the main features of the organisation’s risk culture in terms of tone at the top? Governance? Competency? Decision making?
8. Does an understanding of risk permeate the organisation and its culture?
9. Is management incentivised for good risk management?
10. How much does the organisation spend on risk management each year? How much does it need to spend?
11. How mature is risk management in the organisation? Is the view consistent at differing levels of the organisation? Is the answer to these questions based on evidence or speculation?

Constructing a risk appetite

12. Does the organisation understand clearly why and how it engages with risks?
13. Is the organisation addressing all relevant risks or only those that can be captured in risk management processes?
14. Does the organisation have a framework for responding to risks?

Implementing a risk appetite

15. Who are the key external stakeholders and have sufficient soundings been taken of their views? Are those views dealt with appropriately in the final documentation?
16. Has the organisation followed a robust approach to developing its risk appetite?
17. Did the risk appetite undergo appropriate approval processes, including at the board (or risk oversight committee)?
18. Is the risk appetite tailored and proportionate to the organisation?
19. What is the evidence that the organisation has implemented the risk appetite effectively?

Governing a risk appetite

20. Is the board satisfied with the arrangements for data governance pertaining to risk management data and information?
21. Has the board played an active part in the approval, measurement, monitoring and learning from the risk appetite process?
22. Does the board have, or does it need, a risk committee to, inter alia, oversee the development and monitoring of the risk appetite framework?

The journey is not over - final thoughts

23. What needs to change for next time round?
24. Does the organisation have sufficient and appropriate resources and systems?
25. What difference did the process make and how would we like it to have an impact next time round?

Hungry for risk?

The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not always helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of ‘fight or flight’ responses to perceived risks. Most animals, including human beings, have a ‘fight or flight’ response to risk. In humans this can be over-ruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. However, since these instincts are not “hardwired” in our corporate “nervous and sensory” systems we use risk management as a surrogate.

Description:
approach. Neil Mockett. CTO. Charterhouse Risk Management. This paper will be helpful to senior managers in public service organisations who are has substantially removed references to risk appetite to bring it in line with. ISO31000. This leaves something of a vacuum on the subject, which this.