Risk Appetite & Tolerance
Guidance Paper
Foreword

Risk appetite today is a core consideration in any enterprise risk management approach.

As well as meeting the requirements imposed by corporate governance standards, organisations in all sectors are increasingly being asked by key stakeholders, including investors, analysts and the public, to express clearly the extent of their willingness to take risk in order to meet their strategic objectives.

The Institute of Risk Management, now in its 25th year, has a key role to play in establishing sound practices in this area and building consensus in what has, for too long, been a nebulous subject.

By providing practical advice on how to approach the development and implementation of a risk appetite framework we believe we will be helping boards and senior management teams both to manage their organisations better and to discharge their corporate governance responsibilities more effectively.

We are particularly pleased that a large number of professional bodies are supporting this work – risk is everyone’s business and a common understanding and approach helps us work together to address this challenging area.

Alex Hindson
Chairman
The Institute of Risk Management

While the Financial Reporting Council has kick-started the debate on risk appetite and risk tolerance in the UK, it is a debate that resonates around the world. As an integrated global risk consulting business, I can testify to the fact that our clients are debating risk appetite. That is why we are pleased to support the work of the Institute of Risk Management in moving this debate forward. We look forward to actively engaging with IRM and others in promoting this thought-provoking document and turning risk appetite into a day-by-day reality for boards and risk management professionals around the world.

Larry Rieger
CEO, Crowe Horwath Global Risk Consulting




The Chartered Institute of Internal Auditors welcomes this contribution from the Institute of Risk Management to the debate on risk appetite and risk tolerance. In theory, the idea of deciding how much risk of different types the organisation wishes to take and accept sounds easy. In practice, it is difficult and needs ongoing effort both from those responsible for governance in agreeing what is acceptable and from all levels of management in communicating how much risk they wish to take and in monitoring how much they are actually taking. Anything that stimulates debate on the practical challenges of risk management is to be welcomed.

Jackie Cain
Policy Director
Chartered Institute of Internal Auditors

All successful organisations need to be clear about their willingness to accept risk in pursuit of their goals. Armed with this clarity, boards and management can make meaningful decisions about what actions to take at all levels of the organisation and the extent to which they must deal with the associated risks. But defining and implementing risk appetite is work in progress for many. CIMA therefore warmly welcomes this new guidance from the Institute of Risk Management as a sound foundation for developing best practice on this critical topic.

Gillian Lees
Head of Corporate Governance
Chartered Institute of Management Accountants (CIMA)

This document is an important contribution to a key area of board activity and helpfully addresses one of the issues highlighted in the Financial Reporting Council’s Guidance on Board Effectiveness. ICSA is pleased to support the work started here by IRM, and looks forward to a well-informed debate and some useful conclusions.

Seamus Gillen
Director of Policy
Institute of Chartered Secretaries and Administrators (ICSA)




This paper will be helpful to senior managers in public service organisations who are trying to understand risk appetite in the context of their own strategic and operational decision making. In its recently published Core Competencies in Public Service Risk Management, Alarm identified the need to understand the organisation’s risk appetite and risk tolerance, as part of the key function of identifying, analysing, evaluating and responding to risk. The ‘questions for the boardroom’, set out in this paper, could easily be translated into ‘questions for the public organisation’s senior executive committee’ and as such may be of value to many Alarm members and their organisations.

Dr Lynn T Drennan
Chief Executive
Alarm, the public risk management association

CIPFA is pleased to endorse this work by IRM on risk appetite and tolerance which provides welcome leadership on a challenging subject for both the public and private sectors. We look forward to taking the debate further with our membership in pursuit of our commitment to sound financial management and good governance.

Diana Melville
Governance Adviser
Chartered Institute of Public Finance and Accountancy

This paper sends out a clear statement that the principle of risk appetite emanating from the board is the only effective way to initiate an ERM implementation. Charterhouse Risk Management is delighted to be associated with the launch of this paper after contributing to the consultation process. Our own experience with clients confirms that this approach is not only critical, but that the whole process must be undertaken with a practical rather than theoretical vigour. This is an essential ingredient of our delivery capability. References to ‘appetite’ and ‘hunger’ only reinforce the living nature of the required approach.

Neil Mockett
CTO
Charterhouse Risk Management




Introduction

This guidance paper has been prepared under the overall direction of a working group of the Institute of Risk Management. The group has held a series of meetings supplemented by much virtual debate to explore ideas and agree the direction of the paper. We have had healthy discussions, and given the nature of the topic, there have been areas that have proved contentious. We have presented the outline of the thinking in various meetings and we circulated an early draft of this paper to in excess of fifty individuals. We have also exposed it for a much wider consultation from which we received many responses (see list of people and organisations responding in Appendix B).

From this development process, we are confident that we are dealing with a topic that is relevant to many people in many organisations of different types in all sectors and that there is sufficient consensus on issues and approaches emerging to be able to publish this guidance. We know that future editions of this guidance may well be subject to major revisions. That will be a sign of good and healthy progress. It is in that context that we present this paper to assist in boards’ deliberations on the subject of risk appetite and tolerance. The paper consists of an executive summary, which is designed to provide an overview on the subject for general use, particularly by board members, and a more detailed document which is primarily designed to assist those whose task it is to advise boards on these matters.

The full version of this document is available for free download from the website of the IRM and from partner organisations. Printed versions of the executive summary are also available.

The original intent of this paper was in the first instance to provide guidance to directors, risk professionals and others tasked with advising boards on compliance with the part of the UK Corporate Governance Code that states that “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives” (Financial Reporting Council, 2010). However, feedback from the consultation process has shown that there is considerable interest in this topic in the public sector as well as the private sector and beyond the UK. While some specifics might differ, the underlying principles hold true for all sectors and all geographical locations.

We have found that the approach contained in here has far reaching resonance with anyone who is interested in the subject of risk appetite and tolerance. This is not a subject with an untarnished history: most UK banks would have been expected to define their risk appetite, but not a single bank would have said that it wished to court (and in some instances succumb to) oblivion in the form of the financial crisis. We are now poised to move beyond that thinking. Whether it is a matter of setting, monitoring or overseeing risk appetite, this is a subject that has proved to be somewhat elusive - it means many different things to many different people. For example, some see it as a series of limits, some see it as empowerment, some see it as something that has to be expressed in terms of net risk and others gross. For this reason the subject deserves serious attention. One of the purposes of this document is to begin to provide a common vocabulary for people who wish to discuss this subject both within their organisations, and also in comparing organisations.

In writing this paper, we are conscious that we may appear to have come at this originally from a UK, quoted company-centric perspective and that this is counter to IRM’s broad sectoral appeal and international ethos. In fact, while this guidance was originally written with the UK Corporate Governance Code in mind, comments and revisions arising from the consultation process mean that it is applicable to all sectors in all geographies. We continue to welcome feedback from readers in this regard.

Our objective in writing this document has been to give:

1. A theoretical underpinning to the subject of risk appetite; but
2. More importantly, to provide some guidance for those who need to deal with the subject, either for their corporate governance statements, or, alternatively, simply because they think the discussion would inform the way their organisation is run.

This guidance is not definitive: we do not think that we have written the last word on the subject. Thinking on the subject of risk appetite and risk tolerance will continue to develop and, if, as we hope, this booklet is superseded before too many reporting seasons come and go, then we will know that the concept is beginning to take root.

It is our view that risk appetite, correctly defined, approached and implemented should be a fundamental business concept that could make a substantial difference to how businesses and organisations are run. We fully expect that the initial scepticism about risk appetite will be gradually replaced as boards and executive directors gain greater insight into its usefulness. We also anticipate that analysts will soon be asking chief executives, chairmen and finance directors about risk appetite. After all, this subject is at the heart of the organisation: risk-taking, whether private, public or third sector, whether large or small is what managing an organisation is about. The approach of the new UK Corporate Governance Code represents an opportunity to place risk management, and in particular risk appetite, right at the centre of the debate on effective corporate governance and the role of the board in running organisations.

We would like to know whether or not the approach in this paper has been helpful to you as you work through the ramifications of risk appetite and risk tolerance in your own organisation. Please take the time to tell us so that we can both keep abreast of developments and make sure that we are sharing best practice. At IRM we are passionate about leading the profession, and this is one way that we can do so.

At a personal level, I would like to thank the numerous people who have contributed to this paper, ranging from the working group, through various IRM meetings which debated early versions of the thinking to Carolyn Williams, head of thought leadership at IRM, and of course, all of those people, clients, fellow risk professionals, internal auditors, and many, many others, who have discussed this subject with all of the members of the Working Group. I am, of course, particularly pleased that other professional bodies of considerable repute agree sufficiently with our approach to put their names also to this document.

Richard Anderson
Deputy Chairman
The Institute of Risk Management
September 2011

Members of the Working Group

Richard Anderson, deputy chairman of IRM and managing director of Crowe Horwath Global Risk Consulting
Bill Aujla, CRO at Etisalat
Gemma Clatworthy, senior risk consultant at Nationwide Building Society
Roger Garrini, audit manager at Selex Galileo
Paul Hopkin, director of IRM and technical director of AIRMIC
Steven Shackleford, senior academic in audit and risk management at Birmingham City University
John Summers, chief advisor – risk at Rio Tinto
Carolyn Williams, head of thought leadership at IRM




About IRM

The Institute of Risk Management (IRM) is the world’s leading enterprise risk management education Institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals. We provide qualifications, short courses and events at a range of levels from introductory to board level and support risk professionals by providing the skills and tools needed to deal with the demands of a constantly changing, sophisticated and challenging business environment. We operate internationally with members and students in over 90 countries, drawn from a variety of risk-related disciplines and a wide range of industries in the private, third and public sectors.

About the Author

Richard Anderson, the principal author of this booklet, is Deputy Chairman of IRM. Richard is also Managing Director of Crowe Horwath Global Risk Consulting in the UK. A Chartered Accountant, and formerly a partner at a big-4 practice, Richard has also run his own GRC practice for seven of the last ten years. Richard has been professionally involved with risk management since the mid-nineties and has broad industry sector experience. He wrote a report for the OECD on Corporate Risk Management in the banking sector in the UK, the USA and France. He is a regular speaker at conferences and contributes to many journals on risk management and governance issues.


Contents

Introduction
    About IRM
    About the Author

Executive Summary
    Principles and approach
    Risk appetite and performance
    Putting it into practice
    Five tests for risk appetite frameworks
    Questions for the boardroom

I Background
    The UK Corporate Governance Code
    Risk appetite and risk tolerance
    A word of caution
    Key terms and phrases
    Background - questions for the boardroom

II Designing a risk appetite
    Risk capacity
    Risk management maturity
    Multiple risk appetites
    Risk culture
    Key terms and phrases
    Designing a risk appetite - questions for the boardroom

III Constructing a risk appetite
    Levels of risk appetite
    Strategic
    Risk taxonomies
    Tactical
    Project or operational
    Propensity to take risk
    Propensity to exercise control
    Balanced risk
    Risk management clockspeed
    Control issues
    Measurement
    Strategic
    Tactical and operational
    Data
    Constructing a risk appetite - questions for the boardroom

IV Implementing a risk appetite
    Sketch
    Stakeholder engagement
    Develop
    Approve
    Implement
    Report
    Review
    Implementing a risk appetite - questions for the boardroom

V Governing a risk appetite
    Governing risk appetite - questions for the boardroom

VI The journey is not over
    The journey is not yet over - final questions for the boardroom

Bibliography

Appendix A: Determining the risks the board is willing to take
    Responsibilities for risk taking
    Process for managing risk taking

Appendix B: List of respondents to consultation

Table of Figures

Figure 1 - Performance over time
Figure 2 - Possible outcomes
Figure 3 - Risk Universe
Figure 4 - Risk Tolerance
Figure 5 - Risk Appetite
Figure 6 - Risk Appetite in Context
Figure 7 - Risk Culture Diagnostic
Figure 8 - Risk Appetite - Main Issues
Figure 9 - Shareholder Value Model (1)
Figure 10 - Shareholder Value Model (2)
Figure 11 - Shareholder Value Model (3)
Figure 12 - Stages of Development of Risk Appetite
Figure 13 - Governing a Risk Appetite




Executive Summary

Principles and approach

The following key principles have underpinned our work on risk appetite:

1. Risk appetite can be complex. Excessive simplicity, while superficially attractive, leads to dangerous waters: far better to acknowledge the complexity and deal with it, rather than ignoring it.
2. Risk appetite needs to be measurable. Otherwise there is a risk that any statements become empty and vacuous. We are not promoting any individual measurement approach but fundamentally it is important that directors should understand how their performance drivers are impacted by risk. Shareholder value may be an appropriate starting point for some private organisations, stakeholder value or ‘Economic Value Added’ may be appropriate for others. We also anticipate more use of key risk indicators and key control indicators which should be readily available inside or from outside the organisation. Relevant and accurate data is vital for this process and we urge directors to ensure that there is the same level of data governance over these indicators as there would be over routine accounting data.
3. Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute to this whole development.
4. Risk appetite should be developed in the context of an organisation’s risk management capability, which is a function of risk capacity and risk management maturity. Risk management remains an emerging discipline and some organisations, irrespective of size or complexity, do it much better than others. This is in part due to their risk management culture (a subset of the overall culture), partly due to their systems and processes, and partly due to the nature of their business. However, until an organisation has a clear view of both its risk capacity and its risk management maturity it cannot be clear as to what approach would work or how it should be implemented.
5. Risk appetite must take into account differing views at a strategic, tactical and operational level. In other words, while the UK Corporate Governance Code envisages a strategic view of risk appetite, in fact risk appetite needs to be addressed throughout the organisation for it to make any practical sense.
6. Risk appetite must be integrated with the control culture of the organisation. Our framework explores this by looking at both the propensity to take risk and the propensity to exercise control. The framework promotes the idea that the strategic level is proportionately more about risk taking than exercising control, while at the operational level the proportions are broadly reversed. Clearly the relative proportions will depend on the organisation itself, the nature of the risks it faces and the regulatory environment within which it operates.

“It is often said that no company can make a profit without taking a risk. The same is true for all organisations: no organisation, whether in the private, public or third sector can achieve its objectives without taking risk. The only question is how much risk do they need to take? And yet taking risks without consciously managing those risks can lead to the downfall of organisations. This is the challenge that has been highlighted by the latest UK Corporate Governance Code issued by the Financial Reporting Council in 2010.”




Risk and control

We think that this dual focus on taking risk and exercising control is both innovative and critical to a proper understanding of risk appetite and risk tolerance. The innovation is not in looking at risk and control – all boards do that. The innovation is in looking at the interaction of risk and control as part of determining risk appetite. Proportionately more time is likely to be spent on risk taking at a strategic level than at an operational level, where the focus is more likely to be on the exercise of control. One word of caution though, we are not equating strategy with board level and operations with lower levels of the organisation. A board will properly want to know that its operations are under control as much as it wants to oversee the development and implementation of strategy. In the detailed paper we have included a few suggestions as to how boards might like to consider these dual responsibilities. Above all, we are very much focused on the need to take risk as much as the traditional pre-occupation of many risk management programmes, which is the avoidance of harm.




Risk appetite and Performance

Our view is that both risk appetite and risk tolerance are inextricably linked to performance over time. We believe that while risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with.

Organisations have to take some risks and they have to avoid others. The big question that all organisations have to ask themselves is: just what does successful performance look like? This question might be easier to answer for a listed company than for a government department, but can usefully be asked by boards in all sectors.

The illustrations on these pages show the relationship between risk appetite, tolerance and performance. Diagram 1 shows the expected direction of performance over the coming period. Diagram 2 illustrates the range of performance depending on whether risks (or opportunities) materialise. The remaining diagrams demonstrate the difference between:

• all the risks that the organisation might face (the “risk universe” - diagram 3)
• those that, if push comes to shove, they might just be able to put up with (the “risk tolerance” - diagram 4) and
• those risks that they actively wish to engage with (the “risk appetite” - diagram 5).

We believe that the appetite will be smaller than the tolerance in the vast majority of cases, and that in turn will be smaller than the risk universe, which in any case will include “unknown unknowns”.

Risk tolerance can be expressed in terms of absolutes, for example “we will not expose more than x% of our capital to losses in a certain line of business” or “we will not deal with certain types of customer”.

Risk appetite, by contrast is about what the organisation does want to do and how it goes about it. It therefore becomes the board’s responsibility to define this all-important part of the risk management system and to ensure that the exercise of risk management throughout the organisation is consistent with that appetite, which needs to remain within the outer boundaries of the risk tolerance. Different boards, in different circumstances, will take different views on the relative importance of appetite and tolerance.
[Diagrams 1 to 5: each plots Performance against Time, from t0 to t1. Diagram 1: current direction of travel for performance. Diagram 2: where you might get to if some “good” things happen and where you might get to if some “bad” things happen. Diagram 3: Risk Universe. Diagram 4: Risk Tolerance. Diagram 5: Risk Appetite.]
Putting it into practice

We have sought to develop an approach to risk appetite that:

• is theoretically sound (but the theory can quickly disappear into the background)
• is practical and pragmatic: we do not want to create a bureaucracy, rather we are looking to help find solutions that can work for organisations of all shapes and sizes
• will make a difference.

Boardroom debate - we suspect that in the early days particularly, a successful approach to reviewing risk appetite and risk tolerance in the boardroom will necessarily lead to some tensions. In other words we think that it should make a difference to the decisions that are made, otherwise it will diminish into a mere tick-box activity – and nobody needs any more of those in the board room. It is essential that the approach that we are setting out in the detailed guidance can and should be tailored to the needs and maturity of the organisation: it is not a one-size-fits-all approach.

Consultation - in our paper we have set out an illustrative process for the development of an approach to risk appetite. This includes appropriate consultation with those external and internal stakeholders, with whom the board believes it appropriate to consult on this matter. It also includes a review process by the board, or an appropriate committee of the board, and finally it includes a review process at the end of the cycle so that appropriate lessons can be learned.

Risk Committees - in his 2009 Review of Corporate Governance in UK Banks and Other Financial Industry Entities, Sir David Walker recommended that financial services organisations should make use of board risk committees. The Economic Affairs Committee of the House of Lords recently suggested that large organisations in other sectors should also consider creating such committees. We think that the creation and monitoring of approaches to risk appetite and risk tolerance should be high on the agenda of these committees. In the detailed document, we have included a brief section on the role of the board or risk committee: we are suggesting that governance needs to be exercised over the framework at four key points: approval, measurement, monitoring and learning.

Flexibility - all of this needs to be carried out with the basic precept in mind that risk appetite can and will change over time (as, for example, the economy shifts from boom to bust, or as cash reserves fall). In other words, breaches of risk appetite may well reflect a need to reconsider the risk appetite part way through a reporting cycle as well as a more regular review on an annual cycle. Rapid changes in circumstances, for example as were witnessed during the financial crisis in 2008-9, might also indicate a need for an organisation to re-appraise its risk appetite. In a fast changing economic climate, it is especially important for firms to have not only a clearly defined strategy, but also a clearly articulated risk appetite framework so that they are able to react quickly to the challenges and opportunities presented during such times.




Five tests for risk appetite frameworks

“The risk appetite statement is generally considered the hardest part of any Enterprise Risk Management implementation. However, without clearly defined, measurable tolerances the whole risk cycle and any risk framework is arguably at a halt.”
Jill Douglas, Head of Risk, Charterhouse Risk Management

In summary, there are five tests that Directors should apply in reviewing their organisation’s risk appetite statement:

1. Do the managers making decisions understand the degree to which they (individually) are permitted to expose the organisation to the consequences of an event or situation? Any risk appetite statement needs to be practical, guiding managers to make risk-intelligent decisions.
2. Do the executives understand their aggregated and interlinked level of risk so they can determine whether it is acceptable or not?
3. Do the board and executive leadership understand the aggregated and interlinked level of risk for the organisation as a whole?
4. Are both managers and executives clear that risk appetite is not constant? It changes as the environment and business conditions change. Anything approved by the board must have some flexibility built in.
5. Are risk decisions made with full consideration of reward? The risk appetite framework needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward.

We believe that by following the guidance set out in detail in our document, directors will be able to be confident that they can pass all of those five tests.




Questions for the boardroom
Below we set out some questions that we think boards may want to consider, as part
of an iterative process over time, as they develop their approaches to risk appetite and
which will enable them to remain at the forefront of the discussion. One clear outcome
from our consultation exercise was that, despite the expected variation in views on the
technical aspects of risk appetite, there was a common acceptance of these questions as
a useful starting point for board discussion.


Background
1. What are the significant risks the board is willing to take? What are the significant risks the board is not willing to take?
2. What are the strategic objectives of the organisation? Are they clear? What is explicit and what is implicit in those objectives?
3. Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
4. Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
5. What steps has the board taken to ensure oversight over the management of the risks?

Designing a risk appetite
6. Have the board and management team reviewed the capabilities of the organisation to manage the risks that it faces?
7. What are the main features of the organisation’s risk culture in terms of tone at the top? Governance? Competency? Decision making?
8. Does an understanding of risk permeate the organisation and its culture?
9. Is management incentivised for good risk management?
10. How much does the organisation spend on risk management each year? How much does it need to spend?
11. How mature is risk management in the organisation? Is the view consistent at differing levels of the organisation? Is the answer to these questions based on evidence or speculation?

Constructing a risk appetite
12. Does the organisation understand clearly why and how it engages with risks?
13. Is the organisation addressing all relevant risks or only those that can be captured in risk management processes?
14. Does the organisation have a framework for responding to risks?

Implementing a risk appetite
15. Who are the key external stakeholders and have sufficient soundings been taken of their views? Are those views dealt with appropriately in the final documentation?
16. Has the organisation followed a robust approach to developing its risk appetite?
17. Did the risk appetite undergo appropriate approval processes, including at the board (or risk oversight committee)?
18. Is the risk appetite tailored and proportionate to the organisation?
19. What is the evidence that the organisation has implemented the risk appetite effectively?

Governing a risk appetite
20. Is the board satisfied with the arrangements for data governance pertaining to risk management data and information?
21. Has the board played an active part in the approval, measurement, monitoring and learning from the risk appetite process?
22. Does the board have, or does it need, a risk committee to, inter alia, oversee the development and monitoring of the risk appetite framework?

The journey is not over - final thoughts
23. What needs to change for next time round?
24. Does the organisation have sufficient and appropriate resources and systems?
25. What difference did the process make and how would we like it to have an impact next time round?

Hungry for risk?
The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not always helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of ‘fight or flight’ responses to perceived risks. Most animals, including human beings, have a ‘fight or flight’ response to risk. In humans this can be over-ruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. However, since these instincts are not “hardwired” in our corporate “nervous and sensory” systems we use risk management as a surrogate.




I Background
“What is this all about?”


101 In recent years we have witnessed some major risk events ranging from the global financial crisis to the more recent sovereign debt crisis and a large number of natural and meteorological events with major consequential damage and knock-on effects. But the financial crisis of 2008 had many consequences, and raised many questions, not least of which was the question as to why boards failed to see it coming. At the request of the Prime Minister of the day, Sir David Walker carried out a review of the corporate governance of Banks and Other Financial Institutions (“BOFI’s”) and this was followed swiftly by a review of the broader corporate governance landscape in the UK by the Financial Reporting Council (the “FRC”). The FRC made the all-important link between this question and the subject of risk appetite and risk tolerance by inserting reference to these two topics in their draft changes to Section C of the UK Corporate Governance Code (the “Code”) (Financial Reporting Council, 2010). While those very words failed to survive the cut, the concept did survive. Under the newly expanded Section C, a board is explicitly tasked with being responsible for “determining the nature and extent of the significant risks it [the board] is willing to take in achieving its strategic objectives”. This is risk appetite and tolerance by any other name.

102 The rest of this section explores the nature of the words in the Code, and looks at the existing guidance which might help to understand the words.

• Sections II and III of this document look at a proposed new framework of risk appetite and risk tolerance
• Sections IV and V look at the practicalities of implementing and overseeing risk appetite and risk tolerance
• Section VI addresses some of the issues that might require further thought, and
• Appendix A presents a summary of how, in practical terms, a board might go about determining the risks it is willing to take.

Throughout the paper we have indicated questions that could usefully be explored in the boardroom to ensure that the subjects of risk appetite and tolerance are being appropriately addressed.

The UK Corporate Governance Code

103 In its recent update to the UK Corporate Governance Code, the FRC has expanded the section of the Code on Accountability as set out in the box below:

Section C: Accountability

The board should present a balanced and understandable assessment of the company’s position and prospects. The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.

The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting and risk management and internal control principles...




104 This Section is further expanded in the detailed provisions of the Code:

C.1 Financial and Business Reporting

C.1.2 The directors should include in the annual report an explanation of the basis on which the company generates or preserves value over the longer term (the business model) and the strategy for delivering the objectives of the company.

C.2 Risk Management and Internal Control

Main Principle

The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.

Code Provision

C.2.1 The board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to

105 This paper explores the risk management ramifications of these high level statements, and in particular those relating to the “nature and extent of the significant risks [the board] is willing to take in achieving its strategic objectives”. These are the words that replace the references to risk appetite and tolerance in earlier drafts. It is worth noting that this sentence immediately precedes the requirement that “the board should maintain sound risk management and internal control systems”. So we might infer that this is not empty rubric, but rather a matter of substance, especially since Code Provision C.2.1 goes on to require the board “at least annually [to] conduct a review of the effectiveness of the company’s risk management and internal control systems...” To some this sounds like a recipe for Sarbanes-Oxley s404 style work. This is clearly not the intent of the FRC, nor would it be welcomed in most UK boardrooms. However, the fact of this review has to be reported to shareholders. The juxtaposition of the “significant risks” sentence with the requirement to maintain “sound risk management and internal control systems” might lead the reader to surmise that the risk appetite element is one of the reasons that organisations require risk systems. Overall

How has “risk appetite” been used before?

107 Risk appetite is a phrase that is widely used but frequently in different contexts and for different purposes. It is a phrase that for some people conveys poorly its meaning, and in respect of which the meaning is different for different groups of people. Based on the work that was undertaken in writing this paper it was clear that there is little certainty as to what the phrase means, but there seems to be almost unanimity that it could be, and indeed ought to be a useful concept, if only it could be properly expressed. Some people prefer other terms such as risk attitude or risk capacity. As far as we are concerned there is nothing fundamentally wrong in using any of these terms. Suffice it to say that in writing this guidance we are taking a very pragmatic view: risk appetite is the most common phrase that we have come across, it is the one that was used by the FRC in the context of the draft Corporate Governance Code and therefore we would prefer to define this term in a way that begins to make sense for as many people as possible.

108 Given the lack of conformity about the meaning of the phrase, it is worth looking at
                                          this is a radical new departure for the FRC
shareholders that they have done                                                                                the key standards on risk
                                          and introduces a new concept for many
so. The review should cover all                                                                   management, ISO31000 (ISO, 2009) and
                                          directors and boards of non-financial
material controls, including financial,                                                           BS311001 (British Standards, 2008), to see
                                          services organisations.
operational and compliance controls.                                                              what light they shed on the subject.
                                                       As an aside, it seems that the
                                           106         terms “risk appetite” and “risk
                                                                                                  Interestingly ISO31000, the international
                                                                                                  standard, is silent on the subject of risk
                                                       tolerance” have deep                       appetite (focusing instead on ‘risk
                                                       associations with the financial            attitude’ and ‘risk criteria’), although
                                          services industry in some minds, and                    Guide 73 (ISO, 2002) defines risk appetite
                                          attempts to move non-financial services                 as the “amount and type of risk that an
                                          organisations in that direction might have              organisation is willing to pursue or
                                          been difficult. However these words can                 retain.” Some people argue that ISO31000
                                          be seen, for all intents and purposes, as               is silent on the subject of because it is
                                          being indistinguishable from the previous               neither a useful phrase not a meaningful
                                          phrases. While many commentators see                    concept. They therefore focus more on risk
                                          them as inseparable phrases, we focus                   criteria. On the other hand, we believe
                                          predominantly on the concept of risk                    that there is a benefit from exploring
                                          appetite in this paper as a way of                      what we think is turning out to be a
                                          providing guidance to directors and those               useful and meaningful concept.
                                          tasked with advising directors on the
                                          requirements of the Code in so far as they
                                          relate to risk appetite and tolerance.



                                           Definition of Risk Appetite
                                           ISO 31000 / Guide 73                                   BS31100
                                           Amount and type of risk that an                        Amount and type of risk that an
                                           organisation is willing to pursue or retain            organisation is prepared to seek, accept or
                                                                                                  tolerate

                                          1
                                            At the time of writing, this document is undergoing
                                          revision. Nevertheless the approach in the 2008
                                          document has proved most useful for this discussion.


                                                                                                                                             12
109 The original BS31100 contained more detail. It defined risk appetite as the “amount and type of risk that an organisation is prepared to seek, accept or tolerate” – very similar to Guide 73. The standard went on to define risk tolerance (bearing in mind that the definition of risk appetite includes reference to tolerating risk) as an “organisation’s readiness to bear the risk after risk treatments in order to achieve its objectives”. The definition then includes a rider which states: “NOTE: risk tolerance can be limited by legal or regulatory requirements”.

110 Notwithstanding the regular appearance of risk appetite and risk tolerance in the same sentence (or definition in the case of BS31100) it is our belief that risk tolerance is a much simpler concept in that it tends to suggest a series of limits which, depending on the organisation, may either be:

• In the nature of absolute lines drawn in the sand, beyond which the organisation does not wish to proceed; or
• More in the nature of tripwires, that alert the organisation to an impending breach of tolerable risks.

111 We are concerned that this focus treats risk in an unduly negative way, something which we are challenging in this booklet in the sense that there should be a maximum tolerance for risk taking as well as risk avoidance.

112 While neither standard is very informative, it is instructive to see how the “appetite” word or similar words were used in the original BS31100:

Paragraph 3.1 Governance includes a bullet to the effect that the risk management framework should have “defined parameters around the level of risk that is acceptable to the organisation, and thresholds which trigger escalation, review and approval by an authorised person/body.”

Paragraph 3.3.2 Content of the risk management policy has the first explicit reference to risk appetite saying that this should be included in the policy and should outline “the organisation’s risk appetite, thresholds and escalation procedures”

Paragraph 3.8 Risk appetite and risk profile provides a much more comprehensive commentary on risk appetite, which is set out below:

1. “Considering and setting a risk appetite enables an organisation to increase its rewards by optimizing risk taking and accepting calculated risks within an appropriate level of authority
2. “The organisation’s risk appetite should be established and/or approved by the board (or equivalent) and effectively communicated throughout the organisation

113 In conclusion, BS31100 provides some guidance on how to use risk appetite, but it does not (nor did it ever set out to) provide guidance on how to calculate or measure risk appetite, although the standard does suggest the use of “quantitative statements”, without further elaborating. It is interesting to note that the revised version of BS31100 has substantially removed references to risk appetite to bring it in line with ISO31000. This leaves something of a vacuum on the subject, which this guidance seeks to fill.

Risk “appetite” and risk “tolerance”

114 Before we started on this project, it was our belief that we, and more importantly directors and risk professionals, could easily distinguish between risk appetite and risk tolerance and that the former was the more complicated concept. In practice we have found that in many instances these terms are used interchangeably. We think that is conceptually wrong: there is a clear difference between the two. It is also worth noting that in the eyes of some commentators, risk tolerance is the more important concept. While risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with. Without a doubt there will be occasions where an organisation can deal with more risk than it is thought prudent to pursue.

115 The difference can be illustrated in the diagrams on the bottom of this page.

116 Figure 1 shows performance from the current time (t0) to sometime in the future (t1). The line AB shows the current expected direction of travel in terms of performance. Figure 2 shows that in practice this is subject to risks which, should they materialise, could result in performance along the line AC, or to opportunities (positive risks) which could result in performance along the line AD. The potential risk universe or the total risk exposure is shown by the difference between C and D. (see Figure 3)

117 What is clear is that following line AC is not desirable. Less clear is that it might also be undesirable to follow line AD because pursuing it might throw up substantial additional risks. Consequently, there are some risk outcomes for which there is no tolerance, and moreover no tolerance for taking those risks. Moreover, since we are using the generally accepted concept of risk as being potentially positive as well as negative, that suggests that there is a range shown by the triangle AXY (See Figure 4), outside of which the organisation will not tolerate exposure. This is the risk tolerance.

118 On the other hand, our “appetite” for risk is likely to be shown by a narrower band of performance outcomes shown by the triangle AMN.

119 Risk tolerance can therefore be expressed in terms of absolutes: for example “we will not expose more than x% of our capital to losses in a certain line of business”, or “we will not deal with a certain type of customer”. Risk tolerance statements become “lines in the sand” beyond which the organisation will not move without prior board approval.

120 Risk appetite on the other hand is about what the organisation does want to do and how it goes about it. It therefore becomes the board’s responsibility to define this all important part of the risk management system and to ensure that the exercise of risk management and all that entails is consistent with that appetite, which needs to remain within the outer boundaries of the risk tolerance.

121 While we have focused primarily on risk appetite, some entities (such as Government departments) may be more focused on risk tolerance. This in itself becomes a more complicated issue where the risk of insolvency (the ultimate determination of failure for corporates) is absent. Defining success and failure is therefore very important. This is an area where we believe further work is required. What is clear is that different boards in different circumstances will take different views as to which of these two concepts is more important for them at any given time.

Figure 1 - Performance over time (axes: Performance against Time, from t0 to t1; line AB: current direction of travel for performance)
Figure 2 - Possible outcomes (line AD: where you might get to if some “good” things happen; line AC: where you might get to if some “bad” things happen)
Figure 3 - Risk Universe (the range between C and D)
Figure 4 - Risk Tolerance (triangle AXY)
Figure 5 - Risk Appetite (triangle AMN)

A word of caution                                                      Key Terms and Phrases
             The word “appetite” brings connotations of food,                          In this section we have used three key terms which
 122         hunger and satisfying one’s needs. We think that this      124           we will continue to use throughout the document. In
             metaphor is not always helpful in understanding the                      the absence of helpful definitions elsewhere, we are
phrase “risk appetite”. When those two words appear together                          defining them as set out here:
we think it is more appropriate to think in terms of “fight or
flight” responses to perceived risks.                                  Phrase               Meaning
Most animals, including human beings have a “fight or flight”          Risk appetite        The amount of risk that an organisation is
response to risk. In humans this can be over-ruled by our                                   willing to seek or accept in the pursuit of its
cognitive processes. Our interpretation of risk appetite is that it                         long term objectives.
represents a corporate version of exactly the same instincts and
cognitive processes. Except of course, as a legal fiction(as opposed   Risk tolerance       The boundaries of risk taking outside of which
to biological reality) organisations do not have their own brains,                          the organisation is not prepared to venture in
nervous systems, sensory organs and instincts. They ‘borrow’ these                          the pursuit of its long term objectives.
from members of their boards and from their employees.                 Risk universe        The full range of risks which could impact,
                                                                                            either positively or negatively, on the ability
These systems have to be created in terms of interactions of
                                                                                            of the organisation to achieve its long term
people, data systems and management information which enable
                                                                                            objectives.
people in the organisation to act as if they were parts of the same
physical organism.
                                                                                      It is our expectation that for most organisations, the
                                                                        125           risk appetite will be smaller than the boundaries
depicted by its risk tolerance.

Conclusion

123 There are four early conclusions that we have drawn from the work we have undertaken in preparing this guidance:

• The first is that we would benefit from a renewed focus on defining the terms that we are using. We have therefore developed glossaries of key terms and phrases which appear throughout this guidance.

• The second is that setting a risk appetite is only a worthwhile exercise if you, as an organisation, are able to manage the risk to the level at which it is set.

• The third is that there is very little by way of formal guidance on the definition of risk appetite. We have reviewed plenty of documents both from professional organisations and from consulting firms. However, our belief is that this subject remains underdeveloped and the remainder of this booklet aims to play a part in redressing that shortcoming.

• The fourth is that risk appetite can and indeed must change, for example as the economy shifts from boom to bust and back again, or as cash reserves fall. Risk appetite, and indeed risk tolerance, both have a temporal element, which is reflected in the way in which we have discussed the monitoring and governance of risk appetite later in this booklet.

The rest of this document

126 We have set out a route through this topic of risk appetite in the rest of this document under the following main headings:

Section II: Designing a risk appetite
Section III: Constructing a risk appetite
Section IV: Implementing a risk appetite
Section V: Governing a risk appetite
Section VI: The journey is not over

In Section VI we explore some of the issues that we will need to explore as we develop this concept as a boardroom topic over the coming years.

Background - Questions for the Boardroom

• What are the significant risks the board is willing to take? What are the significant risks the board is not willing to take?
• What are the strategic objectives of the organisation? Are they clear? What is explicit and what is implicit in those objectives?
• Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
• Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
• What steps has the board taken to ensure oversight over the management of the risks?




Irm Risk Appetite

  • 1. Risk Appetite & Tolerance Guidance Paper
  • 2. Foreword Risk appetite today is a core By providing practical advice on While the Financial Reporting Council consideration in any enterprise how to approach the development has kick-started the debate on risk risk management approach. and implementation of a risk appetite and risk tolerance in the UK, appetite framework we believe we it is a debate that resonates around As well as meeting the requirements the world. As an integrated global risk will be helping boards and senior imposed by corporate governance consulting business, I can testify to the management teams both to manage standards, organisations in all sectors fact that our clients are debating risk their organisations better and to are increasingly being asked by key appetite. That is why we are pleased discharge their corporate governance stakeholders, including investors, to support the work of the Institute responsibilities more effectively. analysts and the public, to express of Risk Management in moving this clearly the extent of their willingness to We are particularly pleased that a debate forward. We look forward to take risk in order to meet their strategic large number of professional bodies are actively engaging with IRM and others objectives. supporting this work – risk is everyone’s in promoting this thought-provoking business and a common understanding document and turning risk appetite into The Institute of Risk Management, and approach helps us work together a day-by-day reality for boards and risk now in its 25th year, has a key role to to address this challenging area. management professionals around the play in establishing sound practices in this area and building consensus in Alex Hindson world. what has, for too long, been a nebulous Chairman Larry Rieger subject. The Institute of Risk Management CEO, Crowe Horwath Global Risk Consulting 2
  • 3. The Chartered Institute of Internal All successful organisations need to This document is an important Auditors welcomes this contribution be clear about their willingness to contribution to a key area of board from the Institute of Risk Management accept risk in pursuit of their goals. activity and helpfully addresses one of to the debate on risk appetite and Armed with this clarity, boards and the issues highlighted in the Financial risk tolerance. In theory, the idea of management can make meaningful Reporting Council’s Guidance on deciding how much risk of different decisions about what actions to take at Board Effectiveness. ICSA is pleased to types the organisation wishes to take all levels of the organisation and the support the work started here by IRM, and accept sounds easy. In practice, it is extent to which they must deal with and looks forward to a well-informed difficult and needs ongoing effort both the associated risks. But defining and debate and some useful conclusions. from those responsible for governance implementing risk appetite is work in Seamus Gillen in agreeing what is acceptable and progress for many. CIMA therefore Director of Policy from all levels of management in warmly welcomes this new guidance Institute of Chartered Secretaries and communicating how much risk they from the Institute of Risk Management Administrators (ICSA) wish to take and in monitoring as a sound foundation for developing how much they are actually taking. best practice on this critical topic. Anything that stimulates debate on the Gillian Lees practical challenges of risk management Head of Corporate Governance is to be welcomed. 
Chartered Institute of Jackie Cain Management Accountants (CIMA) Policy Director Chartered Institute of Internal Auditors This paper will be helpful to senior CIPFA is pleased to endorse this work This paper sends out a clear statement managers in public service organisations by IRM on risk appetite and tolerance that the principle of risk appetite who are trying to understand risk which provides welcome leadership emanating from the board is the appetite in the context of their own on a challenging subject for both the only effective way to initiate an strategic and operational decision public and private sectors. We look ERM implementation. Charterhouse making. In its recently published Core forward to taking the debate further Risk Management is delighted to be Competencies in Public Service Risk with our membership in pursuit of associated with the launch of this paper Management, Alarm identified the our commitment to sound financial after contributing to the consultation need to understand the organisation’s management and good governance. process. Our own experience with risk appetite and risk tolerance, as clients confirms that this approach is Diana Melville part of the key function of identifying, not only critical, but that the whole Governance Adviser analysing, evaluating and responding to process must be undertaken with Chartered Institute of Public Finance risk. The ‘questions for the boardroom’, a practical rather than theoretical and Accountancy set out in this paper, could easily be vigour. This is an essential ingredient translated into ‘questions for the of our delivery capability. References to public organisation’s senior executive ‘appetite’ and ‘hunger’ only reinforce committee’ and as such may be of value the living nature of the required to many Alarm members and their approach. organisations. Neil Mockett Dr Lynn T Drennan CTO Chief Executive Charterhouse Risk Management Alarm, the public risk management association 3
  • 4. Introduction This guidance paper has been prepared The full version of this document is Members of the under the overall direction of a available for free download from the working group of the Institute of Risk website of the IRM and from partner Working Group Management. The group has held a series organisations. Printed versions of the Richard Anderson, deputy of meetings supplemented by much executive summary are also available. chairman of IRM and managing virtual debate to explore ideas and agree director of Crowe Horwath Global The original intent of this paper was in the direction of the paper. We have had Risk Consulting the first instance to provide guidance to healthy discussions, and given the nature directors, risk professionals and others Bill Aujla, CRO at Etisalat of the topic, there have been areas tasked with advising boards on compliance that have proved contentious. We have Gemma Clatworthy, senior risk with the part of the UK Corporate presented the outline of the thinking in consultant at Nationwide Building Governance Code that states that “the various meetings and we circulated an Society board is responsible for determining early draft of this paper to in excess of the nature and extent of the significant Roger Garrini, audit manager at fifty individuals. We have also exposed it risks it is willing to take in achieving its Selex Galileo for a much wider consultation from which strategic objectives” (Financial Reporting we received many responses (see list of Council, 2010). However, feedback from Paul Hopkin, director of IRM people and organisations responding in the consultation process has shown that and technical director of AIRMIC Appendix B). there is considerable interest in this topic Steven Shackleford, senior From this development process, we are in the public sector as well as the private academic in audit and risk confident that we are dealing with a sector and beyond the UK. 
While some management at Birmingham City topic that is relevant to many people in specifics might differ, the underlying University many organisations of different types principles hold true for all sectors and all in all sectors and that there is sufficient geographical locations. John Summers, chief advisor – risk consensus on issues and approaches at Rio Tinto We have found that the approach emerging to be able to publish this contained in here has far reaching Carolyn Williams, head of thought guidance. We know that future editions resonance with anyone who is interested leadership at IRM of this guidance may well be subject to in the subject of risk appetite and major revisions. That will be a sign of tolerance. This is not a subject with an good and healthy progress. It is in that untarnished history: most UK banks would context that we present this paper to have been expected to define their risk assist in boards’ deliberations on the appetite, but not a single bank would subject of risk appetite and tolerance. The have said that it wished to court (and paper consists of an executive summary, in some instances succumb to) oblivion which is designed to provide an overview in the form of the financial crisis. We on the subject for general use, particularly are now poised to move beyond that by board members, and a more detailed thinking. Whether it is a matter of document which is primarily designed setting, monitoring or overseeing risk to assist those whose task it is to advise appetite, this is a subject that has proved boards on these matters. to be somewhat elusive - it means many different things to many different people. For example, some see it as a series of limits, some see it as empowerment, some see it as something that has to be expressed in terms of net risk and others gross. For this reason the subject deserves serious attention. 
One of the purposes of this document is to begin to provide a common vocabulary for people who wish to discuss this subject both within their organisations, and also in comparing organisations. 4
  • 5. In writing this paper, we are conscious It is our view that risk appetite, correctly At a personal level, I would like to that we may appear to have come at this defined, approached and implemented thank the numerous people who have originally from a UK, quoted company- should be a fundamental business contributed to this paper, ranging from centric perspective and that this is counter concept that could make a substantial the working group, through various to IRM’s broad sectoral appeal and difference to how businesses and IRM meetings which debated early international ethos. In fact, while this organisations are run. We fully expect versions of the thinking to Carolyn guidance was originally written with the that the initial scepticism about risk Williams, head of thought leadership at UK Corporate Governance Code in mind, appetite will be gradually replaced as IRM, and of course, all of those people, comments and revisions arising from boards and executive directors gain clients, fellow risk professionals, internal the consultation process mean that it is greater insight into its usefulness. We auditors, and many, many others, who applicable to all sectors in all geographies. also anticipate that analysts will soon be have discussed this subject with all of the We continue to welcome feedback from asking chief executives, chairmen and members of the Working Group. I am, readers in this regard. finance directors about risk appetite. of course, particularly pleased that other After all, this subject is at the heart of the professional bodies of considerable repute Our objective in writing this document has organisation: risk-taking, whether private, agree sufficiently with our approach to been to give: public or third sector, whether large or put their names also to this document. 1. A theoretical underpinning to the small is what managing an organisation Richard Anderson subject of risk appetite; but is about. The approach of the new UK 2. 
More importantly, to provide some Corporate Governance Code represents Deputy Chairman guidance for those who need to deal an opportunity to place risk management, The Institute of Risk Management with the subject, either for their and in particular risk appetite, right at September 2011 corporate governance statements, or, the centre of the debate on effective alternatively, simply because they think corporate governance and the role of the the discussion would inform the way board in running organisations. their organisation is run. We would like to know whether or not This guidance is not definitive: we do not the approach in this paper has been think that we have written the last word helpful to you as you work through the on the subject. Thinking on the subject ramifications of risk appetite and risk of risk appetite and risk tolerance will tolerance in your own organisation. continue to develop and, if, as we hope, Please take the time to tell us so that we this booklet is superseded before too can both keep abreast of developments many reporting seasons come and go, and make sure that we are sharing best then we will know that the concept is practice. At IRM we are passionate about beginning to take root. leading the profession, and this is one way that we can do so. About IRM About the Author The Institute of Risk Management (IRM) is Richard Anderson, the principal author of this the world’s leading enterprise risk management booklet, is Deputy Chairman of IRM. Richard is also education Institute. We are independent, well- Managing Director of Crowe Horwath Global Risk respected advocates of the risk profession, owned by Consulting in the UK. A Chartered Accountant, and practising risk professionals. We provide qualifications, formerly a partner at a big-4 practice, Richard has short courses and events at a range of levels also run his own GRC practice for seven of the last from introductory to board level and support risk ten years. 
Richard has been professionally involved professionals by providing the skills and tools needed with risk management since the mid-nineties and has to deal with the demands of a constantly changing, broad industry sector experience. He wrote a report sophisticated and challenging business environment. for the OECD on Corporate Risk Management in the We operate internationally with members and banking sector in the UK, the USA and France. He is students in over 90 countries, drawn from a variety of a regular speaker at conferences and contributes to risk-related disciplines and a wide range of industries many journals on risk management and governance in the private, third and public sectors. issues. 5
  • 6. Contents

Introduction 4
About IRM 5
About the Author 5
Executive Summary 7
  Principles and approach 7
  Risk appetite and performance 8
  Putting it into practice 9
  Five tests for risk appetite frameworks 9
  Questions for the boardroom 10
I Background 11
  The UK Corporate Governance Code 11
  Risk appetite and risk tolerance 14
  A word of caution 15
  Key terms and phrases 15
  Background - questions for the boardroom 15
II Designing a risk appetite 16
  Risk capacity 17
  Risk management maturity 19
  Multiple risk appetites 21
  Risk culture 21
  Key terms and phrases 21
  Designing a risk appetite - questions for the boardroom 22
III Constructing a risk appetite 23
  Levels of risk appetite 23
  Strategic 23
  Risk taxonomies 24
  Tactical 25
  Project or operational 25
  Propensity to take risk 25
  Propensity to exercise control 25
  Balanced risk 26
  Risk management clockspeed 26
  Control issues 27
  Measurement 27
  Strategic 29
  Tactical and operational 29
  Data 29
  Constructing a risk appetite - questions for the boardroom 29
IV Implementing a risk appetite 30
  Sketch 31
  Stakeholder engagement 31
  Develop 32
  Approve 32
  Implement 32
  Report 32
  Review 32
  Implementing a risk appetite - questions for the boardroom 32
V Governing a risk appetite 33
  Governing risk appetite - questions for the boardroom 34
VI The journey is not over 35
  The journey is not yet over - final questions for the boardroom 35
Bibliography 36
Appendix A: Determining the risks the board is willing to take 37
  Responsibilities for risk taking 37
  Process for managing risk taking 38
Appendix B: List of respondents to consultation 39

Table of Figures

Figure 1 - Performance over time 14
Figure 2 - Possible outcomes 14
Figure 3 - Risk Universe 14
Figure 4 - Risk Tolerance 14
Figure 5 - Risk Appetite 14
Figure 6 - Risk Appetite in Context 16
Figure 7 - Risk Culture Diagnostic 22
Figure 8 - Risk Appetite - Main Issues 23
Figure 9 - Shareholder Value Model (1) 28
Figure 10 - Shareholder Value Model (2) 28
Figure 11 - Shareholder Value Model (3) 28
Figure 12 - Stages of Development of Risk Appetite 30
Figure 13 - Governing a Risk Appetite 33
  • 7. Executive Summary

“It is often said that no company can make a profit without taking a risk. The same is true for all organisations: no organisation, whether in the private, public or third sector can achieve its objectives without taking risk. The only question is how much risk do they need to take? And yet taking risks without consciously managing those risks can lead to the downfall of organisations. This is the challenge that has been highlighted by the latest UK Corporate Governance Code issued by the Financial Reporting Council in 2010.”

Principles and approach

The following key principles have underpinned our work on risk appetite:

1. Risk appetite can be complex. Excessive simplicity, while superficially attractive, leads to dangerous waters: far better to acknowledge the complexity and deal with it, rather than ignoring it.

2. Risk appetite needs to be measurable. Otherwise there is a risk that any statements become empty and vacuous. We are not promoting any individual measurement approach but fundamentally it is important that directors should understand how their performance drivers are impacted by risk. Shareholder value may be an appropriate starting point for some private organisations, stakeholder value or ‘Economic Value Added’ may be appropriate for others. We also anticipate more use of key risk indicators and key control indicators which should be readily available inside or from outside the organisation. Relevant and accurate data is vital for this process and we urge directors to ensure that there is the same level of data governance over these indicators as there would be over routine accounting data.

3. Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute to this whole development.

4. Risk appetite should be developed in the context of an organisation’s risk management capability, which is a function of risk capacity and risk management maturity. Risk management remains an emerging discipline and some organisations, irrespective of size or complexity, do it much better than others. This is in part due to their risk management culture (a subset of the overall culture), partly due to their systems and processes, and partly due to the nature of their business. However, until an organisation has a clear view of both its risk capacity and its risk management maturity it cannot be clear as to what approach would work or how it should be implemented.

5. Risk appetite must take into account differing views at a strategic, tactical and operational level. In other words, while the UK Corporate Governance Code envisages a strategic view of risk appetite, in fact risk appetite needs to be addressed throughout the organisation for it to make any practical sense.

6. Risk appetite must be integrated with the control culture of the organisation. Our framework explores this by looking at both the propensity to take risk and the propensity to exercise control. The framework promotes the idea that the strategic level is proportionately more about risk taking than exercising control, while at the operational level the proportions are broadly reversed. Clearly the relative proportions will depend on the organisation itself, the nature of the risks it faces and the regulatory environment within which it operates.
  • 8. Risk and control

We think that this dual focus on taking risk and exercising control is both innovative and critical to a proper understanding of risk appetite and risk tolerance. The innovation is not in looking at risk and control – all boards do that. The innovation is in looking at the interaction of risk and control as part of determining risk appetite. Proportionately more time is likely to be spent on risk taking at a strategic level than at an operational level, where the focus is more likely to be on the exercise of control. One word of caution though, we are not equating strategy with board level and operations with lower levels of the organisation. A board will properly want to know that its operations are under control as much as it wants to oversee the development and implementation of strategy. In the detailed paper we have included a few suggestions as to how boards might like to consider these dual responsibilities. Above all, we are very much focused on the need to take risk as much as the traditional pre-occupation of many risk management programmes, which is the avoidance of harm.

Risk appetite and Performance

Our view is that both risk appetite and risk tolerance are inextricably linked to performance over time. We believe that while risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with.

Organisations have to take some risks and they have to avoid others. The big question that all organisations have to ask themselves is: just what does successful performance look like? This question might be easier to answer for a listed company than for a government department, but can usefully be asked by boards in all sectors.

The illustrations on these pages show the relationship between risk appetite, tolerance and performance. Diagram 1 shows the expected direction of performance over the coming period. Diagram 2 illustrates the range of performance depending on whether risks (or opportunities) materialise. The remaining diagrams demonstrate the difference between:

• all the risks that the organisation might face (the “risk universe” - diagram 3)
• those that, if push comes to shove, they might just be able to put up with (the “risk tolerance” - diagram 4) and
• those risks that they actively wish to engage with (the “risk appetite” - diagram 5).

Risk tolerance can be expressed in terms of absolutes, for example “we will not expose more than x% of our capital to losses in a certain line of business” or “we will not deal with certain types of customer”.

Risk appetite, by contrast is about what the organisation does want to do and how it goes about it. It therefore becomes the board’s responsibility to define this all-important part of the risk management system and to ensure that the exercise of risk management throughout the organisation is consistent with that appetite, which needs to remain within the outer boundaries of the risk tolerance. Different boards, in different circumstances, will take different views on the relative importance of appetite and tolerance. We believe that the appetite will be smaller than the tolerance in the vast majority of cases, and that in turn will be smaller than the risk universe, which in any case will include “unknown unknowns”.

[Diagrams 1 to 5: performance plotted against time (t0 to t1), showing the current direction of travel for performance, where you might get to if some “good” or “bad” things happen, the risk universe, the risk tolerance and the risk appetite.]
  • 9. Putting it into practice

We have sought to develop an approach to risk appetite that:

• is theoretically sound (but the theory can quickly disappear into the background)
• is practical and pragmatic: we do not want to create a bureaucracy, rather we are looking to help find solutions that can work for organisations of all shapes and sizes
• will make a difference.

Boardroom debate - we suspect that in the early days particularly, a successful approach to reviewing risk appetite and risk tolerance in the boardroom will necessarily lead to some tensions. In other words we think that it should make a difference to the decisions that are made, otherwise it will diminish into a mere tick-box activity – and nobody needs any more of those in the board room. It is essential that the approach that we are setting out in the detailed guidance can and should be tailored to the needs and maturity of the organisation: it is not a one-size-fits-all approach.

Consultation - in our paper we have set out an illustrative process for the development of an approach to risk appetite. This includes appropriate consultation with those external and internal stakeholders, with whom the board believes it appropriate to consult on this matter. It also includes a review process by the board, or an appropriate committee of the board, and finally it includes a review process at the end of the cycle so that appropriate lessons can be learned.

Risk Committees - in his 2009 Review of Corporate Governance in UK Banks and Other Financial Industry Entities, Sir David Walker recommended that financial services organisations should make use of board risk committees. The Economic Affairs Committee of the House of Lords recently suggested that large organisations in other sectors should also consider creating such committees. We think that the creation and monitoring of approaches to risk appetite and risk tolerance should be high on the agenda of these committees. In the detailed document, we have included a brief section on the role of the board or risk committee: we are suggesting that governance needs to be exercised over the framework at four key points: approval, measurement, monitoring and learning.

Flexibility - all of this needs to be carried out with the basic precept in mind that risk appetite can and will change over time (as, for example, the economy shifts from boom to bust, or as cash reserves fall). In other words, breaches of risk appetite may well reflect a need to reconsider the risk appetite part way through a reporting cycle as well as a more regular review on an annual cycle. Rapid changes in circumstances, for example as were witnessed during the financial crisis in 2008-9, might also indicate a need for an organisation to re-appraise its risk appetite. In a fast changing economic climate, it is especially important for firms to have not only a clearly defined strategy, but also a clearly articulated risk appetite framework so that they are able to react quickly to the challenges and opportunities presented during such times.

Five tests for risk appetite frameworks

In summary, there are five tests that Directors should apply in reviewing their organisation’s risk appetite statement:

1. Do the managers making decisions understand the degree to which they (individually) are permitted to expose the organisation to the consequences of an event or situation? Any risk appetite statement needs to be practical, guiding managers to make risk-intelligent decisions.

2. Do the executives understand their aggregated and interlinked level of risk so they can determine whether it is acceptable or not?

3. Do the board and executive leadership understand the aggregated and interlinked level of risk for the organisation as a whole?

4. Are both managers and executives clear that risk appetite is not constant? It changes as the environment and business conditions change. Anything approved by the board must have some flexibility built in.

5. Are risk decisions made with full consideration of reward? The risk appetite framework needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward.

We believe that by following the guidance set out in detail in our document, directors will be able to be confident that they can pass all of those five tests.

“The risk appetite statement is generally considered the hardest part of any Enterprise Risk Management implementation. However, without clearly defined, measurable tolerances the whole risk cycle and any risk framework is arguably at a halt.”
Jill Douglas, Head of Risk, Charterhouse Risk Management
  • 10. Questions for the boardroom

Below we set out some questions that we think boards may want to consider, as part of an iterative process over time, as they develop their approaches to risk appetite and which will enable them to remain at the forefront of the discussion. One clear outcome from our consultation exercise was that, despite the expected variation in views on the technical aspects of risk appetite, there was a common acceptance of these questions as a useful starting point for board discussion.

Background

1. What are the significant risks the board is willing to take? What are the significant risks the board is not willing to take?
2. What are the strategic objectives of the organisation? Are they clear? What is explicit and what is implicit in those objectives?
3. Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
4. Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
5. What steps has the board taken to ensure oversight over the management of the risks?

Designing a risk appetite

6. Has the board and management team reviewed the capabilities of the organisation to manage the risks that it faces?
7. What are the main features of the organisation’s risk culture in terms of tone at the top? Governance? Competency? Decision making?
8. Does an understanding of risk permeate the organisation and its culture?
9. Is management incentivised for good risk management?
10. How much does the organisation spend on risk management each year? How much does it need to spend?
11. How mature is risk management in the organisation? Is the view consistent at differing levels of the organisation? Is the answer to these questions based on evidence or speculation?

Constructing a risk appetite

12. Does the organisation understand clearly why and how it engages with risks?
13. Is the organisation addressing all relevant risks or only those that can be captured in risk management processes?
14. Does the organisation have a framework for responding to risks?

Implementing a risk appetite

15. Who are the key external stakeholders and have sufficient soundings been taken of their views? Are those views dealt with appropriately in the final documentation?
16. Has the organisation followed a robust approach to developing its risk appetite?
17. Did the risk appetite undergo appropriate approval processes, including at the board (or risk oversight committee)?
18. Is the risk appetite tailored and proportionate to the organisation?
19. What is the evidence that the organisation has implemented the risk appetite effectively?

Governing a risk appetite

20. Is the board satisfied with the arrangements for data governance pertaining to risk management data and information?
21. Has the board played an active part in the approval, measurement, monitoring and learning from the risk appetite process?
22. Does the board have, or does it need, a risk committee to, inter alia, oversee the development and monitoring of the risk appetite framework?

The journey is not over - final thoughts

23. What needs to change for next time round?
24. Does the organisation have sufficient and appropriate resources and systems?
25. What difference did the process make and how would we like it to have an impact next time round?

Hungry for risk?

The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not always helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of ‘fight or flight’ responses to perceived risks. Most animals, including human beings, have a ‘fight or flight’ response to risk. In humans this can be over-ruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. However, since these instincts are not “hardwired” in our corporate “nervous and sensory” systems we use risk management as a surrogate.
  • 11. I Background

“What is this all about?”

101 In recent years we have witnessed some major risk events ranging from the global financial crisis to the more recent sovereign debt crisis and a large number of natural and meteorological events with major consequential damage and knock-on effects. But the financial crisis of 2008 had many consequences, and raised many questions, not least of which was the question as to why boards failed to see it coming. At the request of the Prime Minister of the day, Sir David Walker carried out a review of the corporate governance of Banks and Other Financial Institutions (“BOFI’s”) and this was followed swiftly by a review of the broader corporate governance landscape in the UK by the Financial Reporting Council (the “FRC”). The FRC made the all-important link between this question and the subject of risk appetite and risk tolerance by inserting reference to these two topics in their draft changes to Section C of the UK Corporate Governance Code (the “Code”) (Financial Reporting Council, 2010). While those very words failed to survive the cut, the concept did survive. Under the newly expanded Section C, a board is explicitly tasked with being responsible for “determining the nature and extent of the significant risks it [the board] is willing to take in achieving its strategic objectives”. This is risk appetite and tolerance by any other name.

102 The rest of this section explores the nature of the words in the Code, and looks at the existing guidance which might help to understand the words.

• Sections II and III of this document look at a proposed new framework of risk appetite and risk tolerance
• Sections IV and V look at the practicalities of implementing and overseeing risk appetite and risk tolerance
• Section VI addresses some of the issues that might require further thought, and
• Appendix A presents a summary of how, in practical terms, a board might go about determining the risks it is willing to take.

Throughout the paper we have indicated questions that could usefully be explored in the boardroom to ensure that the subjects of risk appetite and tolerance are being appropriately addressed.

The UK Corporate Governance Code

103 In its recent update to the UK Corporate Governance Code, the FRC has expanded the section of the Code on Accountability as set out in the box below:

Section C: Accountability

The board should present a balanced and understandable assessment of the company’s position and prospects. The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.

The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting and risk management and internal control principles...
  • 12. 104 This Section is further expanded in the detailed provisions of the Code:

C.1 Financial and Business Reporting

C.1.2 The directors should include in the annual report an explanation of the basis on which the company generates or preserves value over the longer term (the business model) and the strategy for delivering the objectives of the company.

C.2 Risk Management and Internal Control

Main Principle

The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.

Code Provision

C.2.1 The board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls.

105 This paper explores the risk management ramifications of these high level statements, and in particular those relating to the “nature and extent of the significant risks [the board] is willing to take in achieving its strategic objectives”. These are the words that replace the references to risk appetite and tolerance in earlier drafts. It is worth noting that this sentence immediately precedes the requirement that “the board should maintain sound risk management and internal control systems”. So we might infer that this is not empty rubric, but rather a matter of substance, especially since Code Provision C.2.1 goes on to require the board “at least annually [to] conduct a review of the effectiveness of the company’s risk management and internal control systems...” To some this sounds like a recipe for Sarbanes-Oxley s404 style work. This is clearly not the intent of the FRC, nor would it be welcomed in most UK boardrooms. However, the fact of this review has to be reported to shareholders. The juxtaposition of the “significant risks” sentence with the requirement to maintain “sound risk management and internal control systems” might lead the reader to surmise that the risk appetite element is one of the reasons that organisations require risk systems. Overall this is a radical new departure for the FRC and introduces a new concept for many directors and boards of non-financial services organisations.

106 As an aside, it seems that the terms “risk appetite” and “risk tolerance” have deep associations with the financial services industry in some minds, and attempts to move non-financial services organisations in that direction might have been difficult. However these words can be seen, for all intents and purposes, as being indistinguishable from the previous phrases. While many commentators see them as inseparable phrases, we focus predominantly on the concept of risk appetite in this paper as a way of providing guidance to directors and those tasked with advising directors on the requirements of the Code in so far as they relate to risk appetite and tolerance.

How has “risk appetite” been used before?

107 Risk appetite is a phrase that is widely used but frequently in different contexts and for different purposes. It is a phrase that for some people conveys poorly its meaning, and in respect of which the meaning is different for different groups of people. Based on the work that was undertaken in writing this paper it was clear that there is little certainty as to what the phrase means, but there seems to be almost unanimity that it could be, and indeed ought to be a useful concept, if only it could be properly expressed. Some people prefer other terms such as risk attitude or risk capacity. As far as we are concerned there is nothing fundamentally wrong in using any of these terms. Suffice it to say that in writing this guidance we are taking a very pragmatic view: risk appetite is the most common phrase that we have come across, it is the one that was used by the FRC in the context of the draft Corporate Governance Code and therefore we would prefer to define this term in a way that begins to make sense for as many people as possible.

108 Given the lack of conformity about the meaning of the phrase, it is worth looking at the key standards on risk management, ISO31000 (ISO, 2009) and BS31100 [1] (British Standards, 2008), to see what light they shed on the subject. Interestingly ISO31000, the international standard, is silent on the subject of risk appetite (focusing instead on ‘risk attitude’ and ‘risk criteria’), although Guide 73 (ISO, 2002) defines risk appetite as the “amount and type of risk that an organisation is willing to pursue or retain.” Some people argue that ISO31000 is silent on the subject because it is neither a useful phrase nor a meaningful concept. They therefore focus more on risk criteria. On the other hand, we believe that there is a benefit from exploring what we think is turning out to be a useful and meaningful concept.

Definition of Risk Appetite

ISO 31000 / Guide 73 - Amount and type of risk that an organisation is willing to pursue or retain
BS31100 - Amount and type of risk that an organisation is prepared to seek, accept or tolerate

[1] At the time of writing, this document is undergoing revision. Nevertheless the approach in the 2008 document has proved most useful for this discussion.
  • 13. 109 The original BS31100 contained more detail. It defined risk appetite as the “amount and type of risk that an organisation is prepared to seek, accept or tolerate” – very similar to Guide 73. The standard went on to define risk tolerance (bearing in mind that the definition of risk appetite includes reference to tolerating risk) as an “organisation’s readiness to bear the risk after risk treatments in order to achieve its objectives”. The definition then includes a rider which states: “NOTE: risk tolerance can be limited by legal or regulatory requirements”.

110 Notwithstanding the regular appearance of risk appetite and risk tolerance in the same sentence (or definition in the case of BS31100) it is our belief that risk tolerance is a much simpler concept in that it tends to suggest a series of limits which, depending on the organisation, may either be:

• In the nature of absolute lines drawn in the sand, beyond which the organisation does not wish to proceed; or
• More in the nature of tripwires, that alert the organisation to an impending breach of tolerable risks.

111 We are concerned that this focus treats risk in an unduly negative way, something which we are challenging in this booklet in the sense that there should be a maximum tolerance for risk taking as well as risk avoidance.

112 While neither standard is very informative, it is instructive to see how the “appetite” word or similar words were used in the original BS31100:

Paragraph 3.1 Governance includes a bullet to the effect that the risk management framework should have “defined parameters around the level of risk that is acceptable to the organisation, and thresholds which trigger escalation, review and approval by an authorised person/body.”

Paragraph 3.3.2 Content of the risk management policy has the first explicit reference to risk appetite saying that this should be included in the policy and should outline “the organisation’s risk appetite, thresholds and escalation procedures”

Paragraph 3.8 Risk appetite and risk profile provides a much more comprehensive commentary on risk appetite, which is set out below:

1. “Considering and setting a risk appetite enables an organisation to increase its rewards by optimizing risk taking and accepting calculated risks within an appropriate level of authority
2. “The organisation’s risk appetite should be established and/or approved by the board (or equivalent) and effectively communicated throughout the organisation

113 In conclusion, BS31100 provides some guidance on how to use risk appetite, but it does not (nor did it ever set out to) provide guidance on how to calculate or measure risk appetite, although the standard does suggest the use of “quantitative statements”, without further elaborating. It is interesting to note that the revised version of BS31100 has substantially removed references to risk appetite to bring it in line with ISO31000. This leaves something of a vacuum on the subject, which this guidance seeks to fill.
  • 14. Risk “appetite” and risk “tolerance”

114 Before we started on this project, it was our belief that we, and more importantly directors and risk professionals, could easily distinguish between risk appetite and risk tolerance and that the former was the more complicated concept. In practice we have found that in many instances these terms are used inter-changeably. We think that is conceptually wrong: there is a clear difference between the two. It is also worth noting that in the eyes of some commentators, risk tolerance is the more important concept. While risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with. Without a doubt there will be occasions where an organisation can deal with more risk than it is thought prudent to pursue.

115 The difference can be illustrated in the diagrams on the bottom of this page.

116 Figure 1 shows performance from the current time (t0) to sometime in the future (t1). The line AB shows the current expected direction of travel in terms of performance. Figure 2 shows that in practice this is subject to risks which, should they materialise, could result in performance along the line AC, or to opportunities (positive risks) which could result in performance along the line AD. The potential risk universe or the total risk exposure is shown by the difference between C and D. (see Figure 3)

117 What is clear is that following line AC is not desirable. Less clear is that it might also be undesirable to follow line AD because pursuing it might throw up substantial additional risks. Consequently, there are some risk outcomes for which there is no tolerance, and moreover no tolerance for taking those risks. Moreover, since we are using the generally accepted concept of risk as being potentially positive as well as negative, that suggests that there is a range shown by the triangle AXY (See Figure 4), outside of which the organisation will not tolerate exposure. This is the risk tolerance.

118 On the other hand, our “appetite” for risk is likely to be shown by a narrower band of performance outcomes shown by the triangle AMN.

119 Risk tolerance can therefore be expressed in terms of absolutes: for example “we will not expose more than x% of our capital to losses in a certain line of business”, or “we will not deal with a certain type of customer”. Risk tolerance statements become “lines in the sand” beyond which the organisation will not move without prior board approval.

120 Risk appetite on the other hand is about what the organisation does want to do and how it goes about it. It therefore becomes the board’s responsibility to define this all important part of the risk management system and to ensure that the exercise of risk management and all that entails is consistent with that appetite, which needs to remain within the outer boundaries of the risk tolerance.

121 While we have focused primarily on risk appetite, some entities (such as Government departments) may be more focused on risk tolerance. This in itself becomes a more complicated issue where the risk of insolvency (the ultimate determination of failure for corporates) is absent. Defining success and failure is therefore very important. This is an area where we believe further work is required. What is clear is that different boards in different circumstances will take different views as to which of these two concepts is more important for them at any given time.

[Figures 1 to 5, each plotting performance against time from t0 to t1:]
Figure 1 - Performance over time
Figure 2 - Possible outcomes
Figure 3 - Risk Universe
Figure 4 - Risk Tolerance
Figure 5 - Risk Appetite
  • 15. A word of caution

    122 The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not always helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of “fight or flight” responses to perceived risks.

    Most animals, including human beings have a “fight or flight” response to risk. In humans this can be over-ruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. Except of course, as a legal fiction (as opposed to biological reality) organisations do not have their own brains, nervous systems, sensory organs and instincts. They ‘borrow’ these from members of their boards and from their employees.

    These systems have to be created in terms of interactions of people, data systems and management information which enable people in the organisation to act as if they were parts of the same physical organism.

    Conclusion

    123 There are four early conclusions that we have drawn from the work we have undertaken in preparing this guidance:
      • The first is that we would benefit from a renewed focus on defining the terms that we are using. We have therefore developed glossaries of key terms and phrases which appear throughout this guidance.
      • The second is that setting a risk appetite is only a worthwhile exercise if you, as an organisation, are able to manage the risk to the level at which it is set.
      • The third is that there is very little by way of formal guidance on the definition of risk appetite. We have reviewed plenty of documents both from professional organisations and from consulting firms. However, our belief is that this subject remains under developed and the remainder of this booklet aims to play a part in redressing that shortcoming.
      • The fourth is that risk appetite can and indeed must change, for example as the economy shifts from boom to bust and back again, or as cash reserves fall. Risk appetite, and indeed risk tolerance, both have a temporal element, which is reflected in the way in which we have discussed the monitoring and governance of risk appetite later in this booklet.

    Key Terms and Phrases

    124 In this section we have used three key terms which we will continue to use throughout the document. In the absence of helpful definitions elsewhere, we are defining them as set out here:

    Phrase | Meaning
    Risk appetite | The amount of risk that an organisation is willing to seek or accept in the pursuit of its long term objectives.
    Risk tolerance | The boundaries of risk taking outside of which the organisation is not prepared to venture in the pursuit of its long term objectives.
    Risk universe | The full range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long term objectives.

    125 It is our expectation that for most organisations, the risk appetite will be smaller than the boundaries depicted by its risk tolerance.

    The rest of this document

    126 We have set out a route through this topic of risk appetite in the rest of this document as follows under the following main headings:
      Section II: Designing a risk appetite
      Section III: Constructing a risk appetite
      Section IV: Implementing a risk appetite
      Section V: Governing a risk appetite
      Section VI: The journey is not over

    In Section VI we explore some of the issues that we will need to explore as we develop this concept as a boardroom topic over the coming years.

    Background - Questions for the Boardroom
      • What are the significant risks the board is willing to take? What are the significant risks the board is not willing to take?
      • What are the strategic objectives of the organisation? Are they clear? What is explicit and what is implicit in those objectives?
      • Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
      • Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
      • What steps has the board taken to ensure oversight over the management of the risks?