©2010/11 Liz Taylor Risk Consulting www.liztaylorriskconsulting.co.uk tel +44 1626 337626
Risk Appetite
Copyright Liz Taylor
LIZ TAYLOR RISK CONSULTING
Risk Appetite
What are we talking about? Is it –
• Appetite for taking individual or more risks?
• Capacity for taking individual / aggregated
risks?
• The risk Profile of the organisation?
• The Tolerance of the organisation for individual /
aggregation of risks?
Risk Appetite
Risk appetite is a combination of risk
CAPACITY and risk TOLERANCE for single
risks and aggregation of risks. The risk profile
(summary of risks that the organisation
believes it is exposed to) of the organisation
is compared against the risk appetite to
determine actions needed.
Arriving at a Risk Appetite Statement
This is a complex subject. We set out some
tools herein that can be adapted for the first
stage of setting a risk appetite statement, but
it’s a long journey and it must be undertaken
by the Board or Board equivalent. We
suggest that a series of nine facilitated
workshops will complete this.
Setting the Risk Appetite
This is what BS31100 says about risk appetite and
risk profile:
“Considering and setting a risk appetite enables an
organization to increase its rewards by optimizing
risk taking and accepting calculated risks within an
appropriate level of authority.
“The org’s risk appetite should be established
and/or approved by the Board (or equivalent) and
effectively communicated throughout the org.
Setting the Risk Appetite BS 31100 cntd
“Prepare a risk appetite statement, which may:
• provide direction and boundaries
• consider the understanding of value,
cost-effectiveness of management, rigour of
controls and assurance process
• recognize that the org might be prepared to
accept a higher than usual proportion of risk
• define the control, permissions and sanctions
environment
• be reflected in the org’s risk management policy
Setting the Risk Appetite BS 31100 cntd
It should
“• include qualitative statements outlining specific
risks the org is or is not prepared to accept and
• include quantitative statements, described as
limits, thresholds or key risk indicators, which set
out how certain risks and their rewards are to be
judged and/or how the aggregate consequences of
risks are to be assessed and monitored.
Setting the Risk Appetite BS 31100 cntd
“The risk profile provides an overall picture of risk across an
organization, within unit or for a defined area.
The risk profile should convey the nature and level of risks the
org faces, the impact and likelihood of risk incidents on the org
and its stakeholders, and the effectiveness of controls in place to
manage the risks.
Both the risk appetite and risk profile should be monitored by the
Board (or equivalent) and formally reviewed as part of the org’s
strategy and planning processes. This should consider whether
the org’s risk appetite remains appropriate to deliver the
organization’s objectives in light of internal and external drivers
and constraints.”
Preparation that we suggest
• Agree the main drivers for the business
• Agree purpose of setting the risk appetite
statement (RAS)
• Agree who is going to sign off the RAS
• Agree that the RAS will be flexible
• Agree the timetable for establishing the RAS –
periodic and when certain risk occurrences
happen
Example of business drivers
Six business drivers, labelled BIZ driver 1 to BIZ driver 6 on the slide:
• Service safety / product safety – ie quality issues
• Customer satisfaction
• Environment
• Staff morale
• ROI / Cost £
• Brand/rep
What kind of risks are we talking about?
• Are we talking about risks that are only
negative – ie threats? These are STATIC
risks
• Are we talking about risks that could be
negative and/or positive – ie threats and
opportunities? These are DYNAMIC risks.
How to deal with complexity – divide up into
specific tasks or actions
STATIC DYNAMIC
Capacity single risk event Action 1 Action 5
Capacity several risk events in a year Action 2 Action 6
Agreed tolerance single risk event (less than capacity) Action 3 Action 7
Agreed tolerance several risk events (less than capacity) Action 4 Action 8
Action 1 - Determining the organisation’s
CAPACITY for risk
• Need to list some specific risk events – even though you
know that when it happens it will be different
• Use an escalation process to see where the sensitivity
occurs to the risk event – the risk pain threshold
• Use a simple formula for impact
– high = business meltdown / total catastrophe,
– medium = serious effect, long term problems but survivable
– Low = lower than medium
• Set those risk events against the business drivers
• Remember we are talking about the CAPACITY – not the
tolerance
Action 1 – Define impacts (ignore likelihood) by
circling the h/m/l indicator for each risk event
under each business driver
Risk event 1 | BIZ driver 1 | BIZ driver 2 | BIZ driver 3 | BIZ driver 4 | BIZ driver 5 | BIZ driver 6
Low level | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Higher level | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Escalated | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Escalated again | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
And so on
Action 1 Scenario 1 – Denial of access HQ
Risk Scenario 1 Denial of access to HQ – could be from any cause, from terrorism to major fire or contamination
[Completed pain threshold card: an h, m or l rating is circled for each escalation level under each business driver (Safety of client, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep; BIZ driver 1 to BIZ driver 6).]
Escalation levels:
• Denial of access to main HQ building > 1 day
• Denial of access to main HQ building > 2 days
• Denial of access to main HQ building > 3 days
• Denial of access to main HQ building > 4 days
• Denial of access to main HQ building > 5 days
Action 1 example – Denial of access HQ
[Completed pain threshold card for denial of access to the main HQ building, escalated from > 1 day to > 5 days, with an h, m or l rating under each business driver (Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep; BIZ driver 1 to BIZ driver 6).]
Now you have an indication of where the risk pain threshold is for this risk scenario.
Starts getting painful at three days, but only verging on catastrophic when longer than 5 days.
Workshop
• Using the pain threshold cards work out in
groups the sensitivity to each risk scenario under
the business drivers.
• Circle your results on each card.
• Work out the point at which the sensitivity gets to
an overall medium and an overall high by
allocating a score to each eg low = 1 med = 3
high = 5
• Show results as RAG score card or graph
Pain Threshold Cards for Static Risks (action 1)
Each of the risk events below appears and is escalated on each card.
Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep
2 Staff injury/fatality | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
3 Injury / fatality customers | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
4 Complaints / lawsuits | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
5 Bad Debt | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
6 Loss of investments | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
7 Fraud | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
8 Environmental incident | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
9 Loss of key people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
To recap – having completed action 1, then
tackle other actions
STATIC DYNAMIC
Capacity single risk event Action 1 Action 5
Capacity several risk events in a year Action 2 Action 6
Agreed tolerance single risk event (less than capacity) Action 3 Action 7
Agreed tolerance several risk events (less than capacity) Action 4 Action 8
Summary
We just completed Action 1. There are
several more actions to go through to get to a
good statement of risk appetite, having
determined the CAPACITY of the
organisation for risk and the TOLERANCE
level.
Summary
Once those pain threshold cards are completed, you have then to
look at the vertical sensitivities – ie by business driver and pick out
the “cornerstones” of risk capacity and tolerance.
The controls behind each of the risk scenarios are then determined
and measured.
Early warning indicators and Risk Performance Indicators are then
developed from the outcomes and reporting mechanisms agreed
upon.
The risk appetite statement needs to be revisited from time to time
or as things change, eg reputation is lowered resulting in a lower
tolerance for reputation risks (although capacity might remain the
same).
Workshop
• The pain threshold cards that follow are for
adaptation / use during a workshop.
• Sample outputs are included for illustration
only
Pain Threshold Card 1
Risk Scenario 1 Denial of access to HQ – could be from any cause, from terrorism to major fire or contamination
Risk event | Safety of client | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep
Denial of access to main HQ building > 1 day | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Denial of access to main HQ building > 2 days | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Denial of access to main HQ building > 3 days | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Denial of access to main HQ building > 4 days | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Denial of access to main HQ building > 5 days | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Example of output - Denial of access
[Chart: score for risk (1 = low, 3 = med, 5 = high) by business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client) for each escalation level. Totals per level:]
Denial of access to main HQ building > 1 day: total 6
Denial of access to main HQ building > 2 days: total 8
Denial of access to main HQ building > 3 days: total 14
Denial of access to main HQ building > 4 days: total 20
Denial of access to main HQ building > 5 days: total 22
Pain Threshold Card 2
Staff includes temporary staff and contractors
Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep
Major staff injury | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Several major injuries | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One staff fatality | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Several staff fatalities | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Many staff fatalities | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Example of output – Staff injury
[Chart: score for risk (1 = low, 3 = med, 5 = high) by business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client) for each escalation level. Totals per level:]
Major staff injury: total 6
Several major injuries: total 8
One staff fatality: total 8
Several staff fatalities: total 8
Many staff fatalities: total 14
Pain Threshold Card 3
Customer is any one who is not a member of staff / contractor and could include members of the public affected by the business.
Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep
Major injury several customers | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Fatality one customer | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Fatality several customers | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Fatality >100 customers | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Fatality more than 1000 customers | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Example output – injury to customers
[Chart: score for risk (1 = low, 3 = med, 5 = high) by business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client) for each escalation level. Totals per level:]
Major injury several customers: total 10
Fatality one customer: total 14
Fatality several customers: total 14
Fatality >100 customers: total 18
Fatality more than 1000 customers: total 22
Pain Threshold Card 4
Complaints could be from any number of sources from poor service / product, to the operation of the business.
Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep
Series of complaints about quality/biz conduct | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Hundreds of complaints about quality/biz conduct | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Several lawsuits | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Thousands of complaints and lawsuits | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Several thousands of complaints and lawsuits | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Example output – quality of output
[Chart: score for risk (1 = low, 3 = med, 5 = high) by business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client) for each escalation level. Totals per level:]
Series of complaints about quality/biz conduct: total 8
Hundreds of complaints about quality/biz conduct: total 12
Several lawsuits: total 14
Thousands of complaints and lawsuits: total 18
Several thousands of complaints and lawsuits: total 22
Pain Threshold Card 5
Bad Debt – could be from a number of causes, but determined to be a failure of income for longer than six months
Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep
One or series of bad debts >1% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of bad debts >5% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of bad debts >10% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of bad debts >15% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of bad debts >20% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Example output – bad debt
[Chart: score for risk (1 = low, 3 = med, 5 = high) by business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client) for each escalation level. Totals per level:]
One or series of bad debts >1% turnover: total 6
One or series of bad debts >5% turnover: total 8
One or series of bad debts >10% turnover: total 12
One or series of bad debts >15% turnover: total 16
One or series of bad debts >20% turnover: total 20
Pain Threshold Card 6
Loss of investment, could be a share price fall, loss of an installation, currency fluctuation etc
Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep
One or series of investments lost >1% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of investments lost >5% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of investments lost >10% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of investments lost >15% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of investments lost >20% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Example output – loss of investment
[Chart: score for risk (1 = low, 3 = med, 5 = high) by business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client) for each escalation level. Totals per level:]
One or series of investments lost >1% turnover: total 8
One or series of investments lost >5% turnover: total 14
One or series of investments lost >10% turnover: total 14
One or series of investments lost >15% turnover: total 22
One or series of investments lost >20% turnover: total 28
Pain Threshold Card 7
Fraud – could be internal or external, impact determined by cost
Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep
One or series of frauds >1% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of frauds >5% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of frauds >10% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of frauds >15% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
One or series of frauds >20% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Example output - fraud
[Chart: score for risk (1 = low, 3 = med, 5 = high) by business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client) for each escalation level. Totals per level:]
One or series of frauds >1% turnover: total 6
One or series of frauds >5% turnover: total 12
One or series of frauds >10% turnover: total 20
One or series of frauds >15% turnover: total 22
One or series of frauds >20% turnover: total 21
Pain Threshold Card 8
Environmental incident – determined by the impact on people’s lives, welfare or livelihoods
Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep
One environmental incident affecting >five people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Environment incident/s affecting >20 people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Environment incident/s affecting >100 people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Environment incident/s affecting >1000 people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Environment incident/s affecting >10000 people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
[Chart: score for risk (1 = low, 3 = med, 5 = high) by business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client) for each escalation level. Totals per level:]
One environmental incident affecting >five people: total 8
Environment incident/s affecting >20 people: total 14
Environment incident/s affecting >100 people: total 16
Environment incident/s affecting >1000 people: total 24
Environment incident/s affecting >10000 people: total 28
Pain Threshold Card 9
Key people – where involved in major biz decisions or projects and their loss could result in project failure or business loss
Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep
Temp loss of key person | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Perm loss of key person | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Perm loss of more than 5 key people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Perm loss of more than 20 key people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Perm loss of more than 100 key people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l
Example output – loss of key people
[Chart: score for risk (1 = low, 3 = med, 5 = high) by business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client) for each escalation level. Totals per level:]
Temp loss of key person: total 6
Perm loss of key person: total 6
Perm loss of more than 5 key people: total 12
Perm loss of more than 20 key people: total 18
Perm loss of more than 100 key people: total 22
Summary of example outputs – capacity for single risk events
1 Denial of access to main site / HQ etc | 2 Staff injury / fatality | 3 Injury / fatality customers | 4 Complaints / lawsuits | 5 Bad Debt | 6 Loss of investments | 7 Fraud | 8 Environmental incident | 9 Loss of key people
6 | 6 | 10 | 8 | 6 | 8 | 6 | 8 | 6
8 | 8 | 13 | 12 | 8 | 14 | 12 | 14 | 6
14 | 8 | 14 | 14 | 12 | 14 | 20 | 16 | 12
20 | 8 | 18 | 18 | 16 | 22 | 22 | 24 | 18
22 | 14 | 22 | 22 | 20 | 28 | 21 | 28 | 22
Code: 18 or above = red; 11 or above = yellow; below 11 = green
In this example, the output shows that this
organisation has a large CAPACITY for staff
injuries, and a low CAPACITY for fraud. The
TOLERANCE levels, however, may be different.
Determining Risk Appetite
We have shown some tools that can be used
for the first stage of working out the risk
appetite for an organisation – risk capacity for
single risk events. There is a lot more work to
do. We suggest a project time line of about
nine months to complete a risk appetite
statement taking about an hour per month of
the Board’s time.
Articulating Risk Appetite
Risk appetite can be articulated in a number of ways
• As a graph showing output along the vertical axis and
time along the horizontal. Variations up or down around
that line of performance can be drawn showing
CAPACITY and TOLERANCE
• As a series of matrices showing risk impact against
likelihood. One matrix per risk scenario. Show
unacceptable risks in red, barely acceptable in amber
and tolerable risks in green
• As a set of words, charts and data.
12 point action plan
1. Agree the main drivers for the business
2. Agree purpose of setting the risk appetite statement (RAS)
3. Agree who is going to sign off the RAS
4. Agree that the RAS will be flexible
5. Agree the timetable for establishing the RAS
6. Understand that risk appetite includes a view of risk CAPACITY
and risk TOLERANCE
7. Set up your action plan to deal with Capacity and Tolerance of
risk for both Static and Dynamic risks as follows;
STATIC DYNAMIC
Capacity single risk event Action 1 Action 5
Capacity several risk events in a year Action 2 Action 6
Agreed tolerance single risk event (less than capacity) Action 3 Action 7
Agreed tolerance several risk events (less than capacity) Action 4 Action 8
Action 1 Determining the organisation’s capacity for single risk events
Need to list some specific risk events – even though you know that when it happens it will
be different – concentrate on the “effect” of risk not the cause as the cause could be from
many quarters, but effects on the business activity are easier to predict
Use an escalation process to see where the sensitivity occurs to the risk event – the risk
pain threshold
Use a simple formula for impact eg
high = business meltdown / total catastrophe – score 5
medium = serious effect, long term problems but survivable – score 3
Low = lower than medium – score 1
Set those risk events against the business drivers
Remember we are talking about the CAPACITY – not the tolerance
Run a workshop using adapted versions of the pain threshold cards (see later)
8. Action 2 Determining the organisation’s capacity for multiple risk events
9. As above but considering multiple events
10. Action 3 Determining the organisation’s tolerance for single risk events; Do
scenario testing with top management on the highest evaluated risk events
as determined by the risk capacity exercise. Push them to articulate their
TOLERANCE for risk. Remember tolerance changes more frequently than
capacity, and should be stress tested often.
11. Action 4 As above but considering multiple events
12. Actions 5,6,7 & 8 – more complex still, so call in the experts!
Copyright Liz Taylor
LIZ TAYLOR RISK CONSULTING
+44 1626 337626
www.liztaylorriskconsulting.co.uk
email
liz.taylor@liztaylorriskconsulting.co.uk

risk_management_education_and_skills_presentation.pptAyidAlmgati
 
The Top Risks Challenging the Financial Services Industry
The Top Risks Challenging the Financial Services IndustryThe Top Risks Challenging the Financial Services Industry
The Top Risks Challenging the Financial Services IndustryColleen Beck-Domanico
 
Stress Testing: 8 Facts Every Banker Should Know
Stress Testing: 8 Facts Every Banker Should KnowStress Testing: 8 Facts Every Banker Should Know
Stress Testing: 8 Facts Every Banker Should KnowColleen Beck-Domanico
 
Motorsport Client Brochure
Motorsport Client BrochureMotorsport Client Brochure
Motorsport Client Brochureforsythn1978
 
201608strategicriskaustralia 379683
201608strategicriskaustralia 379683201608strategicriskaustralia 379683
201608strategicriskaustralia 379683Marco Ciobo
 
Bending the bank: Next steps when stress testing calls for change
Bending the bank: Next steps when stress testing calls for changeBending the bank: Next steps when stress testing calls for change
Bending the bank: Next steps when stress testing calls for changeLibby Bierman
 

Similaire à Conference 2010 Risk Appetite Includes Handouts And Output (20)

How will climate change affect financial services?
How will climate change affect financial services?How will climate change affect financial services?
How will climate change affect financial services?
 
Real Challenges of Enterprise Risk Management
Real Challenges of Enterprise Risk ManagementReal Challenges of Enterprise Risk Management
Real Challenges of Enterprise Risk Management
 
Risk descriptions from 'Coconut island' risk workshop
Risk descriptions from 'Coconut island' risk workshopRisk descriptions from 'Coconut island' risk workshop
Risk descriptions from 'Coconut island' risk workshop
 
Adr approaches to_sensing_and_responding_to_emerging_risk[1]
Adr approaches to_sensing_and_responding_to_emerging_risk[1]Adr approaches to_sensing_and_responding_to_emerging_risk[1]
Adr approaches to_sensing_and_responding_to_emerging_risk[1]
 
Board Governance and Emerging Risks in the C21
Board Governance and Emerging Risks in the C21Board Governance and Emerging Risks in the C21
Board Governance and Emerging Risks in the C21
 
Role of Enterprise Risk Management in Risk Based Capital
Role of Enterprise Risk Management in Risk Based CapitalRole of Enterprise Risk Management in Risk Based Capital
Role of Enterprise Risk Management in Risk Based Capital
 
Strategically managing your insurance program
Strategically managing your insurance programStrategically managing your insurance program
Strategically managing your insurance program
 
MRTI_W11.pdf
MRTI_W11.pdfMRTI_W11.pdf
MRTI_W11.pdf
 
Risk intelligence: How to reliably mitigate transaction risk and secure clean...
Risk intelligence: How to reliably mitigate transaction risk and secure clean...Risk intelligence: How to reliably mitigate transaction risk and secure clean...
Risk intelligence: How to reliably mitigate transaction risk and secure clean...
 
75b466e0cde747249c297578d18993f6.pptx
75b466e0cde747249c297578d18993f6.pptx75b466e0cde747249c297578d18993f6.pptx
75b466e0cde747249c297578d18993f6.pptx
 
risk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.pptrisk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.ppt
 
risk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.pptrisk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.ppt
 
risk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.pptrisk_management_education_and_skills_presentation.ppt
risk_management_education_and_skills_presentation.ppt
 
The Top Risks Challenging the Financial Services Industry
The Top Risks Challenging the Financial Services IndustryThe Top Risks Challenging the Financial Services Industry
The Top Risks Challenging the Financial Services Industry
 
Business Risk
Business RiskBusiness Risk
Business Risk
 
Stress Testing: 8 Facts Every Banker Should Know
Stress Testing: 8 Facts Every Banker Should KnowStress Testing: 8 Facts Every Banker Should Know
Stress Testing: 8 Facts Every Banker Should Know
 
Motorsport Client Brochure
Motorsport Client BrochureMotorsport Client Brochure
Motorsport Client Brochure
 
201608strategicriskaustralia 379683
201608strategicriskaustralia 379683201608strategicriskaustralia 379683
201608strategicriskaustralia 379683
 
Bending the bank: Next steps when stress testing calls for change
Bending the bank: Next steps when stress testing calls for changeBending the bank: Next steps when stress testing calls for change
Bending the bank: Next steps when stress testing calls for change
 
Holistic risk management
Holistic risk managementHolistic risk management
Holistic risk management
 

Conference 2010 Risk Appetite Includes Handouts And Output

  • 1. ©2010/11 Liz Taylor Risk Consulting www.liztaylorriskconsulting.co.uk tel +44 1626 337626 Risk Appetite Copyright Liz Taylor LIZ TAYLOR RISK CONSULTING
  • 2. Risk Appetite. What are we talking about? Is it –
      • Appetite for taking individual or more risks?
      • Capacity for taking individual / aggregated risks?
      • The risk Profile of the organisation?
      • The Tolerance of the organisation for individual / aggregation of risks?
  • 3. Risk Appetite. Risk appetite is a combination of risk CAPACITY and risk TOLERANCE for single risks and aggregation of risks. The risk profile (summary of risks that the organisation believes it is exposed to) of the organisation is compared against the risk appetite to determine actions needed.
  • 4. Arriving at a Risk Appetite Statement. This is a complex subject. We set out some tools herein that can be adapted for the first stage of setting a risk appetite statement, but it’s a long journey and it must be undertaken by the Board or Board equivalent. We suggest that a series of nine facilitated workshops will complete this.
  • 5. Setting the Risk Appetite. This is what BS31100 says about risk appetite and risk profile: “Considering and setting a risk appetite enables an organization to increase its rewards by optimizing risk taking and accepting calculated risks within an appropriate level of authority. “The org’s risk appetite should be established and/or approved by the Board (or equivalent) and effectively communicated throughout the org.
  • 6. Setting the Risk Appetite BS 31100 cntd. “Prepare a risk appetite statement, which may:
      • provide direction and boundaries
      • consider the understanding of value, cost-effectiveness of management, rigour of controls and assurance process
      • recognize that the org might be prepared to accept a higher than usual proportion of risk
      • define the control, permissions and sanctions environment
      • be reflected in the org’s risk management policy
  • 7. Setting the Risk Appetite BS 31100 cntd. It should “
      • include qualitative statements outlining specific risks the org is or is not prepared to accept and
      • include quantitative statements, described as limits, thresholds or key risk indicators, which set out how certain risks and their rewards are to be judged and/or how the aggregate consequences of risks are to be assessed and monitored.
  • 8. Setting the Risk Appetite BS 31100 cntd. “The risk profile provides an overall picture of risk across an organization, within unit or for a defined area. The risk profile should convey the nature and level of risks the org faces, the impact and likelihood of risk incidents on the org and its stakeholders, and the effectiveness of controls in place to manage the risks. Both the risk appetite and risk profile should be monitored by the Board (or equivalent) and formally reviewed as part of the org’s strategy and planning processes. This should consider whether the org’s risk appetite remains appropriate to deliver the organization’s objectives in light of internal and external drivers and constraints.”
  • 9. Preparation that we suggest
      • Agree the main drivers for the business
      • Agree purpose of setting the risk appetite statement (RAS)
      • Agree who is going to sign off the RAS
      • Agree that the RAS will be flexible
      • Agree the timetable for establishing the RAS – periodic and when certain risk occurrences happen
  • 10. Example of business drivers. Six drivers, labelled BIZ driver 1 to BIZ driver 6: Service safety / product safety – ie quality issues; Customer satisfaction; Environment; Staff morale; ROI / Cost £; Brand/rep
  • 11. What kind of risks are we talking about?
      • Are we talking about risks that are only negative – ie threats? These are STATIC risks
      • Are we talking about risks that could be negative and or positive – ie threats and opportunities? These are DYNAMIC risks.
  • 12. How to deal with complexity – divide up into specific tasks or actions
      Capacity single risk event: Action 1 (STATIC), Action 5 (DYNAMIC)
      Capacity several risk events in a year: Action 2 (STATIC), Action 6 (DYNAMIC)
      Agreed tolerance single risk event (less than capacity): Action 3 (STATIC), Action 7 (DYNAMIC)
      Agreed tolerance several risk events (less than capacity): Action 4 (STATIC), Action 8 (DYNAMIC)
  • 13. Action 1 - Determining the organisation’s CAPACITY for risk
      • Need to list some specific risk events – even though you know that when it happens it will be different
      • Use an escalation process to see where the sensitivity occurs to the risk event – the risk pain threshold
      • Use a simple formula for impact
          – high = business meltdown / total catastrophe,
          – medium = serious effect, long term problems but survivable
          – Low = lower than medium
      • Set those risk events against the business drivers
      • Remember we are talking about the CAPACITY – not the tolerance
  • 14. Action 1 – Define impacts (ignore likelihood) by circling the h/m/l indicator for each risk event under each business driver
      Columns (each cell h/m/l): BIZ driver 1 to BIZ driver 6
      Rows for Risk event 1: Low level; Higher level; Escalated; Escalated again; And so on
  • 15. Action 1 Scenario 1 – Denial of access HQ. Risk Scenario 1: Denial of access to HQ – could be from any cause, from terrorism to major fire or contamination
      Impacts per row, in the column order Safety of client (BIZ driver 6) / Cust satis (BIZ driver 5) / Environment (BIZ driver 4) / Staff morale (BIZ driver 3) / ROI / Cost £ (BIZ driver 2) / Brand/rep (BIZ driver 1):
      Denial of access to main HQ building > 1 day: l / l / l / l / l / l
      Denial of access to main HQ building > 2 days: l / l / l / m / l / l
      Denial of access to main HQ building > 3 days: l / m / l / h / m / l
      Denial of access to main HQ building > 4 days: l / h / l / h / h / m
      Denial of access to main HQ building > 5 days: l / h / l / h / h / h
  • 16. Action 1 example – Denial of access HQ
      Impacts per row, in the column order ? (BIZ driver 6) / Cust satis (BIZ driver 5) / Environment (BIZ driver 4) / Staff morale (BIZ driver 3) / ROI / Cost £ (BIZ driver 2) / Brand/rep (BIZ driver 1):
      Denial of access to main HQ building > 1 day: l / l / l / l / l / l
      Denial of access to main HQ building > 2 days: l / l / l / m / l / l
      Denial of access to main HQ building > 3 days: l / m / l / h / m / l
      Denial of access to main HQ building > 4 days: l / h / l / h / h / m
      Denial of access to main HQ building > 5 days: l / h / l / h / h / h
      Now you have an indication of where the risk pain threshold is for this risk scenario. Starts getting painful at three days, but only verging on catastrophic when longer than 5 days.
  • 17. Workshop
      • Using the pain threshold cards work out in groups the sensitivity to each risk scenario under the business drivers.
      • Circle your results on each card.
      • Work out the point at which the sensitivity gets to an overall medium and an overall high by allocating a score to each eg low = 1 med = 3 high = 5
      • Show results as RAG score card or graph
  • 18. Pain Threshold Cards for Static Risks (action 1). Each of the risk events below appears and is escalated on each card.
      Columns (each cell h/m/l): Safety of client / product, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep
      Rows: 2 Staff injury/fatality; 3 Injury / fatality customers; 4 Complaints / lawsuits; 5 Bad Debt; 6 Loss of investments; 7 Fraud; 8 Environmental incident; 9 Loss of key people
  • 19. To recap – having completed action 1, then tackle other actions
      Capacity single risk event: Action 1 (STATIC), Action 5 (DYNAMIC)
      Capacity several risk events in a year: Action 2 (STATIC), Action 6 (DYNAMIC)
      Agreed tolerance single risk event (less than capacity): Action 3 (STATIC), Action 7 (DYNAMIC)
      Agreed tolerance several risk events (less than capacity): Action 4 (STATIC), Action 8 (DYNAMIC)
  • 20. Summary. We just completed Action 1. There are several more actions to go through to get to a good statement of risk appetite, having determined the CAPACITY of the organisation for risk and the TOLERANCE level;
  • 21. Summary. Once those pain threshold cards are completed, you have then to look at the vertical sensitivities – ie by business driver and pick out the “cornerstones” of risk capacity and tolerance. The controls behind each of the risk scenarios are then determined and measured. Early warning indicators and Risk Performance Indicators are then developed from the outcomes and reporting mechanisms agreed upon. The risk appetite statement needs to be revisited from time to time or as things change, eg reputation is lowered resulting in a lower tolerance for reputation risks (although capacity might remain the same).
  • 22. Workshop
      • The pain threshold cards that follow are for adaptation / use during a workshop.
      • Sample outputs are included for illustration only
  • 23. Pain Threshold Card 1. Risk Scenario 1: Denial of access to HQ – could be from any cause, from terrorism to major fire or contamination
      Columns (each cell h/m/l): Safety of client (BIZ driver 6), Cust satis (BIZ driver 5), Environment (BIZ driver 4), Staff morale (BIZ driver 3), ROI / Cost £ (BIZ driver 2), Brand/rep (BIZ driver 1)
      Rows: Denial of access to main HQ building > 1 day; > 2 days; > 3 days; > 4 days; > 5 days
  • 24. Example of output - Denial of access. [Chart: score for risk (1 = low, 3 = med, 5 = high) for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per escalation level: Denial of access to main HQ building > 1 day, > 2 days, > 3 days, > 4 days, > 5 days. Totals shown: 22, 20, 14, 8, 6.]
  • 25. Pain Threshold Card 2. Staff includes temporary staff and contractors
      Columns (each cell h/m/l): Safety of client / product, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep
      Rows: Major staff injury; Several major injuries; One staff fatality; Several staff fatalities; Many staff fatalities
  • 26. Example of output – Staff injury. [Chart: score for risk (1 = low, 3 = med, 5 = high) for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per escalation level: Major staff injury, Several major injuries, One staff fatality, Several staff fatalities, Many staff fatalities. Totals shown: 14, 8, 8, 8, 6.]
  • 27. Pain Threshold Card 3. Customer is anyone who is not a member of staff / contractor and could include members of the public affected by the business.
      Columns (each cell h/m/l): Safety of client / product, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep
      Rows: Major injury several customers; Fatality one customer; Fatality several customers; Fatality >100 customers; Fatality more than 1000 customers
  • 28. Example output – injury to customers. [Chart: score for risk (1 = low, 3 = med, 5 = high) for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per escalation level: Major injury several customers, Fatality one customer, Fatality several customers, Fatality >100 customers, Fatality more than 1000 customers. Totals shown: 22, 18, 14, 14, 10.]
  • 29. Pain Threshold Card 4. Complaints could be from any number of sources from poor service / product, to the operation of the business.
      Columns (each cell h/m/l): Safety of client / product, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep
      Rows: Series of complaints about quality/biz conduct; Hundreds of complaints about quality/biz conduct; Several lawsuits; Thousands of complaints and lawsuits; Several thousands of complaints and lawsuits
  • 30. Example output – quality of output. [Chart: score for risk (1 = low, 3 = med, 5 = high) for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per escalation level: Series of complaints about quality/biz conduct, Hundreds of complaints about quality/biz conduct, Several lawsuits, Thousands of complaints and lawsuits, Several thousands of complaints and lawsuits. Totals shown: 22, 18, 14, 12, 8.]
  • 31. Pain Threshold Card 5. Bad Debt – could be from a number of causes, but determined to be a failure of income for longer than six months
      Columns (each cell h/m/l): Safety of client / product, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep
      Rows: One or series of bad debts >1% turnover; >5% turnover; >10% turnover; >15% turnover; >20% turnover
  • 32. Example output – bad debt. [Chart: score for risk (1 = low, 3 = med, 5 = high) for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per escalation level: One or series of bad debts >1% turnover, >5% turnover, >10% turnover, >15% turnover, >20% turnover. Totals shown: 20, 16, 12, 8, 6.]
  • 33. Pain Threshold Card 6. Loss of investment, could be a share price fall, loss of an installation, currency fluctuation etc
      Columns (each cell h/m/l): Safety of client / product, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep
      Rows: One or series of investments lost >1% turnover; >5% turnover; >10% turnover; >15% turnover; >20% turnover
  • 34. Example output – loss of investment. [Chart: score for risk (1 = low, 3 = med, 5 = high) for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per escalation level: One or series of investments lost >1% turnover, >5% turnover, >10% turnover, >15% turnover, >20% turnover. Totals shown: 28, 22, 14, 14, 8.]
  • 35. Pain Threshold Card 7. Fraud – could be internal or external, impact determined by cost
      Columns (each cell h/m/l): Safety of client / product, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep
      Rows: One or series of frauds >1% turnover; >5% turnover; >10% turnover; >15% turnover; >20% turnover
  • 36. Example output - fraud. [Chart: score for risk (1 = low, 3 = med, 5 = high) for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per escalation level: One or series of frauds >1% turnover, >5% turnover, >10% turnover, >15% turnover, >20% turnover. Totals shown: 21, 22, 20, 12, 6.]
  • 37. Pain Threshold Card 8. Environmental incident – determined by the impact on people’s lives, welfare or livelihoods
      Columns (each cell h/m/l): Safety of client / product, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep
      Rows: One environmental incident affecting >five people; Environment incident/s affecting >20 people; >100 people; >1000 people; >10000 people
  • 38. [Chart: score for risk (1 = low, 3 = med, 5 = high) for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per escalation level: One environmental incident affecting >five people, Environment incident/s affecting >20 people, >100 people, >1000 people, >10000 people. Totals shown: 28, 24, 16, 14, 8.]
  • 39. Pain Threshold Card 9. Key people – where involved in major biz decisions or projects and their loss could result in project failure or business loss
      Columns (each cell h/m/l): Safety of client / product, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep
      Rows: Temp loss of key person; Perm loss of key person; Perm loss of more than 5 key people; Perm loss of more than 20 key people; Perm loss of more than 100 key people
  • 40. Example output – loss of key people. [Chart: score for risk (1 = low, 3 = med, 5 = high) for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per escalation level: Temp loss of key person, Perm loss of key person, Perm loss of more than 5 key people, Perm loss of more than 20 key people, Perm loss of more than 100 key people. Totals shown: 22, 18, 12, 6, 6.]
  • 41. Summary of example outputs – capacity for single risk events
      Total score per risk at each of the five escalation levels, lowest level first:
      1 Denial of access to main site / HQ etc: 6, 8, 14, 20, 22
      2 Staff injury / fatality: 6, 8, 8, 8, 14
      3 Injury / fatality customers: 10, 13, 14, 18, 22
      4 Complaints / lawsuits: 8, 12, 14, 18, 22
      5 Bad Debt: 6, 8, 12, 16, 20
      6 Loss of investments: 8, 14, 14, 22, 28
      7 Fraud: 6, 12, 20, 22, 21
      8 Environmental incident: 8, 14, 16, 24, 28
      9 Loss of key people: 6, 6, 12, 18, 22
      Code: 18 or above = red; 11 or above = yellow; below 11 = green
      In this example, the output shows that this organisation has a large CAPACITY for staff injuries, and a low CAPACITY for fraud. The TOLERANCE levels, however, may be different.
  • 42. Determining Risk Appetite. We have shown some tools that can be used for the first stage of working out the risk appetite for an organisation – risk capacity for single risk events. There is a lot more work to do. We suggest a project time line of about nine months to complete a risk appetite statement taking about an hour per month of the Board’s time.
  • 43. Articulating Risk Appetite. Risk appetite can be articulated in a number of ways
      • As a graph showing output along the vertical axis and time along the horizontal. Variations up or down around that line of performance can be drawn showing CAPACITY and TOLERANCE
      • As a series of matrices showing risk impact against likelihood. One matrix per risk scenario. Show unacceptable risks in red, barely acceptable in amber and tolerable risks in green
      • As a set of words, charts and data.
  • 44. 12 point action plan
      1. Agree the main drivers for the business
      2. Agree purpose of setting the risk appetite statement (RAS)
      3. Agree who is going to sign off the RAS
      4. Agree that the RAS will be flexible
      5. Agree the timetable for establishing the RAS
      6. Understand that risk appetite includes a view of risk CAPACITY and risk TOLERANCE
      7. Set up your action plan to deal with Capacity and Tolerance of risk for both Static and Dynamic risks as follows;
          Capacity single risk event: Action 1 (STATIC), Action 5 (DYNAMIC)
          Capacity several risk events in a year: Action 2 (STATIC), Action 6 (DYNAMIC)
          Agreed tolerance single risk event (less than capacity): Action 3 (STATIC), Action 7 (DYNAMIC)
          Agreed tolerance several risk events (less than capacity): Action 4 (STATIC), Action 8 (DYNAMIC)
  • 45. Action 1 Determining the organisation’s capacity for single risk events
      • Need to list some specific risk events – even though you know that when it happens it will be different – concentrate on the “effect” of risk not the cause as the cause could be from many quarters, but effects on the business activity are easier to predict
      • Use an escalation process to see where the sensitivity occurs to the risk event – the risk pain threshold
      • Use a simple formula for impact eg
          – high = business meltdown / total catastrophe – score 5
          – medium = serious effect, long term problems but survivable – score 3
          – Low = lower than medium – score 1
      • Set those risk events against the business drivers
      • Remember we are talking about the CAPACITY – not the tolerance
      • Run a workshop using adapted versions of the pain threshold cards (see later)
      8. Action 2 Determining the organisation’s capacity for multiple risk events
      9. As above but considering multiple events
      10. Action 3 Determining the organisation’s tolerance for single risk events; Do scenario testing with top management on the highest evaluated risk events as determined by the risk capacity exercise. Push them to articulate their TOLERANCE for risk. Remember tolerance changes more frequently than capacity, and should be stress tested often.
      11. Action 4 As above but considering multiple events
      12. Actions 5,6,7 & 8 – more complex still, so call in the experts!
  • 46. Copyright Liz Taylor LIZ TAYLOR RISK CONSULTING +44 1626 337626 www.liztaylorriskconsulting.co.uk email liz.taylor@liztaylorriskconsulting.co.uk