IRM Risk Appetite



  1. Risk Appetite & Tolerance: Guidance Paper
  2. Foreword

     Risk appetite today is a core consideration in any enterprise risk management approach. As well as meeting the requirements imposed by corporate governance standards, organisations in all sectors are increasingly being asked by key stakeholders, including investors, analysts and the public, to express clearly the extent of their willingness to take risk in order to meet their strategic objectives.

     The Institute of Risk Management, now in its 25th year, has a key role to play in establishing sound practices in this area and building consensus in what has, for too long, been a nebulous subject.

     By providing practical advice on how to approach the development and implementation of a risk appetite framework we believe we will be helping boards and senior management teams both to manage their organisations better and to discharge their corporate governance responsibilities more effectively.

     We are particularly pleased that a large number of professional bodies are supporting this work – risk is everyone's business and a common understanding and approach helps us work together to address this challenging area.

     Alex Hindson
     Chairman
     The Institute of Risk Management

     While the Financial Reporting Council has kick-started the debate on risk appetite and risk tolerance in the UK, it is a debate that resonates around the world. As an integrated global risk consulting business, I can testify to the fact that our clients are debating risk appetite. That is why we are pleased to support the work of the Institute of Risk Management in moving this debate forward. We look forward to actively engaging with IRM and others in promoting this thought-provoking document and turning risk appetite into a day-by-day reality for boards and risk management professionals around the world.

     Larry Rieger
     CEO, Crowe Horwath Global Risk Consulting
  3. Endorsements

     The Chartered Institute of Internal Auditors welcomes this contribution from the Institute of Risk Management to the debate on risk appetite and risk tolerance. In theory, the idea of deciding how much risk of different types the organisation wishes to take and accept sounds easy. In practice, it is difficult and needs ongoing effort both from those responsible for governance in agreeing what is acceptable and from all levels of management in communicating how much risk they wish to take and in monitoring how much they are actually taking. Anything that stimulates debate on the practical challenges of risk management is to be welcomed.

     Jackie Cain
     Policy Director
     Chartered Institute of Internal Auditors

     All successful organisations need to be clear about their willingness to accept risk in pursuit of their goals. Armed with this clarity, boards and management can make meaningful decisions about what actions to take at all levels of the organisation and the extent to which they must deal with the associated risks. But defining and implementing risk appetite is work in progress for many. CIMA therefore warmly welcomes this new guidance from the Institute of Risk Management as a sound foundation for developing best practice on this critical topic.

     Gillian Lees
     Head of Corporate Governance
     Chartered Institute of Management Accountants (CIMA)

     This document is an important contribution to a key area of board activity and helpfully addresses one of the issues highlighted in the Financial Reporting Council's Guidance on Board Effectiveness. ICSA is pleased to support the work started here by IRM, and looks forward to a well-informed debate and some useful conclusions.

     Seamus Gillen
     Director of Policy
     Institute of Chartered Secretaries and Administrators (ICSA)

     This paper will be helpful to senior managers in public service organisations who are trying to understand risk appetite in the context of their own strategic and operational decision making. In its recently published Core Competencies in Public Service Risk Management, Alarm identified the need to understand the organisation's risk appetite and risk tolerance, as part of the key function of identifying, analysing, evaluating and responding to risk. The 'questions for the boardroom', set out in this paper, could easily be translated into 'questions for the public organisation's senior executive committee' and as such may be of value to many Alarm members and their organisations.

     Dr Lynn T Drennan
     Chief Executive
     Alarm, the public risk management association

     CIPFA is pleased to endorse this work by IRM on risk appetite and tolerance which provides welcome leadership on a challenging subject for both the public and private sectors. We look forward to taking the debate further with our membership in pursuit of our commitment to sound financial management and good governance.

     Diana Melville
     Governance Adviser
     Chartered Institute of Public Finance and Accountancy

     This paper sends out a clear statement that the principle of risk appetite emanating from the board is the only effective way to initiate an ERM implementation. Charterhouse Risk Management is delighted to be associated with the launch of this paper after contributing to the consultation process. Our own experience with clients confirms that this approach is not only critical, but that the whole process must be undertaken with a practical rather than theoretical vigour. This is an essential ingredient of our delivery capability. References to 'appetite' and 'hunger' only reinforce the living nature of the required approach.

     Neil Mockett
     CTO
     Charterhouse Risk Management
  4. Introduction

     This guidance paper has been prepared under the overall direction of a working group of the Institute of Risk Management. The group has held a series of meetings supplemented by much virtual debate to explore ideas and agree the direction of the paper. We have had healthy discussions, and given the nature of the topic, there have been areas that have proved contentious. We have presented the outline of the thinking in various meetings and we circulated an early draft of this paper to in excess of fifty individuals. We have also exposed it for a much wider consultation from which we received many responses (see list of people and organisations responding in Appendix B).

     From this development process, we are confident that we are dealing with a topic that is relevant to many people in many organisations of different types in all sectors and that there is sufficient consensus on issues and approaches emerging to be able to publish this guidance. We know that future editions of this guidance may well be subject to major revisions. That will be a sign of good and healthy progress. It is in that context that we present this paper to assist in boards' deliberations on the subject of risk appetite and tolerance. The paper consists of an executive summary, which is designed to provide an overview on the subject for general use, particularly by board members, and a more detailed document which is primarily designed to assist those whose task it is to advise boards on these matters.

     The full version of this document is available for free download from the website of the IRM and from partner organisations. Printed versions of the executive summary are also available.

     The original intent of this paper was in the first instance to provide guidance to directors, risk professionals and others tasked with advising boards on compliance with the part of the UK Corporate Governance Code that states that "the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives" (Financial Reporting Council, 2010). However, feedback from the consultation process has shown that there is considerable interest in this topic in the public sector as well as the private sector and beyond the UK. While some specifics might differ, the underlying principles hold true for all sectors and all geographical locations.

     We have found that the approach contained in here has far reaching resonance with anyone who is interested in the subject of risk appetite and tolerance. This is not a subject with an untarnished history: most UK banks would have been expected to define their risk appetite, but not a single bank would have said that it wished to court (and in some instances succumb to) oblivion in the form of the financial crisis. We are now poised to move beyond that thinking. Whether it is a matter of setting, monitoring or overseeing risk appetite, this is a subject that has proved to be somewhat elusive - it means many different things to many different people. For example, some see it as a series of limits, some see it as empowerment, some see it as something that has to be expressed in terms of net risk and others gross. For this reason the subject deserves serious attention. One of the purposes of this document is to begin to provide a common vocabulary for people who wish to discuss this subject both within their organisations, and also in comparing organisations.

     Members of the Working Group

     Richard Anderson, deputy chairman of IRM and managing director of Crowe Horwath Global Risk Consulting
     Bill Aujla, CRO at Etisalat
     Gemma Clatworthy, senior risk consultant at Nationwide Building Society
     Roger Garrini, audit manager at Selex Galileo
     Paul Hopkin, director of IRM and technical director of AIRMIC
     Steven Shackleford, senior academic in audit and risk management at Birmingham City University
     John Summers, chief advisor – risk at Rio Tinto
     Carolyn Williams, head of thought leadership at IRM
  5. In writing this paper, we are conscious that we may appear to have come at this originally from a UK, quoted company-centric perspective and that this is counter to IRM's broad sectoral appeal and international ethos. In fact, while this guidance was originally written with the UK Corporate Governance Code in mind, comments and revisions arising from the consultation process mean that it is applicable to all sectors in all geographies. We continue to welcome feedback from readers in this regard.

     Our objective in writing this document has been to give:

     1. A theoretical underpinning to the subject of risk appetite; but
     2. More importantly, to provide some guidance for those who need to deal with the subject, either for their corporate governance statements, or, alternatively, simply because they think the discussion would inform the way their organisation is run.

     This guidance is not definitive: we do not think that we have written the last word on the subject. Thinking on the subject of risk appetite and risk tolerance will continue to develop and, if, as we hope, this booklet is superseded before too many reporting seasons come and go, then we will know that the concept is beginning to take root.

     It is our view that risk appetite, correctly defined, approached and implemented should be a fundamental business concept that could make a substantial difference to how businesses and organisations are run. We fully expect that the initial scepticism about risk appetite will be gradually replaced as boards and executive directors gain greater insight into its usefulness. We also anticipate that analysts will soon be asking chief executives, chairmen and finance directors about risk appetite. After all, this subject is at the heart of the organisation: risk-taking, whether private, public or third sector, whether large or small, is what managing an organisation is about. The approach of the new UK Corporate Governance Code represents an opportunity to place risk management, and in particular risk appetite, right at the centre of the debate on effective corporate governance and the role of the board in running organisations.

     We would like to know whether or not the approach in this paper has been helpful to you as you work through the ramifications of risk appetite and risk tolerance in your own organisation. Please take the time to tell us so that we can both keep abreast of developments and make sure that we are sharing best practice. At IRM we are passionate about leading the profession, and this is one way that we can do so.

     At a personal level, I would like to thank the numerous people who have contributed to this paper, ranging from the working group, through various IRM meetings which debated early versions of the thinking, to Carolyn Williams, head of thought leadership at IRM, and of course, all of those people, clients, fellow risk professionals, internal auditors, and many, many others, who have discussed this subject with all of the members of the Working Group. I am, of course, particularly pleased that other professional bodies of considerable repute agree sufficiently with our approach to put their names also to this document.

     Richard Anderson
     Deputy Chairman
     The Institute of Risk Management
     September 2011

     About IRM

     The Institute of Risk Management (IRM) is the world's leading enterprise risk management education Institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals. We provide qualifications, short courses and events at a range of levels from introductory to board level and support risk professionals by providing the skills and tools needed to deal with the demands of a constantly changing, sophisticated and challenging business environment. We operate internationally with members and students in over 90 countries, drawn from a variety of risk-related disciplines and a wide range of industries in the private, third and public sectors.

     About the Author

     Richard Anderson, the principal author of this booklet, is Deputy Chairman of IRM. Richard is also Managing Director of Crowe Horwath Global Risk Consulting in the UK. A Chartered Accountant, and formerly a partner at a big-4 practice, Richard has also run his own GRC practice for seven of the last ten years. Richard has been professionally involved with risk management since the mid-nineties and has broad industry sector experience. He wrote a report for the OECD on Corporate Risk Management in the banking sector in the UK, the USA and France. He is a regular speaker at conferences and contributes to many journals on risk management and governance issues.
  6. Contents

     Introduction 4
       About IRM 5
       About the Author 5
     Executive Summary 7
       Principles and approach 7
       Risk appetite and performance 8
       Putting it into practice 9
       Five tests for risk appetite frameworks 9
       Questions for the boardroom 10
     I Background 11
       The UK Corporate Governance Code 11
       Risk appetite and risk tolerance 14
       A word of caution 15
       Key terms and phrases 15
       Background - questions for the boardroom 15
     II Designing a risk appetite 16
       Risk capacity 17
       Risk management maturity 19
       Multiple risk appetites 21
       Risk culture 21
       Key terms and phrases 21
       Designing a risk appetite - questions for the boardroom 22
     III Constructing a risk appetite 23
       Levels of risk appetite 23
       Strategic 23
       Risk taxonomies 24
       Tactical 25
       Project or operational 25
       Propensity to take risk 25
       Propensity to exercise control 25
       Balanced risk 26
       Risk management clockspeed 26
       Control issues 27
       Measurement 27
       Strategic 29
       Tactical and operational 29
       Data 29
       Constructing a risk appetite - questions for the boardroom 29
     IV Implementing a risk appetite 30
       Sketch 31
       Stakeholder engagement 31
       Develop 32
       Approve 32
       Implement 32
       Report 32
       Review 32
       Implementing a risk appetite - questions for the boardroom 32
     V Governing a risk appetite 33
       Governing risk appetite - questions for the boardroom 34
     VI The journey is not over 35
       The journey is not yet over - final questions for the boardroom 35
     Bibliography 36
     Appendix A: Determining the risks the board is willing to take 37
       Responsibilities for risk taking 37
       Process for managing risk taking 38
     Appendix B: List of respondents to consultation 39

     Table of Figures

     Figure 1 - Performance over time 14
     Figure 2 - Possible outcomes 14
     Figure 3 - Risk Universe 14
     Figure 4 - Risk Tolerance 14
     Figure 5 - Risk Appetite 14
     Figure 6 - Risk Appetite in Context 16
     Figure 7 - Risk Culture Diagnostic 22
     Figure 8 - Risk Appetite - Main Issues 23
     Figure 9 - Shareholder Value Model (1) 28
     Figure 10 - Shareholder Value Model (2) 28
     Figure 11 - Shareholder Value Model (3) 28
     Figure 12 - Stages of Development of Risk Appetite 30
     Figure 13 - Governing a Risk Appetite 33
  7. Executive Summary

     "It is often said that no company can make a profit without taking a risk. The same is true for all organisations: no organisation, whether in the private, public or third sector, can achieve its objectives without taking risk. The only question is how much risk do they need to take? And yet taking risks without consciously managing those risks can lead to the downfall of organisations. This is the challenge that has been highlighted by the latest UK Corporate Governance Code issued by the Financial Reporting Council in 2010."

     Principles and approach

     The following key principles have underpinned our work on risk appetite:

     1. Risk appetite can be complex. Excessive simplicity, while superficially attractive, leads to dangerous waters: far better to acknowledge the complexity and deal with it, rather than ignoring it.

     2. Risk appetite needs to be measurable. Otherwise there is a risk that any statements become empty and vacuous. We are not promoting any individual measurement approach but fundamentally it is important that directors should understand how their performance drivers are impacted by risk. Shareholder value may be an appropriate starting point for some private organisations; stakeholder value or 'Economic Value Added' may be appropriate for others. We also anticipate more use of key risk indicators and key control indicators which should be readily available inside or from outside the organisation. Relevant and accurate data is vital for this process and we urge directors to ensure that there is the same level of data governance over these indicators as there would be over routine accounting data.

     3. Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute to this whole development.

     4. Risk appetite should be developed in the context of an organisation's risk management capability, which is a function of risk capacity and risk management maturity. Risk management remains an emerging discipline and some organisations, irrespective of size or complexity, do it much better than others. This is in part due to their risk management culture (a subset of the overall culture), partly due to their systems and processes, and partly due to the nature of their business. However, until an organisation has a clear view of both its risk capacity and its risk management maturity it cannot be clear as to what approach would work or how it should be implemented.

     5. Risk appetite must take into account differing views at a strategic, tactical and operational level. In other words, while the UK Corporate Governance Code envisages a strategic view of risk appetite, in fact risk appetite needs to be addressed throughout the organisation for it to make any practical sense.

     6. Risk appetite must be integrated with the control culture of the organisation. Our framework explores this by looking at both the propensity to take risk and the propensity to exercise control. The framework promotes the idea that the strategic level is proportionately more about risk taking than exercising control, while at the operational level the proportions are broadly reversed. Clearly the relative proportions will depend on the organisation itself, the nature of the risks it faces and the regulatory environment within which it operates.
  8. Risk and control

     We think that this dual focus on taking risk and exercising control is both innovative and critical to a proper understanding of risk appetite and risk tolerance. The innovation is not in looking at risk and control – all boards do that. The innovation is in looking at the interaction of risk and control as part of determining risk appetite. Proportionately more time is likely to be spent on risk taking at a strategic level than at an operational level, where the focus is more likely to be on the exercise of control. One word of caution though: we are not equating strategy with board level and operations with lower levels of the organisation. A board will properly want to know that its operations are under control as much as it wants to oversee the development and implementation of strategy. In the detailed paper we have included a few suggestions as to how boards might like to consider these dual responsibilities. Above all, we are very much focused on the need to take risk as much as the traditional pre-occupation of many risk management programmes, which is the avoidance of harm.

     Risk appetite and performance

     Our view is that both risk appetite and risk tolerance are inextricably linked to performance over time. We believe that while risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with. Organisations have to take some risks and they have to avoid others. The big question that all organisations have to ask themselves is: just what does successful performance look like? This question might be easier to answer for a listed company than for a government department, but can usefully be asked by boards in all sectors.

     The illustrations on these pages show the relationship between risk appetite, tolerance and performance. Diagram 1 shows the expected direction of performance over the coming period. Diagram 2 illustrates the range of performance depending on whether risks (or opportunities) materialise. The remaining diagrams demonstrate the difference between:

     • all the risks that the organisation might face (the "risk universe" - diagram 3)
     • those that, if push comes to shove, they might just be able to put up with (the "risk tolerance" - diagram 4) and
     • those risks that they actively wish to engage with (the "risk appetite" - diagram 5).

     Risk tolerance can be expressed in terms of absolutes, for example "we will not expose more than x% of our capital to losses in a certain line of business" or "we will not deal with certain types of customer".

     Risk appetite, by contrast, is about what the organisation does want to do and how it goes about it. It therefore becomes the board's responsibility to define this all-important part of the risk management system and to ensure that the exercise of risk management throughout the organisation is consistent with that appetite, which needs to remain within the outer boundaries of the risk tolerance. Different boards, in different circumstances, will take different views on the relative importance of appetite and tolerance. We believe that the appetite will be smaller than the tolerance in the vast majority of cases, and that in turn will be smaller than the risk universe, which in any case will include "unknown unknowns".

     [Diagrams 1 to 5: Performance plotted against Time, from t0 to t1. Diagram 1 - current direction of travel for performance. Diagram 2 - where you might get to if some "good" things happen, and where you might get to if some "bad" things happen. Diagram 3 - Risk Universe. Diagram 4 - Risk Tolerance. Diagram 5 - Risk Appetite.]
  9. Putting it into practice

     We have sought to develop an approach to risk appetite that:

     • is theoretically sound (but the theory can quickly disappear into the background)
     • is practical and pragmatic: we do not want to create a bureaucracy, rather we are looking to help find solutions that can work for organisations of all shapes and sizes
     • will make a difference.

     Boardroom debate - we suspect that in the early days particularly, a successful approach to reviewing risk appetite and risk tolerance in the boardroom will necessarily lead to some tensions. In other words we think that it should make a difference to the decisions that are made, otherwise it will diminish into a mere tick-box activity – and nobody needs any more of those in the board room. It is essential that the approach that we are setting out in the detailed guidance can and should be tailored to the needs and maturity of the organisation: it is not a one-size-fits-all approach.

     Consultation - in our paper we have set out an illustrative process for the development of an approach to risk appetite. This includes appropriate consultation with those external and internal stakeholders with whom the board believes it appropriate to consult on this matter. It also includes a review process by the board, or an appropriate committee of the board, and finally it includes a review process at the end of the cycle so that appropriate lessons can be learned.

     Risk Committees - in his 2009 Review of Corporate Governance in UK Banks and Other Financial Industry Entities, Sir David Walker recommended that financial services organisations should make use of board risk committees. The Economic Affairs Committee of the House of Lords recently suggested that large organisations in other sectors should also consider creating such committees. We think that the creation and monitoring of approaches to risk appetite and risk tolerance should be high on the agenda of these committees. In the detailed document, we have included a brief section on the role of the board or risk committee: we are suggesting that governance needs to be exercised over the framework at four key points: approval, measurement, monitoring and learning.

     Flexibility - all of this needs to be carried out with the basic precept in mind that risk appetite can and will change over time (as, for example, the economy shifts from boom to bust, or as cash reserves fall). In other words, breaches of risk appetite may well reflect a need to reconsider the risk appetite part way through a reporting cycle as well as a more regular review on an annual cycle. Rapid changes in circumstances, for example as were witnessed during the financial crisis in 2008-9, might also indicate a need for an organisation to re-appraise its risk appetite. In a fast changing economic climate, it is especially important for firms to have not only a clearly defined strategy, but also a clearly articulated risk appetite framework so that they are able to react quickly to the challenges and opportunities presented during such times.

     Five tests for risk appetite frameworks

     "The risk appetite statement is generally considered the hardest part of any Enterprise Risk Management implementation. However, without clearly defined, measurable tolerances the whole risk cycle and any risk framework is arguably at a halt. The risk appetite statement needs to be practical, guiding managers to make risk-intelligent decisions."

     Jill Douglas, Head of Risk, Charterhouse Risk Management

     In summary, there are five tests that Directors should apply in reviewing their organisation's risk appetite statement:

     1. Do the managers making decisions understand the degree to which they (individually) are permitted to expose the organisation to the consequences of an event or situation?
     2. Do the executives understand their aggregated and interlinked level of risk so they can determine whether it is acceptable or not?
     3. Do the board and executive leadership understand the aggregated and interlinked level of risk for the organisation as a whole?
     4. Are both managers and executives clear that risk appetite is not constant? It changes as the environment and business conditions change. Anything approved by the board must have some flexibility built in.
     5. Are risk decisions made with full consideration of reward? Any risk appetite framework needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward.

     We believe that by following the guidance set out in detail in our document, directors will be able to be confident that they can pass all of those five tests.
  10. Questions for the boardroom

     Below we set out some questions that we think boards may want to consider, as part of an iterative process over time, as they develop their approaches to risk appetite and which will enable them to remain at the forefront of the discussion. One clear outcome from our consultation exercise was that, despite the expected variation in views on the technical aspects of risk appetite, there was a common acceptance of these questions as a useful starting point for board discussion.

     Background

     1. What are the significant risks the board is willing to take? What are the significant risks the board is not willing to take?
     2. What are the strategic objectives of the organisation? Are they clear? What is explicit and what is implicit in those objectives?
     3. Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
     4. Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
     5. What steps has the board taken to ensure oversight over the management of the risks?

     Designing a risk appetite

     6. Has the board and management team reviewed the capabilities of the organisation to manage the risks that it faces?
     7. What are the main features of the organisation's risk culture in terms of tone at the top? Governance? Competency? Decision making?
     8. Does an understanding of risk permeate the organisation and its culture?
     9. Is management incentivised for good risk management?
     10. How much does the organisation spend on risk management each year? How much does it need to spend?
     11. How mature is risk management in the organisation? Is the view consistent at differing levels of the organisation? Is the answer to these questions based on evidence or speculation?

     Constructing a risk appetite

     12. Does the organisation understand clearly why and how it engages with risks?
     13. Is the organisation addressing all relevant risks or only those that can be captured in risk management processes?
     14. Does the organisation have a framework for responding to risks?

     Implementing a risk appetite

     15. Who are the key external stakeholders and have sufficient soundings been taken of their views? Are those views dealt with appropriately in the final documentation?
     16. Has the organisation followed a robust approach to developing its risk appetite?
     17. Did the risk appetite undergo appropriate approval processes, including at the board (or risk oversight committee)?
     18. Is the risk appetite tailored and proportionate to the organisation?
     19. What is the evidence that the organisation has implemented the risk appetite effectively?

     Governing a risk appetite

     20. Is the board satisfied with the arrangements for data governance pertaining to risk management data and information?
     21. Has the board played an active part in the approval, measurement, monitoring and learning from the risk appetite process?
     22. Does the board have, or does it need, a risk committee to, inter alia, oversee the development and monitoring of the risk appetite framework?

     The journey is not over - final thoughts

     23. What needs to change for next time round?
     24. Does the organisation have sufficient and appropriate resources and systems?
     25. What difference did the process make and how would we like it to have an impact next time round?

     Hungry for risk?

     The word "appetite" brings connotations of food, hunger and satisfying one's needs. We think that this metaphor is not always helpful in understanding the phrase "risk appetite". When those two words appear together we think it is more appropriate to think in terms of 'fight or flight' responses to perceived risks. Most animals, including human beings, have a 'fight or flight' response to risk. In humans this can be over-ruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. However, since these instincts are not "hardwired" in our corporate "nervous and sensory" systems, we use risk management as a surrogate.
I. Background

“What is this all about?”

101 In recent years we have witnessed some major risk events ranging from the global financial crisis to the more recent sovereign debt crisis and a large number of natural and meteorological events with major consequential damage and knock-on effects. But the financial crisis of 2008 had many consequences, and raised many questions, not least of which was the question as to why boards failed to see it coming. At the request of the Prime Minister of the day, Sir David Walker carried out a review of the corporate governance of Banks and Other Financial Institutions (“BOFI’s”) and this was followed swiftly by a review of the broader corporate governance landscape in the UK by the Financial Reporting Council (the “FRC”). The FRC made the all-important link between this question and the subject of risk appetite and risk tolerance by inserting reference to these two topics in their draft changes to Section C of the UK Corporate Governance Code (the “Code”) (Financial Reporting Council, 2010). While those very words failed to survive the cut, the concept did survive. Under the newly expanded Section C, a board is explicitly tasked with being responsible for “determining the nature and extent of the significant risks it [the board] is willing to take in achieving its strategic objectives”. This is risk appetite and tolerance by any other name.

102 The rest of this section explores the nature of the words in the Code, and looks at the existing guidance which might help to understand the words.

• Sections II and III of this document look at a proposed new framework of risk appetite and risk tolerance
• Sections IV and V look at the practicalities of implementing and overseeing risk appetite and risk tolerance
• Section VI addresses some of the issues that might require further thought, and
• Appendix A presents a summary of how, in practical terms, a board might go about determining the risks it is willing to take.

Throughout the paper we have indicated questions that could usefully be explored in the boardroom to ensure that the subjects of risk appetite and tolerance are being appropriately addressed.

The UK Corporate Governance Code

103 In its recent update to the UK Corporate Governance Code, the FRC has expanded the section of the Code on Accountability as set out in the box below:

Section C: Accountability

The board should present a balanced and understandable assessment of the company’s position and prospects. The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.

The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting and risk management and internal control principles...
104 This Section is further expanded in the detailed provisions of the Code:

C.1 Financial and Business Reporting

C.1.2 The directors should include in the annual report an explanation of the basis on which the company generates or preserves value over the longer term (the business model) and the strategy for delivering the objectives of the company.

C.2 Risk Management and Internal Control

Main Principle

The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.

Code Provision

C.2.1 The board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls.

105 This paper explores the risk management ramifications of these high level statements, and in particular those relating to the “nature and extent of the significant risks [the board] is willing to take in achieving its strategic objectives”. These are the words that replace the references to risk appetite and tolerance in earlier drafts. It is worth noting that this sentence immediately precedes the requirement that “the board should maintain sound risk management and internal control systems”. So we might infer that this is not empty rubric, but rather a matter of substance, especially since Code Provision C.2.1 goes on to require the board “at least annually [to] conduct a review of the effectiveness of the company’s risk management and internal control systems...” To some this sounds like a recipe for Sarbanes-Oxley s404 style work. This is clearly not the intent of the FRC, nor would it be welcomed in most UK boardrooms. However, the fact of this review has to be reported to shareholders. The juxtaposition of the “significant risks” sentence with the requirement to maintain “sound risk management and internal control systems” might lead the reader to surmise that the risk appetite element is one of the reasons that organisations require risk systems. Overall this is a radical new departure for the FRC and introduces a new concept for many directors and boards of non-financial services organisations.

106 As an aside, it seems that the terms “risk appetite” and “risk tolerance” have deep associations with the financial services industry in some minds, and attempts to move non-financial services organisations in that direction might have been difficult. However these words can be seen, for all intents and purposes, as being indistinguishable from the previous phrases. While many commentators see them as inseparable phrases, we focus predominantly on the concept of risk appetite in this paper as a way of providing guidance to directors and those tasked with advising directors on the requirements of the Code in so far as they relate to risk appetite and tolerance.

How has “risk appetite” been used before?

107 Risk appetite is a phrase that is widely used but frequently in different contexts and for different purposes. It is a phrase that for some people conveys its meaning poorly, and in respect of which the meaning is different for different groups of people. Based on the work that was undertaken in writing this paper it was clear that there is little certainty as to what the phrase means, but there seems to be almost unanimity that it could be, and indeed ought to be, a useful concept, if only it could be properly expressed. Some people prefer other terms such as risk attitude or risk capacity. As far as we are concerned there is nothing fundamentally wrong in using any of these terms. Suffice it to say that in writing this guidance we are taking a very pragmatic view: risk appetite is the most common phrase that we have come across, it is the one that was used by the FRC in the context of the draft Corporate Governance Code and therefore we would prefer to define this term in a way that begins to make sense for as many people as possible.

108 Given the lack of conformity about the meaning of the phrase, it is worth looking at the key standards on risk management, ISO31000 (ISO, 2009) and BS31100¹ (British Standards, 2008), to see what light they shed on the subject. Interestingly ISO31000, the international standard, is silent on the subject of risk appetite (focusing instead on ‘risk attitude’ and ‘risk criteria’), although Guide 73 (ISO, 2002) defines risk appetite as the “amount and type of risk that an organisation is willing to pursue or retain.” Some people argue that ISO31000 is silent on the subject because it is neither a useful phrase nor a meaningful concept. They therefore focus more on risk criteria. On the other hand, we believe that there is a benefit from exploring what we think is turning out to be a useful and meaningful concept.

Definition of Risk Appetite

ISO 31000 / Guide 73: Amount and type of risk that an organisation is willing to pursue or retain

BS31100: Amount and type of risk that an organisation is prepared to seek, accept or tolerate

¹ At the time of writing, this document is undergoing revision. Nevertheless the approach in the 2008 document has proved most useful for this discussion.
109 The original BS31100 contained more detail. It defined risk appetite as the “amount and type of risk that an organisation is prepared to seek, accept or tolerate” – very similar to Guide 73. The standard went on to define risk tolerance (bearing in mind that the definition of risk appetite includes reference to tolerating risk) as an “organisation’s readiness to bear the risk after risk treatments in order to achieve its objectives”. The definition then includes a rider which states: “NOTE: risk tolerance can be limited by legal or regulatory requirements”.

110 Notwithstanding the regular appearance of risk appetite and risk tolerance in the same sentence (or definition in the case of BS31100) it is our belief that risk tolerance is a much simpler concept in that it tends to suggest a series of limits which, depending on the organisation, may either be:

• In the nature of absolute lines drawn in the sand, beyond which the organisation does not wish to proceed; or
• More in the nature of tripwires, that alert the organisation to an impending breach of tolerable risks.

111 We are concerned that this focus treats risk in an unduly negative way, something which we are challenging in this booklet in the sense that there should be a maximum tolerance for risk taking as well as risk avoidance.

112 While neither standard is very informative, it is instructive to see how the “appetite” word or similar words were used in the original BS31100:

Paragraph 3.1 Governance includes a bullet to the effect that the risk management framework should have “defined parameters around the level of risk that is acceptable to the organisation, and thresholds which trigger escalation, review and approval by an authorised person/body.”

Paragraph 3.3.2 Content of the risk management policy has the first explicit reference to risk appetite saying that this should be included in the policy and should outline “the organisation’s risk appetite, thresholds and escalation procedures”

Paragraph 3.8 Risk appetite and risk profile provides a much more comprehensive commentary on risk appetite, which is set out below:

1. “Considering and setting a risk appetite enables an organisation to increase its rewards by optimizing risk taking and accepting calculated risks within an appropriate level of authority
2. “The organisation’s risk appetite should be established and/or approved by the board (or equivalent) and effectively communicated throughout the organisation

113 In conclusion, BS31100 provides some guidance on how to use risk appetite, but it does not (nor did it ever set out to) provide guidance on how to calculate or measure risk appetite, although the standard does suggest the use of “quantitative statements”, without further elaborating. It is interesting to note that the revised version of BS31100 has substantially removed references to risk appetite to bring it in line with ISO31000. This leaves something of a vacuum on the subject, which this guidance seeks to fill.
Risk “appetite” and risk “tolerance”

114 Before we started on this project, it was our belief that we, and more importantly directors and risk professionals, could easily distinguish between risk appetite and risk tolerance and that the former was the more complicated concept. In practice we have found that in many instances these terms are used inter-changeably. We think that is conceptually wrong: there is a clear difference between the two. It is also worth noting that in the eyes of some commentators, risk tolerance is the more important concept. While risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with. Without a doubt there will be occasions where an organisation can deal with more risk than it is thought prudent to pursue.

115 The difference can be illustrated in the diagrams on the bottom of this page.

116 Figure 1 shows performance from the current time (t0) to sometime in the future (t1). The line AB shows the current expected direction of travel in terms of performance. Figure 2 shows that in practice this is subject to risks which, should they materialise, could result in performance along the line AC, or to opportunities (positive risks) which could result in performance along the line AD. The potential risk universe or the total risk exposure is shown by the difference between C and D (see Figure 3).

117 What is clear is that following line AC is not desirable. Less clear is that it might also be undesirable to follow line AD because pursuing it might throw up substantial additional risks. Consequently, there are some risk outcomes for which there is no tolerance, and moreover no tolerance for taking those risks. Moreover, since we are using the generally accepted concept of risk as being potentially positive as well as negative, that suggests that there is a range shown by the triangle AXY (see Figure 4), outside of which the organisation will not tolerate exposure. This is the risk tolerance.

118 On the other hand, our “appetite” for risk is likely to be shown by a narrower band of performance outcomes shown by the triangle AMN (see Figure 5).

119 Risk tolerance can therefore be expressed in terms of absolutes: for example “we will not expose more than x% of our capital to losses in a certain line of business”, or “we will not deal with a certain type of customer”. Risk tolerance statements become “lines in the sand” beyond which the organisation will not move without prior board approval.

120 Risk appetite on the other hand is about what the organisation does want to do and how it goes about it. It therefore becomes the board’s responsibility to define this all important part of the risk management system and to ensure that the exercise of risk management and all that entails is consistent with that appetite, which needs to remain within the outer boundaries of the risk tolerance.

121 While we have focused primarily on risk appetite, some entities (such as Government departments) may be more focused on risk tolerance. This in itself becomes a more complicated issue where the risk of insolvency (the ultimate determination of failure for corporates) is absent. Defining success and failure is therefore very important. This is an area where we believe further work is required. What is clear is that different boards in different circumstances will take different views as to which of these two concepts is more important for them at any given time.

[Figures 1 to 5: charts of Performance (vertical axis) against Time (horizontal axis, t0 to t1).
Figure 1 - Performance over time: line AB, the current direction of travel for performance.
Figure 2 - Possible outcomes: line AD, where you might get to if some “good” things happen; line AC, where you might get to if some “bad” things happen.
Figure 3 - Risk Universe: the area between C and D.
Figure 4 - Risk Tolerance: the triangle AXY.
Figure 5 - Risk Appetite: the triangle AMN.]
A word of caution

122 The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not always helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of “fight or flight” responses to perceived risks. Most animals, including human beings, have a “fight or flight” response to risk. In humans this can be over-ruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. Except of course, as a legal fiction (as opposed to biological reality), organisations do not have their own brains, nervous systems, sensory organs and instincts. They ‘borrow’ these from members of their boards and from their employees. These systems have to be created in terms of interactions of people, data systems and management information which enable people in the organisation to act as if they were parts of the same physical organism.

Conclusion

123 There are four early conclusions that we have drawn from the work we have undertaken in preparing this guidance:

• The first is that we would benefit from a renewed focus on defining the terms that we are using. We have therefore developed glossaries of key terms and phrases which appear throughout this guidance.
• The second is that setting a risk appetite is only a worthwhile exercise if you, as an organisation, are able to manage the risk to the level at which it is set.
• The third is that there is very little by way of formal guidance on the definition of risk appetite. We have reviewed plenty of documents both from professional organisations and from consulting firms. However, our belief is that this subject remains under developed and the remainder of this booklet aims to play a part in redressing that shortcoming.
• The fourth is that risk appetite can and indeed must change, for example as the economy shifts from boom to bust and back again, or as cash reserves fall. Risk appetite, and indeed risk tolerance, both have a temporal element, which is reflected in the way in which we have discussed the monitoring and governance of risk appetite later in this booklet.

Key Terms and Phrases

124 In this section we have used three key terms which we will continue to use throughout the document. In the absence of helpful definitions elsewhere, we are defining them as set out here:

Risk appetite: The amount of risk that an organisation is willing to seek or accept in the pursuit of its long term objectives.

Risk tolerance: The boundaries of risk taking outside of which the organisation is not prepared to venture in the pursuit of its long term objectives.

Risk universe: The full range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long term objectives.

125 It is our expectation that for most organisations, the risk appetite will be smaller than the boundaries depicted by its risk tolerance.

The rest of this document

126 We have set out a route through this topic of risk appetite in the rest of this document under the following main headings:

Section II: Designing a risk appetite
Section III: Constructing a risk appetite
Section IV: Implementing a risk appetite
Section V: Governing a risk appetite
Section VI: The journey is not over

In Section VI we explore some of the issues that we will need to explore as we develop this concept as a boardroom topic over the coming years.

Background - Questions for the Boardroom

• What are the significant risks the board is willing to take? What are the significant risks the board is not willing to take?
• What are the strategic objectives of the organisation? Are they clear? What is explicit and what is implicit in those objectives?
• Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
• Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
• What steps has the board taken to ensure oversight over the management of the risks?