Guidance Paper - The Institute of Risk Management

More documents

Recommendations

Info

Questions for the boardroom Below we set out some questions that we think boards may want to consider, as part of an iterative process over time, as they develop their approaches to risk appetite and which will enable them to remain at the forefront of the discussion. One clear outcome from our consultation exercise was that, despite the expected variation in views on the technical aspects of risk appetite, there was a common acceptance of these questions as a useful starting point for board discussion. Background 1. What are the significant risks the board is willing to take What are the significant risks the board is not willing to take 2. What are the strategic objectives of the organisation Are they clear What is explicit and what is implicit in those objectives 3. Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives 4. Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation 5. What steps has the board taken to ensure oversight over the management of the risks Designing a risk appetite 6. Has the board and management team reviewed the capabilities of the organisation to manage the risks that it faces 7. What are the main features of the organisation’s risk culture in terms of tone at the top Governance Competency Decision making 8. Does an understanding of risk permeate the organisation and its culture 9. Is management incentivised for good risk management 10. How much does the organisation spend on risk management each year How much does it need to spend 11. How mature is risk management in the organisation Is the view consistent at differing levels of the organisation Is the answer to these questions based on evidence or speculation Constructing a risk appetite 12. Does the organisation understand clearly why and how it engages with risks 13. Is the organisation addressing all relevant risks or only those that can be captured in risk management processes 14. Does the organisation have a framework for responding to risks Implementing a risk appetite 15. Who are the key external stakeholders and have sufficient soundings been taken of their views Are those views dealt with appropriately in the final documentation 16. Has the organisation followed a robust approach to developing its risk appetite 17. Did the risk appetite undergo appropriate approval processes, including at the board (or risk oversight committee) 18. Is the risk appetite tailored and proportionate to the organisation 19. What is the evidence that the organisation has implemented the risk appetite effectively Hungry for risk Governing a risk appetite 20. Is the board satisfied with the arrangements for data governance pertaining to risk management data and information 21. Has the board played an active part in the approval, measurement, monitoring and learning from the risk appetite process 22. Does the board have, or does it need, a risk committee to, inter alia, oversee the development and monitoring of the risk appetite framework The journey is not over - final thoughts 23. What needs to change for next time round 24. Does the organisation have sufficient and appropriate resources and systems 25. What difference did the process make and how would we like it to have an impact next time round The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not always helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of ‘fight or flight’ responses to perceived risks. Most animals, including human beings, have a ‘fight or flight’ response to risk. In humans this can be over-ruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. However, since these instincts are not ”hardwired“ in our corporate “nervous and sensory” systems we use risk management as a surrogate. 10
I Background “What is this all about” 101 In recent years we have witnessed some major risk events ranging from the global financial crisis to the more recent sovereign debt crisis and a large number of natural and meteorological events with major consequential damage and knockon effects. But the financial crisis of 2008 had many consequences, and raised many questions, not least of which was the question as to why boards failed to see it coming. At the request of the Prime Minister of the day, Sir David Walker carried out a review of the corporate governance of Banks and Other Financial Institutions (“BOFI’s”) and this was followed swiftly by a review of the broader corporate governance landscape in the UK by the Financial Reporting Council (the “FRC”). The FRC made the all-important link between this question and the subject of risk appetite and risk tolerance by inserting reference to these two topics in their draft changes to Section C of the UK Corporate Governance Code (the “Code”) (Financial Reporting Council, 2010). While those very words failed to survive the cut, the concept did survive. Under the newly expanded Section C, a board is explicitly tasked with being responsible for “determining the nature and extent of the significant risks it [the board] is willing to take in achieving its strategic objectives”. This is risk appetite and tolerance by any other name. The rest of this section 102 explores the nature of the words in the Code, and looks at the existing guidance which might help to understand the words. • Sections II and III of this document look at a proposed new framework of risk appetite and risk tolerance • Sections IV and V look at the practicalities of implementing and overseeing risk appetite and risk tolerance • Section VI addresses some of the issues that might require further thought, and • Appendix A presents a summary of how, in practical terms, a board might go about determining the risks it is willing to take. Throughout the paper we have indicated questions that could usefully be explored in the boardroom to ensure that the subjects of risk appetite and tolerance are being appropriately addressed. The UK Corporate Governance Code 103 In its recent update to the UK Corporate Governance Code, the FRC has expanded the section of the Code on Accountability as set out in the box below: . Section C: Accountability The board should present a balanced and understandable assessment of the company’s position and prospects. The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems. The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting and risk management and internal control principles... 11
Page 1 and 2: Risk Appetite & Tolerance Guidance
Page 3 and 4: The Chartered Institute of Internal
Page 5 and 6: In writing this paper, we are consc
Page 7 and 8: Executive Summary Principles and ap
Page 9: Putting it into practice We have so
Page 13 and 14: The original BS31100 109 contained
Page 15 and 16: A word of caution 122 The word “a
Page 17 and 18: 203 This framework has several key
Page 19 and 20: Risk Management Maturity 206 Risk m
Page 21 and 22: Multiple risk appetites 209 We beli
Page 23 and 24: III Constructing a risk appetite
Page 25 and 26: Tactical 308 Many organisations str
Page 27 and 28: Control Issues Irrespective of risk
Page 29 and 30: Strategic 319 At a strategic level
Page 31 and 32: Sketch 403 Risk appetite should be
Page 33 and 34: V Governing a risk appetite “Maki
Page 35 and 36: VI The journey is not over 601 It i
Page 37 and 38: Appendix A: Determining the risks t
Page 39 and 40: Appendix B: List of respondents to
Page 42: Crowe Horwath Global Risk Consultin

Guidance Paper - The Institute of Risk Management

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?