Guidance Paper - The Institute of Risk Management
Guidance Paper - The Institute of Risk Management
Guidance Paper - The Institute of Risk Management
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Develop<br />
408<br />
<strong>The</strong> development <strong>of</strong> the risk<br />
appetite approach should now<br />
be well-informed by the<br />
background work, the<br />
preliminary sketch and the dialogue with<br />
relevant stakeholders. <strong>The</strong> amount <strong>of</strong><br />
detail that is required will vary from<br />
organisation to organisation. Of course,<br />
the detail needs to be tailored and<br />
proportionate to the organisation.<br />
Approve<br />
409<br />
If we are right in thinking that<br />
the development <strong>of</strong> risk<br />
appetite thinking in<br />
organisations has the<br />
potential to change the way that<br />
organisations are run, then it goes<br />
without doubt that boards, and in the<br />
event that they exist, risk oversight<br />
committees should review and approve<br />
the risk appetite document.<br />
Implement<br />
410<br />
Implementation is going to<br />
take some time. It is unlikely<br />
that an organisation will be<br />
able to get the risk appetite framework<br />
right first time. In particular the cultural<br />
aspects, the data gathering and the<br />
ramifications <strong>of</strong> divergences from the<br />
statement will need to be worked<br />
through.<br />
<strong>The</strong>re is little point in defining<br />
411 an appetite without clearly<br />
articulating consequences.<br />
Further, it is important the<br />
organisation is seen to take action in<br />
conjunction with the appetite. For<br />
example, some Boards and senior<br />
management state they have a zero<br />
tolerance risk appetite regarding any<br />
compliance or regulatory breaches. All<br />
well and good, but the organisation’s staff<br />
policy handbook must clearly follow the<br />
same lines and one would expect that<br />
once proved, disciplinary proceedings for<br />
the staff responsible would be automatic.<br />
For the risk appetite statement to be<br />
taken seriously throughout the firm it<br />
cannot be defined in isolation to the rest<br />
<strong>of</strong> the organisation.<br />
Report<br />
412<br />
We envisage that reporting<br />
against risk appetite<br />
statements will broadly take<br />
two forms:<br />
• Internal: this will require reporting on<br />
a frequency similar to regular internal<br />
management reporting,; and<br />
• External: this will require annual<br />
reporting to relevant stakeholders,<br />
including (where they exist)<br />
shareholders, and perhaps others<br />
included in the stakeholder<br />
engagement stage above.<br />
Review<br />
413<br />
At the end <strong>of</strong> each reporting<br />
cycle, and before the risk<br />
appetite statement is resketched,<br />
there should be a review,<br />
perhaps undertaken by the board or the<br />
risk oversight committee into what<br />
worked well, what failed, and what needs<br />
to be done differently next time. Learning<br />
the lessons, especially in the early days <strong>of</strong><br />
implementing a risk appetite statement<br />
will be critically important.<br />
Implementing<br />
a risk appetite -<br />
questions for<br />
the boardroom<br />
• Has the organisation followed a<br />
robust approach to developing<br />
a risk appetite<br />
• Who are the key external<br />
stakeholders and have<br />
sufficient soundings been taken<br />
<strong>of</strong> their views Are those views<br />
dealt with appropriately in the<br />
final documentation<br />
• Is the risk appetite tailored<br />
and proportionate to the<br />
organisation<br />
• Did the risk appetite undergo<br />
appropriate approval processes,<br />
including at the board (or risk<br />
oversight committee)<br />
• What is the evidence that the<br />
organisation has implemented<br />
the risk appetite effectively<br />
32