Guidance Paper - The Institute of Risk Management
Appendix A: Determining the risks the board is willing to take

Responsibilities for risk taking

1. The board of directors is responsible for the company’s risk appetite, risk tolerance and attitude to risk taking. It should do this by reference to a risk appetite framework the establishment of which the board should oversee. The risk appetite framework of the organisation should be established in the context of the capacity of the organisation to manage the risks and its ability to exercise the appropriate management disciplines.
2. The risk appetite framework may be defined by a series of risk criteria for the different types of risks faced by the company. Establishing the risk appetite and/or risk criteria will enable the board to determine the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board is responsible for monitoring compliance with the requirements of the risk appetite framework.
3. The risk appetite framework should inform the development of strategy for the organisation. It should help with the development of plans for the implementation of strategy. It should also be used as a planning tool to develop tactics and plan change. Although the board should retain responsibility for strategic risk taking, a committee of the board may have delegated authority for overseeing the production of the risk appetite framework for board approval.
4. Management of the company at all levels is responsible for operating within the constraints established by the risk appetite and risk tolerance framework. Management is responsible for ensuring that employees follow the policy with regard to risk taking and operate within the limits of authority established by the risk appetite framework and the requirements of any Delegation of Authority arrangements. Management is also responsible for ensuring that the company operates a system of risk escalation when any risk exposure approaches the maximum level that the company is willing to tolerate.
5. Management is responsible for ensuring that appropriate disciplines are in place over risk management data and risk management information. The board (or a committee thereof) should satisfy itself that appropriate data architecture and data governance disciplines are in place.