Risk Appetite & Tolerance Executive Summary Risk Appetite and Tolerance Executive Summary Foreword 1 Risk appetite and performance 10 Introduction 4 Putting it into practice 12 About IRM 6 Five tests for risk About the Author 6 appetite frameworks 14 Risk appetite – Questions for the boardroom 15 principles and approach 7 Supported by: A guidance paper from the Institute of Risk Management September 2011 ©2011 The Institute of Risk Management All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the express permission of the copyright owner. Permission will generally be granted for use of the material from this document on condition that the source is clearly credited as being the Institute of Risk Management. Risk Appetite and Tolerance Foreword Executive Summary Risk appetite today is a core By providing practical advice on how consideration in any enterprise to approach the development and implementation of a risk appetite risk management approach. framework we believe we will be helping As well as meeting the requirements boards and senior management teams both imposed by corporate governance to manage their organisations better and standards, organisations in all sectors to discharge their corporate governance are increasingly being asked by key responsibilities more effectively. stakeholders, including investors, analysts We are particularly pleased that a and the public, to express clearly the extent large number of professional bodies are of their willingness to take risk in order to supporting this work – risk is everyone’s meet their strategic objectives. business and a common understanding The Institute of Risk Management, and approach helps us work together now in its 25th year, has a key role to play to address this challenging area. in establishing sound practices in this area Alex Hindson and building consensus in what has, for Chairman too long, been a nebulous subject. The Institute of Risk Management 1 This paper will be helpful to senior The Chartered Institute of Internal managers in public service organisations Auditors welcomes this contribution from who are trying to understand risk appetite the Institute of Risk Management to the in the context of their own strategic and debate on risk appetite and risk tolerance. operational decision making. In its recently In theory, the idea of deciding how much published Core Competencies in Public risk of different types the organisation Service Risk Management, Alarm identified wishes to take and accept sounds easy. the need to understand the organisation’s In practice, it is difficult and needs ongoing risk appetite and risk tolerance, as part of effort both from those responsible for the key function of identifying, analysing, governance in agreeing what is acceptable evaluating and responding to risk. The and from all levels of management in ‘questions for the boardroom’, set out in communicating how much risk they wish this paper, could easily be translated into to take and in monitoring how much ‘questions for the public organisation’s they are actually taking. Anything senior executive committee’ and as such that stimulates debate on the practical may be of value to many Alarm members challenges of risk management is to and their organisations. be welcomed. Dr Lynn T Drennan Jackie Cain Chief Executive Policy Director Alarm, the public risk Chartered Institute management association of Internal Auditors While the Financial Reporting Council has CIPFA is pleased to endorse this work kick-started the debate on risk appetite by IRM on risk appetite and tolerance and risk tolerance in the UK, it is a debate which provides welcome leadership on a that resonates around the world. As an challenging subject for both the public integrated global risk consulting business, and private sectors. We look forward I can testify to the fact that our clients are to taking the debate further with our debating risk appetite. That is why we membership in pursuit of our commitment are pleased to support the work of the to sound financial management and good Institute of Risk Management in moving governance. this debate forward. We look forward to Diana Melville actively engaging with IRM and others Governance Adviser in promoting this thought-provoking Chartered Institute of Public Finance document and turning risk appetite into and Accountancy a day-by-day reality for boards and risk management professionals around the world. Larry Rieger CEO, Crowe Horwath Global Risk Consulting 2 All successful organisations need to be This document is an important contribution clear about their willingness to accept risk to a key area of board activity and helpfully in pursuit of their goals. Armed with this addresses one of the issues highlighted in clarity, boards and management can make the Financial Reporting Council’s Guidance meaningful decisions about what actions on Board Effectiveness. ICSA is pleased to take at all levels of the organisation to support the work started here by the and the extent to which they must deal Institute of Risk Management, and looks with the associated risks. But defining forward to a well-informed debate and and implementing risk appetite is work some useful conclusions. in progress for many. CIMA therefore Seamus Gillen warmly welcomes this new guidance Director of Policy from the Institute of Risk Management Institute of Chartered Secretaries as a sound foundation for developing and Administrators (ICSA) best practice on this critical topic. Gillian Lees Head of Corporate Governance Chartered Institute of Management Accountants (CIMA) This paper sends out a clear statement that the principle of risk appetite emanating from the board is the only effective way to initiate an ERM implementation. Charterhouse Risk Management is delighted to be associated with the launch of this paper after contributing to the consultation process. Our own experience with clients confirms that this approach is not only critical, but that the whole process must be undertaken with a practical rather than theoretical vigour. This is an essential ingredient of our delivery capability. References to ‘appetite’ and ‘hunger’ only reinforce the living nature of the required approach. Neil Mockett CTO Charterhouse Risk Management 3 Introduction The UK Corporate Governance Code We have prepared this guidance under states that “the board is responsible the overall direction of a working group of the Institute of Risk Management. Our for determining the nature and work has produced this executive summary, extent of the significant risks it which is designed to provide an overview is willing to take in achieving its of the subject for general use, particularly strategic objectives.” by board members, and a more detailed version which is primarily designed to assist The intent of this document is to provide those whose task it is to advise boards on high level guidance to directors and senior these matters. The detailed version of our executives on how to address this part guidance is available for free download of the Code, which essentially requires from IRM’s website*. consideration of the subjects of ‘risk appetite’ and ‘risk tolerance’. Following the financial collapse, precipitated by banks which we all This summary will tell you: assumed were outstanding at managing • what you need to know risk, which was after all their raison • what you need to do, and d’être, first the Walker Report, and then • where can you turn for more the review of Corporate Governance by detailed guidance the FRC highlighted the need for boards to re-evaluate just how good they are It became apparent during the at managing risk. As a consequence Risk development of our paper that there is Appetite and Risk Tolerance are now considerable interest in this topic in on the agenda for all listed companies. the public sector as well as the private Importantly, our work has shown that sector, and also beyond the UK. So, while this interest extends outside the listed some specifics might differ, we feel that sector to organisations in all walks of life. the underlying principles hold true for But managing risk appetite represents a all sectors and all geographical locations. massive challenge: risk professionals have been divided as to how to determine risk appetite and there is precious little in terms of useful guidance. * Risk Appetite and Tolerance – Guidance Paper available from www.theirm.org/publications/risk_appetite.html 4 We do not regard this guidance Members of as the last word on the subject: the Working Group thinking will continue to develop and, if, Richard Anderson, as we hope, this booklet is superseded Deputy Chairman of IRM and before too many reporting seasons come Managing Director of Crowe and go, then we will know that the Horwath Global Risk Consulting concept of risk appetite is beginning Bill Aujla, to take root. CRO at Etisalat It is our view that risk appetite, correctly Gemma Clatworthy, defined, approached and implemented, Senior risk consultant at Nationwide should be a fundamental business concept Building Society that could make a substantial difference to how businesses and organisations are run. Roger Garrini, We fully expect that the initial scepticism Audit manager at Selex Galileo about risk appetite will be gradually Paul Hopkin, replaced as boards and executive directors Director of IRM and technical gain greater insight into its usefulness. director of AIRMIC We also anticipate that analysts will soon be asking chief executives, chairmen and Steven Shackleford, finance directors about risk appetite. Senior academic in audit and risk After all, this subject is at the heart of the management at Birmingham City organisation: risk-taking, whether private, University public or third sector, whether large or small, is what managing an organisation John Summers, is about. The approach of the new UK Chief advisor – risk at Rio Tinto Corporate Governance Code represents Carolyn Williams, an opportunity to place risk management, Head of thought leadership at IRM and in particular risk appetite, right at the centre of the debate on effective corporate governance and the role of the board in running organisations. Richard Anderson Deputy Chairman, Institute of Risk Management 5 About IRM About the Author The Institute of Risk Management (IRM) Richard Anderson, the principal author is the world’s leading enterprise risk of this booklet, is Deputy Chairman of management education Institute. We are IRM. Richard is also Managing Director independent, well-respected advocates of of Crowe Horwath Global Risk Consulting the risk profession, owned by practising risk in the UK. A Chartered Accountant, and professionals. We provide qualifications, formerly a partner at a big-4 practice, short courses and events at a range of Richard has also run his own GRC practice levels from introductory to board level for seven of the last ten years. Richard and support risk professionals by providing has been professionally involved with risk the skills and tools needed to deal with management since the mid-nineties the demands of a constantly changing, and has broad industry sector experience. sophisticated and challenging business He wrote a report for the OECD on environment. We operate internationally Corporate Risk Management in the banking with members and students in over 90 sector in the UK, the USA and France. countries, drawn from a variety of risk- He is a regular speaker at conferences related disciplines and a wide range of and contributes to many journals on risk industries in the private, third and management and governance issues. public sectors. “It is interesting, but not surprising, that whilst a significant proportion of financial organisations who have formally articulated a risk appetite statement have been compelled to do so by regulatory requirements, non- financial organisations have developed risk appetites in order to assist in the achievement of strategic goals.” Source: Jill Douglas, Head of Risk, Charterhouse Risk Management 6 Risk appetite – principles and approach It is often said that no company The following key principles have can make a profit without taking underpinned our work on risk appetite: a risk. The same is true for all 1 Risk appetite can be complex. Excessive organisations: no organisation, simplicity, while superficially attractive, whether in the private, public leads to dangerous waters: far better or third sector can achieve its to acknowledge the complexity and objectives without taking risk. deal with it, rather than ignoring it. The only question is how much risk do they need to take? 2 Risk appetite needs to be measurable. And yet taking risks without Otherwise there is a risk that any consciously managing those statements become empty and risks can lead to the downfall of vacuous. We are not promoting any organisations. This is the challenge individual measurement approach but that has been highlighted by the fundamentally it is important that latest UK Corporate Governance directors should understand how their Code issued by the Financial performance drivers are impacted Reporting Council in 2010. by risk. Shareholder value may be an appropriate starting point for some private organisations; stakeholder value or ‘Economic Value Added’ may be appropriate for others. We also anticipate more use of key risk and control metrics which should be readily available inside or from outside the organisation. Relevant and accurate data is vital for this process and we urge directors to ensure that there is the same level of data governance over these metrics as there would be over routine accounting data. 7 3 R isk appetite is not a single, fixed 5 Risk appetite must take into account concept. There will be a range of differing views at a strategic, tactical appetites for different risks which need and operational level. In other words, to align and these appetites may well while the UK Corporate Governance vary over time: the temporal aspect of Code envisages a strategic view of risk appetite is a key attribute to this risk appetite, in fact risk appetite whole development. needs to be addressed throughout the organisation for it to make any 4 R isk appetite should be developed practical sense. in the context of an organisation’s risk management capability, which 6 Risk appetite must be integrated with is a function of risk capacity and the control culture of the organisation. risk management maturity. Risk Our framework explores this by looking management remains an emerging at both the propensity to take risk and discipline and some organisations, the propensity to exercise control. The irrespective of size or complexity, do it framework promotes the idea that much better than others. This is in part the strategic level is proportionately due to their risk management culture more about risk taking than exercising (a subset of the overall culture), partly control, while at the operational level due to their systems and processes, the proportions are broadly reversed. and partly due to the nature of their Clearly the relative proportions will business. However, until an organisation depend on the organisation itself, the has a clear view of both its risk capacity nature of the risks it faces and the and its risk management maturity it regulatory environment within which cannot be clear as to what approach it operates. would work or how it should be implemented. 8
Description: