GRC advisors are receiving questions on an ongoing basis about risk appetite. Regulators across the globe, and most recently in Asia, have started focusing on a clearly defined risk appetite framework. The following takes you through a simple explanation of an approach to risk appetite.
What is risk appetite?
Risk appetite is the amount of risk an organization is willing to take on to achieve its strategy. The appetite framework should guide the organization in day-to-day decision making. Risk appetite should be linked directly to the overall strategy and cover all aspects of the business and all risk disciplines.
Who determines risk appetite?
The owner of any organization determines the amount of risk the organization is willing to take on. In public companies, the board of directors determines the amount of risk the organization is willing to take on.
How is it established?
Typically, the person or area responsible for the risk framework (e.g., the Chief Risk Officer) drafts a risk appetite proposal for the board of directors to discuss. Once the board of directors has established a clear appetite framework, the person or areas responsible for the implementation report to the board (in larger organizations through a risk committee) on the risk profile and on potential breaches of the established appetite levels on an ongoing basis. Depending on severity, the board of directors might have to be alerted immediately.
In GRC's experience, successful implementation of a risk appetite framework is correlated with the amount of input received from the organization. The front line of the organization has an inherent view of appetite and is more likely to respond positively to tolerance levels if this view is incorporated into the draft appetite presented to the board. Subject matter experts are more likely to agree with breaches and escalations if they have been part of establishing the tolerance levels.
When is it updated?
A risk appetite framework is dynamic and can be updated on an ongoing basis. At a minimum, the board of directors should endorse its approach to risk appetite on an annual basis.
How is it used?
Risk appetite guides all employees in making day-to-day decisions and establishes clear guidelines for when mistakes should be escalated.
Level of detail
An organization should be able to express its view on risk taking at a very high level. This means writing an appetite framework on a couple of pages in a language understood by everybody. As the framework is utilized, additional detail can be added to fit the area in question. Each area of an organization can develop an appetite framework which fits into the overall group-wide framework.
Qualitative Statements and Clear Escalation Thresholds
In addition to qualitative risk appetite statements, quantitative escalation thresholds for breaches (for example, operational losses) are incorporated in the framework to ensure that the board of directors is notified before a critical level of loss is reached and that action plans are established on a timely basis. The below provides an example of a risk appetite framework for operational risk only.
Top Down Approach coupled with bottom up information
As mentioned above, in addition to the risk appetite statements, it is key that information on key risk indicators, loss data, mitigation actions and projects, customer satisfaction and audit remarks is included in the discussion and assessment of local tolerance for operational risks.
Loss data and other indicators should be monitored daily and on a rolling-average basis, on a dashboard or in a system.
Both gross and net losses (the total loss before and after mitigating factors such as insurance or refunds) as well as gains must be monitored and assessed, even when mitigation actions are deemed sufficient. Though no economic impact might arise, each mistake presents a potential learning opportunity.
The board of directors is notified when accumulated losses exceed the individual thresholds for each category and/or when a single loss breaches the individual single-loss threshold. The board of directors might determine that some event types should be escalated regardless of amount. For instance, intentional internal fraud might require immediate escalation even though no financial impact occurred.
Even when no breaches of accumulated or single-loss thresholds have occurred, risk committees and the board of directors will still receive reporting on an ongoing basis.
Thresholds could be lowered as you move from the board of directors to the risk committees and further down in the organization. The Chief Risk Officer might require immediate reporting of all losses above a certain lower threshold.
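As an added illustration of the escalation rules described above (not part of the original post), the following Python sketch applies tiered single-loss and accumulated thresholds per recipient, keeps gross and net losses apart, and escalates a named event type to the board regardless of amount; all threshold figures, loss categories and loss events are constructed placeholders, not real appetite levels.

```python
from collections import defaultdict
from dataclasses import dataclass
# Tiered thresholds: they fall as reporting moves from board to risk committee
# to CRO. All figures are constructed placeholders, not real appetite levels.
THRESHOLDS = {
    "board":          {"single": 1_000_000, "accumulated": 2_500_000},
    "risk_committee": {"single":   250_000, "accumulated": 1_000_000},
    "cro":            {"single":    50_000, "accumulated":   250_000},
}
ALWAYS_ESCALATE = {"internal_fraud"}  # escalated to the board regardless of amount

@dataclass
class LossEvent:
    event_id: str
    category: str       # constructed categories: "execution", "internal_fraud"
    gross: float        # loss before mitigation (insurance, refunds)
    recovery: float = 0.0

    @property
    def net(self) -> float:
        return self.gross - self.recovery

def escalations(events):
    """Map each recipient to the reasons it must be notified. Single-loss limits
    use gross loss (an insured large event is still reported); accumulated limits
    use net loss per category and fire once per recipient when first crossed."""
    accumulated, reported, out = defaultdict(float), set(), defaultdict(list)
    for ev in events:
        accumulated[ev.category] += ev.net
        if ev.category in ALWAYS_ESCALATE:
            out["board"].append(f"{ev.event_id}: {ev.category} escalated regardless of amount")
        for recipient, lim in THRESHOLDS.items():
            if ev.gross > lim["single"]:
                out[recipient].append(f"{ev.event_id}: single gross loss {ev.gross:,.0f} > {lim['single']:,}")
            if accumulated[ev.category] > lim["accumulated"] and (recipient, ev.category) not in reported:
                reported.add((recipient, ev.category))
                out[recipient].append(f"{ev.category}: accumulated net {accumulated[ev.category]:,.0f} > {lim['accumulated']:,}")
    return dict(out)

# Constructed sample loss register for the worked run.
SAMPLE_EVENTS = [
    LossEvent("e1", "execution", 80_000),
    LossEvent("e2", "internal_fraud", 1_200, recovery=1_200),  # fully refunded, net 0
    LossEvent("e3", "execution", 300_000, recovery=250_000),   # insured, net 50,000
    LossEvent("e4", "execution", 200_000),                     # takes execution net to 330,000
]

if __name__ == "__main__":
    for recipient, reasons in escalations(SAMPLE_EVENTS).items():
        print(recipient, *reasons, sep="\n  ")
```

On the sample register the CRO sees four items (three single losses and the accumulated execution breach), the risk committee one, and the board only the refunded internal fraud event.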
Establish a group covering all main areas of the organization to draft a risk appetite proposal, or to vet a proposed framework with internal stakeholders.
Clear ownership: As with other aspects of a risk management framework clear ownership is key to the success. For example, it should be clear who reports on losses from each business area.
Pilot a framework: As the board of directors might be a bit gun-shy about establishing escalation thresholds, a risk framework could be run in test/pilot mode while the board of directors and the organization in general get used to the new framework.
Use data already available: Typically, loss data and other indicators are already available in the organization and simply must be accumulated and simplified to provide a high-level overview.
Ask yourself: How often do I want to escalate? Look at historical data and establish initial thresholds based on the frequency of breaches.
Benchmark: Compare your risk appetite framework and loss data to like organizations.
Bring in a GRC advisor to establish a risk appetite framework. As we have developed multiple appetite frameworks, we will be able to guide you through the process and tailor a framework which suits your organization in an objective fashion.