13.07.2015 Views

Executive Summary - The Institute of Risk Management


Risk Appetite & Tolerance
Executive Summary


Risk Appetite and Tolerance
Executive Summary

Foreword
Introduction
About IRM
About the Author
Risk appetite – principles and approach
Risk appetite and performance
Putting it into practice
Five tests for risk appetite frameworks
Questions for the boardroom

A guidance paper from the Institute of Risk Management
September 2011

©2011 The Institute of Risk Management
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the express permission of the copyright owner. Permission will generally be granted for use of the material from this document on condition that the source is clearly credited as being the Institute of Risk Management.


Foreword

Risk appetite today is a core consideration in any enterprise risk management approach.

As well as meeting the requirements imposed by corporate governance standards, organisations in all sectors are increasingly being asked by key stakeholders, including investors, analysts and the public, to express clearly the extent of their willingness to take risk in order to meet their strategic objectives.

The Institute of Risk Management, now in its 25th year, has a key role to play in establishing sound practices in this area and building consensus in what has, for too long, been a nebulous subject.

By providing practical advice on how to approach the development and implementation of a risk appetite framework we believe we will be helping boards and senior management teams both to manage their organisations better and to discharge their corporate governance responsibilities more effectively.

We are particularly pleased that a large number of professional bodies are supporting this work – risk is everyone’s business and a common understanding and approach helps us work together to address this challenging area.

Alex Hindson
Chairman
The Institute of Risk Management


This paper will be helpful to senior managers in public service organisations who are trying to understand risk appetite in the context of their own strategic and operational decision making. In its recently published Core Competencies in Public Service Risk Management, Alarm identified the need to understand the organisation’s risk appetite and risk tolerance, as part of the key function of identifying, analysing, evaluating and responding to risk. The ‘questions for the boardroom’, set out in this paper, could easily be translated into ‘questions for the public organisation’s senior executive committee’ and as such may be of value to many Alarm members and their organisations.

Dr Lynn T Drennan
Chief Executive
Alarm, the public risk management association

The Chartered Institute of Internal Auditors welcomes this contribution from the Institute of Risk Management to the debate on risk appetite and risk tolerance. In theory, the idea of deciding how much risk of different types the organisation wishes to take and accept sounds easy. In practice, it is difficult and needs ongoing effort both from those responsible for governance in agreeing what is acceptable and from all levels of management in communicating how much risk they wish to take and in monitoring how much they are actually taking. Anything that stimulates debate on the practical challenges of risk management is to be welcomed.

Jackie Cain
Policy Director
Chartered Institute of Internal Auditors

While the Financial Reporting Council has kick-started the debate on risk appetite and risk tolerance in the UK, it is a debate that resonates around the world. As an integrated global risk consulting business, I can testify to the fact that our clients are debating risk appetite. That is why we are pleased to support the work of the Institute of Risk Management in moving this debate forward. We look forward to actively engaging with IRM and others in promoting this thought-provoking document and turning risk appetite into a day-by-day reality for boards and risk management professionals around the world.

Larry Rieger
CEO, Crowe Horwath Global Risk Consulting

CIPFA is pleased to endorse this work by IRM on risk appetite and tolerance which provides welcome leadership on a challenging subject for both the public and private sectors. We look forward to taking the debate further with our membership in pursuit of our commitment to sound financial management and good governance.

Diana Melville
Governance Adviser
Chartered Institute of Public Finance and Accountancy


All successful organisations need to be clear about their willingness to accept risk in pursuit of their goals. Armed with this clarity, boards and management can make meaningful decisions about what actions to take at all levels of the organisation and the extent to which they must deal with the associated risks. But defining and implementing risk appetite is work in progress for many. CIMA therefore warmly welcomes this new guidance from the Institute of Risk Management as a sound foundation for developing best practice on this critical topic.

Gillian Lees
Head of Corporate Governance
Chartered Institute of Management Accountants (CIMA)

This document is an important contribution to a key area of board activity and helpfully addresses one of the issues highlighted in the Financial Reporting Council’s Guidance on Board Effectiveness. ICSA is pleased to support the work started here by the Institute of Risk Management, and looks forward to a well-informed debate and some useful conclusions.

Seamus Gillen
Director of Policy
Institute of Chartered Secretaries and Administrators (ICSA)

This paper sends out a clear statement that the principle of risk appetite emanating from the board is the only effective way to initiate an ERM implementation. Charterhouse Risk Management is delighted to be associated with the launch of this paper after contributing to the consultation process. Our own experience with clients confirms that this approach is not only critical, but that the whole process must be undertaken with a practical rather than theoretical vigour. This is an essential ingredient of our delivery capability. References to ‘appetite’ and ‘hunger’ only reinforce the living nature of the required approach.

Neil Mockett
CTO
Charterhouse Risk Management


Introduction

The UK Corporate Governance Code states that “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.”

The intent of this document is to provide high level guidance to directors and senior executives on how to address this part of the Code, which essentially requires consideration of the subjects of ‘risk appetite’ and ‘risk tolerance’.

This summary will tell you:
• what you need to know
• what you need to do, and
• where can you turn for more detailed guidance

It became apparent during the development of our paper that there is considerable interest in this topic in the public sector as well as the private sector, and also beyond the UK. So, while some specifics might differ, we feel that the underlying principles hold true for all sectors and all geographical locations.

We have prepared this guidance under the overall direction of a working group of the Institute of Risk Management. Our work has produced this executive summary, which is designed to provide an overview of the subject for general use, particularly by board members, and a more detailed version which is primarily designed to assist those whose task it is to advise boards on these matters. The detailed version of our guidance is available for free download from IRM’s website*.

Following the financial collapse, precipitated by banks which we all assumed were outstanding at managing risk, which was after all their raison d’être, first the Walker Report, and then the review of Corporate Governance by the FRC highlighted the need for boards to re-evaluate just how good they are at managing risk. As a consequence Risk Appetite and Risk Tolerance are now on the agenda for all listed companies. Importantly, our work has shown that this interest extends outside the listed sector to organisations in all walks of life. But managing risk appetite represents a massive challenge: risk professionals have been divided as to how to determine risk appetite and there is precious little in terms of useful guidance.

* Risk Appetite and Tolerance – Guidance Paper available from www.theirm.org/publications/risk_appetite.html


We do not regard this guidance as the last word on the subject: thinking will continue to develop and, if, as we hope, this booklet is superseded before too many reporting seasons come and go, then we will know that the concept of risk appetite is beginning to take root.

It is our view that risk appetite, correctly defined, approached and implemented, should be a fundamental business concept that could make a substantial difference to how businesses and organisations are run. We fully expect that the initial scepticism about risk appetite will be gradually replaced as boards and executive directors gain greater insight into its usefulness. We also anticipate that analysts will soon be asking chief executives, chairmen and finance directors about risk appetite. After all, this subject is at the heart of the organisation: risk-taking, whether private, public or third sector, whether large or small, is what managing an organisation is about. The approach of the new UK Corporate Governance Code represents an opportunity to place risk management, and in particular risk appetite, right at the centre of the debate on effective corporate governance and the role of the board in running organisations.

Richard Anderson
Deputy Chairman, Institute of Risk Management

Members of the Working Group

• Richard Anderson, Deputy Chairman of IRM and Managing Director of Crowe Horwath Global Risk Consulting
• Bill Aujla, CRO at Etisalat
• Gemma Clatworthy, Senior risk consultant at Nationwide Building Society
• Roger Garrini, Audit manager at Selex Galileo
• Paul Hopkin, Director of IRM and technical director of AIRMIC
• Steven Shackleford, Senior academic in audit and risk management at Birmingham City University
• John Summers, Chief advisor – risk at Rio Tinto
• Carolyn Williams, Head of thought leadership at IRM


About IRM

The Institute of Risk Management (IRM) is the world’s leading enterprise risk management education Institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals. We provide qualifications, short courses and events at a range of levels from introductory to board level and support risk professionals by providing the skills and tools needed to deal with the demands of a constantly changing, sophisticated and challenging business environment. We operate internationally with members and students in over 90 countries, drawn from a variety of risk-related disciplines and a wide range of industries in the private, third and public sectors.

About the Author

Richard Anderson, the principal author of this booklet, is Deputy Chairman of IRM. Richard is also Managing Director of Crowe Horwath Global Risk Consulting in the UK. A Chartered Accountant, and formerly a partner at a big-4 practice, Richard has also run his own GRC practice for seven of the last ten years. Richard has been professionally involved with risk management since the mid-nineties and has broad industry sector experience. He wrote a report for the OECD on Corporate Risk Management in the banking sector in the UK, the USA and France. He is a regular speaker at conferences and contributes to many journals on risk management and governance issues.

“It is interesting, but not surprising, that whilst a significant proportion of financial organisations who have formally articulated a risk appetite statement have been compelled to do so by regulatory requirements, non-financial organisations have developed risk appetites in order to assist in the achievement of strategic goals.”
Source: Jill Douglas, Head of Risk, Charterhouse Risk Management


Risk appetite – principles and approach

It is often said that no company can make a profit without taking a risk. The same is true for all organisations: no organisation, whether in the private, public or third sector can achieve its objectives without taking risk. The only question is how much risk do they need to take? And yet taking risks without consciously managing those risks can lead to the downfall of organisations. This is the challenge that has been highlighted by the latest UK Corporate Governance Code issued by the Financial Reporting Council in 2010.

The following key principles have underpinned our work on risk appetite:

1 Risk appetite can be complex. Excessive simplicity, while superficially attractive, leads to dangerous waters: far better to acknowledge the complexity and deal with it, rather than ignoring it.

2 Risk appetite needs to be measurable. Otherwise there is a risk that any statements become empty and vacuous. We are not promoting any individual measurement approach but fundamentally it is important that directors should understand how their performance drivers are impacted by risk. Shareholder value may be an appropriate starting point for some private organisations; stakeholder value or ‘Economic Value Added’ may be appropriate for others. We also anticipate more use of key risk and control metrics which should be readily available inside or from outside the organisation. Relevant and accurate data is vital for this process and we urge directors to ensure that there is the same level of data governance over these metrics as there would be over routine accounting data.


3 Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute to this whole development.

4 Risk appetite should be developed in the context of an organisation’s risk management capability, which is a function of risk capacity and risk management maturity. Risk management remains an emerging discipline and some organisations, irrespective of size or complexity, do it much better than others. This is in part due to their risk management culture (a subset of the overall culture), partly due to their systems and processes, and partly due to the nature of their business. However, until an organisation has a clear view of both its risk capacity and its risk management maturity it cannot be clear as to what approach would work or how it should be implemented.

5 Risk appetite must take into account differing views at a strategic, tactical and operational level. In other words, while the UK Corporate Governance Code envisages a strategic view of risk appetite, in fact risk appetite needs to be addressed throughout the organisation for it to make any practical sense.

6 Risk appetite must be integrated with the control culture of the organisation. Our framework explores this by looking at both the propensity to take risk and the propensity to exercise control. The framework promotes the idea that the strategic level is proportionately more about risk taking than exercising control, while at the operational level the proportions are broadly reversed. Clearly the relative proportions will depend on the organisation itself, the nature of the risks it faces and the regulatory environment within which it operates.


Risk and control

We think that this dual focus on taking risk and exercising control is both innovative and critical to a proper understanding of risk appetite and risk tolerance. The innovation is not in looking at risk and control – all boards do that. The innovation is in looking at the interaction of risk and control as part of determining risk appetite. Proportionately more time is likely to be spent on risk taking at a strategic level than at an operational level, where the focus is more likely to be on the exercise of control. One word of caution though, we are not equating strategy with board level and operations with lower levels of the organisation.

A board will properly want to know that its operations are under control as much as it wants to oversee the development and implementation of strategy. In the detailed paper we have included a few suggestions as to how boards might like to consider these dual responsibilities. Above all, we are very much focused on the need to take risk as much as the traditional pre-occupation of many risk management programmes, which is the avoidance of harm.

Hungry for risk?

The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not always helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of ‘fight or flight’ responses to perceived risks. Most animals, including human beings, have a ‘fight or flight’ response to risk. In humans this can be over-ruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. However, since these instincts are not “hardwired” in our corporate “nervous and sensory” systems we use risk management as a surrogate.


Risk appetite and performance

Our view is that both risk appetite and risk tolerance are inextricably linked to performance over time. We believe that while risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with. Organisations have to take some risks and they have to avoid others. The big question that all organisations have to ask themselves is: just what does successful performance look like? This question might be easier to answer for a listed company than for a government department, but can usefully be asked by boards in all sectors.

The illustrations on these pages show the relationship between risk appetite, tolerance and performance. Diagram 1 shows the expected direction of performance over the coming period. Diagram 2 illustrates the range of performance depending on whether risks (or opportunities) materialise. The remaining diagrams demonstrate the difference between:
• all the risks that the organisation might face (the “risk universe” - Diagram 3)
• those that, if push comes to shove, they might just be able to put up with (the “risk tolerance” - Diagram 4) and
• those risks that they actively wish to engage with (the “risk appetite” - Diagram 5).

[Diagram 1: Performance against Time (t0 to t1), showing the current direction of travel for performance.]

[Diagram 2: Performance against Time (t0 to t1), showing where you might get to if some “good” things happen and where you might get to if some “bad” things happen.]


We believe that the appetite will be smaller than the tolerance in the vast majority of cases, and that in turn will be smaller than the risk universe, which in any case will include “unknown unknowns”.

Risk tolerance can be expressed in terms of absolutes, for example “we will not expose more than x% of our capital to losses in a certain line of business” or “we will not deal with certain types of customer”.

Risk appetite, by contrast is about what the organisation does want to do and how it goes about it.

It therefore becomes the board’s responsibility to define this all-important part of the risk management system and to ensure that the exercise of risk management throughout the organisation is consistent with that appetite, which needs to remain within the outer boundaries of the risk tolerance. Different boards, in different circumstances, will take different views on the relative importance of appetite and tolerance.

[Diagram 3: Performance against Time (t0 to t1), showing the Risk Universe and where you might get to if some “bad” things happen.]

[Diagram 4: Performance against Time (t0 to t1), showing the Risk Tolerance and where you might get to if some “bad” things happen.]

[Diagram 5: Performance against Time (t0 to t1), showing the Risk Appetite and where you might get to if some “bad” things happen.]


Putting it into practice

We have sought to develop an approach to risk appetite that:

1 is theoretically sound (but the theory can quickly disappear into the background)
2 is practical and pragmatic: we do not want to create a bureaucracy, rather we are looking to help find solutions that can work for organisations of all shapes and sizes, and
3 will make a difference.

Boardroom debate - we suspect that in the early days particularly, a successful approach to reviewing risk appetite and risk tolerance in the boardroom will necessarily lead to some tensions. In other words we think that it should make a difference to the decisions that are made, otherwise it will diminish into a mere tick-box activity – and nobody needs any more of those in the boardroom. It is essential that the approach that we are setting out in the detailed guidance can and should be tailored to the needs and maturity of the organisation: it is not a one-size-fits-all approach.

Consultation - in our paper we have set out an illustrative process for the development of an approach to risk appetite. This includes appropriate consultation with those external and internal stakeholders, with whom the board believes it appropriate to consult on this matter. It also includes a review process by the board, or an appropriate committee of the board, and finally it includes a review process at the end of the cycle so that appropriate lessons can be learned.

Risk Committees - in his 2009 Review of Corporate Governance in UK Banks and Other Financial Industry Entities, Sir David Walker recommended that financial services organisations should make use of board risk committees. The Economic Affairs Committee of the House of Lords recently suggested that large organisations in other sectors should also consider creating such committees.* We think that the creation and monitoring of approaches to risk appetite and risk tolerance should be high on the agenda of these committees. In the detailed document, we have included a brief section on the role of the board or risk committee: we are suggesting that governance needs to be exercised over the framework at four key points: approval, measurement, monitoring and learning.

* House of Lords Economic Affairs Committee. (2011) Second Report - Auditors: Market concentration and their role


Flexibility - all of this needs to be carried out with the basic precept in mind that risk appetite can and will change over time (as, for example, the economy shifts from boom to bust, or as cash reserves fall). In other words, breaches of risk appetite may well reflect a need to reconsider the risk appetite part way through a reporting cycle as well as a more regular review on an annual cycle. Rapid changes in circumstances, for example as were witnessed during the financial crisis in 2008-9, might also indicate a need for an organisation to re-appraise its risk appetite or at least the application of its risk appetite framework. In a fast changing economic climate, it is especially important for firms to have not only a clearly defined strategy, but also a clearly articulated risk appetite framework so that they are able to react quickly to the challenges and opportunities presented during such times.


Five tests for risk appetite frameworks

In summary, there are five tests that Directors should apply in reviewing their organisation’s risk appetite framework:

1 Do the managers making decisions understand the degree to which they (individually) are permitted to expose the organisation to the consequences of an event or situation? Any risk appetite framework needs to be practical, guiding managers to make risk-intelligent decisions.

2 Do the executives understand their aggregated and interlinked level of risk so they can determine whether it is acceptable or not?

3 Do the board and executive leadership understand the aggregated and interlinked level of risk for the organisation as a whole?

4 Are both managers and executives clear that risk appetite is not constant? It may change as the environment and business conditions change. Anything approved by the board must have some flexibility built in.

5 Are risk decisions made with full consideration of reward? The risk appetite framework needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward.

We believe that by following the guidance set out in detail in our document, directors will be able to be confident that they can pass all of those five tests.

“The risk appetite statement is generally considered the hardest part of any Enterprise Risk Management implementation. However, without clearly defined, measurable tolerances the whole risk cycle and any risk framework is arguably at a halt.”
Jill Douglas, Head of Risk, Charterhouse Risk Management


Questions for the boardroom

Below we set out some questions that we think boards may want to consider, as part of an iterative process over time, as they develop their approaches to risk appetite and which will enable them to remain at the forefront of the discussion. One clear outcome from our consultation exercise was that, despite the expected variation in views on the technical aspects of risk appetite, there was a common acceptance of these questions as a useful starting point for board discussion.

Background

1 What are the significant risks the board is willing to take? What are the significant risks the board is not willing to take?
2 What are the strategic objectives of the organisation? Are they clear? What is explicit and what is implicit in those objectives?
3 Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
4 Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
5 What steps has the board taken to ensure oversight over the management of the risks?


Designing a risk appetite

6 Has the board and management team reviewed the capabilities of the organisation to manage the risks that it faces?
7 What are the main features of the organisation’s risk culture in terms of tone at the top? Governance? Competency? Decision making?
8 Does an understanding of risk permeate the organisation and its culture?
9 Is management incentivised for good risk management?
10 How much does the organisation spend on risk management each year? How much does it need to spend?
11 How mature is risk management in the organisation? Is the view consistent at differing levels of the organisation? Is the answer to these questions based on evidence or speculation?

Constructing a risk appetite

12 Does the organisation understand clearly why and how it engages with risks?
13 Is the organisation addressing all relevant risks or only those that can be captured in risk management processes?
14 Does the organisation have a framework for responding to risks?

Implementing a risk appetite

15 Who are the key external stakeholders and have sufficient soundings been taken of their views? Are those views dealt with appropriately in the final framework?
16 Has the organisation followed a robust approach to developing its risk appetite?
17 Did the risk appetite undergo appropriate approval processes, including at the board (or risk oversight committee)?
18 Is the risk appetite tailored and proportionate to the organisation?
19 What is the evidence that the organisation has implemented the risk appetite effectively?


Governing a risk appetite

20 Is the board satisfied with the arrangements for data governance pertaining to risk management data and information?
21 Has the board played an active part in the approval, measurement, monitoring and learning from the risk appetite process?
22 Does the board have, or does it need, a risk committee to, inter alia, oversee the development and monitoring of the risk appetite framework?

The journey is not over - final thoughts

23 What needs to change for next time round?
24 Does the organisation have sufficient and appropriate resources and systems?
25 What difference did the process make and how would we like it to have an impact next time round?


Crowe Horwath Global Risk Consulting
Contact: Richard Anderson
E richard.anderson@crowehorwathgrc.net

Charterhouse Risk Management Ltd
Contact: Andy Jenkinson
E andy.jenkinson@charterhouse-group.com

The Institute of Risk Management
6 Lloyd’s Avenue
London EC3N 3AX
T +44(0)20 7709 9808
E enquiries@theirm.org
W www.theirm.org
