Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
& Tolerance
Executive Summary
Risk Appetite and Tolerance
Executive Summary
Supported by:
1
This paper will be helpful to senior The Chartered Institute of Internal
managers in public service organisations Auditors welcomes this contribution from
who are trying to understand risk appetite the Institute of Risk Management to the
in the context of their own strategic and debate on risk appetite and risk tolerance.
operational decision making. In its recently In theory, the idea of deciding how much
published Core Competencies in Public risk of different types the organisation
Service Risk Management, Alarm identified wishes to take and accept sounds easy.
the need to understand the organisation’s In practice, it is difficult and needs ongoing
risk appetite and risk tolerance, as part of effort both from those responsible for
the key function of identifying, analysing, governance in agreeing what is acceptable
evaluating and responding to risk. The and from all levels of management in
‘questions for the boardroom’, set out in communicating how much risk they wish
this paper, could easily be translated into to take and in monitoring how much
‘questions for the public organisation’s they are actually taking. Anything
senior executive committee’ and as such that stimulates debate on the practical
may be of value to many Alarm members challenges of risk management is to
and their organisations. be welcomed.
Dr Lynn T Drennan Jackie Cain
Chief Executive Policy Director
Alarm, the public risk Chartered Institute
management association of Internal Auditors
While the Financial Reporting Council has CIPFA is pleased to endorse this work
kick-started the debate on risk appetite by IRM on risk appetite and tolerance
and risk tolerance in the UK, it is a debate which provides welcome leadership on a
that resonates around the world. As an challenging subject for both the public
integrated global risk consulting business, and private sectors. We look forward
I can testify to the fact that our clients are to taking the debate further with our
debating risk appetite. That is why we membership in pursuit of our commitment
are pleased to support the work of the to sound financial management and good
Institute of Risk Management in moving governance.
this debate forward. We look forward to
Diana Melville
actively engaging with IRM and others
Governance Adviser
in promoting this thought-provoking
Chartered Institute of Public Finance
document and turning risk appetite into
and Accountancy
a day-by-day reality for boards and risk
management professionals around the
world.
Larry Rieger
CEO, Crowe Horwath
Global Risk Consulting
2
All successful organisations need to be This document is an important contribution
clear about their willingness to accept risk to a key area of board activity and helpfully
in pursuit of their goals. Armed with this addresses one of the issues highlighted in
clarity, boards and management can make the Financial Reporting Council’s Guidance
meaningful decisions about what actions on Board Effectiveness. ICSA is pleased
to take at all levels of the organisation to support the work started here by the
and the extent to which they must deal Institute of Risk Management, and looks
with the associated risks. But defining forward to a well-informed debate and
and implementing risk appetite is work some useful conclusions.
in progress for many. CIMA therefore
Seamus Gillen
warmly welcomes this new guidance
Director of Policy
from the Institute of Risk Management
Institute of Chartered Secretaries
as a sound foundation for developing
and Administrators (ICSA)
best practice on this critical topic.
Gillian Lees
Head of Corporate Governance
Chartered Institute of Management
Accountants (CIMA)
3
Introduction
*R
isk Appetite and Tolerance – Guidance Paper available
from www.theirm.org/publications/risk_appetite.html
4
We do not regard this guidance Members of
as the last word on the subject: the Working Group
thinking will continue to develop and, if, Richard Anderson,
as we hope, this booklet is superseded Deputy Chairman of IRM and
before too many reporting seasons come Managing Director of Crowe
and go, then we will know that the Horwath Global Risk Consulting
concept of risk appetite is beginning
Bill Aujla,
to take root.
CRO at Etisalat
It is our view that risk appetite, correctly
Gemma Clatworthy,
defined, approached and implemented,
Senior risk consultant at Nationwide
should be a fundamental business concept
Building Society
that could make a substantial difference to
how businesses and organisations are run. Roger Garrini,
We fully expect that the initial scepticism Audit manager at Selex Galileo
about risk appetite will be gradually
replaced as boards and executive directors Paul Hopkin,
gain greater insight into its usefulness. Director of IRM and technical
We also anticipate that analysts will soon director of AIRMIC
be asking chief executives, chairmen and Steven Shackleford,
finance directors about risk appetite. Senior academic in audit and risk
After all, this subject is at the heart of the management at Birmingham City
organisation: risk-taking, whether private, University
public or third sector, whether large or
small, is what managing an organisation John Summers,
is about. The approach of the new UK Chief advisor – risk at Rio Tinto
Corporate Governance Code represents Carolyn Williams,
an opportunity to place risk management, Head of thought leadership at IRM
and in particular risk appetite, right at the
centre of the debate on effective corporate
governance and the role of the board in
running organisations.
Richard Anderson
Deputy Chairman,
Institute of Risk Management
5
About IRM About the Author
The Institute of Risk Management (IRM) Richard Anderson, the principal author
is the world’s leading enterprise risk of this booklet, is Deputy Chairman of
management education Institute. We are IRM. Richard is also Managing Director
independent, well-respected advocates of of Crowe Horwath Global Risk Consulting
the risk profession, owned by practising risk in the UK. A Chartered Accountant, and
professionals. We provide qualifications, formerly a partner at a big-4 practice,
short courses and events at a range of Richard has also run his own GRC practice
levels from introductory to board level for seven of the last ten years. Richard
and support risk professionals by providing has been professionally involved with risk
the skills and tools needed to deal with management since the mid-nineties
the demands of a constantly changing, and has broad industry sector experience.
sophisticated and challenging business He wrote a report for the OECD on
environment. We operate internationally Corporate Risk Management in the banking
with members and students in over 90 sector in the UK, the USA and France.
countries, drawn from a variety of risk- He is a regular speaker at conferences
related disciplines and a wide range of and contributes to many journals on risk
industries in the private, third and management and governance issues.
public sectors.
6
Risk appetite –
principles and approach
7
3 Risk appetite is not a single, fixed 5 Risk appetite must take into account
concept. There will be a range of differing views at a strategic, tactical
appetites for different risks which need and operational level. In other words,
to align and these appetites may well while the UK Corporate Governance
vary over time: the temporal aspect of Code envisages a strategic view of
risk appetite is a key attribute to this risk appetite, in fact risk appetite
whole development. needs to be addressed throughout
the organisation for it to make any
4 Risk appetite should be developed
practical sense.
in the context of an organisation’s
risk management capability, which 6 Risk appetite must be integrated with
is a function of risk capacity and the control culture of the organisation.
risk management maturity. Risk Our framework explores this by looking
management remains an emerging at both the propensity to take risk and
discipline and some organisations, the propensity to exercise control. The
irrespective of size or complexity, do it framework promotes the idea that
much better than others. This is in part the strategic level is proportionately
due to their risk management culture more about risk taking than exercising
(a subset of the overall culture), partly control, while at the operational level
due to their systems and processes, the proportions are broadly reversed.
and partly due to the nature of their Clearly the relative proportions will
business. However, until an organisation depend on the organisation itself, the
has a clear view of both its risk capacity nature of the risks it faces and the
and its risk management maturity it regulatory environment within which
cannot be clear as to what approach it operates.
would work or how it should be
implemented.
8
Risk and control A board will properly want to know
that its operations are under control
We think that this dual focus on as much as it wants to oversee the
taking risk and exercising control is development and implementation of
both innovative and critical to a proper strategy. In the detailed paper we have
understanding of risk appetite and risk included a few suggestions as to how
tolerance. The innovation is not in looking boards might like to consider these dual
at risk and control – all boards do that. responsibilities. Above all, we are very
The innovation is in looking at the much focused on the need to take risk
interaction of risk and control as part of as much as the traditional pre-occupation
determining risk appetite. Proportionately of many risk management programmes,
more time is likely to be spent on risk which is the avoidance of harm.
taking at a strategic level than at an
operational level, where the focus is
more likely to be on the exercise of
control. One word of caution though,
we are not equating strategy with board
level and operations with lower levels
of the organisation.
9
Risk appetite
and performance
Performance
performance over time. We believe that
Current direction
while risk appetite is about the pursuit
of travel for performance
of risk, risk tolerance is about what you
can allow the organisation to deal with.
Organisations have to take some risks
and they have to avoid others. The big
t0 Time t1
question that all organisations have to
ask themselves is: just what does successful
performance look like? This question might
be easier to answer for a listed company Diagram 1
than for a government department,
but can usefully be asked by boards
in all sectors.
Where you might
The illustrations on these pages show get to if some
the relationship between risk appetite, “good” things happen
Performance
10
We believe that the appetite will be smaller
Performance
than the tolerance in the vast majority of
cases, and that in turn will be smaller than
the risk universe, which in any case will Risk
include “unknown unknowns”. Universe
Risk
Appetite
t0 Time t1
11
Putting it into practice
*H
ouse of Lords Economic Affairs Committee. (2011)
Second Report - Auditors: Market concentration and their role
12
Flexibility - all of this needs to be carried
out with the basic precept in mind that
risk appetite can and will change over time
(as, for example, the economy shifts from
boom to bust, or as cash reserves fall). In
other words, breaches of risk appetite
may well reflect a need to reconsider
the risk appetite part way through a
reporting cycle as well as a more regular
review on an annual cycle. Rapid changes
in circumstances, for example as were
witnessed during the financial crisis in
2008-9, might also indicate a need for
an organisation to re-appraise its risk
appetite or at least the application of its
risk appetite framework. In a fast changing
economic climate, it is especially important
for firms to have not only a clearly defined
strategy, but also a clearly articulated risk
appetite framework so that they are able
to react quickly to the challenges and
opportunities presented during such times.
13
Five tests for risk appetite
frameworks
In summary, there are five tests that 4 Are both managers and executives clear
Directors should apply in reviewing their that risk appetite is not constant? It may
organisation’s risk appetite framework: change as the environment and business
conditions change. Anything approved
1 Do the managers making decisions
by the board must have some flexibility
understand the degree to which they
built in.
(individually) are permitted to expose
the organisation to the consequences 5 Are risk decisions made with full
of an event or situation? Any risk consideration of reward? The risk
appetite framework needs to be appetite framework needs to help
practical, guiding managers to make managers and executives take an
risk-intelligent decisions. appropriate level of risk for the
business, given the potential for reward.
2 Do the executives understand their
aggregated and interlinked level of We believe that by following the guidance
risk so they can determine whether set out in detail in our document, directors
it is acceptable or not? will be able to be confident that they can
pass all of those five tests.
3 Do the board and executive leadership
understand the aggregated and
interlinked level of risk for the
organisation as a whole?
14
Questions for
the boardroom
15
Designing a risk appetite Constructing a risk appetite
6 Has the board and management 12 Does the organisation understand
team reviewed the capabilities of the clearly why and how it engages
organisation to manage the risks that with risks?
it faces?
13 Is the organisation addressing all
7 What are the main features of the relevant risks or only those that can be
organisation’s risk culture in terms captured in risk management processes?
of tone at the top? Governance?
14 Does the organisation have a
Competency? Decision making?
framework for responding to risks?
8 Does an understanding of risk permeate
the organisation and its culture? Implementing a risk appetite
9 Is management incentivised for good 15 Who are the key external stakeholders
risk management? and have sufficient soundings been
taken of their views? Are those views
10 How much does the organisation dealt with appropriately in the final
spend on risk management each year? framework?
How much does it need to spend?
16 Has the organisation followed
11 How mature is risk management in the a robust approach to developing
organisation? Is the view consistent at its risk appetite?
differing levels of the organisation?
Is the answer to these questions based 17 Did the risk appetite undergo
on evidence or speculation? appropriate approval processes,
including at the board (or risk
oversight committee)?
18 Is the risk appetite tailored and
proportionate to the organisation?
19 What is the evidence that the
organisation has implemented
the risk appetite effectively?
16
Governing a risk appetite
20 Is the board satisfied with the
arrangements for data governance
pertaining to risk management data
and information?
21 Has the board played an active part in
the approval, measurement, monitoring
and learning from the risk appetite
process?
22 Does the board have, or does it need,
a risk committee to, inter alia, oversee
the development and monitoring of
the risk appetite framework?
17
Crowe Horwath Global Risk Consulting
Contact: Richard Anderson
E richard.anderson@crowehorwathgrc.net