Risk Appetite
41
events, especially in crisis situations. From NatWest system outages to LIBOR rigging,
from systems failures at British Airways to passenger mistreatment by United Airlines,
and from Deepwater Horizon to the Grenfell Tower fire, effective crisis management
can mean the difference between saving a reputation or seeing it destroyed. Part 3 of
this book focuses on the importance of risk mitigation and controls and Chapter 20
explores the interconnections between reputation and resilience.
Turning these funnel steps into a table creates an actionable risk appetite structure – one that is being adopted by the financial organizations with a more mature approach to operational risk management. Figure 5.2 presents the five elements of a comprehensive risk appetite framework.
Risk appetite statements come first, and they are usually qualitative and organized according to risk categories, even if an overarching statement is common at the top level of the firm. Although risk categorization is the usual way of organizing risk appetite, other options are possible, depending on the firm’s organizational structure. Some firms articulate their risk appetite through board subcommittees, each loosely related to risk types, which has the benefit of linking directly to the governance structure of the organization. Another example is a clearinghouse that defines its risk appetite around its three main business processes because its activities are organized around those processes, with a different level of risk appetite for each process. Some organizations may prefer to define risk appetite in relation to the main business lines because the line management structure is the dominant one and different risk appetite levels apply to different business lines.
FIGURE 5.2 Structure of actionable risk appetite. [Figure: five linked elements]
Risk appetite: qualitative statements; implicit risk/reward tradeoff, or pure risk avoidance at a cost; per risk category.
Risk tolerance: metrics translating appetite; value at risk, indicators, budget.
Key controls: internal controls and processes ensuring the respect of risk limits.
Risk limits: key indicators and thresholds; allow monitoring; loss budget or incident tolerance.
Governance: what to do if limits are breached; risk owners and accountabilities.
42
RISK ASSESSMENT
To define their appetite level, some firms have replaced the classic “low – medium – high” by the more colorful “Averse,” “Cautious,” “Open” and “Seeker”/“Hungry.” The latter is reserved for risk types that relate to business revenues, such as credit risk for banks, actuarial risks for insurance companies and investment risks for asset managers. Risk-taking is typically “Averse,” “Minimal” or “ALARP”⁵ for compliance risk, conduct and fraud, while firms will be “Cautious” for operational risk types such as human errors and system downtime (depending on nature and frequency of activity, however) that may be too costly to reduce to minimal levels.
In the COSO approach,⁶ risk tolerance is the quantitative expression of risk appetite, expressing the same level of risk-taking. This is the approach I favor. However, for many firms, tolerance is the higher level of risk-taking accepted in practice, with an amber, buffer-type zone before reaching the forbidden red zone beyond risk appetite and tolerance. In these firms, risk appetite is seen more as an aspirational safety level than a realistic one. This widespread attitude, however, raises the question of the credibility of the risk appetite limits: if you give a higher tolerance, will that become the new norm? Moving goalposts, blurry limits and discrepancies between talk and action have long undermined governance and discipline. There is little room for acceptable deviations in market or credit limits, so why should there be for operational risk? Governance is a necessary condition for effective risk appetite structures, and policies and practices must define what to do and who is accountable for actions when risk limits are breached.
Most importantly, once the appetite and tolerance are stated (they are sometimes merged into one statement), the key controls, or systems of control, are documented to support and validate the statements. Documentation, such as the list of key controls for each main risk type, is particularly useful for demonstrating to internal and external stakeholders, including regulators and clients, that the organization lives up to its objectives. Next, monitoring thresholds and key indicators for control reliability, activity limits and other KRIs should provide management with the relevant information and assurance that the business operates as it should. Direct experience of incidents and near misses, compared with estimates of acceptable limits, reveals whether current actions are appropriate for the frequency and severity of adverse events under the tolerated limits. Monitoring tools and reporting are discussed in Part 4.
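As an added illustration that is not from the book, the chain of Figure 5.2 (qualitative appetite, quantitative tolerance, monitorable limits, governance action) can be turned into a small monitor: each risk category carries an appetite level, a loss budget as its tolerance, an amber buffer zone and an incident tolerance, and the realised incidents and near misses in a constructed log are compared with those limits to yield a status and the action it triggers. All categories, limit values and actions below are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskLimit:
    """One row of the appetite structure: appetite level, tolerance, limits."""
    category: str
    appetite: str        # qualitative statement level: "Averse", "Cautious", "Open", ...
    loss_budget: float   # annual loss budget: the quantitative tolerance for the category
    amber_ratio: float   # share of the budget at which the amber buffer zone starts
    max_incidents: int   # incident tolerance for the period (0 models an "Averse" appetite)

# Governance element of the structure: what happens when a limit is approached or breached.
ACTIONS = {
    "green": "routine monitoring by the risk owner",
    "amber": "notify the risk owner; review effectiveness of the key controls",
    "red": "escalate to the risk committee; remediation plan required",
}
# Constructed limits and incident log (hypothetical values, not taken from the book).
LIMITS = [
    RiskLimit("system downtime", "Cautious", 500_000.0, 0.7, 6),
    RiskLimit("internal fraud", "Averse", 50_000.0, 0.5, 0),
    RiskLimit("human error", "Cautious", 200_000.0, 0.7, 12),
]
INCIDENTS = [  # (category, loss amount, is_near_miss)
    ("system downtime", 120_000.0, False),
    ("system downtime", 260_000.0, False),
    ("system downtime", 0.0, True),   # failover worked: a near miss with no loss
    ("internal fraud", 8_000.0, False),
    ("human error", 15_000.0, False),
    ("human error", 4_500.0, False),
]

def evaluate(limit, incidents):
    """Compare realised losses and incident counts for one category with its limits."""
    realised = [amt for cat, amt, nm in incidents if cat == limit.category and not nm]
    near_misses = sum(1 for cat, _, nm in incidents if cat == limit.category and nm)
    total, count = sum(realised), len(realised)
    if total > limit.loss_budget or count > limit.max_incidents:
        status = "red"      # beyond tolerance: the limit is breached
    elif total >= limit.amber_ratio * limit.loss_budget:
        status = "amber"    # buffer zone between appetite and tolerance
    else:
        status = "green"
    return {"appetite": limit.appetite, "total_loss": total, "incident_count": count,
            "near_misses": near_misses, "status": status, "action": ACTIONS[status]}

def report(limits, incidents):
    """Status and governance action for every risk category, keyed by category."""
    return {lim.category: evaluate(lim, incidents) for lim in limits}
```

With the constructed log, system downtime sits in the amber buffer (380,000 of a 500,000 budget), internal fraud is red because a single realised incident exceeds a zero incident tolerance, and human error stays green.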
Table 5.1 displays examples of risk appetite and tolerance statements in firms I know or have worked with. Elements of the text have been removed to protect the firms’ information without affecting understanding. Some firms prefer to merge appetite and tolerance in one statement and express the limits of risk-taking in the controls and key risk indicators. Many will express risk appetite through maximum tolerance for events. However, large banks and mature firms have moved away from that practice and instead express their risk appetite through internal controls to limit certain losses at certain probabilities of occurrence.
⁵ ALARP: “As Low As Reasonably Practicable” – a concept commonly used in safety systems and in the military, which is attracting interest among risk managers in the financial industry but has not yet been fully adopted there.
⁶ Understanding and Communicating Risk Appetite, Rittenberg & Martens, COSO White Paper, 2012.
TABLE 5.1 Examples of risk appetite and tolerance statements