Chapter 10 Flashcards
10.1: How can using the concept of risk appetite add value to an organisation?
Organisations that determine their appetite for risk should be able to make better strategic and risk-management
decisions, as well as improve governance and internal control.
Better strategic decisions should mean that an organisation:
- does not enter into investments or activities that may expose it to an ‘excessive’ amount of risk; and
- is not overly conservative (stifling innovation or instating excessive bureaucracy) and thereby passing up
investments or activities that should add value.
Better risk-management decisions should ensure that an organisation can allocate its limited risk-management resources
more efficiently – targeting them where they are most needed. In addition, it should help to improve buy-in for riskmanagement activities by highlighting the consequences of not maintaining appropriate levels of risk exposure.
Better governance and internal control should come from the fact that decision makers have a clear understanding of
the risks that the organisation is willing to take and those that it is not willing to take. This should reduce the chance of
making inappropriate risk-management decisions.
10.2: Compare and contrast risk appetite, risk tolerance and risk capacity.
Risk appetite denotes the overall level of risk that an organisation is willing to take (or is prepared to accept). Risk
appetite may be expressed for an organisation’s total exposure to risk, but it is more commonly applied to broad risk
categories, such as market risk, credit risk and operational risk.
Risk tolerance is sometimes confused with risk appetite, especially where the focus is on the acceptability of risk. Risk
tolerance is more commonly applied to specific types of risk event, such as a tolerance for data inputting errors or
customer complaints. It is used to express a clear limit of exposure to risk events that will generally have no upside.
Risk capacity relates to the total maximum level of risk that an organisation can be exposed to before risking its long-term financial viability. The strength of an organisation’s balance sheet is a major determinant of risk capacity
10.3: Why should risk appetite be expressed quantitatively as well as qualitatively?
Not all risks can be quantified. Where categories of risks can be quantified to a degree, it is usually appropriate to have
quantitative expressions of risk appetite for these risks.
Where risks cannot be quantified, either because of a lack of data or because historical trends are an unreliable indicator
of the future, it is necessary to express risk appetite in a qualitative way.
10.4: What is the difference between culture and risk culture?
The culture of an organisation represents the general beliefs, values and assumptions that influence how people dress,
communicate, behave and make decisions. The risk culture relates specifically to how people talk about risk, behave in relation to risk-taking and control and make risk-management decisions.
10.5: How often should organisations attempt to assess, monitor and control their risk culture?
There is no agreed rule on frequency, but organisations should look to assess, monitor and control their risk culture on
a regular basis. Cultures and risk cultures are fluid and change on a regular basis, sometimes in surprising ways. It is important that organisations respond to any inappropriate changes in their risk cultures, such as excessive risk-taking or
negative views on risk management and compliance. Organisations such as Barclays and VW, who failed to respond to inappropriate changes in their risk cultures, have suffered major and costly scandals.
