IRM ERM M1U2.3 RASP - Strategy Flashcards
RM Strategy input into STOC
An important component of that risk strategy will be the requirement that there is risk management input into strategy, tactics, operations and compliance (STOC).
Organizations that have effective and efficient tactics, operations and compliance but an incorrect overall strategy will fail. This will be the case however good the risk management activities are at operational and project level. Incorrect strategy has resulted in more corporate failures than ineffective or inefficient operations and tactics. Nevertheless, the importance of compliance activities cannot be over-emphasized as failure to comply could result in the complete shutdown of operations.
The components of the Risk Strategy
The components of the Risk Strategy, as interpreted by Hopkin and Thompson, are listed as:
Risk management philosophy
Arrangements for embedding risk management
Risk appetite and attitude to risk
Benchmark tests for significance
Specific statements / policies
Risk assessment techniques
Risk priorities
ERM Policy
It is typical for organisations to have a short (maximum two pages) ERM Policy that outlines the philosophy of risk management for the organisation, states who should be responsible for it and commits to provide the resources necessary to manage risks to an acceptable level. The Policy is typically approved and owned by the Board or a Risk Committee of the Board.
Risk appetite
‘The amount of risk that an organisation is willing to seek or accept in the pursuit of long-term objectives.’
The level of risk acceptable to the board or management
Risk appetite & Tolerance & Capacity
Fundamentally, the key terms mean:
risk appetite – the acceptable level for the risk, where no further action is required other than monitoring and reviewing for changes in the context, risk and controls
risk tolerance – the level of risk that you can accept for a short period of time, and which you will be actively managing to bring to an acceptable level
risk capacity – the level of risk that is unacceptable. This is the tipping point that the organisation cannot or does not wish to go over
RM & Internal Audit
The working relationship between risk management and internal audit is critically important. The RASP should set out the details of how this close co-operation will be achieved in practice. Risk management expertise rests in the assessment of risk and the identification of existing and additional controls. Internal audit has its expertise in the evaluation of controls and the testing of their efficiency and effectiveness.
Risk Appetite: Royal Bank of Scotland (RBS) takeover of Dutch bank ABN Amro
Risk Appetite - ‘fight or flight’ response
“risk appetite”. When those two words appear together we think it is more appropriate to think in terms of ‘fight or flight’ responses to perceived risks. Most animals, including human beings, have a ‘fight or flight’ response to risk. In humans this can be over-ruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. However, since these instincts are not “hardwired” in our corporate “nervous and sensory” systems we use risk management as a surrogate.
Risk appetite, tolerance and universe
- all the risks that the organisation might face (the “risk universe”)
- those that, if push comes to shove, they might just be able to put up with (the “risk tolerance”)
- those risks that they actively wish to engage with (the “risk appetite”)