Risk Appetite / Compliance Management Flashcards
What do risk appetite, risk tolerance and risk capacity mean?
- Risk appetite - The quantity of risk that an organisation is willing to accept in pursuit of its objectives.
- Risk tolerance - A margin of additional risk that an organisation may absorb in excess of its risk appetite, per risk and arising from the outcomes of such risk (measured using quantitative and qualitative criteria).
- Risk capacity - The aggregate of an organisation’s risk appetite and risk tolerance, representing the maximum risk an organisation may accept.
What are the three principal roles of risk appetite?
Risk appetite supports:
- RISK MANAGEMENT DECISIONS: Risk appetite benchmarks decision-making, ensuring these remain ‘within appetite’.
- RISK GOVERNANCE/INTERNAL CONTROL: Beneficial for limit-setting purposes in terms of consolidated risk and solo risk categories. Absolute limits are unlikely to be helpful; instead, a RISK PREMIUM target may be more useful in defining the RETURN RATE required to JUSTIFY A GIVEN RISK.
- STRATEGIC DECISION-MAKING: Risk appetite also informs strategic decisions and achievement of organisation objectives, balancing risk and return - not too little (Blockbuster; Kodak) and not too much (Northern Rock; Perrier).
How may risk appetite be expressed?
- No agreed approach; different risks may require different means of expression.
- Two principal approaches:
- METRIC-BASED: Quantitative or qualitative probability and impact boundaries (typical for H&S, environmental risks); targets, limits and thresholds.
- NON-METRIC-BASED: Organisational values; principles-based; formal risk appetite statement.
What are the differences between targets, limits and thresholds?
- TARGETS: Value or range of values aimed for (e.g. % change; RAG status). Often set for STRATEGIC RISKS that have a positive or negative outcome.
- LIMITS: Denote MAXIMUM or MINIMUM VALUE that an organisation may accept (e.g. customer complaints, losses). Limits often correlate with DOWNSIDE RISK.
- THRESHOLDS: Often linked to RAG reporting, as a control and performance indicator.
What are three non-metric values?
1. VALUES:
- Explain organisation’s purposes and beliefs (e.g. ethics, sustainability, stakeholder relations).
- Values may impact organisation’s acceptance and management of risks.
2. RISK MANAGEMENT PRINCIPLES:
- Principles included in risk management policy.
- May provide for risk-taking where benefits exceed costs, certain risks will never be taken and ensuring RM to maximise stakeholder value.
3. RISK APPETITE STATEMENT:
- May be used to explain (i) organisational values and RM principles, and (ii) risks against which there is no appetite (e.g. insolvency, regulatory non-compliance).
- Risks may be expressed QUANTITATIVELY (if sufficient risk data exists) or QUALITATIVELY (if not).
What five factors typically influence risk appetite?
Risk appetite should be established by the board, involving consideration of:
1. LEGAL AND REGULATORY REQUIREMENTS.
2. STAKEHOLDER RISK PREFERENCES (e.g. shareholders, customers, employees).
3. ORGANISATIONAL RISK, GOVERNANCE AND COMPLIANCE STAKEHOLDERS.
4. BALANCE SHEET STRENGTH.
5. EXTERNAL FACTORS (e.g. technological change or economic growth).
What five forms of culture may impact an organisation’s risk appetite?
- MACRO CULTURES:
  - Individual’s national background;
  - Family influences;
  - Academic profile; professional training/experiences.
- ORGANISATIONAL CULTURE:
  - Visible products (dress code; office layout; policy/procedure design);
  - Expressed beliefs and values;
  - Deeper underlying assumptions - competitive, aggressive, politeness, friendliness?
- ORGANISATIONAL RISK CULTURE.
- RISK SUB-CULTURE.
- INDIVIDUAL.
What is the difference between culture and risk culture?
- CULTURE: Represents general beliefs, values and assumptions affecting how personnel communicate, behave and make decisions.
- RISK CULTURE: Represents how risk is discussed in connection with risk-taking, control and risk management decision-making.
Both may change and should be assessed, monitored and controlled regularly through, for example, risk culture surveys and metrics.
What does compliance management involve?
- Identification of applicable laws and regulations.
- Ensuring the impact of such laws and regulations on decision-making and processes is assessed and understood.
- Ensuring RM policies are compliant with laws and regulations, and designing and implementing a control environment to maintain compliance.
Name three potential compliance risks.
- Ignorance of an applicable law or regulation.
- Uncertainty as to how to comply with a law or regulation.
- Conscious management decision not to comply with a law or regulation.
Name seven possible consequences of a compliance risk event.
- Fines.
- Staff imprisonment.
- Costly legal disputes.
- Third party liability claims and compensation costs.
- Reputational damage.
- Share price reduction (for listed companies).
- Cessation of business.
What are the roles of the board of directors and company secretary in terms of compliance risk?
- Board generally ultimately responsible for organisational compliance with laws and regulations.
- In smaller organisations, the company secretary may represent the compliance function or have compliance stakeholders report into them.
How are employees responsible for complying with laws and regulations?
- All employees are responsible for not knowingly contravening legal and regulatory requirements applicable to the organisation.
- BOARD - Must assure themselves that all necessary compliance management arrangements exist and are maintained to ensure compliance with applicable laws and regulations.
- COMPLIANCE, RISK AND GOVERNANCE SPECIALISTS - Ensure design and implementation of organisational compliance management infrastructure is appropriate.
- LINE MANAGERS - Must follow Compliance, Risk and Governance requirements and ensure direct reports support organisational compliance arrangements.
- OTHER EMPLOYEES - Must follow line manager directions as to Compliance, Risk and Governance requirements.
What are three reasons why compliance monitoring may be risk-based?
- Distinction between compliance and non-compliance is not always clear (though absence of clarity does not justify non-compliance).
- It may be too costly to invest in compliance management experts, tool design, procedures and ongoing monitoring to ensure definitive compliance.
- Conversely, available resources will be limited and may only accommodate a finite number of compliance reviews and audits - resources are likely to be focused on more probable and higher impact compliance risk events.
What does a compliance review, gap analysis and impact analysis involve, as compliance management tools?
- Compliance review - Reviews whether compliance controls are used APPROPRIATELY and whether ADDITIONAL CONTROLS are necessary.
- Gap analysis - Assesses whether existing policies, processes, procedures and compliance controls are SUFFICIENT TO ENSURE COMPLIANCE.
- Impact analysis - Investigates the impact of a COMPLIANCE BREACH, including (in)direct FINANCIAL liabilities as well as NON-FINANCIAL consequences.